path: root/modules/xmlrpc/ChangeLog

2005-06-28  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpcs.inc: fixed security vulnerability (PHP code injection) in handling of
	BASE64 vals and NAME tags

	* xmlrpc.inc, xmlrpcs.inc: catch errors in evaluated PHP code and return an
	error to the calling code in case any are found

	* testsuite.php: added a test case for caling methods without params, plus
	a couple to test the code injection fixes

	* bumped up rev number and released as 1.1.1

2005-04-24  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpcs.inc: removed charset declaration from xml prologue of responses,
	since we are now escaping all non-ascii chars in an encoding-independent way

	* bug_http.xml: modified to exercise some extra functonality of the lib
	(it should now be failed by the current PEAR implementation of the lib)

	* xmlrpc.inc: bumped up rev. number to 1.1

	* doc/xmlrpc_php.xml, doc/announce1_1.txt: documentation updates

	* Makefile: updated to reflect new xml doc source, modified filelist

2005-04-17  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* client.php, agesort.php, introspect.php, introspect_demo.php,
	which.php, test.pl, test.py: use as default target the server.php page hosted
	on phpxmlrpc.sf.net

	* server.php: fix for register_globals off; refer to docs on phpxmlrpc.sf.net

2005-04-15 Miles Lott <milos@groupwhere.org>

	code formatting and comments

2005-04-03  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: make use of global var $xmlrpcName in building User_Agent HTTP
	header (in conjunction with $xmlrpcVersion)

	* agesort.php, client.php, comment.php, dicuss.php, mail.php, server.php,
	which.php: various janitorial fixes
	+ always html escape content received from xmlrpc server or from user input
	+ make the scripts run fine with register_globals off an register_long_arrays off
	+ always use the functions php_xmlrpc_en(de)code, even if the EPI extension
	is not installed
	+ in mail.php, allow user to see script source even if support for .phps files
	is not configured in the local web server

	* testsuite.php: better detection of local webserver hostname for running tests
	against (if the user did not supply a webserver name)

2005-03-21  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpcs.inc: revert to a PHP3 compatible script (change '=& new' to '= new')

	* xmlrpc.inc: revert to a PHP3 compatible script (lottsa fixes)

	* testsuite.php: default to using local server as test target if no user
	provided values are available instead of heddley.com server

	* testsuite.php: play nice to PHP3 in retrieving user-passed values

	* testsuite.php: fix constructor method name for a type of tests

	* phpunit.php: fix all cases of call-time-pass-by-ref

	* phpunit.php: rename Exception class to _Exception if the script is run with
	PHP 5 (exception is a reserverd word)

2005-03-19  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: fixed bug in new http header parsing code in case there is
	no correct separator between response headers and body

	* xmlrpc.inc: added recognizing and stripping of HTTP/1.1 100 response headers

	* xmlrpc.inc: strip extra whitespace from response body, as well as any junk
	that comes after the last </MethodResponse> tag. It allows the server code to
	be put on public providers that add e.g. javascript advertising to served pages

	* xmlrpc.inc: removed unused parts of code, trailing whitespace

	* xmlrpc.inc: fix possible bug (?) in xmlrpc_ee for BOOLEAN values: true was
	being handled differently than false

	* testsuite.php: added a new file-based test to stress the response parsing
	modifications recently introduced; enabled debugging for file based tests

2005-03-15  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: fixed missing declaration of global vars in xmlrpc_dh,
	sendpayloadhttps and sendpayloadhttp10

	* xmlrpc.inc: changed error message for invalid responses: 'enable debugging'
	is more clear that 'enabling debugging' (the user is being encouraged to do it)

	* xmlrpc.inc: rewrote HTTP response header parsing. It should be more tolerant
	of invalid headers, give more accurate error messages and be marginally faster,
	too.

