ID:               39493
 User updated by:  RQuadling at GMail dot com
 Reported By:      RQuadling at GMail dot com
 Status:           Bogus
 Bug Type:         SimpleXML related
 Operating System: Windows XP SP2
 PHP Version:      5CVS-2006-11-13 (snap)
 New Comment:

What about open_basedir, and other file access restrictions?

Is it possible that all the security used within PHP can be bypassed
using this library?

A potential security risk surely!

But, as you mentioned libxml, this can be solved by using
libxml_set_streams_context.

So, whereas I've got ...
$r_default_context = stream_context_get_default
        (
        array
                (
                'http' => array
                        (
                        'proxy' => 'tcp://127.0.0.1:8080',
                        'request_fulluri' => True,
                        ),
                )
        );

I can add ...

libxml_set_streams_context($r_default_context);

I think.

Testing ...

Yep!

I'll be adding a user note relating to this as it stumped me!

Thanks for the help.

Maybe, with Windows being used more and more for PHP, this should be a
documentation issue?


Previous Comments:
------------------------------------------------------------------------

[2006-11-13 10:29:27] [EMAIL PROTECTED]

simplexml_load_file() is just a wrapper for libxml2 functions, which
apparently know nothing about stream context etc.


------------------------------------------------------------------------

[2006-11-13 10:14:54] RQuadling at GMail dot com

Description:
------------
I'm behind a MS ISA server using NTLM Authentication which is
unsupported by PHP.

To allow PHP through, I use Python and the NTLM Authentication Proxy
Server (further details for this at http://rquadling.php1h.com).

I then use an auto_prepend_file entry to include a default context
assignment to route http traffic to my proxy.

This works fine for both CLI and ISAPI operations.

The simplexml_load_file() function does not have a context facility. It
also does not use the same mechanism to get data OR it is ignoring the
default context setup.

The example code is just to show the error.

If you are NOT using contexts or you have direct access to the
outside world, then you will not see the problem.

My NTLM APS logs do not show 2 requests to the external data. Only 1 -
the file_get_contents() call.



Reproduce code:
---------------
<?php
// Define the default, system-wide context. - COPIED FROM auto_prepended_file.php
$r_default_context = stream_context_get_default
        (
        array
                (
                'http' => array
                        ( // All HTTP requests are passed through the local NTLM proxy server on port 8080.
                        'proxy' => 'tcp://127.0.0.1:8080',
                        'request_fulluri' => True,
                        ),
                )
        );

echo file_get_contents('http://www.people.com.cn/rss/politics.xml');
$xml = simplexml_load_file('http://www.people.com.cn/rss/politics.xml');
?>

Expected result:
----------------
<?xml version="1.0" encoding="GB2312"?>
<rss version="2.0">
<channel>
<title>&#9571;·&#9472;&#9484;ð&#9516;&#9580;&#9532;</title>
<link>http://politics.people.com.cn</link>
<language>zh_CN</language>
<copyright>Copyright ? 1997-2006 by www.people.com.cn. all rights
reserved</copyright>
<pubDate>2006-11-13 16:40:00</pubDate>

[SNIP]

<pubDate>2006-11-13 16:43:03</pubDate>
</item>
</channel>
</rss>


Actual result:
--------------
<?xml version="1.0" encoding="GB2312"?>
<rss version="2.0">
<channel>
<title>&#9571;·&#9472;&#9484;ð&#9516;&#9580;&#9532;</title>
<link>http://politics.people.com.cn</link>
<language>zh_CN</language>
<copyright>Copyright ? 1997-2006 by www.people.com.cn. all rights
reserved</copyright>
<pubDate>2006-11-13 16:40:00</pubDate>

[SNIP]

<pubDate>2006-11-13 16:43:03</pubDate>
</item>
</channel>
</rss>

Warning:
simplexml_load_file(http://www.people.com.cn/rss/politics.xml): failed
to open stream: HTTP request failed! HTTP/1.1 403 Forbidden ( The ISA
Server denies the specified Uniform Resource Locator (URL).  )
 in C:\noCX.php on line 16

Warning: simplexml_load_file(): I/O warning : failed to load external
entity "http://www.people.com.cn/rss/politics.xml" in C:\noCX.php on
line 16


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=39493&edit=1
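
An offline check that libxml-backed loaders receive the context handed to libxml_set_streams_context(), as described in the new comment above. This is an added example, not code from the original report: ContextProbe, the probe:// scheme and the sample feed are constructed for illustration, and the class uses PHP 7.4+ syntax.

```php
<?php
// Added example. ContextProbe and probe:// are hypothetical names; the feed is constructed.
final class ContextProbe
{
    public $context;                 // filled in by PHP when the opener supplies a context
    public static array $seen = [];  // context options observed on each open
    private string $data = '<?xml version="1.0"?><rss><channel><title>demo</title></channel></rss>';
    private int $pos = 0;

    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        // Record whatever context options the caller (here: libxml) passed down.
        self::$seen[] = is_resource($this->context)
            ? stream_context_get_options($this->context)
            : [];
        return true;
    }
    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_close(): void {}
    public function stream_stat(): array { return ['size' => strlen($this->data)]; }
    // libxml stats the URL before opening it, so the wrapper must answer.
    public function url_stat(string $path, int $flags): array { return ['size' => strlen($this->data)]; }
}

stream_wrapper_register('probe', ContextProbe::class);

// Returns the 'proxy' option that reached the wrapper via simplexml_load_file(), or null.
function proxy_seen_by_libxml($context): ?string
{
    libxml_set_streams_context($context);
    ContextProbe::$seen = [];
    simplexml_load_file('probe://feed.xml');
    $opts = end(ContextProbe::$seen) ?: [];
    return $opts['http']['proxy'] ?? null;
}

// Same options as the report's default context, built as an explicit context.
$ctx = stream_context_create([
    'http' => ['proxy' => 'tcp://127.0.0.1:8080', 'request_fulluri' => true],
]);
var_dump(proxy_seen_by_libxml($ctx));
```

libxml_set_streams_context() stays in effect for later libxml-backed loads in the same request, so it can be set once in the same place the default context is defined, for example the auto_prepend_file.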
