"ext-curl": "Needed for HTTPS, HTTP2 and HTTP 1.1 support, NTLM Auth etc...",
"ext-zlib": "Needed for sending compressed requests and receiving compressed responses, if cURL is not available",
"ext-mbstring": "Needed to allow reception of requests/responses in character sets other than ASCII,LATIN-1,UTF-8",
- "phpxmlrpc/extras": "Adds more featured Server classes and other useful bits",
+ "phpxmlrpc/extras": "Adds more featured Server classes, including self-documenting and ajax-enabled servers",
"phpxmlrpc/jsonrpc": "Adds support for the JSON-RPC protocol"
},
"scripts": {
__NB__ These files are meant for _demo_ purposes. They should _not_ be dumped onto a production web server where they are
directly accessible by the public at large. We take absolutely _no responsibility_ for any consequences if you do that.
+
+## More demos
+
+Please take a look at the demo code in the phpxmlrpc/extras package for more examples of cool Server functionality,
+such as having a server generate html documentation for all its xml-rpc methods, act as a reverse proxy, or generate
+javascript code to call the xml-rpc methods it exposes.
+
+See: https://github.com/gggeek/phpxmlrpc-extras/tree/master/demo
// let the xml-rpc server know that the method-handler functions expect plain php values
$srv->functions_parameters_type = 'phpvals';
-// let code exceptions float all the way to the remote caller as xml-rpc faults - it helps debugging
-$srv->exception_handling = 1;
+// let code exceptions float all the way to the remote caller as xml-rpc faults - it helps debugging.
+// At the same time, it opens a wide security hole, and should never be enabled on public or production servers...
+//$srv->exception_handling = 1;
// NB: take care not to output anything else after this call, as it will mess up the responses and it will be hard to
// debug. In case you have to do so, at least re-emit a correct Content-Length http header (requires output buffering)
$s->setDebug(3);
// Out-of-band information: let the client manipulate the server operations.
-// We do this to help the testsuite script: do not reproduce in production!
+// We do this to help the testsuite script: *** do not reproduce in production or public environments! ***
if (defined('TESTMODE')) {
if (isset($_GET['RESPONSE_ENCODING'])) {
$s->response_charset_encoding = $_GET['RESPONSE_ENCODING'];
facilitate debugging is to use the server's `SetDebug` method with debug level 3 (see <<setdebug>>).
Exceptions thrown during execution of handler functions are caught by default and an XML-RPC error response is generated
-instead. This behaviour can be fine-tuned by usage of the `$exception_handling` server property (see <<exception_handling>>).
+instead. This behaviour can be fine-tuned by usage of the `$exception_handling` server property (see <<exception_handling>>);
+please be aware that allowing publicly accessible servers to return the information from php exceptions as part of
+the xml-rpc response is a sure way to get hacked.
===== Manual type conversion
false
);
$srv->functions_parameters_type = 'phpvals';
-$srv->exception_handling = 1;
$srv->service();
----
* to return an xml-rpc error, the method handler function must return an instance of Response. The only other way for the
server to know when an error response should be served to the client is to throw an exception and set the server's
- `exception_handling` member var to 1 (as shown above);
+ `exception_handling` member var to 1 (but please not that this is generally a _very bad idea_ for servers with public
+ access);
* to return a base64 value, the method handler function must encode it on its own, creating an instance of a Value
object;
This property controls the behaviour of the server when an exception is thrown by a method handler php function. Valid
values: 0,1,2, with 0 being the default. At level 0, the server catches the exception and returns an 'internal error'
xml-rpc response; at 1 it catches the exception and returns an xml-rpc response with the error code and error message
-corresponding to the exception that was thrown; at 2, the exception is floated to the upper layers in the code.
+corresponding to the exception that was thrown - never enable it for publicly accessible servers!; at 2, the exception
+is floated to the upper layers in the code - which hopefully do not display it to end users.
===== $response_charset_encoding
Please note that similar results to the above, i.e. adding to the server's dispatch map an existing php function which
is not aware of xml-rpc, can be obtained without the Wrapper class and the need for introspection, simply by setting
-`+$server->unctions_parameters_type = 'phpvals'+`
and `+$server->exception_handling = 1+` (see chapter <<autoserver>>).
+`+$server->unctions_parameters_type = 'phpvals'+` (see chapter <<autoserver>>).
The main difference is that, using the Wrapper class, you get for free the documentation for the xmlrpc-method.
==== wrapPhpClass
/**
* @var int
* Controls whether the server is going to echo debugging messages back to the client as comments in response body.
+ * SECURITY SENSITIVE!
* Valid values:
* 0 =
* 1 =
* @var int
* Controls behaviour of server when the invoked method-handler function throws an exception (within the `execute` method):
* 0 = catch it and return an 'internal error' xmlrpc response (default)
- * 1 = catch it and return an xmlrpc response with the error corresponding to the exception
+ * 1 = SECURITY SENSITIVE DO NOT ENABLE ON PUBLIC SERVERS!!! catch it and return an xmlrpc response with the error
+ * corresponding to the exception, both its code and message.
* 2 = allow the exception to float to the upper layers
*/
public $exception_handling = 0;
}
}
} catch (\Exception $e) {
- // (barring errors in the lib) an uncatched exception happened in the called function, we wrap it in a
+ // (barring errors in the lib) an uncaught exception happened in the called function, we wrap it in a
// proper error-response
switch ($this->exception_handling) {
case 2:
$r = new Response(0, PhpXmlRpc::$xmlrpcerr['server_error'], PhpXmlRpc::$xmlrpcstr['server_error']);
}
} catch (\Error $e) {
- // (barring errors in the lib) an uncatched exception happened in the called function, we wrap it in a
+ // (barring errors in the lib) an uncaught exception happened in the called function, we wrap it in a
// proper error-response
switch ($this->exception_handling) {
case 2:
git://git.onelab.eu / plcapi.git / commitdiff