	* xmlrpc.inc: cosmetic whitespace fixes and remove useless one-liners

	* xmlrpc.inc: build a shorter PHP command line to be evaluated for rebuilding
	values from parsed xml: use '$val =& nex xmlrpcval("value")' for string values
	instead of '$val =& nex xmlrpcval("value", $xmlrpcString)'

	* xmlrpc.inc: fix change introduced 2005/01/30 moving call to curl_close()
	too early: it did not work on error situations

	* testsuite.php: fix name of testAddingTest method, renamed testErrosString
	into testErrorString and removed useless warning for register_globals=off case

2005-02-27  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: do not echo XML parsing error to screen (it is already dumped
	into error log)

	* xmlrpc.inc: set hdrs field into response object in case of XML parsing error
	(uniform behaviour with other responses)
		
2005-02-26  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: use global var $xmlrpcVersion as number for user agent string

	* xmlrpcs.inc: eliminate server side PHP wanring and give back to caller
	a better error msg in case the called method exists but no signature matches
	the number of parameters

2005-02-20  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: accept a + sign in front of floats / integers, since the spec
	clearly mentions it

	* xmlrpc.inc, xmlrpcs.inc: renamed function XmlEntities to xmlrpc_encode_entitites,
	to avoid using the same name as an array already defined

	* xmlrpc.inc: fix bug introduced with escaping of UTF8 chars in xmlrpc error
	responses: correct behaviour is to escape chars inside serialize(), not when
	calling the xmlrpcresp creator

	* testsuite.php: made test suite more friendly to modern PHP configs, allowing
	register_globals to be off and to set in the URL all testing parameters;
	added tests for newly introduced fixes; renamed existing tests acording to the
	docs inside phpunit.php (e.g. no subclass of TestCase should have a name
	starting with test...)

2005-02-19  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: accept patch 683153 by mah0: if timeout is set, allow all socket
	operations to timeout at the given time, not only the socket connection

2005-02-13  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: be tolerant to double values received in exponential notation:
	even though the spec forbids their usage PHP is fine with them

	* xmlrpc.inc: fix bug: new xmlrpcval('-1') was creating an empty value instead
	of a string value!

	* xmlrpc.inc, xmlrpcs.inc: fix the payload encoding changes introduced by
	Andres Salomon on 2004-03-17: sending named html entities inside an xml chunk
	makes it invalid, and thus renders the lib absolutely non-interoperable with
	any other xmlrpc implementation; moreover the current implementation only ever
	worked for non-ascii requests, while breaking client-parsing of responses 
	containing non-ascii chars.
	The principle of using entities is preserved though, because it allows the
	client to send correct xml regardless of php internal charset encoding vs.
	xml request charset encoding, but using 'character references' instead.

	* xmlrpc.inc: encode (non-ascii) chars into charset entities also for error
	strings

	* xmlrpcs.inc: encode (non-ascii) chars into charset entities also for debug
	messages

	* xmlrpcs.inc: added 'Accept-Charset' header in http request to let the server
	know what kind of charset encoding we do expect to be used for responses

	* xmlrpc.inc, xmlrpcs.inc: explicitly tell the xml parser what charset the
	application expects to receive content in (notably strings). A new variable,
	$xmlrpc_internalencoding, (defaulting to ISO-8859-1) defines what charset the
	parser will use for passing back string xmlrpcvals to the PHP application
	(both server-side and client-side).
	This allows transparent usage of e.g. UTF-8 for encoding xml messages between
	server and client and ISO-8859-1 for internal string handling.
	ISO-8859-1 is, AFAIK, PHP internal encoding for all installs except
	mbstring-enabled ones.

2005-02-12  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpcs.inc: use '$var =& new(' construct to assign objects: on older versions
	of PHP objects are first built then copied over if the ampersand is omitted.
	Using it should make the code a little bit faster...

	* doc/xmlrpc.php: update lib version number, release date in preparation for
	next release

	* makefile: update lib version number in preparation for next release

	* xmlrpc.inc: split up parsing of xmlrpc INT and DOUBLE values. This allows
	finer-grained control over valid values: now the '.' char is not allowed
	any more inside int values.

