Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.5.5

Bug #4231 RPC method calls with bad parameter counts can cause PHP notices.
Submitted: 2005-04-27 08:42 UTC
From: mike at naberezny dot com Assigned: danielc
Status: Closed Package: XML_RPC
PHP Version: Irrelevant OS: Irrelevant
Roadmaps: (Not assigned)    
Subscription  


 [2005-04-27 08:42 UTC] mike at naberezny dot com
Description: ------------ If a client calls an RPC method but supplies a parameter count that does not match any of the method's signatures as defined in the dispatch map, the function verifySignature() of XML_RPC_Server will cause PHP undefined variable notices if PHP notices have not been disabled. This is a security issue because it exposes the script path to the client. Also, having the server's XML response prepended with PHP notices will cause many clients to reject the return payload as invalid during parsing. Reproduce code: --------------- Build the example server and client from the end-user documentation. The built-in RPC method system.methodHelp() takes one parameter. Use the client to call this method with no parameters, and again with two or more parameters. Observe the response payload. Expected result: ---------------- A valid response from the server with a fault code of 3 and a fault string similar to "Bad parameter count". Actual result: -------------- Undefined variable notices occur for $wanted, $got, and $pno in the function verifySignature() of XML_RPC_Server. These will be prepended to the XML returned from the server, resulting in XML_RPC_Client to report its own fault code 2 (invalud return payload). Although the XML from the server does contain a faultCode and faultString, most other clients react similarly and reject the return payload during parsing. Fix ---- In the class XML_RPC_Server, replace the last line of the function verifySignature(). Before: return array(0, "Wanted ${wanted}, got ${got} at param ${pno})"); Fixed: if (isset($pno)) { return array(0, "Wanted ${wanted}, got ${got} at param ${pno})"); } else { return array(0, 'Bad parameter count'); }

Comments

 [2005-05-04 16:47 UTC] danielc
In order to ease my debugging process, please provide a short test script that produces the problem. A textual description of a test case is insufficient. Thanks.
 [2005-05-05 05:09 UTC] mike at naberezny dot com
Please see the reproduce code here: http://www.mikenaberezny.com/pear/bugs/4231
 [2005-05-05 15:12 UTC] danielc
Fixed in CVS. Thanks for the sample code and thorough explanations.
 [2005-05-07 00:57 UTC] mike at naberezny dot com
I have reopened this bug because the patch in 1.3.0RC2 has the side-effect of breaking support for optional method parameters. Please see a description and reproduce code here: http://www.mikenaberezny.com/pear/bugs/4231-addendum
 [2005-05-08 00:40 UTC] danielc
More changes made to CVS. Please check out the latest RPC.php and Server.php files. Thanks for the further excellent commentary and examples. The problem last time was I didn't comprehend how the signatures needed to be set. The documentation wasn't great. Now I understand the process, I've improved the documentation as well.