phpxmlrpc

• improved: avoid stalling the webserver when using the debugger with the php cli-webserver and testing the demo server within the same install

• improved: allow installation of the jsxmlrpc library within the debugger folder via composer or npm to enable the visual-editing capabilities of the debugger, as this works well when the debugger is used as web-root (target usage scenario being f.e. using the php cli-webserver to run the debugger)

• security fix: removed the possibility of an XSS attack in the debugger.
  Since the debugger is not designed to be exposed to end users but only to the developers using this library, and in the default configuration it is not exposed to requests from the web, the severity of this issue can be considered low.

• improved: the debugger now uses jsxmlrpc lib version 0.6. It loads it from a cdn rather than locally.
  It also can make use of a 2nd constant to help telling it where the visual-editor form the jsxmlrpc lib is located, in case its path on disk relative to the debugger and its url relative to the web root do not match.

• fixed: php warnings on php 8.2. This includes preferring usage of mbstring for converting between Latin1 and UTF8

• improved: CI tests now also run on php 8.2

• security fix: hardened the Client::send() method against misuse of the $method argument (issue #81).
  Abusing its value, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor).

  This weakness only affects installations where all the following conditions apply, at the same time:

  • the xmlrpc Client is used, ie. not xmlrpc servers
  • untrusted data (eg. data from remote users) is used as value for the $method argument of method Client::send(), in conjunction with conditions which trigger usage of curl as http transport (ie. either using the https, http11 or http2 protocols, or calling Client::setUseCurl() beforehand)
  • either have set the Clients return_type property to 'xml', or make the resulting Response's object httpResponse member, which is intended to be used for debugging purposes only, available to 3rd parties, eg. by displaying it to the end user or serializing it in some storage (note that the same data can also be accessed via magic property Response::raw_data, and in the Request's httpResponse member)

  This is most likely a very uncommon usage scenario, and as such the severity of this issue can be considered low.

  If it is not possible to upgrade to this release of the library at this time, a proactive security measure, to avoid the Client accessing any local file on the server which hosts it, is to add the following call to your code:

  $client->setCurlOptions([CURLOPT_PROTOCOLS, CURLPROTO_HTTPS|CURLPROTO_HTTP]);
  

• security fix: hardened the Wrapper::buildClientWrapperCode method's code generation against code injection via usage of a malevolent $client argument (issue #80).

  In order for this weakness to be exploited, the following conditions have to apply, at the same time:

  • method Wrapper::buildClientWrapperCode, or any methods which depend on it, such as Wrapper::wrapXmlrpcServer, Wrapper::wrapXmlrpcMethod or Wrapper::buildWrapMethodSource must be in use. Note that they are not used by default in either the Client or Server classes provided by the library; the developer has to specifically make use of them in his/her own code
  • the $client argument to either of those methods should have been built with malicious data, ie. data controlled by a 3rd party, passed to its constructor call

  This is most likely an uncommon usage scenario, and as such the severity of this issue can be considered low.

  NB the graphical debugger which is shipped as part of the library is vulnerable to this, when used with the option "Generate stub for method call" selected. In that case, the debugger will display but not execute the malicious code, which would have to be provided via carefully crafted values for the "Address" and "Path" inputs.

  The attack scenario in this case is that a developer copies into his/her own source code the php snippet generated by the debugger, in a situation where the debugger is used with "Address"/"Path" input values supplied by a 3rd party.
  The malicious payload in the "Address"/"Path" input values should be easily recognized as suspicious by any barely proficient developer, as it resembles a bog-standard injection attack.
  It goes without saying that a responsible developer should not blindly copy and paste into his/her own code anything generated by a 3rd party tool, such as the phpxmlrpc debugger, without giving it at least a cursory scan.

• fixed: a php warning on php 8 when parsing responses which do not have a Content-Type header (issue #104)

• fixed: added a missing html-escaping call in demo file introspect.php

• fixed: decoding of responses with latin-1 charset declared in the xml prolog but not in http headers, when on php 5.4, 5.5

• fixed: DateTimeInterface is not present in php 5.4 (error introduced in ver. 4.8.1)

• fixed: use of uninitialized var when accessing nonexisting member of legacy class xmlrpc_server - thanks SonarQube

• new: the Client class now supports making calls which follow http redirections (issue #77). For that to work, use this code:

  $client->setUseCurl(\PhpXmlRpc\Client::USE_CURL_ALWAYS);
  $client->setCurlOptions([CURLOPT_FOLLOWLOCATION => true, CURLOPT_POSTREDIR => 3]);
  

• new: allow users of the library to get more fine-grained information about errors in parsing received responses by overriding the integer value of PhpXmlRpc::$xmlrpcerr['invalid_xml'], PhpXmlRpc::$xmlrpcerr['xml_not_compliant'], PhpXmlRpc::$xmlrpcerr['xml_parsing_error'] and the equivalent PhpXmlRpc::$xmlrpcstr strings (feature req. #101)

• improved: added the HTTP/2 protocol to the debugger

• improved: CI tests now run on php versions 5.4 and 5.5, besides all more recent ones

• improved: the test container for local testing now defaults to php 7.4 on ubuntu 20 focal

• improved: remove warnings with php 8.1 due to usage of strftime

• improved: cast correctly php objects sporting DateTimeInterface to phpxmlrpc datetime values

• improved: added method Client::prepareCurlHandle, to make it easier to send multiple requests in parallel when using
  curl and the server does not support system.multicall. See new demo file parallel.php for how this can be done.

