php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #75421 Invalid values accepted for the SoapHeader actor parameter.
Submitted: 2017-10-23 23:30 UTC Modified: 2021-03-23 14:53 UTC
From: kguest@php.net Assigned:
Status: Open Package: SOAP related
PHP Version: 7.1.10 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: kguest@php.net
New email:
PHP Version: OS:

 

 [2017-10-23 23:30 UTC] kguest@php.net 
Description:
------------
As per the spec,the SoapHeader actor attribute/parameter should be an URI/URL.

https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383499

There is no validation to ensure this is the case.

Test script:
---------------
<?php
$namespace = 'urn:Foo-BAR';
$soapVarHeader = "value";
$invalidURL = "http://127_0_0_1/next";
$soapHeader = new SoapHeader($namespace, "name", $soapVarHeader, false, $invalidURL);
var_dump ($soapHeader);
?>


Expected result:
----------------
var_dump should not execute. A warning should be raised/thrown.

Actual result:
--------------
var_dump displays the following. It shouldn't get that far.

class SoapHeader#1 (5) {
  public $namespace =>
  string(11) "urn:Foo-BAR"
  public $name =>
  string(4) "name"
  public $data =>
  string(5) "value"
  public $mustUnderstand =>
  bool(false)
  public $actor =>
  string(21) "http://127_0_0_1/next"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-23 14:53 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-03-23 14:53 UTC] cmb@php.net 
I can confirm the behavior.  However, it appears to be debatable
whether it's the responsibility of the user to pass an URI, or
whether SoapHeader::__construct() should reject anything else.
Obviously, the implementation is intentionally liberal[1], and
changing this might break some code.

IMO, we should primarily document this.

[1] <https://github.com/php/php-src/blob/php-7.4.16/ext/soap/soap.c#L841-L851>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 16:01:28 2024 UTC