A php library for building xmlrpc clients and servers
OTHER License
fixed: class autoloading got broken in rel 4.10.0 for users of the legacy API (issue #111)
fixed: let the Server create Response objects whose class can be overridden by subclasses (this is required by the json-rpc server now that the xml_header method has been moved to the Request object)
fixed: let the Client create Requests whose class can be overridden by subclasses, within the _try_multicall method, which is called from multicall
fixed: declare the library not to be compatible with old versions of 'phpxmlrpc/extras' and 'phpxmlrpc/jsonrpc'
Published by github-actions[bot] over 1 year ago
changed: the minimum php version required has been increased to 5.4
changed: dropped support for parsing cookie headers which follow the obsolete Cookie2 specification
new: it is now possible to make the library generate warning messages whenever a deprecated feature is used, such as
calling deprecated methods, using deprecated method parameters, or reading/writing deprecated object properties.
This is disabled by default, and can be enabled by setting PhpXmlRpc\PhpXmlRpc::$xmlrpc_silence_deprecations = false.
Note that the deprecation warnings will by default be added to the php error log, and not be displayed on screen.
If you prefer them to be handled in some other way, you should take over the Logger, as described below
new: allow to specify other charsets than the canonical three (UTF-8, ISO-8859-1, ASCII), when mbstring is
available, both for outgoing and incoming data (issue #42).
For outgoing data, this can be set in $client->request_charset_encoding and $server->response_charset_encoding.
The library will then transcode the data fed to it by the application into the desired charset when serializing
it for transmission.
For incoming data, this can be set using PhpXmlRpc::$internal_encoding. The library will then transcode the data
received from 3rd parties into the desired charset when handing it back to the application.
An example of using this feature has been added to demo file windowscharset.php
new: allow the library to pass to the application DateTime objects instead of string for all received dateTime.iso8601
xml-rpc values. This includes both client-side, for data within the $response->value(), and server-side, for data
passed to xml-rpc method handlers, and works for both 'xmlrpcvals' and 'phpvals' modes.
In order to enable this, you should set PhpXmlRpc\PhpXmlRpc::$xmlrpc_return_datetimes = true.
NB: since the xml-rpc spec mandates that no Timezone is used on the wire for dateTime values, the DateTime objects
created by the library will be set to the default php timezone, set using the 'date.timezone' ini setting.
NB: if the received strings are not parseable as dates, NULL will be returned instead of an object, but that can
be avoided by setting PhpXmlRpc\PhpXmlRpc::$xmlrpc_reject_invalid_values = true, see below.
improved: be more strict in the Response constructor and in Request::addParam: both of those will now generate
an error message in the log if passed unexpected values
improved: be more strict in the data accepted as valid for dateTime xml-rpc values. Clearly invalid dates such as a
month '13', day '32' or hour '25' will cause an error message to be logged or the value to be rejected, depending
on configuration
improved: be more strict in the data accepted as valid for 'float' and 'int' xml-rpc values. If you need to allow
different formats for numbers, you can set a custom value to PhpXmlRpc\PhpXmlRpc::$xmlrpc_double_format and
PhpXmlRpc\PhpXmlRpc::$xmlrpc_int_format
new: allow the library to be stricter in parsing the received xml: by setting
PhpXmlRpc\PhpXmlRpc::$xmlrpc_reject_invalid_values = true, incoming xml which has data not conforming to the expected
format for value elements of type date, int, float, double, base64 and methodname will be rejected instead of passed
on to the application. The same will apply for elements of type struct-member which miss either the name or the value
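The effect of $xmlrpc_reject_invalid_values and $xmlrpc_return_datetimes on untrusted input, as an added example that is not code from the phpxmlrpc project. It assumes release 4.10 or later installed via composer and php 7 or later; the sample payloads are constructed, and demo.getValue, wrapValue, parseSample and describe are hypothetical names.

```php
<?php
// Added example, not part of phpxmlrpc. Assumes phpxmlrpc 4.10+ installed via composer.
require __DIR__ . '/vendor/autoload.php';

use PhpXmlRpc\PhpXmlRpc;
use PhpXmlRpc\Request;

// Constructed <value> bodies, as an untrusted peer might send them.
$samples = [
    'valid date'    => '<dateTime.iso8601>20240229T23:59:59</dateTime.iso8601>',
    'month 13'      => '<dateTime.iso8601>20241301T10:00:00</dateTime.iso8601>',
    'int with text' => '<int>12abc</int>',
];

// Wrap a single value into a minimal xml-rpc methodResponse document.
function wrapValue(string $valueXml): string
{
    return '<?xml version="1.0"?><methodResponse><params><param><value>'
        . $valueXml . '</value></param></params></methodResponse>';
}

// Parse one payload with strict validation switched on or off.
function parseSample(string $valueXml, bool $strict)
{
    // Both settings are static properties, so they apply to every Client and
    // Server in the process: set them once at bootstrap in real code.
    PhpXmlRpc::$xmlrpc_reject_invalid_values = $strict;
    PhpXmlRpc::$xmlrpc_return_datetimes = true;

    $request = new Request('demo.getValue'); // hypothetical method name
    // 2nd argument true: the payload carries no http headers.
    // 3rd argument 'phpvals': hand back plain php values instead of Value objects.
    return $request->parseResponse(wrapValue($valueXml), true, 'phpvals');
}

// Summarize a Response without assuming specific fault code numbers.
function describe($response): string
{
    if ($response->faultCode() != 0) {
        return 'rejected, fault ' . $response->faultCode() . ': ' . $response->faultString();
    }
    $value = $response->value();
    return 'accepted as ' . (is_object($value) ? get_class($value) : var_export($value, true));
}

foreach ([false, true] as $strict) {
    echo $strict ? "strict mode\n" : "default (lenient) mode\n";
    foreach ($samples as $label => $valueXml) {
        echo '  ', $label, ': ', describe(parseSample($valueXml, $strict)), "\n";
    }
}
```

In lenient mode the malformed values reach the application in degraded form while an error goes to the log; in strict mode the whole response comes back as a fault, which is the safer default when the peer is not trusted.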
new: it is now possible to tell the library to allow non-standard formats for received datetime value, such as f.e.
datetimes with a timezone specifier, by setting a custom value to PhpXmlRpc\PhpXmlRpc::$xmlrpc_datetime_format (issue #46).
new: it is now possible to tell the library to allow non-standard formats for received int and float values, as well
as for methodname elements. See the api docs for PhpXmlRpc\PhpXmlRpc static variables.
fixed: when a server is configured with its default value of 'xmlrpcvals' for $functions_parameters_type, and
a method handler in the dispatch was defined with 'parameters_type' = 'phpvals', the handler would be passed a
Request object instead of plain php values.
fixed: made sure all debug output goes through the logger at response parsing time (there was one printf call left)
fixed: Client::send will now return an error Response when it is requested to use an auth method that it does not
support, instead of logging an error message and continuing with another auth schema. The returned error code is 20
fixed: when calling Client::multicall() with $client->return_type = 'xml', the code would be always falling back to
non-multicall requests
fixed: support calling Client::setSSLVersion() for the case of not using curl transport
fixed: receiving integers which use the 'EX:I8' xml tag
fixed: setting/retrieving the php value from a Value object using array notation would fail if the object was created
using i4 then accessed using int, eg: $v = new Value(1, 'i4'); $v[$v->scalartyp()] = 2;
fixed: setting values to deprecated Response property cookies would trigger a PHP notice, ex:
$response->_cookies['name'] = ['value' => 'something']; (introduced in 4.6.0)
fixed: made deprecated method Value::structEach work again with php 8.0 and later
new: method PhpXmlRpc::useInteropFaults() can be used to make the library change the error codes it generates to
match the spec described at https://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php
new: both Request and Response acquired methods getPayload and getContentType
new: method Response::valueType()
new: method Client::getUrl()
new: method Server::setDispatchMap()
new: added methods getOption, setOption, setOptions and getOptions to both Client and Server, meant to replace
direct access to all public properties as well as the $timeout argument in calls to Client::send and Client::multicall
new: by using Client::setOption('extracurlopts'), it is possible to pass in protocol-specific options for when
using the Socket http transport. The value has to be an array with key being 'socket' or 'ssl', and the value an array
(see https://www.php.net/manual/en/context.socket.php and https://www.php.net/manual/en/context.ssl.php)
new: it is now possible to inject a custom logger into helper classes Charset, Http, XMLParser, inching a step
closer to supporting DIC patterns (issue #78)
new: method PhpXmlRpc::setLogger(), to simplify injecting a custom logger into all classes of the library in one step
improved: the Client will automatically try to use cURL for requests using Digest/NTLM auth, unless explicitly
told not to do so via option 'use_curl'
improved: the Client is more verbose in logging issues when trying to compress a Request for sending
improved: the Logger class now sports methods adhering to Psr\Log\LoggerInterface
improved: limit the size of incoming data which will be used in error responses and logged error messages, making
it slightly harder to carry out DOS attacks against the library
new: passing value -1 to $client->setDebug will avoid storing the full http response data in the returned Response
object when executing call. This could be useful in reducing memory usage for big responses
new: when calling Wrapper::wrapXmlrpcMethod and wrapXmlrpcServer, it is possible to pass 'throw_on_fault' as option
to argument $extraOptions. This will make the generated function throw on http errors and xml-rpc faults instead of
returning a Response object
new: when calling Wrapper::wrapXmlrpcMethod, wrapXmlrpcServer, wrapPhpFunction and wrapPhpClass it is possible
to pass 'encode_nulls' as option to argument $extraOptions. This will make the generated code emit a ''
xml-rpc element for php null values, instead of emitting an empty-string xml-rpc element
new: methods Wrapper::holdObject() and Wrapper::getheldObject(), allowing flexibility in storing object instances
for code-generation scenarios involving Wrapper::wrapPhpClass and Wrapper::wrapPhpFunction
improved: all Value methods now follow snakeCase convention
improved: all the Exceptions thrown by the library are now \PhpXmlRpc\Exception or subclasses thereof
improved: all the Client's setSomething() methods now return the client object, allowing for usage of fluent style
calling. The same applies to Request::setDebug
improved: when calling Client::multicall(), the returned Response objects did not have any data in their httpResponse
new: method Helper\Date::iso8601Encode now accepts a DateTime input beside a timestamp
new: in the dispatch map, it is now possible to set different exception handling modes for each exposed xml-rpc method
new: method Server::add_to_map is deprecated in favour of addToMap. It has also acquired new parameters:
$parametersType = false, $exceptionHandling = false
improved: the XMLParser accepts more options in its constructor (see phpdocs for details)
improved: removed usage of extension_loaded in favour of function_exists when checking for mbstring. This allows
for mbstring functions to be polyfilled
improved: the code generated by the various code-generating methods of Wrapper is formatted better, and includes
more phpdoc blocks too
improved: made the Wrapper and Client classes easy to subclass for use by the PhpJsonRpc library
improved: added the library version number to the debugger title line
improved: the debugger will now sport the "load method synopsis" button when interacting with json-rpc servers
improved: added an example Symfony Client and Server to the demo files (using Symfony 6 / PHP 8 syntax)
improved: added to the taskfile command an option to automatically set up the git hooks for development
improved: made sure the test container and gha test runners have at least one locale with comma as decimal separator
BC notes:
NB Given the considerable amount of API changes in this release, a set of tables listing every change has been
added in doc/api_changes_v4.10.md; a textual description follows.
Besides what can be inferred from the changes listed above, for library users:
PhpXmlRpc::$internal_encoding
PhpXmlRpc::$internal_encoding
to a custom character set didPhpXmlRpc\PhpXmlRpc::$xmlrpc_double_format
and PhpXmlRpc\PhpXmlRpc::$xmlrpc_int_format
PhpXmlRpc\PhpXmlRpc::$xmlrpc_datetime_format
PhpXmlRpc\PhpXmlRpc::$xmlrpc_methodname_format
$timeout and $method are now considered deprecated in Client::send() and Client::multicall()
$errno and $errstring are now deprecated
setOption / getOption. The same applies to the following "setter" methods of the Client: setSSLVerifyPeer, setSSLVerifyHost, setSSLVersion, setRequestCompression, setCurlOptions, setUseCurl, setUserAgent
Wrapper::$objHolder is now deprecated
For library extenders:
$options
argument passed to XMLParser::parse
will now contain both options intended to be passed down toXMLParser
parse
methods, or wholesale replaced it, you will have to adapt your code: both for that,$this->current_parsing_options['xmlrpc_null_extension']
fromPhpXmlRpc::$xmlrpc_null_extension
XMLParser::parse
, be warned that:
$this->_xh
instead of void_xh['isf'] > 3
Client protected methods sendPayloadSocket, sendPayloadCURL and prepareCurlHandle are now deprecated. They
sendViaSocket, sendViaCURL and createCurlHandle respectively
Client class, take care of new static variables $requestClass and $responseClass,
Client::_try_multicall, be warned its returned data has
error, warning and debug
Value::serializeData is now deprecated
setCharsetEncoder
Charset::knownCharsets, Http::parseAcceptHeader, XMLParser::truncateValueForLog
Response::xml_header has replaced Server::xml_header
Server::$accepted_charset_encodings is now deprecated
\PhpXmlRpc\Exception\PhpXmlRpcException is deprecated. Use \PhpXmlRpc\Exception instead
Published by github-actions[bot] almost 2 years ago
improved: revised all demo files. Showcase more features in client demos; isolate better testsuite functions in server demos and make sure they are not active unless triggered by running the tests; add demos for code-generation for both clients and servers
improved: added cli command taskfile, which can be used to download the demo files or the visualeditor component for the debugger (requires bash, curl and a smattering of other common unix/linux/macos? tools)
improved: for php 7 and up, catch php Errors besides Exceptions thrown by method handler functions (ie. server-side)
fixed: when using the Exception or Error thrown by a method handler function to build the xml-rpc response, override fault Code 0, as it breaks response serialization
Published by github-actions[bot] almost 2 years ago
improved: updated the user's manual to be in line with the version 4 API and modern coding practices.
The manual is now bundled in the default distribution tarball, and is easily viewable as html, provided you can
serve it using a webserver. It is also available as pdf at https://gggeek.github.io/phpxmlrpc/doc-4/phpxmlrpc_manual.pdf
improved: automated the process of creating the github release when pushing a release-tag to GitHub; also add a tarball
of the demo files as release asset, and automatically update both http://gggeek.github.io and the code on altervista.org
improved: added a pre-push git hook script, to avoid pushing tagged versions with inconsistent version tags in code.
To install it, execute composer run-script setup-git-hooks (NB: it is only useful for developers of this library,
not for the developers simply using it)
fixed: the value for error 'no_http2' has been switched from 15 to 19 to avoid a collision
Published by gggeek almost 2 years ago
improved: avoid stalling the webserver when using the debugger with the php cli-webserver and testing the demo server within the same install
improved: allow installation of the jsxmlrpc library within the debugger folder via composer or npm to enable the visual-editing capabilities of the debugger, as this works well when the debugger is used as web-root (target usage scenario being f.e. using the php cli-webserver to run the debugger)
Published by gggeek almost 2 years ago
security fix: removed the possibility of an XSS attack in the debugger.
Since the debugger is not designed to be exposed to end users but only to the developers using this library, and in the default configuration it is not exposed to requests from the web, the severity of this issue can be considered low.
improved: the debugger now uses jsxmlrpc lib version 0.6. It loads it from a cdn rather than locally.
It can also make use of a 2nd constant to help tell it where the visual-editor from the jsxmlrpc lib is located, in case its path on disk relative to the debugger and its url relative to the web root do not match.
Published by gggeek almost 2 years ago
security fix: hardened the Client::send() method against misuse of the $method argument (issue #81).
Abusing its value, it was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url (the one used in the Client constructor).
This weakness only affects installations where all the following conditions apply, at the same time:
$method argument of method Client::send(), in conjunction with conditions which trigger usage of curl as http transport (ie. either using the https, http11 or http2 protocols, or calling Client::setUseCurl() beforehand)
return_type property to 'xml', or make the resulting Response's object httpResponse member, which is intended to be used for debugging purposes only, available to 3rd parties, eg. by displaying it to the end user or serializing it in some storage (note that the same data can also be accessed via magic property Response::raw_data, and in the Request's httpResponse member)
This is most likely a very uncommon usage scenario, and as such the severity of this issue can be considered low.
If it is not possible to upgrade to this release of the library at this time, a proactive security measure, to avoid the Client accessing any local file on the server which hosts it, is to add the following call to your code:
$client->setCurlOptions([CURLOPT_PROTOCOLS => CURLPROTO_HTTPS|CURLPROTO_HTTP]);
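The curl protocol restriction above combined with an allowlist on the transport name, so that a value taken from configuration or user input never reaches Client::send() unchecked. This is an added example, not code from the phpxmlrpc project: it assumes the library is installed via composer on php 7.1 or later with the curl extension; buildRestrictedClient, safeSend, ALLOWED_TRANSPORTS and the endpoint url are hypothetical, and the allowlist holds the default 'http' plus transport names mentioned in these release notes.

```php
<?php
// Added example, not part of phpxmlrpc. Assumes `composer require phpxmlrpc/phpxmlrpc`.
require __DIR__ . '/vendor/autoload.php';

use PhpXmlRpc\Client;
use PhpXmlRpc\Request;
use PhpXmlRpc\Response;

// Assumption: the transports this application is willing to use.
const ALLOWED_TRANSPORTS = ['http', 'https', 'http11', 'h2', 'h2c'];

// Build a client whose curl handle may only speak http/https, both for the
// initial request and for any redirect it is later configured to follow.
function buildRestrictedClient(string $endpoint): Client
{
    $scheme = strtolower((string) parse_url($endpoint, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new InvalidArgumentException('endpoint must be an http(s) url');
    }

    $client = new Client($endpoint);
    $client->setCurlOptions([
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS | CURLPROTO_HTTP,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS | CURLPROTO_HTTP,
    ]);

    return $client;
}

// Validate the transport name before it is passed as the $method argument.
function safeSend(Client $client, Request $request, string $transport, int $timeout = 10): Response
{
    if (!in_array($transport, ALLOWED_TRANSPORTS, true)) {
        throw new InvalidArgumentException(
            'transport not allowed: ' . var_export($transport, true)
        );
    }

    return $client->send($request, $timeout, $transport);
}

// Offline demonstration: a constructed, unexpected value is refused before
// any network or file access can take place.
$client = buildRestrictedClient('https://rpc.example.test/xmlrpc'); // constructed url
$request = new Request('system.listMethods');
$fromConfig = 'not-a-transport'; // constructed stand-in for a 3rd-party-controlled value

try {
    safeSend($client, $request, $fromConfig);
} catch (InvalidArgumentException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}

// A value on the allowlist is handed to the library unchanged:
// $response = safeSend($client, $request, 'https');
```

The second condition listed above is worth checking as well: keep return_type away from 'xml' and do not expose httpResponse or raw_data to 3rd parties unless the application needs it.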
security fix: hardened the Wrapper::buildClientWrapperCode method's code generation against code injection via usage of a malevolent $client argument (issue #80).
In order for this weakness to be exploited, the following conditions have to apply, at the same time:
Wrapper::buildClientWrapperCode, or any methods which depend on it, such as Wrapper::wrapXmlrpcServer, Wrapper::wrapXmlrpcMethod or Wrapper::buildWrapMethodSource must be in use. Note that they are not used by default in either the Client or Server classes provided by the library; the developer has to specifically make use of them in his/her own code
$client argument to either of those methods should have been built with malicious data, ie. data controlled by a 3rd party, passed to its constructor call
This is most likely an uncommon usage scenario, and as such the severity of this issue can be considered low.
NB the graphical debugger which is shipped as part of the library is vulnerable to this, when used with the option "Generate stub for method call" selected. In that case, the debugger will display but not execute the malicious code, which would have to be provided via carefully crafted values for the "Address" and "Path" inputs.
The attack scenario in this case is that a developer copies into his/her own source code the php snippet generated by the debugger, in a situation where the debugger is used with "Address"/"Path" input values supplied by a 3rd party.
The malicious payload in the "Address"/"Path" input values should be easily recognized as suspicious by any barely proficient developer, as it resembles a bog-standard injection attack.
It goes without saying that a responsible developer should not blindly copy and paste into his/her own code anything generated by a 3rd party tool, such as the phpxmlrpc debugger, without giving it at least a cursory scan.
fixed: a php warning on php 8 when parsing responses which do not have a Content-Type header (issue #104)
fixed: added a missing html-escaping call in demo file introspect.php
fixed: decoding of responses with latin-1 charset declared in the xml prolog but not in http headers, when on php 5.4, 5.5
fixed: DateTimeInterface is not present in php 5.4 (error introduced in ver. 4.8.1)
fixed: use of uninitialized var when accessing nonexisting member of legacy class xmlrpc_server - thanks SonarQube
new: the Client class now supports making calls which follow http redirections (issue #77). For that to work, use this code:
$client->setUseCurl(\PhpXmlRpc\Client::USE_CURL_ALWAYS);
$client->setCurlOptions([CURLOPT_FOLLOWLOCATION => true, CURLOPT_POSTREDIR => 3]);
new: allow users of the library to get more fine-grained information about errors in parsing received responses by overriding the integer value of PhpXmlRpc::$xmlrpcerr['invalid_xml'], PhpXmlRpc::$xmlrpcerr['xml_not_compliant'], PhpXmlRpc::$xmlrpcerr['xml_parsing_error'] and the equivalent PhpXmlRpc::$xmlrpcstr strings (feature req. #101)
improved: added the HTTP/2 protocol to the debugger
improved: CI tests now run on php versions 5.4 and 5.5, besides all more recent ones
improved: the test container for local testing now defaults to php 7.4 on ubuntu 20 focal
Published by gggeek almost 2 years ago
improved: remove warnings with php 8.1 due to usage of strftime
improved: cast correctly php objects sporting DateTimeInterface to phpxmlrpc datetime values
Published by gggeek over 2 years ago
improved: added method Client::prepareCurlHandle, to make it easier to send multiple requests in parallel when using
curl and the server does not support system.multicall. See new demo file parallel.php for how this can be done.
fixed: error 'Class "PhpXmlRpc\Exception\PhpXmlrpcException" not found' when including xmlrpc.inc and on php 8.1
(might also happen on other php versions)
fixed: the benchmark.php file had seen some tests accidentally dropped
Published by gggeek over 2 years ago
modified the strings used to tell the client to use http/2: to avoid users mistaking 'http2' for the preferred value, we switched to using h2 and h2c
improved: the benchmark.php file does now also test calls using https and http/2 protocols
Published by gggeek over 2 years ago
http/2 on non-https requests (known as h2c) works in either "prior-knowledge" mode or "upgrade" mode.
Given the fact that upgrade mode is not compatible with POST requests, we switched to using "prior-knowledge" mode for requests sent with the http2 argument passed to the client's constructor or send method.
NB: this means that requests sent with http2 are only compatible with servers and proxies known to be http/2 compliant.
Please don't use this version, go straight to 4.7.2 or later.
Published by gggeek over 2 years ago
HTTP/2 is supported by both the Client and Server components (with the php cURL extension being required to use it client-side).
To force the client to use http/2 and http/2-tls requests, pass http2 or http2tls as 3rd argument to Client::send.
Please don't use this version, go straight to 4.7.2 or later.
Published by gggeek over 2 years ago
fixed: one php warning with php 8 and up
Published by gggeek almost 3 years ago
fixed: compatibility with php 8.1
improved: when encoding utf8 text into us-ascii xml, use character entity references for characters number 0-31 (ascii non printable characters), as we were already doing when encoding iso-8859-1 text into us-ascii xml
new: method Server::getDispatchMap(). Useful for non-child classes which want to f.e. introspect the server
new: increase flexibility in class composition by adopting a Dependency Injection (...ish) pattern: it is now possible to swap out the Logger, XMLParser and Charset classes with similar ones of your own making.
Example code:
// 1. create an instance of a custom character encoder
// $myCharsetEncoder = ...
// 2. then use it while serializing a Request:
Request::setCharsetEncoder($myCharsetEncoder);
$request->serialize($funkyCharset);
new: method XMLParser::parse() acquired a 4th argument
new: method Wrapper::wrapPhpClass allows to customize the names of the phpxmlrpc methods by stripping the original class name and accompanying namespace and replacing it with a user-defined prefix, via option replace_class_name
new: Response constructor gained a 4th argument
deprecated: properties Response::hdrs, Response::_cookies, Response::raw_data. Use Response::httpResponse() instead.
That method returns an array which also holds the http response's status code - useful in case of http errors.
deprecated: method Request::createPayload. Use Request::serialize instead
deprecated: property Request::httpResponse
improved: Http::parseResponseHeaders now throws a more specific exception in case of http errors
improved: Continuous Integration is now running on Github Actions instead of Travis
Published by gggeek almost 4 years ago
improved: better phpdocs in the php code generated by the Wrapper class
improved: debugger favicon and page title when used from the phpjsonrpc library
fixed: allow Encoder::decode to properly support different target character sets for polyfill-xmlrpc decode functions
improved: allow usage of 'epivals' for the 'parameters_type' member of methods definitions in the Server dispatch map
Published by gggeek almost 4 years ago
improved: made it easier to subclass the Helper\Charset class by allowing instance to use late static binding
fixed: reinstated access to xmlrpc_server->dmap (for users of the v3 API)
fixed: method xmlrpc_encode_entitites (for users of the v3 API)
improved: split the code of the demo server in multiple files, describing better the purpose of each
Published by gggeek almost 4 years ago
new: it is now possible to control the precision used when serializing DOUBLE values via usage of
PhpXmlRpc::$xmlpc_double_precision
fixed: Encoder::encode would not correctly encode DateTime and DateTimeImmutable objects
improvements to the Helper\Date class in rejecting invalid date strings
improvements to the Wrapper class in identifying the required arguments types from phpdoc: support 'array[]',
'DateTime' and 'DateTimeImmutable'
improvements to the support of the XMLRPC extension emulation (as provided by the phpxmlrpc/polyfill-xmlrpc package)
improvements in the inline phpdoc: tagged many methods and class member as for internal usage only
minor improvements in the debugger to allow easier integration of phpxmlrpc/jsonrpc and friends
reorganized the test suite to be more manageable
removed obsolete files from the 'extras' folder; updated and moved to the 'demo' folders the perl and python client scripts; moved benchmark.php and verify_compat.php to the 'extras' folder
Published by gggeek almost 4 years ago
fixed: compatibility with PHP 8.0 (fixes to the debugger, to the server's 'system.methodHelp' method and to the PhpXmlRpc\Wrapper class).
Note that method Value::structeach has not been removed from the API, but it is not supported when running on PHP 8.0 or later - in that case it will always throw an Error.
improvements to the test stack: it is now possible to run it via Docker besides Travis; avoid using any external
server when running tests; run Travis tests also on php 8.0; bump PHPUnit versions in use
Published by gggeek over 4 years ago
Fixed: client->setCookie() bug: cookie values that contain spaces are now properly encoded in a way that gets them decoded back to spaces on the receiving end if the server is running on php 7.4 (or does RFC-compliant cookie decoding).
Beforehand we were encoding spaces to '+' characters.