	* xmlrpc.inc: fix for bug #560303: ints and doubles starting with '0' chars are
	no more parsed as octal values

2005-01-30  Gaetano Giunta <giunta.gaetano@sea-aeroportimilano.it>

	* xmlrpc.inc: Modifed last change by Miles: the functions php_xmlrpc_encode
	and php_xmlrpc_decode are now always defined, regardless of the existence of
	XMLRPC-EPI.  This allows users to start using these functions as the 'default'
	functions, and pave the way for future deprecation of xmlrpc_encode/encode
	while maintaining a stable API.

	* xmlrpc.inc: use '$var =& new(' construct to assign objects: on older versions
	of PHP objects are first built then copied over if the ampersand is omitted.
	Using it should make the code a little bit faster...

	* xmlrpc.inc: close curl connection as soon as possible for https requests:
	it could save some memory / resources.

	* xmlrpc.inc: added some extra info in the PHP error log message generated 
	when an invalid xmlrpc integer/float value is encountered and we try to
	deserialize it.

	* xmlrpc.inc: added @ char before fsockopen to avoid echoing useless warnings
	when connection to server fails; added the same to avoid echoing warnings when
	deserializing data of an unknown type

	* xmlrpc.inc: reset the _xh array on each xmlrpc call: otherwise a new array
	member is created for each consecutive call and never destroyed, thus making it
	impossible to build an xmlrpc-client daemon beacuse of memory leaking.

	* xmlrpc.inc: declare global the variables that are used as 'constants',
	so that xmlrpc.inc will work even if it is included from within a function

2004-12-27  Miles Lott <milos@groupwhere.org>
	* xmlrpc.inc: A new constant, XMLRPC_EPI_ENABLED, is defined depending on
	the existence of the function, xmlrpc_decode.  This function will exist in
	PHP if the 	extension, XMLRPC-EPI (http://xmlrpc-epi.sourceforge.net), is
	loaded.  It defines the functions xmlrpc_encode and xmlrpc_decode, which
	will conflict with functions of the same name in xmlrpc.inc.  If this
	extension is loaded, we instead use the names php_xmlrpc_encode and
	php_xmlrpc_decode.  Please look at server.php, testsuite.php, etc., for
	how this should be handled if using these functions.

2003-04-17  Andres Salomon  <dilinger@voxel.net>
	* xmlrpc.inc: encode strings using htmlentities() instead of
	htmlspecialchars(), and add xmlrpc_html_entity_xlate().  This
	should fix longstanding issues with sending weird chars (from
	non-USASCII codesets like UTF-8, ISO-8859-1, etc) that caused
	the xml parser to choke.  Multi-byte chars are now changed to
	entities before sending, so that the xmlrpc server doesn't need
	to know the encoding type of the POST data.
	* xmlrpcs.inc: call xmlrpc_html_entity_xlate before parsing
	request packet.  The parser chokes on unknown entities (the
	entities created by htmlentities() are exactly that; html
	entities, not xml entities), so they must be converted from
	name form (&eacute;) to numerical form (&#233;).

2003-01-12  Andres Salomon  <dilinger@voxel.net>

	* released 1.0.99.2.
	* Makefile: separate doc/Makefile a bit more from Makefile,
	and add clean rules.

2003-01-10  Andres Salomon  <dilinger@voxel.net>

	* xmlrpc.inc: xmlrpcresp and parseResponse cleanups; variable
	name renames ('xv' to 'val', for example), type checking, and
	stricter default values.
	* xmlrpc.inc: fix xmlrpcresp's faultcode; return -1 for FAULT
	responses from the server whose faultcodes don't reflect any
	errors.

2003-01-08  Andres Salomon  <dilinger@voxel.net>

	* xmlrpc.inc: rename $_xh[$parser]['ha'] to
	$_xh[$parser]['headers'].
	* xmlrpc.inc: fix bugs related to $_xh[$parser]['headers];
	some places treated this as an array, others as a scalar.
	Treat unconditionally as an array.  Also wrap header debugging
	output in PRE tags.

