PEAR XML_RPC Bug #4231
-
Today I submitted Bug #4231 to PEAR. An expanded version of my bug report can be found on this website.
One thing that using Python’s bundled xmlrpclib on the Python interactive shell has taught me is that it’s very easy to make RPC method calls with bad parameters. Using a server built on PEAR’s
XML_RPC_Server
, calling a method with a bad parameter count will cause PHP undefined variable notices to be prepended to the return payload if notices have not been disabled.This is a security issue because the notices reveal the script path to the client. Also, this makes troubleshooting RPC calls somewhat difficult because although the server’s XML response remains intact, most clients I have tried will report a parse error when the PHP notices are encountered. This is true of the clients in PEAR’s
XML_RPC
, Python’sxmlrpclib
, and CPAN’sXMLRPC::Lite
for Perl.Update 9-May-2005: This bug has now been fixed in the CVS, although it took a little work to get there including an addendum to my original report. While this problem has now been corrected, you may still find the examples in the addendum helpful if you’re interested in getting a little extra out of the dispatch map through multiple signatures for an RPC method.