Say I have a webservice at foo.com, described by http://foo.com/wsdl,
and it's protected by HTTP Basic Authentication.
If this WSDL, inside its XML Schema definitions, imports another schema
from a different host, then the HTTP Basic Authentication credentials
will be transmitted to this host, too, resulting in the credentials
being inadvertently leaked to a third party.
An example is the importing of W3C's XML schema located at
The original issue was reported on the email@example.com list and
brought to internals@'s attention here:
Automatic comment from SVN on behalf of dmitry
Log: Fixed bug #49144 (import of schema from different host transmits original authentication details)
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
Is it possible that the fix for #49144 introduces another problem when the
referenced XSD files have a port specified?
I'm not sure if I read the C code right, but it looks like PHP drops the auth
credentials if the WSDL is at:
and includes an XSD like:
Can someone verify this?
I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2.
$options = array(
    'login'    => '_username',
    'password' => '_password',
);
// WSDL URL without an explicit port
$soap = new SoapClient('http://hostname.com/webservice?wsdl', $options);
// Same WSDL URL with the port given explicitly
$soap = new SoapClient('http://hostname.com:80/webservice?wsdl', $options);
I am not sure if someone will reopen this ticket, so maybe we should just file a
new one and reference this fix.
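
The check at issue in this thread, as an added example that is not part of the bug report, the comments, or PHP's own source: a client decides whether Basic credentials configured for a WSDL may be reused for a schema it imports, treating an omitted port and the scheme's default port as the same origin. The function names and the hostnames are assumptions made for illustration (PHP 7.1+).

```php
<?php
// Added example: should credentials set for the WSDL accompany an import fetch?
// Relative schemaLocation values must be resolved to absolute URLs before this check.
const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

// Reduce a URL to scheme, host and effective port; null if not an absolute http(s) URL.
function origin_of(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!isset(DEFAULT_PORTS[$scheme])) {
        return null;
    }
    return [
        'scheme' => $scheme,
        'host'   => strtolower($p['host']),
        'port'   => $p['port'] ?? DEFAULT_PORTS[$scheme], // ":80" and no port compare equal for http
    ];
}

// True only when both URLs share scheme, host and effective port.
function may_forward_credentials(string $wsdlUrl, string $importUrl): bool
{
    $a = origin_of($wsdlUrl);
    $b = origin_of($importUrl);
    // Fail closed: a URL that cannot be parsed never receives credentials.
    return $a !== null && $b !== null && $a === $b;
}

// Constructed sample inputs.
$wsdl  = 'http://hostname.com/webservice?wsdl';
$cases = [
    'http://hostname.com/schema/types.xsd',      // same origin
    'http://hostname.com:80/schema/types.xsd',   // same origin, explicit default port
    'http://hostname.com:8080/schema/types.xsd', // different port
    'https://hostname.com/schema/types.xsd',     // different scheme (strict choice)
    'http://other.example/schema/types.xsd',     // different host
];
foreach ($cases as $url) {
    $verdict = may_forward_credentials($wsdl, $url) ? 'send credentials' : 'omit credentials';
    printf("%-44s %s\n", $url, $verdict);
}
```

Only the first two imports receive credentials; the other three are fetched without them.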