2002-12-17  Andres Salomon  <dilinger@voxel.net>
	
	* released 1.0.99.
	* Makefile: changed the tarball format/dist rule to a more
	conventional form, as well as normal release updates.
	* xmlrpc.inc: added setSSLVerifyPeer and setSSLVerifyHost; as
	of curl 7.10, various certificate checks are done (by default).
	The default for CURLOPT_SSL_VERIFYHOST is to ensure the common
	name on the cert matches the provided hostname.  This breaks a
	lot of stuff, so allow users to override it.
	* doc/xmlrpc_php.sgml: updated documentation accordingly.

2002-09-06  Geoffrey T. Dairiki  <dairiki@dairiki.org>

	Add support for system.multicall() to both the client
	and the server.

	* testsuite.php: Add new tests 'testServerMulticall',
	and 'testClientMulticall'.
	
	* xmlrpc.inc: Added new error messages for system.multicall().
	* xmlrpcs.inc: Added new procedure call system.multicall().
	See http://www.xmlrpc.com/discuss/msgReader$1208 for details.

	* xmlrpc.inc: Added system.multicall functionality to
	xmlrpc_client.  xmlrpc_client::send can now take an array of
	xmlrpcmsg's as an argument.  In that case it will attempt
	to execute the whole array of procure calls in a single
	HTTP request using system.multicall().  (If that attempt fails,
	then the calls will be excuted one at a time.)  The return
	value will be an array of xmlrpcresp's (or 0 upon transport
	failure.)

2001-11-29  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpc.inc: fixed problem with processing HTTP headers that
	broke any payload with more than one consecutive newline in it.
	also initialise the 'ac' array member to empty string at start.
	* testsuite.php: added unit test to exercise above bug
	* xmlrpcs.inc: fixed uninitialized variable $plist

2001-09-25  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpc.inc: applied urgent security fixes as identified by Dan
	Libby

2001-08-27  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpc.inc: Merged in HTTPS support from Justin Miller, with a
	few additions for better traceability of failure conditions. Added
	small fix from Giancarlo Pinerolo. Bumped rev to 1.0. Changed
	license to BSD license.

2001-06-15  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpcs.inc: Added \r into return MIME headers for server class

2001-04-25  Edd Dumbill  <edd@usefulinc.com>

	* server.php: Added interop suite of methods.

2001-04-24  Edd Dumbill  <edd@usefulinc.com>

	* testsuite.php: added in test case for string handling bug.

	* xmlrpc.inc: merged in minor fixes from G Giunta to fix
	noninitialization. Created new method, getval(), which includes
	experimental support for recreating nested arrays, from Giunta and
	Sofer. Fixed string handling bug where characters after </string>
	but before </value> weren't ignored. Added in support for native
	boolean type into xmlrpc_encode (Giunta).

	* xmlrpcs.inc: updated copyright notice

2001-01-15  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpc.inc: fixed bug with creation of booleans. Put checks in
	to ensure that numbers were really numeric. Fixed bug with
	non-escaping of dollar signs in strings.

	* testsuite.php: created test suite.

2000-08-26  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpcs.inc: added xmlrpc_debugmsg() function which outputs
	debug information in comments inside the return payload XML

	* xmlrpc.inc: merged in some changes from Dan Libby which fix up
	whitespace handling.
	
	* xmlrpcs.inc: added Content-length header on response (bug from
	Jan Varga <varga@utcru.sk>. This means you can no longer print
	during processing

	* xmlrpc.inc: changed ereg_replace to str_replace in several
	places (thanks to Dan Libby <dan@libby.com> for this).

	* xmlrpc.inc: added xmlrpc_encode() and xmlrpc_decode() from Dan
	Libby--these helper routines make it easier to work in native PHP
	data structures.

2000-07-21  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpc.inc: added xmlrpc_client::setCredentials method to pass
	in authorization information, and modified sendPayload* methods to
	send this OK. Thanks to Grant Rauscher for the impetus to do this.
	Also, made the client send empty <params></params> if there are no
	parameters set by the user.

	* doc/xmlrpc_php.sgml: updated documentation to reflect recent
	changes
	

2000-07-18  Edd Dumbill  <edd@usefulinc.com>

	* server.php: added examples.invertBooleans method to server as a
	useful test method for boolean values.

