Re: SOAPClient authentication problem

[David Zülke <david.zuelke@bitextender.com>]

Can do, but I wanted to figure out a way to create a reproduce case  
first (I already have an idea).

- David



On 24.07.2009, at 12:20, Dmitry Stogov wrote:

> Hi David,
>
> Please report a bug on bugs.php.net (assign it to dmitry).
> I'll look into it later.
>
> Thanks. Dmitry.
>
> David Zülke wrote:
> > This sounds like a serious issue, but I'm not sure if it's in  
> > libxml or
> > in ext/soap. Will have a look later; but maybe Dmitry or someone else
> > knows off the top of their heads?
> >
> > - David
> >
> >
> > Begin forwarded message:
> >
> > > From: Davide Romanini <davide.romanini@gmail.com>
> > > Date: 30. Juni 2009 11:49:30 MESZ
> > > To: soap@lists.php.net
> > > Subject:  SOAPClient authentication problem
> > > Reply-To: d.romanini@cineca.it
> > >
> > > Hi,
> > >
> > > Today I found a nasty problem with a simple php SOAP client. Never  
> > > had
> > > problems before, but today I have the following error at SOAPClient
> > > constructor line:
> > >
> > > SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to  
> > > open
> > > stream: HTTP request failed! HTTP/1.1 401 Authorization Required
> > >
> > > The source is as simple as:
> > >
> > > $client = new SoapClient("http://my.host.com/my_web_service?wsdl";,
> > >                        array( 'trace' => TRUE,
> > >                               'login'=>'mylogin',
> > >                               'password'=>'secret'
> > >                             )
> > >                       );
> > >
> > > It seems that the php xml parser tries to fetch the url
> > > http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
> > > network operations I found that php uses my login and password  
> > > (for the
> > > web service) also to access external references! :-O
> > >
> > > GET /2001/xml.xsd HTTP/1.0
> > > Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
> > > Host: www.w3.org
> > >
> > > In the past probably w3.org just ignored the issue, but now I  
> > > receive an
> > > HTTP 401 Unauthorized error in response...
> > >
> > > In any case it is a serious security issue if SOAPClient sends  
> > > password
> > > around the web, when the intent is that they are used only for the  
> > > web
> > > service host!
> > >
> > > I tried the following PHP versions:
> > >
> > > PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
> > > Copyright (c) 1997-2007 The PHP Group
> > > Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
> > >
> > > PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
> > > Copyright (c) 1997-2008 The PHP Group
> > > Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
> > >   with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
> > > Zend Technologies
> > >   with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
> > > Technologies
> > >   with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend
> > > Technologies
> > >
> > >
> > > Regards,
> > > Davide
> > >
> > > --
> > > PHP Soap Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php

Attachment: smime.p7s
Description: S/MIME cryptographic signature