Bug #42214 SoapServer sends clients internal PHP errors
Submitted: 2007-08-05 21:58 UTC Modified: 2007-09-05 11:23 UTC
Votes:3
Avg. Score:5.0 ± 0.0
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: stuart dot caie at gmail dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5.2.4RC1 OS: Ubuntu
Private report: No CVE-ID:
 [2007-08-05 21:58 UTC] stuart dot caie at gmail dot com
Description:
------------
When presenting a SOAP API to the general public, I do not want the text of PHP errors to be sent down the wire as "SOAP-ENV:Server" faults. It's just as embarrassing and as much of a security risk as having the display_errors INI option turned on - it could reveal exploitable private implementation details to hostile users.

I would like to catch all PHP errors, log them and instead send the user a custom SOAP fault which gives them a unique error ID to report (which matches with my log), but does not reveal the actual PHP error message.

However,

1. use_soap_error_handler() does nothing. Set it to true, it sends out SOAP-ENV:Server faults with the PHP error message. Set it to false, it still sends out SOAP-ENV:Server faults with the PHP error message.


2. User-defined error handlers can't catch E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING, and most of E_STRICT. Other scripting languages such as Perl (via $SIG{__DIE__}) or Ruby (via begin/rescue) let user code catch fatal errors; PHP comes up short.

I'd like you to allow PHP to catch fatal errors in the user defined error handler. If you won't fix that, please add some kind of kludge to SoapServer so that it doesn't reveal the text of PHP errors to clients.

Reproduce code:
---------------
<?php // server.php
class test {
    function test() { obvious_error(); } // deliberately calls an undefined function to trigger a fatal error
}
function error_handler($level, $error, $file, $line, $context) {
    global $server; // without this, $server is an unset local and the custom fault is never sent
    $ticket = date('YmdHis-') . $_SERVER['REMOTE_ADDR'];
    if ($fh = fopen('/tmp/soap_error_log', 'a')) {
        fwrite($fh, "[$ticket] $level: $error at $file line $line\n");
        fclose($fh);
    }
    if (isset($server)) $server->fault('error', "report \"$ticket\" to support");
}
set_error_handler('error_handler');
use_soap_error_handler(false); // has no visible effect, see point 1 above
$server = new SoapServer(NULL, array('uri' => 'http://localhost/server.php'));
$server->setClass('test');
$server->handle();
?>

<?php // client.php
$client = new SoapClient(NULL, array('uri' => 'http://localhost/server.php', 'location' => 'http://localhost/server.php'));
$client->test();
?>



Expected result:
----------------
client.php: Uncaught SoapFault exception: [error] report "<unique id>" to support

server.php: entry in /tmp/soap_error_log reading:
[<unique id>] 1: Call to undefined function obvious_error() in server.php line 4


Actual result:
--------------
client.php: Uncaught SoapFault exception: [SOAP-ENV:Server] Call to undefined function obvious_error()

server.php: no entry in /tmp/soap_error_log.


 [2007-08-31 12:44 UTC] dmitry@php.net
PHP is not able to execute user-code after a fatal error.
The only thing I can do with this is provide a special SoapServer option to hide error messages. In this case it will always send "[SOAP-ENV:Server] Internal error".

Do you like such a solution?
 [2007-08-31 15:11 UTC] stuart dot caie at gmail dot com
Yes, I would like the soap extension to let me hide fatal error messages. Please add that option, either in code or in the php.ini.


I still think PHP itself needs to be fixed so it can continue running user code after a fatal error. However, that is a bigger change and less likely to be done. I'll look to see if such a bug is already raised, otherwise I'll raise that as another bug.

Thanks
Stuart
 [2007-09-03 10:56 UTC] jani@php.net
Usually when PHP hits a fatal error (that means _FATAL_ :) it's in such a state that continuing the script run would cause e.g. a crash, or the engine is about to blow up in some other way. Don't bother submitting a bug report about that, it will not change. (I think there's already one about it too..)

Assigned back to Dmitry.
 [2007-09-05 11:23 UTC] dmitry@php.net
Fixed in CVS HEAD and PHP_5_2.
Now you can disable sending errors back to the client.

$server = new SoapServer(NULL, 
    array('uri' => 'http://localhost/server.php',
          'send_errors' => false));

 [2010-07-11 23:55 UTC] webmaster at guestwho dot com
Is it at least possible to add the filename and error number to error messages? I often run into "call to member function on non-object" and I have a dozen possible classes that this could occur in. The SoapFault generated by PHP contains neither the filename nor the line number, so I'm flying blind (no way to debug PHP fatal errors that happen during a SOAP call).
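As an added example (not code from this report or from the PHP project), the server below combines the 'send_errors' option Dmitry added with server-side logging that records file and line for both catchable and fatal errors, which is also what the last comment asks for. It goes beyond the report in using register_shutdown_function() and error_get_last() to capture fatal errors; the Api class, the ticket format and the use of /tmp/soap_error_log are constructed for the example and assume PHP 5.2.4+ error semantics (undefined function is a fatal E_ERROR).

```php
<?php // hardened_server.php: added example, not code from the bug report
// Assumes PHP 5.2.4+ semantics (undefined function = fatal E_ERROR) and a writable log path.
define('SOAP_ERROR_LOG', '/tmp/soap_error_log'); // log path taken from the report
define('SOAP_URI', 'http://localhost/server.php'); // URI taken from the report

// One opaque ticket per request: it is the only thing a client ever learns about an error.
$ticket = date('YmdHis') . '-' . uniqid();

// Server-side log keeps the details (message, file, line) that must never reach the client.
function log_soap_error($ticket, $level, $message, $file, $line) {
    error_log("[$ticket] level $level: $message in $file line $line\n", 3, SOAP_ERROR_LOG);
}

// Catchable errors (warnings, notices, E_USER_*) become a generic fault carrying only the ticket.
function soap_error_handler($level, $message, $file, $line) {
    global $ticket;
    log_soap_error($ticket, $level, $message, $file, $line);
    // A SoapFault thrown inside the service method is returned to the client by handle().
    throw new SoapFault('Server', "Internal error; quote ticket \"$ticket\" to support");
}
set_error_handler('soap_error_handler');

// Fatal errors never reach set_error_handler(), but the shutdown function still runs,
// so error_get_last() lets us log file and line under the same ticket.
function soap_shutdown() {
    global $ticket;
    $e = error_get_last();
    if ($e !== null && ($e['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        log_soap_error($ticket, $e['type'], $e['message'], $e['file'], $e['line']);
    }
}
register_shutdown_function('soap_shutdown');

class Api { // constructed service used to exercise both paths
    public function ping() { return 'pong'; }
    public function warn() { trigger_error('constructed warning', E_USER_WARNING); return 'unreached'; }
    public function boom() { obvious_error(); } // undefined function: fatal, logged by soap_shutdown()
}

// 'send_errors' => false is the option added for this bug: fatal errors are reported to the
// client only as "[SOAP-ENV:Server] Internal error", never with the PHP message text.
$server = new SoapServer(NULL, array('uri' => SOAP_URI, 'send_errors' => false));
$server->setClass('Api');
$server->handle();
```

For a fatal error the generic fault has already been sent by the time the shutdown function runs, so the client does not receive the ticket in that case; the timestamp in the log entry is what to correlate with the client's report.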
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 22:02:05 2014 UTC