Edit report at https://bugs.php.net/bug.php?id=49144&edit=1
ID: 49144
Comment by: ramon at future500 dot nl
Reported by: david dot zuelke at bitextender dot com
Summary: import of schema from different host transmits
original authentication details
Status: Closed
Type: Bug
Package: SOAP related
Operating System: Mac OS X 10.5.7
PHP Version: 5.3.0
Assigned To: dmitry
Block user comment: N
Private report: N
New Comment:
I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2
WSDL has:
schemaLocation="http://hostname.com:80/webservice?xsd=1";
$options = array(
'login' => '_username',
'password' => '_password',
);
This fails:
$soap = new SoapClient( 'http://hostname.com/webservice?wsdl', $options);
This works:
$soap = new SoapClient( 'http://hostname.com:80/webservice?wsdl', $options);
Previous Comments:
------------------------------------------------------------------------
[2011-11-29 10:27:37] php dot net at bascht dot com
Is it possible that the Fix for #49144 introduces another problem, when the
referenced XSD files have a port specified?
I'm not sure if I read the C code right, but it looks like PHP drops the auth
credentials if the WSDL is at:
http://foo.com/wsdl
and includes an XSD like:
http://foo.com:80/example.xsd
^
Can someone verify this?
------------------------------------------------------------------------
[2009-08-17 18:26:29] dmi...@php.net
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2009-08-17 18:23:49] s...@php.net
Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=287425
Log: Fixed bug #49144 (import of schema from different host transmits original
authentication details)
------------------------------------------------------------------------
[2009-08-03 16:32:54] david dot zuelke at bitextender dot com
Description:
------------
Say I have a webservice at foo.com, described by http://foo.com/wsdl,
and it's protected by HTTP Basic Authentication.
If this WSDL inside the XML Schema definitions imports another schema
from a different host, then the HTTP Basic Authentication credentials
will be transmitted to this host, too, resulting in the credentials
being inadvertently leaked to a third party.
An example is the importing of W3C's XML schema located at
http://www.w3.org/2001/xml.xsd
The original issue was reported on the s...@lists.php.net list and
brought to internals@'s attention here:
http://thread.gmane.org/gmane.comp.php.devel/58024
Reproduce code:
---------------
.phpt: http://pastie.org/569897
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=49144&edit=1
