From:             stuart dot caie at gmail dot com
Operating system: Ubuntu
PHP version:      5.2.4RC1
PHP Bug Type:     SOAP related
Bug description:  SoapServer sends clients internal PHP errors

Description:
------------
When presenting a SOAP API to the general public, I do not want the text
of PHP errors to be sent down the wire as "SOAP-ENV:Server" faults. It's
just as embarrassing and as much of a security risk as having the
display_errors INI option turned on - it could reveal exploitable private
implementation details to hostile users.

I would like to catch all PHP errors, log them and instead send the user a
custom SOAP fault which gives them a unique error ID to report (which
matches with my log), but does not reveal the actual PHP error message.

However,

1. use_soap_error_handler() does nothing. Set it to true, it sends out
SOAP-ENV:Server faults with the PHP error message. Set it to false, it
still sends out SOAP-ENV:Server faults with the PHP error message.


2. User-defined error handlers can't catch E_ERROR, E_PARSE, E_CORE_ERROR,
E_CORE_WARNING, E_COMPILE_ERROR, E_COMPILE_WARNING, and most of E_STRICT.
Other scripting languages such as Perl (via $SIG{__DIE__}) or Ruby (via
begin/rescue) let user code catch fatal errors; PHP comes up short.

I'd like you to allow PHP to catch fatal errors in the user defined error
handler. If you won't fix that, please add some kind of kludge to
SoapServer so that it doesn't reveal the text of PHP errors to clients.

Reproduce code:
---------------
<?php // server.php
class test {
    function test() { obvious_error(); } // will cause an error
}
function error_handler($level, $error, $file, $line, $context) {
    global $server; // the SoapServer created below; without this, $server is an unset local
    $ticket = date('YmdHis-') . $_SERVER['REMOTE_ADDR'];
    if ($fh = fopen('/tmp/soap_error_log', 'a')) {
        fwrite($fh, "[$ticket] $level: $error at $file line $line\n");
        fclose($fh);
    }
    if (isset($server)) $server->fault('error', "report \"$ticket\" to support");
}
set_error_handler('error_handler');
use_soap_error_handler(false);
$server = new SoapServer(NULL, array('uri' => 'http://localhost/server.php'));
$server->setClass('test');
$server->handle();
?>

<?php // client.php
$client = new SoapClient(NULL, array('uri' => 'http://localhost/server.php',
                                     'location' => 'http://localhost/server.php'));
$client->test();
?>



Expected result:
----------------
client.php: Uncaught SoapFault exception: [error] report "<unique id>" to
support

server.php: entry in /tmp/soap_error_log reading:
[<unique id>] 1: Call to undefined function obvious_error() in server.php
line 4


Actual result:
--------------
client.php: Uncaught SoapFault exception: [SOAP-ENV:Server] Call to
undefined function obvious_error()

server.php: no entry in /tmp/soap_error_log.


-- 
Edit bug report at http://bugs.php.net/?id=42214&edit=1
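The behaviour the reporter asks for can be approximated in userland on PHP 5.2 with register_shutdown_function() and error_get_last(), which do run after a fatal error even though set_error_handler() is never called for one. The following is an added example, not the reporter's code or anything from the PHP project; the function names, the ticket format and the assumption that the extension's own fault output is captured by an output buffer started before handle() are mine:

```php
<?php
// Added example (not the reporter's code): log the fatal error server-side,
// hand the client only a ticket id. Assumes the SOAP extension writes its
// fault through PHP's output layer, so ob_start() captures it and the
// shutdown function can discard it; /tmp/soap_error_log must be writable.
define('SOAP_ERROR_LOG', '/tmp/soap_error_log');
function log_error_ticket($level, $message, $file, $line) {
    // Ticket the client can quote; the real error text stays in the log only.
    $ticket = date('YmdHis-') . uniqid();
    if ($fh = fopen(SOAP_ERROR_LOG, 'a')) {
        fwrite($fh, "[$ticket] $level: $message at $file line $line\n");
        fclose($fh);
    }
    return $ticket;
}
function generic_soap_fault($ticket) {
    // SOAP 1.1 fault carrying only the ticket id, nothing about the cause.
    return '<?xml version="1.0" encoding="UTF-8"?>'
        . '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        . '<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode>'
        . '<faultstring>report "' . htmlspecialchars($ticket) . '" to support</faultstring>'
        . '</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>';
}
function soap_fatal_shutdown() {
    $err = error_get_last();   // PHP >= 5.2.0; null if no error occurred
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
    if ($err === null || !($err['type'] & $fatal)) {
        return;                // no fatal error: let the buffered reply flush
    }
    $ticket = log_error_ticket($err['type'], $err['message'], $err['file'], $err['line']);
    while (ob_get_level() > 0) {
        ob_end_clean();        // drop the fault the extension already queued
    }
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
        header('Content-Type: text/xml; charset=utf-8');
    }
    echo generic_soap_fault($ticket);
}
class test {
    function hello() { obvious_error(); }   // deliberate fatal error, as in the report
}
register_shutdown_function('soap_fatal_shutdown');
ob_start();                    // capture everything handle() emits
$server = new SoapServer(NULL, array('uri' => 'http://localhost/server.php'));
$server->setClass('test');
$server->handle();
```

Non-fatal errors (E_WARNING, E_NOTICE) still need the set_error_handler() callback from the report; the shutdown function only covers the levels that callback cannot see.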