|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #75421 Invalid values accepted for the SoapHeader actor parameter.
Submitted: 2017-10-23 23:30 UTC Modified: 2021-03-23 14:53 UTC
From: Assigned:
Status: Open Package: SOAP related
PHP Version: 7.1.10 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2017-10-23 23:30 UTC]
As per the spec,the SoapHeader actor attribute/parameter should be an URI/URL.

There is no validation to ensure this is the case.

Test script:
$namespace = 'urn:Foo-BAR';
$soapVarHeader = "value";
$invalidURL = "http://127_0_0_1/next";
$soapHeader = new SoapHeader($namespace, "name", $soapVarHeader, false, $invalidURL);
var_dump ($soapHeader);

Expected result:
var_dump should not execute. A warning should be raised/thrown.

Actual result:
var_dump displays the following. It shouldn't get that far.

class SoapHeader#1 (5) {
  public $namespace =>
  string(11) "urn:Foo-BAR"
  public $name =>
  string(4) "name"
  public $data =>
  string(5) "value"
  public $mustUnderstand =>
  public $actor =>
  string(21) "http://127_0_0_1/next"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-23 14:53 UTC]
-Type: Bug +Type: Documentation Problem
 [2021-03-23 14:53 UTC]
I can confirm the behavior.  However, it appears to be debatable
whether it's the responsibility of the user to pass an URI, or
whether SoapHeader::__construct() should reject anything else.
Obviously, the implementation is intentionally liberal[1], and
changing this might break some code.

IMO, we should primarily document this.

[1] <>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 04:01:29 2024 UTC