Bug #49144 import of schema from different host transmits original authentication details
Submitted: 2009-08-03 16:32 UTC Modified: 2009-08-17 18:26 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david dot zuelke at bitextender dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5.3.0 OS: Mac OS X 10.5.7
Private report: No CVE-ID: None
 [2009-08-03 16:32 UTC] david dot zuelke at bitextender dot com
Description:
------------
Say I have a webservice at foo.com, described by http://foo.com/wsdl, 
and it's protected by HTTP Basic Authentication.

If this WSDL inside the XML Schema definitions imports another schema 
from a different host, then the HTTP Basic Authentication credentials 
will be transmitted to this host, too, resulting in the credentials 
being inadvertently leaked to a third party.

An example is the importing of W3C's XML schema located at 
http://www.w3.org/2001/xml.xsd

The original issue was reported on the soap@lists.php.net list and 
brought to internals@'s attention here: 
http://thread.gmane.org/gmane.comp.php.devel/58024

Reproduce code:
---------------
.phpt: http://pastie.org/569897


 [2009-08-17 18:23 UTC] svn@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=287425
Log: Fixed bug #49144 (import of schema from different host transmits original authentication details)
 [2009-08-17 18:26 UTC] dmitry@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-29 10:27 UTC] php dot net at bascht dot com
Is it possible that the Fix for #49144 introduces another problem, when the 
referenced XSD files have a port specified?

I'm not sure if I read the C code right, but it looks like PHP drops the auth 
credentials if the WSDL is at:

  http://foo.com/wsdl

and includes an XSD like:


  http://foo.com:80/example.xsd
                 ^

Can someone verify this?
 [2012-01-17 15:49 UTC] ramon at future500 dot nl
I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2

WSDL has:
schemaLocation="http://hostname.com:80/webservice?xsd=1"


        $options = array(
            'login'             => '_username',
            'password'          => '_password',
        );

This fails:
$soap = new SoapClient( 'http://hostname.com/webservice?wsdl', $options);

This works:
$soap = new SoapClient( 'http://hostname.com:80/webservice?wsdl', $options);
 [2012-01-17 16:53 UTC] php dot net at bascht dot com
I am not sure if someone will reopen this ticket, so maybe we just should file a 
new one and reference this fix.
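
Added example, not part of the bug report, its comments, or the PHP source: a small audit of a WSDL that lists every imported or included document and classifies it against the WSDL's own origin. It covers both the cross-host import from the original report and the explicit default port case reported in the later comments. The function names, verdict labels and sample WSDL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
XSD = "{http://www.w3.org/2001/XMLSchema}"
WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
# Elements that make a SOAP client fetch another document -> attribute with its URL.
REF_ATTRS = {XSD + "import": "schemaLocation", XSD + "include": "schemaLocation",
             WSDL + "import": "location"}

# Constructed sample: the hosts and paths mirror the ones used in the report.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types><xsd:schema>
    <xsd:import namespace="http://www.w3.org/XML/1998/namespace"
                schemaLocation="http://www.w3.org/2001/xml.xsd"/>
    <xsd:import schemaLocation="http://foo.com:80/example.xsd"/>
    <xsd:include schemaLocation="types.xsd"/>
  </xsd:schema></types>
</definitions>"""

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def audit_imports(wsdl_url, wsdl_xml):
    """Classify each document the WSDL pulls in, relative to wsdl_url."""
    base = origin(wsdl_url)
    base_netloc = urlsplit(wsdl_url).netloc.lower()
    findings = []
    # Use a hardened XML parser instead if the WSDL itself is untrusted.
    for elem in ET.fromstring(wsdl_xml).iter():
        attr = REF_ATTRS.get(elem.tag)
        if attr is None or attr not in elem.attrib:
            continue
        target = urljoin(wsdl_url, elem.attrib[attr])  # resolve relative locations
        if origin(target) != base:
            verdict = "cross-origin"            # HTTP auth must not follow this fetch
        elif urlsplit(target).netloc.lower() != base_netloc:
            verdict = "same-origin-port-spelling"  # same origin, host[:port] text differs
        else:
            verdict = "same-origin"
        findings.append((target, verdict))
    return findings

if __name__ == "__main__":
    for target, verdict in audit_imports("http://foo.com/wsdl", SAMPLE_WSDL):
        print(f"{verdict:28} {target}")
```

A `cross-origin` entry is a location that received the Basic Authentication header before the fix; a `same-origin-port-spelling` entry matches the pattern the 2011 and 2012 comments report as losing credentials after it.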
 
Last updated: Sun Oct 27 16:01:27 2024 UTC