Hey guys. I know you get this all the time, but I'm new here, so please be patient with me.

I'm trying to get rid of an entity injection problem using Perl/FCGI and SOAP::Lite 0.69. For this I tried to switch $DO_NOT_USE_XML_PARSER from 0 to 1 within the SOAP::Lite module. I tested this with a SOAP call to a web service using wget and it worked quite nicely for me.

Now I'm trying the same thing with a SOAP client, and it doesn't work. At least not always. The first request always looks fine, but any further requests fail with a "500 Internal Server Error".

My debugging failed completely. The request always looks fine, in the first call as well as in any further calls, but the response suddenly fails with an "Application failed during request deserialization: Unresolved prefix 'soap' for attribute 'soap:Envelope'" message. What bugs me the most are the different log messages in the error log and on the console. The error log always prints out the following (I tried to format the output for you guys to make it easier to read):

mod_fcgid: stderr: SOAP::Lite - deserialize - start decoding:
    <?xml version="1.0" encoding="UTF-8"?>
    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <ping xmlns="TRONServer">
          <c-gensym3 xsi:type="xsd:int">42</c-gensym3>
        </ping>
      </soap:Body>
    </soap:Envelope>
For the output on the console screen I get two different outputs. For the first (working) try I get

SOAP::Lite - deserialize - start decoding:
    <?xml version="1.0" encoding="UTF-8"?>
    <soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:tron="http://pts.ecce-terram.de/TRONServer"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <pingResponse xmlns="TRONServer">
          <numerPlusOne xsi:type="xsd:int">43</numerPlusOne>
        </pingResponse>
      </soap:Body>
    </soap:Envelope>
while for the second and any further tries it prints out

SOAP::Lite - SOAP::Parser - start decoding:
    <?xml version="1.0" encoding="UTF-8"?>
    <soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:tron="http://pts.ecce-terram.de/TRONServer"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <soap:Body>
        <soap:Fault>
          <faultcode>soap:Client</faultcode>
          <faultstring>Application failed during request deserialization: Unresolved prefix 'soap' for attribute 'soap:Envelope'</faultstring>
        </soap:Fault>
      </soap:Body>
    </soap:Envelope>
Notice that in both cases I use the same STDERR print within the SOAP::Lite module:

    print STDERR "SOAP::Lite - deserialize - start decoding: $_[0]\n";
    my $parsed = $self->decode($_[0]);
For the first run this goes through nicely. For any further runs the call seems to crash during the decode process. The decode sub looks like the following:

    sub decode {
        SOAP::Trace::trace('()');
        my $self = shift;
        $self->parser->setHandlers(
            Final     => sub { shift; $self->final(@_) },
            Start     => sub { shift; $self->start(@_) },
            End       => sub { shift; $self->end(@_) },
            Char      => sub { shift; $self->char(@_) },
            # refuse to resolve external entities instead of fetching them
            ExternEnt => sub { shift; die "External entity (pointing to '$_[1]') is not allowed" },
        );
        # my $parsed = $self->parser->parse($_[0]);
        # return $parsed;
        #
        my $ret = undef;
        eval { $ret = $self->parser->parse($_[0]); };
        if ($@) {
            print STDERR "SOAP::Lite - SOAP::Parser - Error Message: $@\n";
            $self->final;   # Clean up in the event of an error
            die $@;         # Pass back the error
        }
        return $ret;
    }
The eval part crashes with the following error message:

    SOAP::Lite - SOAP::Parser - Error Message: Can't use string ("1") as an ARRAY ref while "strict refs" in use at (re_eval 159) line 1.
Up to this point I couldn't figure out why this is the case or where it crashes.

I think I found the problem. I dug into the XML::Parser::Lite module a little deeper and stumbled upon a compile sub that did not make much sense to me:

    sub compile {
        local $^W;
        # try regexp as it should be, apply patch if doesn't work
        foreach (regexp(), regexp('??')) {
            eval qq{sub parse_re { use re "eval"; 1 while \$_[0] =~ m{$_}go }; 1} or die;
            last if eval { parse_re('<foo>bar</foo>'); 1 }
        };
        *compile = sub {};
    }

Especially the parse_re sub didn't make much sense to me. So I replaced that sub with the XML::Parser::Lite parse_re sub I found in the 0.721 version of the Lite module on CPAN, and now it works. I probably have some more testing to do to verify that, but for now it seems to work. Thanks for listening :)


In reply to XML Entity Injection with SOAP::Lite by Scheißy
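The thread is about keeping SOAP::Lite from resolving entities, and the decode sub quoted above shows how SOAP::Lite does it: an ExternEnt handler that dies. The example below is an added illustration, not code from the thread or from SOAP::Lite, and it goes a step further than the post: it keeps the expat-backed XML::Parser (so the regexp-based XML::Parser::Lite fallback and its compile quirk are never needed) and rejects any DOCTYPE outright, since a SOAP request has no business declaring one, with an ExternEnt handler as a second line of defence and NoExpand set so internal entities are not expanded either. The two requests are constructed for the example; the element names come from the post, and the file path in the entity declaration is hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::Parser;

# Constructed sample: a SOAP-style request that declares an external
# entity and references it in the body (hypothetical path).
my $xxe_request = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soap:Envelope [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ping xmlns="TRONServer">
      <c-gensym3>&xxe;</c-gensym3>
    </ping>
  </soap:Body>
</soap:Envelope>
XML

# Constructed sample: the same request without a DTD.
my $clean_request = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ping xmlns="TRONServer">
      <c-gensym3>42</c-gensym3>
    </ping>
  </soap:Body>
</soap:Envelope>
XML

# Build an expat-backed XML::Parser that refuses DTD-driven entities
# before anything can be resolved. Returns the parser and a buffer
# that collects character data.
sub hardened_parser {
    my @chars;
    my $p = XML::Parser->new(
        # With NoExpand set and no Default handler, references to
        # internal entities are left unexpanded (guards against
        # nested-entity blow-ups as well).
        NoExpand => 1,
        Handlers => {
            # A SOAP request never needs a DTD: reject it as soon as
            # the declaration is seen.
            Doctype   => sub { die "DOCTYPE is not allowed in requests\n" },
            # Belt and braces: never resolve an external entity, the
            # same approach SOAP::Lite takes in its decode sub.
            ExternEnt => sub {
                my ($parser, $base, $sysid, $pubid) = @_;
                die "External entity (pointing to '$sysid') is not allowed\n";
            },
            Char => sub { my ($parser, $text) = @_; push @chars, $text },
        },
    );
    return ($p, \@chars);
}

# Parse one request with the hardened parser; returns a short status
# string instead of dying, so the caller can turn it into a SOAP Fault.
sub parse_request {
    my ($xml) = @_;
    my ($p, $chars) = hardened_parser();
    unless (eval { $p->parse($xml); 1 }) {
        chomp(my $err = $@);
        return "rejected: $err";
    }
    my $text = join '', grep { /\S/ } @$chars;
    return "ok: $text";
}

print parse_request($clean_request), "\n";
print parse_request($xxe_request),   "\n";
```

A fresh parser is built per request on purpose: the post's second-request failure came from parser state surviving across calls in a persistent FCGI process, and creating the XML::Parser object inside parse_request keeps each request's handlers and buffers independent.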