Re: SOAPClient authentication problem

David Zülke ha scritto:
> Can do, but I wanted to figure out a way to create a reproduce case
> first (I already have an idea).
> 
> - David
> 
> 
> 
> On 24.07.2009, at 12:20, Dmitry Stogov wrote:
> 
>> Hi David,
>>
>> Please report a bug on bugs.php.net (assign it to dmitry).
>> I'll look into it later.
>>
>> Thanks. Dmitry.
>>
>> David Zülke wrote:
>>> This sounds like a serious issue, but I'm not sure if it's in libxml or
>>> in ext/soap. Will have a look later; but maybe Dmitry or someone else
>>> knows off the top of their heads?
>>>
>>> - David
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Davide Romanini <davide.romanini@gmail.com>
>>>> Date: 30. Juni 2009 11:49:30 MESZ
>>>> To: soap@lists.php.net
>>>> Subject:  SOAPClient authentication problem
>>>> Reply-To: d.romanini@cineca.it
>>>>
>>>> Hi,
>>>>
>>>> Today I found a nasty problem with a simple PHP SOAP client. I never had
>>>> problems before, but today I get the following error at the SOAPClient
>>>> constructor line:
>>>>
>>>> SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open
>>>> stream: HTTP request failed! HTTP/1.1 401 Authorization Required
>>>>
>>>> The source is as simple as:
>>>>
>>>> $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
>>>>                        array( 'trace' => TRUE,
>>>>                               'login'=>'mylogin',
>>>>                               'password'=>'secret'
>>>>                             )
>>>>                       );
>>>>
>>>> It seems that the php xml parser tries to fetch the url
>>>> http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
>>>> network operations I found that php uses my login and password (for the
>>>> web service) also to access external references! :-O
>>>>
>>>> GET /2001/xml.xsd HTTP/1.0
>>>> Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
>>>> Host: www.w3.org
>>>>
>>>> In the past w3.org probably just ignored the issue, but now I receive an
>>>> HTTP 401 Unauthorized error in response...
>>>>
>>>> In any case it is a serious security issue if SOAPClient sends passwords
>>>> around the web, when the intent is that they are used only for the web
>>>> service host!
>>>>
>>>> I tried the following PHP versions:
>>>>
>>>> PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
>>>> Copyright (c) 1997-2007 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>>>>
>>>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
>>>> Copyright (c) 1997-2008 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>>>>   with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
>>>> Zend Technologies
>>>>   with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
>>>> Technologies
>>>>   with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend
>>>> Technologies
>>>>
>>>>
>>>> Regards,
>>>> Davide
>>>>
>>>> -- 
>>>> PHP Soap Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>>
>>>
>>
> 

It's really simple to reproduce. Take this example wsdl:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:sch="http://mycompany.com/hr/schemas"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://mycompany.com/hr/schemas"
targetNamespace="http://mycompany.com/hr/schemas">
  <wsdl:types>
    <xs:schema xmlns:hr="http://mycompany.com/hr/schemas"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="http://mycompany.com/hr/schemas">
    <xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>

    <xs:element name="HolidayRequest">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="hr:Holiday"/>
                <xs:element ref="hr:Employee"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>
    <xs:element name="Holiday">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="hr:StartDate"/>
                <xs:element ref="hr:EndDate"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>
    <xs:element name="StartDate" type="xs:NMTOKEN"/>
    <xs:element name="EndDate" type="xs:NMTOKEN"/>
    <xs:element name="Employee">
        <xs:complexType>
            <xs:sequence>
                <xs:element ref="hr:Number"/>
                <xs:element ref="hr:FirstName"/>
                <xs:element ref="hr:LastName"/>
            </xs:sequence>
        </xs:complexType>
    </xs:element>
    <xs:element name="Number" type="xs:integer"/>
    <xs:element name="FirstName" type="xs:NCName"/>
    <xs:element name="LastName" type="xs:NCName"/>
</xs:schema>
  </wsdl:types>
  <wsdl:message name="HolidayRequest">
    <wsdl:part element="tns:HolidayRequest" name="HolidayRequest">
    </wsdl:part>
  </wsdl:message>
  <wsdl:portType name="holidayPortType">
    <wsdl:operation name="Holiday">
      <wsdl:input message="tns:HolidayRequest" name="HolidayRequest">
    </wsdl:input>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="holidayPortTypeSoap11" type="tns:holidayPortType">
    <soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Holiday">
      <soap:operation soapAction=""/>
      <wsdl:input name="HolidayRequest">
        <soap:body use="literal"/>
      </wsdl:input>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="holidayService">
    <wsdl:port binding="tns:holidayPortTypeSoap11"
name="holidayPortTypeSoap11">
      <soap:address/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>


The important part is

<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>

I just copied this file into my local Apache doc root and tried to run
this script:

<?php
$client = new SoapClient("http://localhost/test/holiday.wsdl",
                       array( 'trace' => TRUE,
                              'login'=>'mylogin',
                              'password'=>'secret'
                            )
                      );
?>

And the output is:

Warning: SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed
to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required
 in /home/romaz/tmp/soapFail.php on line 7

Warning: SoapClient::SoapClient(): I/O warning : failed to load external
entity "http://www.w3.org/2001/xml.xsd" in /home/romaz/tmp/soapFail.php
on line 7

Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing
Schema: can't import schema from 'http://www.w3.org/2001/xml.xsd' in
/home/romaz/tmp/soapFail.php:7
Stack trace:
#0 /home/romaz/tmp/soapFail.php(7):
SoapClient->SoapClient('http://localhos...', Array)
#1 {main}
  thrown in /home/romaz/tmp/soapFail.php on line 7

Note that login and password here are completely useless, because on my
local Apache I don't have any access restriction.

Bye,
Davide


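One way to keep the Basic credentials on the service host while SoapClient still parses the WSDL, as an added example that is not part of this thread and not code from ext/soap: the class below never hands the 'login'/'password' options to SoapClient. It fetches the WSDL itself with an Authorization header bound to the WSDL's host, lets SoapClient parse a local copy (so libxml resolves the xml.xsd import, and any other schemaLocation, with the default context and no Authorization header), and adds the header in __doRequest only when the endpoint's host matches. It assumes PHP 8, the http stream wrapper, and the hypothetical host and credential values from the report (my.host.com, mylogin/secret).

```php
<?php
// Added example, not code from the thread or from ext/soap. Keeps HTTP Basic
// credentials bound to one host while PHP's SoapClient parses a WSDL.
//
// Why: passing 'login'/'password' to SoapClient makes ext/soap attach an
// Authorization header to every stream it opens while parsing the WSDL,
// including third-party <xs:import schemaLocation="..."> URLs. This class
// never passes those options through. Instead it:
//   1. fetches the WSDL itself, sending credentials only to the WSDL's host,
//   2. lets SoapClient parse a local copy, so schema imports are fetched
//      by libxml without any Authorization header,
//   3. adds the header in __doRequest only when the endpoint's host matches.
// Assumed (hypothetical) values: my.host.com, mylogin/secret as in the report.

final class ScopedAuthSoapClient extends SoapClient
{
    private string $allowedHost;
    private string $basicAuth;

    public function __construct(string $wsdlUrl, string $user, string $pass, array $options = [])
    {
        $host = parse_url($wsdlUrl, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            throw new InvalidArgumentException("WSDL URL has no host: $wsdlUrl");
        }
        $this->allowedHost = strtolower($host);
        $this->basicAuth   = 'Basic ' . base64_encode($user . ':' . $pass);

        // Step 1: authenticated fetch of the WSDL, scoped to $allowedHost only.
        [$status, $wsdlXml] = $this->fetch($wsdlUrl, 'GET');
        if ($status !== 200) {
            throw new RuntimeException("WSDL fetch returned HTTP $status");
        }

        // Step 2: parse from a temp file; any http(s) import inside it is now
        // loaded by libxml with the default context, i.e. unauthenticated.
        $tmp = tempnam(sys_get_temp_dir(), 'wsdl');
        if ($tmp === false || file_put_contents($tmp, $wsdlXml) === false) {
            throw new RuntimeException('cannot write temporary WSDL copy');
        }
        unset($options['login'], $options['password']); // never forwarded
        try {
            parent::__construct($tmp, $options);
        } finally {
            unlink($tmp);
        }
    }

    // Step 3: ext/soap calls this for each SOAP request. The credential is
    // attached only for the allow-listed host; any other endpoint named by
    // <soap:address> gets the request without it.
    public function __doRequest(string $request, string $location, string $action,
                                int $version, bool $oneWay = false): ?string
    {
        if ($version === SOAP_1_2) {
            $headers = ['Content-Type: application/soap+xml; charset=utf-8; action="' . $action . '"'];
        } else {
            $headers = ['Content-Type: text/xml; charset=utf-8', 'SOAPAction: "' . $action . '"'];
        }
        [, $body] = $this->fetch($location, 'POST', $headers, $request);
        // A SOAP fault comes back as HTTP 500 with an envelope; returning the
        // body lets ext/soap turn it into a SoapFault as usual.
        return $oneWay ? null : $body;
    }

    /** @return array{0:int,1:string} HTTP status and response body */
    private function fetch(string $url, string $method, array $headers = [], string $body = ''): array
    {
        $host = strtolower((string) parse_url($url, PHP_URL_HOST));
        if ($host === $this->allowedHost) {
            $headers[] = 'Authorization: ' . $this->basicAuth;
        }
        $http = [
            'method'          => $method,
            'header'          => implode("\r\n", $headers),
            'ignore_errors'   => true, // read 4xx/5xx bodies instead of failing
            'follow_location' => 0,    // a redirect must not carry the header elsewhere
            'timeout'         => 30,
        ];
        if ($method === 'POST') {
            $http['content'] = $body;
        }
        $data = @file_get_contents($url, false, stream_context_create(['http' => $http]));
        if ($data === false) {
            throw new RuntimeException("request to $url failed");
        }
        $status = 0; // $http_response_header is set by the http wrapper in this scope
        if (isset($http_response_header[0]) && preg_match('~^HTTP/\S+ (\d{3})~', $http_response_header[0], $m)) {
            $status = (int) $m[1];
        }
        return [$status, $data];
    }
}

// Usage with the (assumed) values from the report; 'login'/'password' are
// deliberately absent from the options array.
$client = new ScopedAuthSoapClient('http://my.host.com/my_web_service?wsdl',
                                   'mylogin', 'secret', ['trace' => true]);
```

Two caveats. The reproduction WSDL's import of http://www.w3.org/2001/xml.xsd still goes out to w3.org during parsing; it just no longer carries the Authorization header, which is the behaviour the report asks for. The allow-list compares host names only; a deployment that wants to be stricter can compare scheme and port too, or refuse any endpoint outside the allow-list instead of sending the request unauthenticated.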