Bug #49144 [Com]: import of schema from different host transmits original authentication details

2011-11-29 Thread php dot net at bascht dot com 
Edit report at https://bugs.php.net/bug.php?id=49144&edit=1

 ID: 49144
 Comment by:     php dot net at bascht dot com
 Reported by:david dot zuelke at bitextender dot com
 Summary:import of schema from different host transmits
 original authentication details
 Status: Closed
 Type:   Bug
 Package:SOAP related
 Operating System:   Mac OS X 10.5.7
 PHP Version:5.3.0
 Assigned To:dmitry
 Block user comment: N
 Private report: N

 New Comment:

Is it possible that the Fix for #49144 introduces another problem, when the 
referenced XSD files have a port specified?

I'm not sure if I read the C code right, but it looks like PHP drops the auth 
credentials if the WSDL is at:

  http://foo.com/wsdl

and includes an XSD like:


  http://foo.com:80/example.xsd
 ^

Can someone verify this?


Previous Comments:

[2009-08-17 18:26:29] dmi...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




[2009-08-17 18:23:49] s...@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=287425
Log: Fixed bug #49144 (import of schema from different host transmits original 
authentication details)


[2009-08-03 16:32:54] david dot zuelke at bitextender dot com

Description:

Say I have a webservice at foo.com, described by http://foo.com/wsdl, 
and it's protected by HTTP Basic Authentication.

If this WSDL inside the XML Schema definitions imports another schema 
from a different host, then the HTTP Basic Authentication credentials 
will be transmitted to this host, too, resulting in the credentials 
being inadvertently leaked to a third party.

An example is the importing of W3C's XML schema located at 
http://www.w3.org/2001/xml.xsd

The original issue was reported on the s...@lists.php.net list and 
brought to internals@'s attention here: 
http://thread.gmane.org/gmane.comp.php.devel/58024

Reproduce code:
---
.phpt: http://pastie.org/569897







-- 
Edit this bug report at https://bugs.php.net/bug.php?id=49144&edit=1

Bug #49144 [Com]: import of schema from different host transmits original authentication details

2012-01-17 Thread php dot net at bascht dot com 
Edit report at https://bugs.php.net/bug.php?id=49144&edit=1

 ID: 49144
 Comment by:     php dot net at bascht dot com
 Reported by:david dot zuelke at bitextender dot com
 Summary:import of schema from different host transmits
 original authentication details
 Status: Closed
 Type:   Bug
 Package:SOAP related
 Operating System:   Mac OS X 10.5.7
 PHP Version:5.3.0
 Assigned To:dmitry
 Block user comment: N
 Private report: N

 New Comment:

I am not sure if someone will reopen this ticket, so maybe we just should file 
a 
new one and reference this fix.


Previous Comments:

[2012-01-17 15:49:40] ramon at future500 dot nl

I can confirm this issue with PHP 5.3.8 on Mac OSX 10.7.2

WSDL has:
schemaLocation="http://hostname.com:80/webservice?xsd=1";


$options = array(
'login' => '_username',
'password'  => '_password',
);

This fails:
$soap = new SoapClient( 'http://hostname.com/webservice?wsdl', $options);

This works:
$soap = new SoapClient( 'http://hostname.com:80/webservice?wsdl', $options);

----------------------------
[2011-11-29 10:27:37] php dot net at bascht dot com

Is it possible that the Fix for #49144 introduces another problem, when the 
referenced XSD files have a port specified?

I'm not sure if I read the C code right, but it looks like PHP drops the auth 
credentials if the WSDL is at:

  http://foo.com/wsdl

and includes an XSD like:


  http://foo.com:80/example.xsd
 ^

Can someone verify this?


[2009-08-17 18:26:29] dmi...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




[2009-08-17 18:23:49] s...@php.net

Automatic comment from SVN on behalf of dmitry
Revision: http://svn.php.net/viewvc/?view=revision&revision=287425
Log: Fixed bug #49144 (import of schema from different host transmits original 
authentication details)


[2009-08-03 16:32:54] david dot zuelke at bitextender dot com

Description:

Say I have a webservice at foo.com, described by http://foo.com/wsdl, 
and it's protected by HTTP Basic Authentication.

If this WSDL inside the XML Schema definitions imports another schema 
from a different host, then the HTTP Basic Authentication credentials 
will be transmitted to this host, too, resulting in the credentials 
being inadvertently leaked to a third party.

An example is the importing of W3C's XML schema located at 
http://www.w3.org/2001/xml.xsd

The original issue was reported on the s...@lists.php.net list and 
brought to internals@'s attention here: 
http://thread.gmane.org/gmane.comp.php.devel/58024

Reproduce code:
---
.phpt: http://pastie.org/569897







-- 
Edit this bug report at https://bugs.php.net/bug.php?id=49144&edit=1