|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49144 import of schema from different host transmits original authentication details
Submitted: 2009-08-03 16:32 UTC Modified: 2009-08-17 18:26 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david dot zuelke at bitextender dot com Assigned: dmitry (profile)
Status: Closed Package: SOAP related
PHP Version: 5.3.0 OS: Mac OS X 10.5.7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
39 + 33 = ?
Subscribe to this entry?

 [2009-08-03 16:32 UTC] david dot zuelke at bitextender dot com
Say I have a webservice at, described by, 
and it's protected by HTTP Basic Authentication.

If this WSDL inside the XML Schema definitions imports another schema 
from a different host, then the HTTP Basic Authentication credentials 
will be transmitted to this host, too, resulting in the credentials 
being inadvertently leaked to a third party.

An example is the importing of W3C's XML schema located at

The original issue was reported on the list and 
brought to internals@'s attention here:

Reproduce code:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-08-17 18:23 UTC]
Automatic comment from SVN on behalf of dmitry
Log: Fixed bug #49144 (import of schema from different host transmits original authentication details)
 [2009-08-17 18:26 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2011-11-29 10:27 UTC] php dot net at bascht dot com
Is it possible that the Fix for #49144 introduces another problem, when the 
referenced XSD files have a port specified?

I'm not sure if I read the C code right, but it looks like PHP drops the auth 
credentials if the WSDL is at:

and includes an XSD like:

Can someone verify this?
 [2012-01-17 15:49 UTC] ramon at future500 dot nl
I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2

WSDL has:

        $options = array(
            'login'             => '_username',
            'password'          => '_password',

This fails:
$soap = new SoapClient( '', $options);

This works:
$soap = new SoapClient( '', $options);
 [2012-01-17 16:53 UTC] php dot net at bascht dot com
I am not sure if someone will reopen this ticket, so maybe we just should file a 
new one and reference this fix.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 19:01:28 2024 UTC