Debian Bug report logs - #883747
php7.0-xmlrpc: Wrong numeric entities conversion in xmlrpc_encode_request


Package: libxmlrpc-epi0; Maintainer for libxmlrpc-epi0 is Robin Cornelius <robin.cornelius@gmail.com>; Source for libxmlrpc-epi0 is src:xmlrpc-epi (PTS, buildd, popcon).

Reported by: Mathieu Petit-Clair <mathieu@temlaz.ws>

Date: Thu, 7 Dec 2017 06:27:01 UTC

Severity: normal

Found in version xmlrpc-epi/0.54.2-1.2



Report forwarded to debian-bugs-dist@lists.debian.org, mathieu@temlaz.ws, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#883747; Package php7.0-xmlrpc. (Thu, 07 Dec 2017 06:27:03 GMT)


Acknowledgement sent to Mathieu Petit-Clair <mathieu@temlaz.ws>:
New Bug report received and forwarded. Copy sent to mathieu@temlaz.ws, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 07 Dec 2017 06:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Mathieu Petit-Clair <mathieu@temlaz.ws>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php7.0-xmlrpc: Wrong numeric entities conversion in xmlrpc_encode_request
Date: Thu, 07 Dec 2017 14:26:15 +0800
Package: php7.0-xmlrpc
Version: 7.0.26-1
Severity: normal

Dear Maintainer,

There is a bug in the xmlrpc extension when calling xmlrpc_encode() with
a range of characters.

To reproduce using php -a :

echo xmlrpc_encode('Π');

Result in sid:

<?xml version="1.0" encoding="utf-8"?>
<params>
<param>
 <value>
  <string>&#26;&#160;</string>
 </value>
</param>
</params>

Expected:

The value in <string>...</string> should be &#206;&#160; (note the extra
zero).

The good value can also be found on http://graphemica.com/%CE%A0 as the
"URL Escape Code", as seen in this URL and by
converting 206 to 0xCE and 160 to 0xA0.

We got the expected result by compiling PHP ourselves, which makes this
look like a Debian specific bug.

PHP bug 28597 - https://bugs.php.net/bug.php?id=28597 - provides a
solution to this issue, but does not appear to prevent it in this case.

Thanks for your help,


-- Package-specific info:
==== Additional PHP 7.0 information ====

++++ PHP @PHP_VERSION SAPI (php7.0query -S): ++++

++++ PHP 7.0 Extensions (php7.0query -M -v): ++++

++++ Configuration files: ++++
**** /etc/php/7.0/mods-available/xmlrpc.ini ****
extension=xmlrpc.so


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_GB (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php7.0-xmlrpc depends on:
ii  libc6           2.25-3
ii  libxml2         2.9.4+dfsg1-5.1
ii  libxmlrpc-epi0  0.54.2-1.2
ii  php-common      1:56
ii  php7.0-common   7.0.26-1
ii  ucf             3.0036

php7.0-xmlrpc recommends no packages.

php7.0-xmlrpc suggests no packages.

Versions of packages php7.0-common depends on:
ii  libc6       2.25-3
ii  libssl1.1   1.1.0g-2
ii  php-common  1:56
ii  ucf         3.0036

Versions of packages php7.0-cli depends on:
ii  libc6            2.25-3
ii  libedit2         3.1-20170329-1
ii  libmagic1        1:5.32-1
ii  libpcre3         2:8.39-8
ii  libssl1.1        1.1.0g-2
ii  libxml2          2.9.4+dfsg1-5.1
ii  mime-support     3.60
ii  php7.0-common    7.0.26-1
ii  php7.0-json      7.0.26-1
ii  php7.0-opcache   7.0.26-1
ii  php7.0-readline  7.0.26-1
ii  tzdata           2017c-1
ii  ucf              3.0036
ii  zlib1g           1:1.2.8.dfsg-5

Versions of packages php7.0-cli suggests:
ii  php-pear  1:1.10.5+submodules+notgz-1

Versions of packages libapache2-mod-php7.0 depends on:
ii  apache2-bin [apache2-api-20120211]  2.4.29-1
ii  libc6                               2.25-3
ii  libmagic1                           1:5.32-1
ii  libpcre3                            2:8.39-8
ii  libssl1.1                           1.1.0g-2
ii  libxml2                             2.9.4+dfsg1-5.1
ii  mime-support                        3.60
ii  php7.0-cli                          7.0.26-1
ii  php7.0-common                       7.0.26-1
ii  php7.0-json                         7.0.26-1
ii  php7.0-opcache                      7.0.26-1
ii  tzdata                              2017c-1
ii  ucf                                 3.0036
ii  zlib1g                              1:1.2.8.dfsg-5

Versions of packages libapache2-mod-php7.0 recommends:
ii  apache2  2.4.29-1

Versions of packages libapache2-mod-php7.0 suggests:
ii  php-pear  1:1.10.5+submodules+notgz-1

-- no debconf information
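
The truncation reported in the message above (`&#26;` where `&#206;` is expected), as an added illustration that is not code from xmlrpc-epi, PHP or the reporter. `entity_buggy` is a constructed formatter showing one way such output can arise (a zero tens digit is dropped), `entity_decimal` is the reference, and `count_bad` is a round-trip check over every byte 0x80..0xFF; all names are hypothetical.

```c
#include <stdio.h>
/* Constructed formatter: skips the tens digit when the remainder is < 10. */
static int entity_buggy(char *out, unsigned char c)
{
    char *p = out + sprintf(out, "&#");
    if (c >= 100) { *p++ = (char)('0' + c / 100); c %= 100; }
    if (c >= 10)  { *p++ = (char)('0' + c / 10);  c %= 10; }
    *p++ = (char)('0' + c); *p++ = ';'; *p = '\0';
    return (int)(p - out);
}

/* Reference formatter: plain decimal conversion of the byte value. */
static int entity_decimal(char *out, unsigned char c)
{
    return sprintf(out, "&#%u;", (unsigned)c);
}

typedef int (*entity_fn)(char *, unsigned char);
/* Replace every byte >= 0x80 with a numeric entity; copy ASCII unchanged. */
static void escape_high_bytes(const char *in, char *out, entity_fn fn)
{
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x80) out += fn(out, c);
        else *out++ = (char)c;
    }
    *out = '\0';
}

/* Round-trip check: count bytes 0x80..0xFF whose entity parses back wrong. */
static int count_bad(entity_fn fn)
{
    int bad = 0;
    for (int c = 0x80; c <= 0xFF; c++) {
        char buf[8];
        unsigned v = 0;
        fn(buf, (unsigned char)c);
        if (sscanf(buf, "&#%u;", &v) != 1 || v != (unsigned)c) bad++;
    }
    return bad;
}

int main(void)
{
    char bad[32], good[32];
    escape_high_bytes("\xCE\xA0", bad, entity_buggy); /* U+03A0 as UTF-8 */
    escape_high_bytes("\xCE\xA0", good, entity_decimal);
    printf("%s vs %s, %d bad bytes\n", bad, good, count_bad(entity_buggy));
    return 0;
}
```

A round-trip loop of this kind, pointed at the real encoder's output, works as a regression test for a patched library build.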

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#883747; Package php7.0-xmlrpc. (Thu, 07 Dec 2017 08:27:03 GMT)


Acknowledgement sent to Mathieu Petit-Clair <mathieu@temlaz.ws>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 07 Dec 2017 08:27:03 GMT)


Message #10 received at 883747@bugs.debian.org:

From: Mathieu Petit-Clair <mathieu@temlaz.ws>
To: 883747@bugs.debian.org
Subject: Debian links with xmlrpc-epi which is not patched
Date: Thu, 07 Dec 2017 16:17:01 +0800
Hi,

Upon further research, we see that PHP links with libxmlrpc-epi0, which 
does not have the patch mentioned earlier. The fix was not sent 
upstream apparently, so is only present in PHP's version.

I guess this bug could be reassigned to libxmlrpc-epi0, which could 
hopefully include PHP's patch.

Thanks,

Mathieu



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#883747; Package php7.0-xmlrpc. (Thu, 07 Dec 2017 08:51:04 GMT)


Acknowledgement sent to Lior Kaplan <kaplan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 07 Dec 2017 08:51:04 GMT)


Message #15 received at 883747@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: control@bugs.debian.org
Cc: 883747@bugs.debian.org
Subject: reassign #883747 to libxmlrpc-epi0
Date: Thu, 7 Dec 2017 10:47:34 +0200
reassign 883747 libxmlrpc-epi0  0.54.2-1.2
thanks

Patch used in PHP patch is at
https://github.com/php/php-src/commit/98a6986d97fd2d09fef2c4b870f6d77b5d29efe0

Kaplan

Bug reassigned from package 'php7.0-xmlrpc' to 'libxmlrpc-epi0'. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 08:51:06 GMT)


No longer marked as found in versions php7.0/7.0.26-1. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 08:51:07 GMT)


Marked as found in versions xmlrpc-epi/0.54.2-1.2. Request was from Lior Kaplan <kaplan@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 08:51:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Robin Cornelius <robin.cornelius@gmail.com>:
Bug#883747; Package libxmlrpc-epi0. (Tue, 25 Sep 2018 07:45:04 GMT)


Acknowledgement sent to Thomas Zwirner <TZwirner@viosys.com>:
Extra info received and forwarded to list. Copy sent to Robin Cornelius <robin.cornelius@gmail.com>. (Tue, 25 Sep 2018 07:45:04 GMT)


Message #26 received at 883747@bugs.debian.org:

From: Thomas Zwirner <TZwirner@viosys.com>
To: "883747@bugs.debian.org" <883747@bugs.debian.org>
Subject: Debian links with libxmlrpc-epi0 which is still not patched
Date: Tue, 25 Sep 2018 09:33:30 +0200
Hi,

This bug is still present in actual Debian 9 libxmlrpc-epi0. To reproduce, simply follow the steps above.

Used libxmlrpc-epi0:amd64 in version 0.54.2-1.2

Could you please fix this problem?





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:46:54 2023; Machine Name: buxtehude
