security fix: hardened the Client::send() method against misuse of the $method argument (issue #81).
Abusing its value, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor).
This weakness only affects installations where all the following conditions apply, at the same time:
the xmlrpc Client is used, ie. not xmlrpc servers
untrusted data (eg. data from remote users) is used as value for the $method argument of method Client::send(), in conjunction with conditions which trigger usage of curl as http transport (ie. either using the https, http11 or http2 protocols, or calling Client::setUseCurl() beforehand)
either have set the Clients return_type property to 'xml', or make the resulting Response's object httpResponse member, which is intended to be used for debugging purposes only, available to 3rd parties, eg. by displaying it to the end user or serializing it in some storage (note that the same data can also be accessed via magic property Response::raw_data, and in the Request's httpResponse member)
This is most likely a very uncommon usage scenario, and as such the severity of this issue can be considered low.
If it is not possible to upgrade to this release of the library at this time, a proactive security measure, to avoid the Client accessing any local file on the server which hosts it, is to add the following call to your code:
security fix: hardened the Wrapper::buildClientWrapperCode method's code generation against code injection via usage of a malevolent $client argument (issue #80).
In order for this weakness to be exploited, the following conditions have to apply, at the same time:
method Wrapper::buildClientWrapperCode, or any methods which depend on it, such as Wrapper::wrapXmlrpcServer, Wrapper::wrapXmlrpcMethod or Wrapper::buildWrapMethodSource must be in use. Note that they are not used by default in either the Client or Server classes provided by the library; the developer has to specifically make use of them in his/her own code
the $client argument to either of those methods should have been built with malicious data, ie. data controlled by a 3rd party, passed to its constructor call
This is most likely an uncommon usage scenario, and as such the severity of this issue can be considered low.
NB the graphical debugger which is shipped as part of the library is vulnerable to this, when used with the option "Generate stub for method call" selected. In that case, the debugger will display but not execute the malicious code, which would have to be provided via carefully crafted values for the "Address" and "Path" inputs.
The attack scenario in this case is that a developer copies into his/her own source code the php snippet generated by the debugger, in a situation where the debugger is used with "Address"/"Path" input values supplied by a 3rd party.
The malicious payload in the "Address"/"Path" input values should be easily recognized as suspicious by any barely proficient developer, as it resembles a bog-standard injection attack.
It goes without saying that a responsible developer should not blindly copy and paste into his/her own code anything generated by a 3rd party tool, such as the phpxmlrpc debugger, without giving it at least a cursory scan.
fixed: a php warning on php 8 when parsing responses which do not have a Content-Type header (issue #104)
fixed: added a missing html-escaping call in demo file introspect.php
fixed: decoding of responses with latin-1 charset declared in the xml prolog but not in http headers, when on php 5.4, 5.5
fixed: DateTimeInterface is not present in php 5.4 (error introduced in ver. 4.8.1)
fixed: use of uninitialized var when accessing nonexisting member of legacy class xmlrpc_server - thanks SonarQube
new: the Client class now supports making calls which follow http redirections (issue #77). For that to work, use this code:
new: allow users of the library to get more fine-grained information about errors in parsing received responses by overriding the integer value of PhpXmlRpc::$xmlrpcerr['invalid_xml'], PhpXmlRpc::$xmlrpcerr['xml_not_compliant'], PhpXmlRpc::$xmlrpcerr['xml_parsing_error'] and the equivalent PhpXmlRpc::$xmlrpcstr strings (feature req. #101)
improved: added the HTTP/2 protocol to the debugger
... (truncated)
Commits
cf6e605 fix security issues 80 and 81; comments; whitespace; docs; tag for release
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/glFusion/glfusion/network/alerts).
Bumps phpxmlrpc/phpxmlrpc from 4.6.1 to 4.9.0.
Release notes
Sourced from phpxmlrpc/phpxmlrpc's releases.
... (truncated)
Commits
cf6e605
fix security issues 80 and 81; comments; whitespace; docs; tag for release78e6d2c
commentsebb46ba
docs and commentsacc3ee6
git ignore sonarqube data251b1a2
more WIP to fix doc build chain970c568
doc build improvements3f3f214
oops80cfcb6
add http2 support to the debugger85783e4
docsf5e1627
allow following redirects: support 307, 308Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/glFusion/glfusion/network/alerts).