Newsgroups: php.internals
Message-ID: <05.22.65216.D7D6C4A4@pb1.pair.com>
To: internals@lists.php.net
Date: Thu, 02 Jul 2009 10:19:03 +0200
Reply-To: davide.romanini@gmail.com
Organization: CINECA
Subject: SOAPClient authentication problem
From: davide.romanini@gmail.com (Davide Romanini)

I sent this message to the php.soap newsgroup, but no one answered me.

Today I found a nasty problem with a simple PHP SOAP client. I never had problems before, but today I get the following error at the SOAPClient constructor line:

    SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The source is as simple as:

    $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
        array(
            'trace'    => TRUE,
            'login'    => 'mylogin',
            'password' => 'secret'
        )
    );

It seems that the PHP XML parser tries to fetch the URL http://www.w3.org/2001/xml.xsd at WSDL parsing time. Sniffing the network operations, I found that PHP uses my login and password (for the web service) also to access external references! :-O

    GET /2001/xml.xsd HTTP/1.0
    Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
    Host: www.w3.org

In the past w3.org probably just ignored the issue, but now I receive an HTTP 401 Unauthorized error in response... In any case, it is a serious security issue if SOAPClient sends passwords around the web, when the intent is that they are used only for the web service host!

I tried the following PHP versions:

    PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
    Copyright (c) 1997-2007 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

    PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
    Copyright (c) 1997-2008 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
        with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
        with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
        with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies

Regards,
Davide
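
As an added example (not part of the original message and not PHP's ext/soap code), the script below lists the xsd:import, xsd:include and wsdl:import targets of a WSDL and marks those that sit on a different origin from the service, which are the requests on which the message reports the Basic credentials being sent. The WSDL fragment and the function names origin() and audit_wsdl() are constructed for illustration; PHP 7.1 or later with the DOM extension is assumed.

```php
<?php
// Added example, not ext/soap code: audit which WSDL references leave the service origin.
// Normalise a URL to scheme://host:port; null when it has no host (relative reference).
function origin(string $url, string $fallbackScheme = 'http'): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme'] ?? $fallbackScheme);
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// Map each import/include target to true when it stays on the service origin.
function audit_wsdl(string $wsdlXml, string $serviceUrl): array
{
    $doc = new DOMDocument();
    $doc->loadXML($wsdlXml, LIBXML_NONET); // parse only, never fetch
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('wsdl', 'http://schemas.xmlsoap.org/wsdl/');
    $xp->registerNamespace('xsd', 'http://www.w3.org/2001/XMLSchema');
    $service = origin($serviceUrl);
    $scheme = parse_url($serviceUrl, PHP_URL_SCHEME) ?: 'http';
    $result = [];
    $q = '//xsd:import/@schemaLocation | //xsd:include/@schemaLocation | //wsdl:import/@location';
    foreach ($xp->query($q) as $attr) {
        $ref = origin($attr->value, $scheme);
        // A relative reference resolves against the WSDL URL, so it stays on-origin.
        $result[$attr->value] = ($ref === null) || ($ref === $service);
    }
    return $result;
}

// Constructed WSDL fragment; the two hosts are the ones named in the message.
$wsdl = <<<'XML'
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types>
    <xsd:schema>
      <xsd:import schemaLocation="http://www.w3.org/2001/xml.xsd"/>
      <xsd:include schemaLocation="types.xsd"/>
    </xsd:schema>
  </types>
</definitions>
XML;
foreach (audit_wsdl($wsdl, 'http://my.host.com/my_web_service?wsdl') as $ref => $same) {
    echo ($same ? 'same origin      ' : 'OFF-ORIGIN fetch ') . $ref . "\n";
}
```

Any reference reported as off-origin is a request that should carry no Authorization header; running the audit on a locally saved copy of the WSDL shows them before credentials are ever configured on the client.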