• fixed: error 'Class "PhpXmlRpc\Exception\PhpXmlrpcException" not found' when including xmlrpc.inc and on php 8.1
  (might also happen on other php versions)

• fixed: the benchmark.php file had seen some tests accidentally dropped

• modified the strings used to tell the client to use http/2: to avoid users mistaking 'http2' for the preferred value, we switched to using h2 and h2c

• improved: the benchmark.php file does now also test calls using https and http/2 protocols

http/2 on non-https requests (known as h2c) works in either "prior-knowledge" mode or "upgrade" mode.
Given the fact that upgrade mode is not compatible with POST requests, we switched to using "prior-knowledge" mode for requests sent with the http2 argument passed to the client's constructor or send method.
NB: this means that requests sent with http2 are only compatible with servers and proxies known to be http/2 compliant.

Please don't use this version, go straight to 4.7.2 or later.

HTTP/2 is supported by both the Client and Server components (with the php cURL extension being required to use it client-side).
To force the client to use http/2 and http/2-tls requests, pass http2 or http2tls as 3rd argument to Client::send.

Please don't use this version, go straight to 4.7.2 or later.

fixed: one php warning with php 8 and up

• fixed: compatibility with php 8.1

• improved: when encoding utf8 text into us-ascii xml, use character entity references for characters number 0-31 (ascii non printable characters), as we were already doing when encoding iso-8859-1 text into us-ascii xml

• new: method Server::getDispatchMap(). Useful for non-child classes which want to f.e. introspect the server

• new: increase flexibility in class composition by adopting a Dependency Injection (...ish) pattern: it is now possible to swap out the Logger, XMLParser and Charset classes with similar ones of your own making.
  Example code:

  // 1. create an instance of a custom character encoder
  // $myCharsetEncoder = ...
  // 2. then use it while serializing a Request:
  Request::setCharsetEncoder($myCharsetEncoder);
  $request->serialize($funkyCharset);
  

• new: method XMLParser::parse() acquired a 4th argument

• new: method Wrapper::wrapPhpClass allows to customize the names of the phpxmlrpc methods by stripping the original class name and accompanying namespace and replace it with a user-defined prefix, via option replace_class_name

• new: Response constructor gained a 4th argument

• deprecated: properties Response::hdrs, Response::_cookies, Response::raw_data. Use Response::httpResponse() instead.
  That method returns an array which also holds the http response's status code - useful in case of http errors.

• deprecated: method Request::createPayload. Use Request::serialize instead

• deprecated: property Request::httpResponse

• improved: Http::parseResponseHeaders now throws a more specific exception in case of http errors

• improved: Continuous Integration is now running on Github Actions instead of Travis

• improved: better phpdocs in the the php code generated by the Wrapper class

• improved: debugger favicon and page title when used from the phpjsonrpc library

• fixed: allow Encoder::decode to properly support different target character sets for polyfill-xmlrpc decode functions

• improved: allow usage of 'epivals' for the 'parameters_type' member of methods definitions in the Server dispatch map

• improved: made it easier to subclass the Helper\Charset class by allowing instance to use late static binding

• fixed: reinstated access to xmlrpc_server->dmap (for users of the v3 API)

• fixed: method xmlrpc_encode_entitites (for users of the v3 API)

• improved: split the code of the demo server in multiple files, describing better the purpose of each

• new: it is now possible to control the precision used when serializing DOUBLE values via usage of
  PhpXmlRpc::$xmlpc_double_precision

• fixed: Encoder::encode would not correctly encode DateTime and DateTimeImmutable objects

• improvements to to the Helper\Date class in rejecting invalid date strings

• improvements to the Wrapper class in identifying the required arguments types from phpdoc: support 'array[]',
  'DateTime' and 'DateTimeImmutable'

• improvements to the support of the XMLRPC extension emulation (as provided by the phpxmlrpc/polyfill-xmlrpc package)

• improvements in the inline phpdoc: tagged many methods and class member as for internal usage only

• minor improvements in the debugger to allow easier integration of phpxmlrpc/jsonrpc and friends

• reorganized the test suite to be more manageable

• removed obsolete files from the 'extras' folder; updated and moved to the 'demo' folders the perl and python client scripts; moved benchmark.php and verify_compat.php to the 'extras' folder

• fixed: compatibility with PHP 8.0 (fixes to the debugger, to the server's 'system.methodHelp' method and to the PhpXmlRpc\Wrapper class).
  Note that method Value::structeach has not been removed from the API, but it is not supported when running on PHP 8.0 or later - in that case it will always throw an Error.

• improvements to the test stack: it is now possible to run it via Docker besides Travis; avoid using any external
  server when running tests; run Travis tests also on php 8.0; bump PHPUnit versions in use

Fixed: client->setCookie() bug: cookie values that contain spaces are now properly encoded in a way that gets them decoded back to spaces on the receiving end if the server running on php 7.4 (or does RFC-compliant cookie decoding).
Beforehand we were encoding spaces to '+' characters.

• fixed: allow handling huge xml messages (>=10MB) (issue #71)

• improved: make it easier to overtake the library's usage of error_log

This release makes the legacy api of the library compatible with php 7.2 by removing one more deprecation warning.

This release makes the library compatible with php 7.2 by removing one more deprecation warning.

NB moving to version 4 of the library is the recommended option unless you absolutely can not upgrade, as it comes with many improvements and is fully API compatible with version 3.

This release makes the library compatible with php 7.2 by removing the deprecation warnings.

NB moving to version 4 of the library is the recommended option unless you absolutely can not upgrade, as it comes with many improvements and is fully API compatible with version 3.