This sounds like a serious issue, but I'm not sure if it's in libxml or in ext/soap. Will have a look later; but maybe Dmitry or someone else knows off the top of their heads?

- David

Begin forwarded message:

From: Davide Romanini <>
Date: 30. Juni 2009 11:49:30 MESZ
Subject: [SOAP] SOAPClient authentication problem


Today I found a nasty problem with a simple php SOAP client. Never had
problems before, but today I have the following error at SOAPClient
constructor line:

SoapClient::SoapClient( failed to open
stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The source is as simple as:

$client = new SoapClient("";,
                        array( 'trace' => TRUE,

It seems that the php xml parser tries to fetch the url at wsdl parsing time. Sniffing the
network operations I found that php uses my login and password (for the
web service) also to access external references! :-O

GET /2001/xml.xsd HTTP/1.0
Authorization: Basic bXlsb2dpbjpzZWNyZXQ=

In the past probably just ignored the issue, but now I receive an
HTTP 401 Unauthorized error in response...

In any case it is a serious security issue if SOAPClient sends password
around the web, when the intent is that they are used only for the web
service host!

I tried the following PHP versions:

PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
   with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
Zend Technologies
   with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies


PHP Soap Mailing List (
To unsubscribe, visit:

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to