David Zülke ha scritto: > Can do, but I wanted to figure out a way to create a reproduce case > first (I already have an idea). > > - David > > > > On 24.07.2009, at 12:20, Dmitry Stogov wrote: > >> Hi David, >> >> Please report a bug on bugs.php.net (assign it to dmitry). >> I'll look into it later. >> >> Thanks. Dmitry. >> >> David Zülke wrote: >>> This sounds like a serious issue, but I'm not sure if it's in libxml or >>> in ext/soap. Will have a look later; but maybe Dmitry or someone else >>> knows off the top of their heads? >>> >>> - David >>> >>> >>> Begin forwarded message: >>> >>>> From: Davide Romanini <davide.romanini@gmail.com> >>>> Date: 30. Juni 2009 11:49:30 MESZ >>>> To: soap@lists.php.net >>>> Subject: SOAPClient authentication problem >>>> Reply-To: d.romanini@cineca.it >>>> >>>> Hi, >>>> >>>> Today I found a nasty problem with a simple php SOAP client. Never had >>>> problems before, but today I have the following error at SOAPClient >>>> constructor line: >>>> >>>> SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open >>>> stream: HTTP request failed! HTTP/1.1 401 Authorization Required >>>> >>>> The source is as simple as: >>>> >>>> $client = new SoapClient("http://my.host.com/my_web_service?wsdl";, >>>> array( 'trace' => TRUE, >>>> 'login'=>'mylogin', >>>> 'password'=>'secret' >>>> ) >>>> ); >>>> >>>> It seems that the php xml parser tries to fetch the url >>>> http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the >>>> network operations I found that php uses my login and password (for the >>>> web service) also to access external references! :-O >>>> >>>> GET /2001/xml.xsd HTTP/1.0 >>>> Authorization: Basic bXlsb2dpbjpzZWNyZXQ= >>>> Host: www.w3.org >>>> >>>> In the past probably w3.org just ignored the issue, but now I >>>> receive an >>>> HTTP 401 Unauthorized error in response... >>>> >>>> In any case it is a serious security issue if SOAPClient sends password >>>> around the web, when the intent is that they are used only for the web >>>> service host! >>>> >>>> I tried the following PHP versions: >>>> >>>> PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53) >>>> Copyright (c) 1997-2007 The PHP Group >>>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies >>>> >>>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27) >>>> Copyright (c) 1997-2008 The PHP Group >>>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies >>>> with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by >>>> Zend Technologies >>>> with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend >>>> Technologies >>>> with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend >>>> Technologies >>>> >>>> >>>> Regards, >>>> Davide >>>> >>>> -- >>>> PHP Soap Mailing List (http://www.php.net/) >>>> To unsubscribe, visit: http://www.php.net/unsub.php >>>> >>>> >>> >> > It's really simple to reproduce. Take this example wsdl: <?xml version="1.0" encoding="UTF-8" standalone="no"?> <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"; xmlns:sch="http://mycompany.com/hr/schemas"; xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"; xmlns:tns="http://mycompany.com/hr/schemas"; targetNamespace="http://mycompany.com/hr/schemas";> <wsdl:types> <xs:schema xmlns:hr="http://mycompany.com/hr/schemas"; xmlns:xs="http://www.w3.org/2001/XMLSchema"; elementFormDefault="qualified" targetNamespace="http://mycompany.com/hr/schemas";> <xs:import namespace="http://www.w3.org/XML/1998/namespace"; schemaLocation="http://www.w3.org/2001/xml.xsd"/> <xs:element name="HolidayRequest"> <xs:complexType> <xs:sequence> <xs:element ref="hr:Holiday"/> <xs:element ref="hr:Employee"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Holiday"> <xs:complexType> <xs:sequence> <xs:element ref="hr:StartDate"/> <xs:element ref="hr:EndDate"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="StartDate" type="xs:NMTOKEN"/> <xs:element name="EndDate" type="xs:NMTOKEN"/> <xs:element name="Employee"> <xs:complexType> <xs:sequence> <xs:element ref="hr:Number"/> <xs:element ref="hr:FirstName"/> <xs:element ref="hr:LastName"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Number" type="xs:integer"/> <xs:element name="FirstName" type="xs:NCName"/> <xs:element name="LastName" type="xs:NCName"/> </xs:schema> </wsdl:types> <wsdl:message name="HolidayRequest"> <wsdl:part element="tns:HolidayRequest" name="HolidayRequest"> </wsdl:part> </wsdl:message> <wsdl:portType name="holidayPortType"> <wsdl:operation name="Holiday"> <wsdl:input message="tns:HolidayRequest" name="HolidayRequest"> </wsdl:input> </wsdl:operation> </wsdl:portType> <wsdl:binding name="holidayPortTypeSoap11" type="tns:holidayPortType"> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="Holiday"> <soap:operation soapAction=""/> <wsdl:input name="HolidayRequest"> <soap:body use="literal"/> </wsdl:input> </wsdl:operation> </wsdl:binding> <wsdl:service name="holidayService"> <wsdl:port binding="tns:holidayPortTypeSoap11" name="holidayPortTypeSoap11"> <soap:address/> </wsdl:port> </wsdl:service> </wsdl:definitions> The important part is <xs:import namespace="http://www.w3.org/XML/1998/namespace"; schemaLocation="http://www.w3.org/2001/xml.xsd"/> I just copied this file in my local apache doc root and tried to run this script: <?php $client = new SoapClient("http://localhost/test/holiday.wsdl";, array( 'trace' => TRUE, 'login'=>'mylogin', 'password'=>'secret' ) ); ?> And the output is: Warning: SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required in /home/romaz/tmp/soapFail.php on line 7 Warning: SoapClient::SoapClient(): I/O warning : failed to load external entity "http://www.w3.org/2001/xml.xsd"; in /home/romaz/tmp/soapFail.php on line 7 Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing Schema: can't import schema from 'http://www.w3.org/2001/xml.xsd' in /home/romaz/tmp/soapFail.php:7 Stack trace: #0 /home/romaz/tmp/soapFail.php(7): SoapClient->SoapClient('http://localhos...', Array) #1 {main} thrown in /home/romaz/tmp/soapFail.php on line 7 Note that login and password here are completely useless, because on my local apache I haven't any access restriction. Bye, Davide -- PHP Soap Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