	* xmlrpc.inc: rearranged the way booleans are handled to fix
	outstanding problems. Fixed calling addScalar() on arrays so it
	works. Finally fixed backslashification issues to remove the
	problem will dollar signs disappearing.

	* booltest.php: really fixed booleans this time.

2000-06-03  Edd Dumbill  <edd@usefulinc.com>

	* xmlrpcs.inc: made signature verification more useful - now
	returns what it found was wrong

	* xmlrpc.inc: fixed bug with decoding dateTimes. Also fixed a bug
	which meant a PHP syntax error happened when attempting to receive
	empty arrays or structs. Also fixed bug with booleans always being
	interpreted as 'true'.

	* server.php: Added validator1 suite of tests to test against
	validator.xmlrpc.com
	

2000-05-06  Edd Dumbill  <edd@usefulinc.com>

	* released 1.0b6

	* added test.pl and test.py, Perl and Python scripts that exercise
	server.php somewhat (but not a lot)
	
	* added extra fault condition for a non 200 OK response from the
	remote server.

	* added iso8601_encode() and iso8601_decode() to give some support
	for passing dates around. They translate to and from UNIX
	timestamps. Updated documentation accordingly.

	* fixed string backslashification -- was previously a little
	overzealous! new behavior is '\' --> '\\' and '"' -->
	'\"'. Everything else gets left alone.

2000-04-12  Edd Dumbill  <edd@usefulinc.com>

	* updated and bugfixed the documentation

	* fixed base 64 encoding to only happen at serialize() time,
	rather than when a base64 value is created. This fixes the double
	encoding bug reported by Nicolay Mausz
	<castor@flying-dog.com>. The same approach ought to be taken with
	encoding XML entities in the data - this is a TODO.

	* integrated further code from Peter Kocks: used his new code for
	send(), adding a second, optional, parameter which is a timeout
	parameter to fsockopen()

1999-10-11  Edd Dumbill  <edd@usefulinc.com>

	* added bug fixes from Peter Kocks <peter.kocks@baygate.com>

1999-10-10  Edd Dumbill  <edd@usefulinc.com>

	* updated the documentation

1999-10-08  Edd Dumbill  <edd@usefulinc.com>

	* added system.* methods and dispatcher, plus documentation

	* fixed bug which meant request::getNumParams was returning an
	incorrect value

	* added signatures into the dispatch map. This BREAKS
	COMPATIBILITY with previous releases of this code

1999-08-18  Edd Dumbill  <edd@usefulinc.com>

	* made entity encoding and decoding transparent now on string
	passing.

	* de-globalised the globals in the parse routines, using an
	associative array to hold all parser state $_xh

	* changed default input encoding to be UTF-8 to match expectation

	* separated out parseResponse into parseResponse and
	parseResponseFile so that you can call parseResponse on a string
	if you have one handy

1999-07-20  Edd Dumbill  <edd@usefulinc.com>

	* Moved documentation into Docbook format

1999-07-19  Edd Dumbill  <edd@usefulinc.com>

	* Added an echo server into server.php and echotest.php, a client
	which will exercise the new echo routine.

	* Added test for no valid value returned: in this case will now
	throw the error "invalid payload"

	* Added serialize() method to xmlrpcresp to return a string with
	the response serialized as XML

	* Added automatic encoding and decoding for base64 types

	* Added setDebug() method to client to enable HTML output
	debugging in the client

1999-07-08  Edd Dumbill  <edd@usefulinc.com>

	* Improved XML parse error reporting on the server side to send it
	back in a faultCode packet. expat errors now begin at 100
	
1999-07-07  Edd Dumbill  <edd@usefulinc.com>

	* Changed the structmem and arraymem methods of xmlrpcval to always
	return xmlrpc vals whether they referred to scalars or complex
	types.
	 
	* Added the server class and demonstrations
       
	* Fixed bugs in the XML parsing and reworked it

$Id: ChangeLog,v 1.26 2005/04/24 18:32:22 ggiunta Exp $