Welcome to the homepage of "XML-RPC for PHP". It is a library implementing the XML-RPC protocol, written in PHP. It is also known as PHPXMLRPC. It is designed for ease of use, flexibility and completeness. High speed and reduced memory footprint are not the main goals of the project. Note that this is not the same library as the one that is part of PEAR. They both share a common ancestry, since the PEAR version is a branch of the original phpxmlrpc library, now independently maintained. This is also not the library which can be compiled as a php extension (xmlrpc), which has been bundled with php since version 4. PHPXMLRPC or derivative versions are or have been used in many open source projects, including Ampache, Xaraya and Drupal, the latter only up to releases 4. XML-RPC for PHP was originally developed by Edd Dumbill of Useful Information Company. As of the 1. It is hosted on GitHub since December

The latest stable release is version 4. The previous stable release is version 3. A demo server is active at the address http: It exposes functions that can be used for interoperability testing. You can see the source code here: A demo xmlrpc debugger application, built on top of this library, is active at the address http: You can use the debugger to e. GitHub home page: downloads, source code and bug tracker. See also the TODO file at http:

This was a further and proactive response to the second security breach below. All use of eval has been removed, since it was still a potential exploit. So it was written within those constraints to use eval in some of the functions called by the xml parser. Due to this usage, the server class also used eval, since it had to parse xml using the same functions. These handler functions, and the array used to maintain the content of the original message, have been rewritten to construct php values instead of building php code for evaluation. This should remove any potential for code execution.
The security vulnerability discovered by James Bercegay of GulfTech Security Research on the 27th of June has caused quite a stir. It has made it to the front page of Slashdot, and has been mentioned on Netcraft, LWN and many other sites. Detailed instructions on building exploit code have been released on the internet, and many web hosting administrators are left wondering what the best defense plan is, and what the real risks are. Here are some answers.

Features: support for creating both xmlrpc clients and servers. Fully automated or fully manual, fine-grained encoding and decoding from php values to xmlrpc. Support for UTF8, Latin-1 and ASCII character encodings; with the php mbstring extension enabled, even more character sets are supported. Support for http compression of both requests and responses, cookies, proxies, basic auth and https, ntlm auth and keepalives with the php cURL extension. Optional validation of parameter types of incoming xmlrpc requests. Support for system.

Download: the latest stable release is version 4. This is the first time - ever - that the API sees major changes, doing away with the past and starting a transition to modern-day php. Namespaces have been introduced, the default character set in use is UTF-8, support for mbstring has been added, and much more. For a complete list of changes, head on to the announcement on Github. 19th of April: released lib version 3.

Documentation: a full user manual for version 4 is not yet available; for the moment the API docs will have to do. Documentation for OLD version 3, in HTML or PDF format (note:

Development: GitHub home page, downloads, source code and bug tracker.
Mailing lists: user's mailing list - very low traffic. Developers' mailing list - discontinued as of December

Contact: see the GitHub home page for the complete list of maintainers, and to file a bug report, feature request or patch.

Roadmap: needs better documentation and lots of testing. Server side work ok, but there are known limitations with multicall support. Add to server and client the capability to emit xml in a user chosen charset instead of always using US-ASCII: OK. The server can even honour the accept-charset http header if the client sends it. Add to server the ability to display info about its API: OK. Fix echoing of client requests inside server-emitted debug messages: OK. If the client has debug enabled, this info is automatically decoded and printed to screen. Implement some benchmarks to measure e. Tests to be augmented. Complete Javadoc documentation of code: almost? Add the possibility to choose formatting of the xml messages, similar to what the php native xmlrpc extension does. Add functionality to automatically have methods exposed to client-side javascript, ie. Complete support for the JSON-RPC protocol: initial release of json-rpc added to the EXTRAS package. Many enhancements in version 2. Better support for mbstring when it's enabled. Should make e. Is there any defined standard for those? Relax NG is a definitely better alternative, but there is little support in other toolkits for using it in conjunction with a WSDL file. Support http redirects. Add to sf.

The second security breach. Scope of the problem: the bug affects the two libraries known as PEAR:: Most high-profile projects have been extremely quick in releasing new versions of their respective apps, but it will take a much longer time for every single user to update his system.
It has to be said that many applications had been shipping until recently with extremely outdated versions of the phpxmlrpc library included; a first injection bug had been fixed in without anyone apparently taking notice. This unfortunately makes it a lot harder for sysadmins to find an easy cure for the problem.

How the vulnerability works: to trigger the bug an attacker needs to have some specially crafted xml evaluated in the creation process of an xmlrpcval object. Xmlrpcval objects are created when the server script decodes xmlrpc requests, or when some php script acts as an xmlrpc client and decodes a response sent by a server. The server script is application specific, and it is often named server. Since the PHP engine runs under the same user as the web server, this is the first line of defense: if you are a public host and are not doing this, chances are your server has been rooted anyway. This prevents the php scripts from using any function you deem to be unsafe, such as system or eval. The hard block: this may of course prevent some user applications from working, so you should inform your users at the time you do it.

Some internals of the lib objects changed from version 0. The xml sent over-the-wire has changed too with respect to some older versions of the lib, in particular: A couple of new error response codes have been added, too. According to some, this actually entails a "path disclosure security breach", i. I also know for a fact that there are many places in xmlrpc.

Is this the end of the world? The reason is that there are tens of PHP applications out there that suffer from code injection exploits. Just take a look at the security track of bulletin boards.

The first security breach. With his permission it is reproduced here. Note that this exploit is fixed in revisions 1. Using the latest release of Useful Inc's php xmlrpc library, version 1.
I was able to execute arbitrary php code, and with php's safe-mode turned off, system commands. An attacker could easily use this as a gateway for launching viruses. I found the problem by modifying the server. I bypassed the standard server code, and simply echo'd responses back to the client. I was able to get the client to execute arbitrary php code. I then restored the server. I was also able to make code execute on the server, albeit requiring a slightly different syntax. The attack centers around use of php's eval function. Since I knew that the xml-rpc library uses eval to construct its data structures from xml input, it was just a matter of structuring the input xml in such a manner that it: Here is a typical xml-rpc response: Finally, here's one that will print the contents of the xmlrpc directory: Have a nice day. The server exploit is just about the same as the client, except that the server is using a different eval command, and thus it requires slightly different beginning and ending syntax to avoid php syntax errors. Here is the same code as above, but it will work against a server. It is very dangerous to have this. This else seems to be intended for numeric data, and great pains are taken to set and unset the "qt" quote variable which turns escaping on and off.

Finish coding a faster xml-rpc decoding path, for when the user wants to deal directly with native php types instead of xmlrpcval objects. Add to server and client the capability to emit xml in a user chosen charset instead of always using US-ASCII. Allow object methods to be used in the server dispatch map using the class:: Add functionality to automatically have methods exposed to client-side javascript, ie. Expand the automatic php function to xmlrpc method wrapper to take advantage of exception handling and return xmlrpc error responses. Add a possibility to use standard error messages instead of the native error codes. Add support for the system.
Some problems exist in using an XSD to strictly define xmlrpc.
