php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22338 XML-RPC classes rely on $HTTP_RAW_POST_DATA
Submitted: 2003-02-20 15:19 UTC Modified: 2006-03-13 18:08 UTC
Votes:10
Avg. Score:4.6 ± 0.7
Reproduced:9 of 9 (100.0%)
Same Version:2 (22.2%)
Same OS:5 (55.6%)
From: stuart at gnqs dot org Assigned: ssb (profile)
Status: No Feedback Package: *General Issues
PHP Version: 4.3.0 OS: Windows XP
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: stuart at gnqs dot org
New email:
PHP Version: OS:

 

 [2003-02-20 15:19 UTC] stuart at gnqs dot org
Hi,

Just been looking at the XML-RPC classes in PEAR.  Granted, I haven't tried running the code, but from inspection it appears to rely on $HTTP_RAW_POST_DATA.  That particular variable doesn't exist if register_globals is set to 'off'.

The php://input stream has been around since PHP 3.x (according to the manual), and might be a more portable way of handling this.  Just tested this under PHP 4.3.0 with register_globals off, and (as expected) it worked fine.

Do any other classes in PEAR rely on $HTTP_RAW_POST_DATA?

Best regards,
Stu
--

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-04-26 18:21 UTC] philip@php.net
Actually, this variable is not affected by register_globals, it doesn't live in any superglobal.  It's its own variable.

AFAICT its created when either an unrecognized mime type is provided and/or the php directive always_populate_raw_post_data = on.

I tried to grasp it once but gave up, here are the related threads:
http://marc.theaimsgroup.com/?l=php-dev&m=103688014620968
http://marc.theaimsgroup.com/?l=php-dev&m=103709898507271

Maybe someone with a better understanding of HTTP can make sense of all this, sorry to get a little offtopic.

 [2003-04-27 04:20 UTC] stuart at gnqs dot org
Hi Philip,

A simple one-liner proves that $HTTP_RAW_POST_DATA doesn't exist when register_globals=off

<?php

echo $HTTP_RAW_POST_DATA

?>

On my PHP installation, that generates the error:

Notice: Undefined variable: HTTP_RAW_POST_DATA in c:\devel\htdocs\test.php on line 3

I'd never heard of a 'always_populate_raw_post_data' directive.  Wouldn't it be better to make the code work without having to set specific directives in php.ini files (not everyone has permissions to do this, y'know)?  If you use the php://input stream to get the data instead, this will work in every installation.

Best regards,
Stu
--
 [2003-04-27 04:56 UTC] mansion@php.net
I agree with that, the best way is to use php://input 
when $HTTP_RAW_POST_DATA is not set. 
This is how it's done in horde [1] and in a few other 
applications.
IMO, this should be changed in XMLRPC package but I 
don't know who is the maintainer of this package.


[1] http://cvs.horde.org/co.php/horde/rpc.php?r=1.14
 [2003-04-27 09:55 UTC] philip@php.net
This is not affected by register_globals and if it is then that's a bug in itself, it would have been a very recent change and a BC issue.  Are you saying it's defined with register_globals on and undefined when off, with this being the ONLY change?!!  I sincerly hope this isn't the case although if register_globals decides to register it even when no value exists that wouldn't be a _major_ deal, just silly.

Regarding php://input, this also has issues as AFAICT it didn't work for this with CGI before PHP 4.3.0.

The existence of this raw post information is pretty sketchy in PHP, I don't envy anyone writing scripts that rely on it.  Here's a quote from Hartmut who was working on fixing it (quoted from the above thread):

"from now on i declare it best practice to use php://input for 4.3 while $HTTP_RAW_POST_DATA is still available for BC reasons ... :)"

And lastly, the existence of this variable shouldn't rely on any directive as it's creation can be forced (bad mime...).   That always populate directive just makes it easier to deal with.  In conclusion, I believe a hack is required to check for and find this information in both locations.
 [2003-07-31 03:52 UTC] nicos@php.net
According to bertrand, here is a patch for that.

I need feedback from the maintainer before commiting it.

Index: Server.php
===================================================================
RCS file: /repository/pear/XML_RPC/Server.php,v
retrieving revision 1.2
diff -u -u -r1.2 Server.php
--- Server.php  28 Feb 2002 10:59:30 -0000      1.2
+++ Server.php  31 Jul 2003 08:52:13 -0000
@@ -221,8 +221,13 @@
         global $XML_RPC_err, $XML_RPC_str, $XML_RPC_errxml,
             $XML_RPC_defencoding, $XML_RPC_Server_dmap;

-        if ($data=="") {
-            $data=$HTTP_RAW_POST_DATA;
+               if (isset($HTTP_RAW_POST_DATA)) {
+                   $input = $HTTP_RAW_POST_DATA;
+               } else {
+                   $input = implode("\r\n", file('php://input'));
+               }
+        if (empty($data)) {
+            $data = $input;
         }
         $parser = xml_parser_create($XML_RPC_defencoding);

@@ -301,9 +306,13 @@

         // a debugging routine: just echos back the input
         // packet as a string value
-
+               if (isset($HTTP_RAW_POST_DATA)) {
+                   $input = $HTTP_RAW_POST_DATA;
+               } else {
+                   $input = implode("\r\n", file('php://input'));
+               }
         $r=new XML_RPC_Response;
-        $r->xv=new XML_RPC_Value( "'Aha said I: '" . $HTTP_RAW_POST_DATA, "string");
+        $r->xv=new XML_RPC_Value( "'Aha said I: '" . $input, "string");
         print $r->serialize();
   }
 }

 [2005-05-24 01:00 UTC] pear-dev at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-03-12 10:40 UTC] ifyoumind at yahoo dot com
Hi,

  Am trying to use NUSOAP and it requires HTTP_RAW_POST_DATA variable set. I have both the register_globals and always_populate_raw_post_data on but still it gives me an error HTTP_RAW_POST_DATA. I read quiet a lot of forum where almost in all places the question is clear and the answer still is murky. It doesn't make any sense when always_populate_raw_post_data turned on when I echo $HTTP_RAW_POST_DATA it actually gives me an error!
 [2006-03-13 18:08 UTC] jeichorn@php.net
You shouldn't use file/implode to read files, it uses tons of memory and you have better options.

In this case any version of php that has php://input has file_get_contents, so just use that.


 [2006-10-24 12:25 UTC] migelanca at yahoo dot com
When you ar using nuSoap is posible redirect the warning, only put the next line on the first line the server seb service>

error_reporting(E_ERROR | E_WARNING | E_PARSE);

With that line the error don't generate problems.
 [2007-03-30 10:45 UTC] mail2sen_vin at yahoo dot co dot in
HI ,

i m senthil

i had one error in php xmlrpc...

just i ran the server program..

but it shows error undefined variable $HTTP_RAW_POST_DATA...

even im set HTTP_RAW_POST_DATA its on in php.ini file

even though its shows same error ....


any solution for this please help me.......
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 08:01:27 2024 UTC