Bug #45966 SoapServer does not report WSDL validation errors
Submitted: 2008-09-01 17:24 UTC Modified: 2010-09-20 17:19 UTC
Votes:57
Avg. Score:4.6 ± 0.7
Reproduced:55 of 55 (100.0%)
Same Version:20 (36.4%)
Same OS:34 (61.8%)
From: chammers at netcologne dot de Assigned:
Status: Re-Opened Package: SOAP related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID:

 [2008-09-01 17:24 UTC] chammers at netcologne dot de
Description:
------------
When receiving a SOAP request, SoapServer does not properly validate if it matches the given WSDL. 

Invalid elements are simply suppressed and not passed through to the called function.

I would expect the SoapServer->handler() to raise an Exception so that the program can decide if it terminates or goes ahead with all parameters it can get.

bye,

-christian-

Reproduce code:
---------------
<?php
ini_set("soap.wsdl_cache_enabled", "0");

class DummyClass {
    public function __call($name, $arguments) {
        fprintf(STDERR, "Method $name was called with ".var_export($arguments, 1)."\n");
    }
}

$HTTP_RAW_POST_DATA = <<<EOF
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope 
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:ns1="http://www.foo.de/services/exampleService">
<SOAP-ENV:Body>
    <ns1:exampleRequest>
        <aaaa>1000</aaaa>
        <bbb>815</bbb>
    </ns1:exampleRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>


EOF;

$server = new SoapServer("chammers.wsdl");
$server->setClass('DummyClass');
$server->handle($HTTP_RAW_POST_DATA);
########################################################################



And the WSDL (here "chammers.wsdl"):

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:tns="http://www.foo.de/services/exampleService"
    targetNamespace="http://www.foo.de/services/exampleService">
    
    <!-- ==== TYPES ==== -->
    <wsdl:types>
        <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
                    targetNamespace="http://www.foo.de/services/exampleService">
            <xsd:element name="exampleRequest">
                <xsd:complexType>
                    <xsd:sequence>
                        <xsd:element name="aaa" type="xsd:int"/>
                        <xsd:element name="bbb" type="xsd:int"/>
                    </xsd:sequence>
                </xsd:complexType>
            </xsd:element>
        </xsd:schema>
    </wsdl:types>   
    
    <!-- ==== MESSAGE ==== -->
    <wsdl:message name="exampleRequestMessage">
        <wsdl:part name="body" element="tns:exampleRequest"/>
    </wsdl:message>
    
    <!-- ==== PORTTYPE ==== -->
    <wsdl:portType name="examplePortType">
        <wsdl:operation name="example">            
            <wsdl:input message="tns:exampleRequestMessage"/>
        </wsdl:operation>
    </wsdl:portType>
    
    <!-- ==== BINDING ==== -->
    <wsdl:binding name="exampleBinding" type="tns:examplePortType">
        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
        <wsdl:operation name="example">
            <soap:operation soapAction="http://soap.foo.de/services/example"/>
            <wsdl:input>
                <soap:body use="literal" />
            </wsdl:input>       
        </wsdl:operation>
    </wsdl:binding>
    
    <!-- ==== SERVICE ==== -->
    <wsdl:service name="exampleServices">
        <wsdl:port name="examplePortType" binding="tns:exampleBinding">
            <soap:address location="http://localhost:4080/services/exampleServices"/>
        </wsdl:port>
    </wsdl:service>
        
</wsdl:definitions>





Expected result:
----------------
As the request parameter "aaa" has a typo and is actually written as "aaaa" I would expect an Exception or at least some kind of warning.



Actual result:
--------------
... but the handler class just gets the "bbb" parameter:


$ php chammers.php 
Method example was called with array (
  0 => 
  stdClass::__set_state(array(
     'bbb' => 815,
  )),
)


 [2009-04-25 16:24 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2009-05-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2010-07-05 07:26 UTC] ccorliss at gmail dot com
Despite the comment below, this issue is still not fixed in 5.3.2. Missing required elements are quietly skipped.
 [2010-09-20 16:14 UTC] wim at godden dot net
The problem (which still exists in 5.3.3) is a little worse than thought: the SoapServer doesn't mention invalid elements (elements that basically shouldn't be there), it also doesn't complain about missing elements.
Basically, it seems there's no decent validation code in the PHP SoapServer. Is this something on the roadmap?
 [2010-09-20 17:19 UTC] ch@php.net
-Status: No Feedback +Status: Re-Opened
 [2010-09-20 17:19 UTC] ch@php.net
I feel free to re-open this bug, as other users reported that it is still valid in the latest version.
 [2011-09-19 15:50 UTC] thomasf1021 at hotmail dot com
Also a problem in 5.3.6
 [2013-03-11 07:57 UTC] lw200552+php at googlemail dot com
And it's still there in 2013.
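
A workaround for the behaviour reported in this thread, added here as an example and not code from the reporter or the PHP project: validate the request payload against the WSDL's XSD with ext-dom before calling SoapServer::handle(), so that unexpected and missing elements are rejected instead of silently dropped. The function name validateSoapBody, the constants and the sample requests are assumptions made for this example; it needs PHP 7.4+ with the dom extension.

```php
<?php
// Added example: validate the SOAP body against the XSD before SoapServer::handle().
// $xsd is the <xsd:schema> block from the report's WSDL, copied out as a string.
const SOAP_ENV = 'http://schemas.xmlsoap.org/soap/envelope/';
const SVC_NS = 'http://www.foo.de/services/exampleService';
$xsd = '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="' . SVC_NS . '">
  <xsd:element name="exampleRequest"><xsd:complexType><xsd:sequence>
    <xsd:element name="aaa" type="xsd:int"/>
    <xsd:element name="bbb" type="xsd:int"/>
  </xsd:sequence></xsd:complexType></xsd:element>
</xsd:schema>';

/** Returns schema violations for the first child of SOAP Body; empty array = valid. */
function validateSoapBody(string $raw, string $xsd): array
{
    $prev = libxml_use_internal_errors(true);   // collect errors instead of warnings
    try {
        $req = new DOMDocument();
        if (!$req->loadXML($raw, LIBXML_NONET)) {   // no network access while parsing
            return ['request is not well-formed XML'];
        }
        $xp = new DOMXPath($req);
        $xp->registerNamespace('s', SOAP_ENV);
        $payload = $xp->query('/s:Envelope/s:Body/*')->item(0);
        if ($payload === null) {
            return ['SOAP Body has no payload element'];
        }
        $doc = new DOMDocument();   // validate the payload alone, not the envelope
        $doc->appendChild($doc->importNode($payload, true));
        libxml_clear_errors();
        $doc->schemaValidateSource($xsd);
        return array_map(fn($e) => trim($e->message), libxml_get_errors());
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
    }
}

// Constructed sample requests: the report's typo, a missing element, and a valid call.
$samples = [
    'typo (aaaa)' => '<aaaa>1000</aaaa><bbb>815</bbb>',
    'missing aaa' => '<bbb>815</bbb>',
    'valid'       => '<aaa>1000</aaa><bbb>815</bbb>',
];
foreach ($samples as $label => $inner) {
    $raw = '<e:Envelope xmlns:e="' . SOAP_ENV . '" xmlns:ns1="' . SVC_NS . '"><e:Body>'
         . "<ns1:exampleRequest>$inner</ns1:exampleRequest></e:Body></e:Envelope>";
    $errs = validateSoapBody($raw, $xsd);
    echo $label, ': ', $errs ? implode(' | ', $errs) : 'OK', PHP_EOL;
}
```

In the endpoint itself, call `$server->fault('Client', implode('; ', $errs))` when the returned list is non-empty and `$server->handle($raw)` otherwise, so the handler class never sees a request that the schema would have rejected.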
 
Last updated: Wed Apr 16 13:02:46 2014 UTC