#42214 [Opn->Asn]: SoapServer sends clients internal PHP errors

2007-09-03 Thread jani
 ID:   42214
 Updated by:   [EMAIL PROTECTED]
 Reported By:  stuart dot caie at gmail dot com
-Status:   Open
+Status:   Assigned
 Bug Type: SOAP related
 Operating System: Ubuntu
 PHP Version:  5.2.4RC1
 Assigned To:  dmitry
 New Comment:

Usually when PHP hits a fatal error (that means _FATAL_ :) it's in such
a state that continuing the script run would cause e.g. a crash, or the
engine is about to blow up in some other way. Don't bother submitting a
bug report about that, it will not change. (I think there's already one
about it too..)

Assigned back to Dmitry.


Previous Comments:


[2007-08-31 15:11:38] stuart dot caie at gmail dot com

Yes, I would like the soap extension to let me hide fatal error
messages. Please add that option, either in code or in the php.ini.


I still think PHP itself needs to be fixed so it can continue running
user code after a fatal error. However, that is a bigger change and less
likely to be done. I'll look to see if such a bug is already raised,
otherwise I'll raise that as another bug.

Thanks
Stuart



[2007-08-31 12:44:10] [EMAIL PROTECTED]

PHP is not able to execute user-code after a fatal error.
The only thing I can do with this is provide a special SoapServer option
to hide error messages. In this case it will always send
"[SOAP-ENV:Server] Internal error".

Do you like such a solution?



[2007-08-05 21:58:46] stuart dot caie at gmail dot com

Description:

When presenting a SOAP API to the general public, I do not want the
text of PHP errors to be sent down the wire as "SOAP-ENV:Server" faults.
It's just as embarrassing and as much of a security risk as having the
display_errors INI option turned on - it could reveal exploitable
private implementation details to hostile users.

I would like to catch all PHP errors, log them and instead send the
user a custom SOAP fault which gives them a unique error ID to report
(which matches with my log), but does not reveal the actual PHP error
message.

However,

1. use_soap_error_handler() does nothing. Set it to true, it sends out
SOAP-ENV:Server faults with the PHP error message. Set it to false, it
still sends out SOAP-ENV:Server faults with the PHP error message.


2. User-defined error handlers can't catch E_ERROR, E_PARSE,
E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING, and
most of E_STRICT. Other scripting languages such as Perl (via
$SIG{__DIE__}) or Ruby (via begin/rescue) let user code catch fatal
errors; PHP comes up short.

I'd like you to allow PHP to catch fatal errors in the user defined
error handler. If you won't fix that, please add some kind of kludge to
SoapServer so that it doesn't reveal the text of PHP errors to clients.

Reproduce code:
---
fault('error', "report \"$ticket\" to support");
}
set_error_handler('error_handler');
use_soap_error_handler(false);
$server = new SoapServer(NULL, array('uri' => 'http://localhost/server.php'));
$server->setClass('test');
$server->handle();
?>


'http://localhost/server.php', 'location' => 'http://localhost/server.php'));
$client ->test();
?>



Expected result:

client.php: Uncaught SoapFault exception: [error] report ""
to support

server.php: entry in /tmp/soap_error_log reading:
[] 1: Call to undefined function obvious_error() in
server.php line 4


Actual result:
--
client.php: Uncaught SoapFault exception: [SOAP-ENV:Server] Call to
undefined function obvious_error()

server.php: no entry in /tmp/soap_error_log.






-- 
Edit this bug report at http://bugs.php.net/?id=42214&edit=1
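
The behaviour the reporter asks for (log the real error under a ticket ID, send the client only the ticket), as an added example that is not part of the original thread or of PHP's own code. It assumes PHP 7.2 or later with the soap extension, where a call to an undefined function throws a catchable Error; FaultShield, TestService and the log path are hypothetical names.

```php
<?php
// Added example, not code from the bug report. Assumes PHP 7.2+ with ext-soap.
// FaultShield, TestService and the demo log path are hypothetical names.
final class FaultShield
{
    private $inner;
    private $logFile;

    public function __construct(object $inner, string $logFile)
    {
        $this->inner = $inner;
        $this->logFile = $logFile;
    }

    // Forward every call to the real service; never let raw error text escape.
    public function __call(string $method, array $args)
    {
        try {
            return $this->inner->$method(...$args);
        } catch (SoapFault $fault) {
            throw $fault; // faults the service raised on purpose pass through
        } catch (Throwable $e) {
            $ticket = bin2hex(random_bytes(8)); // unguessable correlation ID
            $detail = str_replace(["\r", "\n"], ' ', $e->getMessage()); // one log line per error
            error_log(sprintf("[%s] %s: %s in %s line %d\n", $ticket,
                get_class($e), $detail, $e->getFile(), $e->getLine()),
                3, $this->logFile); // type 3 appends to the named file
            throw new SoapFault('Server', "Internal error, report \"$ticket\" to support");
        }
    }
}

class TestService
{
    public function test()
    {
        return obvious_error(); // undefined function, as in the report
    }
}

// Constructed demonstration: call through the shield the way SoapServer would
// after $server->setObject($shield), and show what a client would be told.
$logFile = sys_get_temp_dir() . '/soap_error_log_demo';
$shield = new FaultShield(new TestService(), $logFile);
try {
    $shield->test();
} catch (SoapFault $fault) {
    echo 'client sees: ', $fault->getMessage(), PHP_EOL;
    echo 'server log:  ', file_get_contents($logFile);
}
```

Errors that still terminate the script, such as memory exhaustion or exceeding the execution time limit, bypass the catch block, so the log should also be checked against what clients actually receive.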


#42214 [Opn->Asn]: SoapServer sends clients internal PHP errors

2007-08-11 Thread iliaa
 ID:   42214
 Updated by:   [EMAIL PROTECTED]
 Reported By:  stuart dot caie at gmail dot com
-Status:   Open
+Status:   Assigned
 Bug Type: SOAP related
 Operating System: Ubuntu
 PHP Version:  5.2.4RC1
-Assigned To:  
+Assigned To:  dmitry

