php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49144 import of schema from different host transmits original authentication details
Submitted: 2009-08-03 16:32 UTC Modified: 2009-08-17 18:26 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david dot zuelke at bitextender dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5.3.0 OS: Mac OS X 10.5.7
Private report: No CVE-ID:
 [2009-08-03 16:32 UTC] david dot zuelke at bitextender dot com
Description:
------------
Say I have a webservice at foo.com, described by http://foo.com/wsdl, 
and it's protected by HTTP Basic Authentication.

If this WSDL inside the XML Schema definitions imports another schema 
from a different host, then the HTTP Basic Authentication credentials 
will be transmitted to this host, too, resulting in the credentials 
being inadvertently leaked to a third party.

An example is the importing of W3C's XML schema located at 
http://www.w3.org/2001/xml.xsd

The original issue was reported on the soap@lists.php.net list and 
brought to internals@'s attention here: 
http://thread.gmane.org/gmane.comp.php.devel/58024

Reproduce code:
---------------
.phpt: http://pastie.org/569897


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-08-17 18:23 UTC] svn@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=287425
Log: Fixed bug #49144 (import of schema from different host transmits original authentication details)
 [2009-08-17 18:26 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-29 10:27 UTC] php dot net at bascht dot com
Is it possible that the Fix for #49144 introduces another problem, when the 
referenced XSD files have a port specified?

I'm not sure if I read the C code right, but it looks like PHP drops the auth 
credentials if the WSDL is at:

  http://foo.com/wsdl

and includes an XSD like:


  http://foo.com:80/example.xsd
                 ^

Can someone verify this?
 [2012-01-17 15:49 UTC] ramon at future500 dot nl
I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2

WSDL has:
schemaLocation="http://hostname.com:80/webservice?xsd=1"


        $options = array(
            'login'             => '_username',
            'password'          => '_password',
        );

This fails:
$soap = new SoapClient( 'http://hostname.com/webservice?wsdl', $options);

This works:
$soap = new SoapClient( 'http://hostname.com:80/webservice?wsdl', $options);
 [2012-01-17 16:53 UTC] php dot net at bascht dot com
I am not sure if someone will reopen this ticket, so maybe we just should file a 
new one and reference this fix.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 20:02:09 2014 UTC