php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #75421 Invalid values accepted for the SoapHeader actor parameter.
Submitted: 2017-10-23 23:30 UTC Modified: 2021-03-23 14:53 UTC
From: kguest@php.net Assigned:
Status: Open Package: SOAP related
PHP Version: 7.1.10 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2017-10-23 23:30 UTC] kguest@php.net 
Description:
------------
As per the spec,the SoapHeader actor attribute/parameter should be an URI/URL.

https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383499

There is no validation to ensure this is the case.

Test script:
---------------
<?php
$namespace = 'urn:Foo-BAR';
$soapVarHeader = "value";
$invalidURL = "http://127_0_0_1/next";
$soapHeader = new SoapHeader($namespace, "name", $soapVarHeader, false, $invalidURL);
var_dump ($soapHeader);
?>


Expected result:
----------------
var_dump should not execute. A warning should be raised/thrown.

Actual result:
--------------
var_dump displays the following. It shouldn't get that far.

class SoapHeader#1 (5) {
  public $namespace =>
  string(11) "urn:Foo-BAR"
  public $name =>
  string(4) "name"
  public $data =>
  string(5) "value"
  public $mustUnderstand =>
  bool(false)
  public $actor =>
  string(21) "http://127_0_0_1/next"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-23 14:53 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-03-23 14:53 UTC] cmb@php.net 
I can confirm the behavior.  However, it appears to be debatable
whether it's the responsibility of the user to pass an URI, or
whether SoapHeader::__construct() should reject anything else.
Obviously, the implementation is intentionally liberal[1], and
changing this might break some code.

IMO, we should primarily document this.

[1] <https://github.com/php/php-src/blob/php-7.4.16/ext/soap/soap.c#L841-L851>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 12:01:31 2024 UTC