Scheißy has asked for the wisdom of the Perl Monks concerning the following question:
Hey guys. I know you get this all the time but I'm new here so please be patient with me.

I'm trying to get rid of an entity injection problem using Perl/FCGI and SOAP::Lite 0.69. For this I tried to switch the $DO_NOT_USE_XML_PARSER from 0 to 1 within the SOAP::Lite module. I tested this with a SOAP call from a web service using wget and it worked quite nicely for me.

Now I'm trying the same thing with a SOAP Client - and it doesn't work. At least not always. The first request always looks fine, but any further request fails with a "500 Internal Server Error".
My debugging failed completely. The request always looks nice - in the first call as well as in any further calls - but the response suddenly fails with an "Application failed during request deserialization: Unresolved prefix 'soap' for attribute 'soap:Envelope'" message. What bugs me the most is the different log messages in the error log and the console. The error log always prints out the following (I tried to format the output for you guys to make it easier to read):

```xml
mod_fcgid: stderr: SOAP::Lite - deserialize - start decoding: <?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ping xmlns="TRONServer">
      <c-gensym3 xsi:type="xsd:int">42</c-gensym3>
    </ping>
  </soap:Body>
</soap:Envelope>
```

For the output on the console screen I get two different outputs. For the first (working) try I get

```xml
SOAP::Lite - deserialize - start decoding: <?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:tron="http://pts.ecce-terram.de/TRONServer"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <pingResponse xmlns="TRONServer">
      <numerPlusOne xsi:type="xsd:int">43</numerPlusOne>
    </pingResponse>
  </soap:Body>
</soap:Envelope>
```

while for the second and any other tries it prints out

```xml
SOAP::Lite - SOAP::Parser - start decoding: <?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
               xmlns:tron="http://pts.ecce-terram.de/TRONServer"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Application failed during request deserialization: Unresolved prefix 'soap' for attribute 'soap:Envelope'</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
```

Notice that in both cases I use the same STDERR method within the SOAP::Lite module:

```perl
print STDERR "SOAP::Lite - deserialize - start decoding: $_[0]\n";
my $parsed = $self->decode($_[0]);
```

For the first run this runs through nicely. For any further runs the call seems to crash during the decode process. The decode sub looks like the following:

```perl
sub decode {
    SOAP::Trace::trace('()');
    my $self = shift;
    $self->parser->setHandlers(
        Final     => sub { shift; $self->final(@_) },
        Start     => sub { shift; $self->start(@_) },
        End       => sub { shift; $self->end(@_) },
        Char      => sub { shift; $self->char(@_) },
        ExternEnt => sub { shift; die "External entity (pointing to '$_[1]') is not allowed" },
    );
    # my $parsed = $self->parser->parse($_[0]);
    # return $parsed;
    #
    my $ret = undef;
    eval { $ret = $self->parser->parse($_[0]); };
    if ($@) {
        print STDERR "SOAP::Lite - SOAP::Parser - Error Message: $@\n";
        $self->final;    # Clean up in the event of an error
        die $@;          # Pass back the error
    }
    return $ret;
}
```

The eval part crashes with the following exit message:

```
SOAP::Lite - SOAP::Parser - Error Message: Can't use string ("1") as an ARRAY ref while "strict refs" in use at (re_eval 159) line 1.
```

Up to this point I couldn't figure out why this is the case and where it crashes.
I think I found the problem. I dug into the XML::Parser::Lite module a little deeper and stumbled upon a compile sub that did not make much sense to me:

```perl
sub compile {
    local $^W;
    # try regexp as it should be, apply patch if doesn't work
    foreach (regexp(), regexp('??')) {
        eval qq{sub parse_re { use re "eval"; 1 while \$_[0] =~ m{$_}go }; 1} or die;
        last if eval { parse_re('<foo>bar</foo>'); 1 }
    };
    *compile = sub {};
}
```

Especially the parse_re sub didn't make much sense to me. So I replaced that sub with the XML::Parser::Lite parse_re sub I found in the 0.721 version of the Lite module on CPAN - and now it works. I probably have some more testing to do to verify that but for now it seems to work. Thanks for listening :)
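The following is an added example, not code from the post or from SOAP::Lite, that isolates the defence the decode sub above relies on: an XML::Parser whose ExternEnt handler dies, so any document that tries to pull in an external entity is rejected before SOAP deserialization sees it. It is run against the ping request from the log and a constructed document declaring an external entity with a placeholder system identifier; the helper names and the sample documents are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Parser;

# XML::Parser resolves external entities by default (local files, and URLs
# when LWP is installed), so an explicit ExternEnt handler that refuses them
# is what turns this into a safe parser. Mirrors the handler in decode().
sub make_strict_parser {
    my @chars;
    my $p = XML::Parser->new(
        Handlers => {
            Char      => sub { my ($expat, $text) = @_; push @chars, $text },
            ExternEnt => sub {
                my ($expat, $base, $sysid, $pubid) = @_;
                die "External entity (pointing to '$sysid') is not allowed\n";
            },
        },
    );
    return ($p, \@chars);
}

# Parse one document; returns (1, collected text) or (0, error message).
sub parse_checked {
    my ($xml) = @_;
    my ($p, $chars) = make_strict_parser();
    my $ok = eval { $p->parse($xml); 1 };
    return $ok ? (1, join '', @$chars) : (0, $@);
}

# Constructed sample: the ping request body seen in the error log.
my $ping = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body><ping xmlns="TRONServer"><c-gensym3 xsi:type="xsd:int">42</c-gensym3></ping></soap:Body>
</soap:Envelope>
XML

# Constructed sample: a document that declares an external entity. The
# system identifier is a placeholder; the handler dies before it is fetched.
my $external = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE ping [ <!ENTITY ext SYSTEM "http://placeholder.invalid/entity.xml"> ]>
<ping>&ext;</ping>
XML

for my $doc ([ping => $ping], [external_entity => $external]) {
    my ($ok, $result) = parse_checked($doc->[1]);
    printf "%-16s %s\n", $doc->[0], $ok ? "parsed text: $result" : "rejected: $result";
}
```

The first document parses and yields the text "42"; the second is rejected with the ExternEnt message, which is the behaviour the decode sub in the post is meant to enforce for every request, not only the first one.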
Re: XML Entity Injection with SOAP::Lite
by Anonymous Monk on Sep 02, 2015 at 22:24 UTC