gSOAP Toolkit / Bugs / #1302 Wrong envelope handling

#1302 Wrong envelope handling

Milestone: v1.0 (example)

Status: closed-invalid

Owner: Robert van Engelen

Labels: None

Priority: 5

Updated: 2023-03-22

Created: 2021-12-12

Creator: Denis Porfiryev

Private: No

There is a bug in soap_envelope_begin_in: when request body doesn't contain "SOAP-ENV:Envelope" or "Envelope" tag, it returns status as an error. In my case it's SOAP_POST which is greater than SOAP_STOP. That leads to silent closing of socket without sending any response.

soap_envelope_begin_in(struct soap *soap)
{
  soap->part = SOAP_IN_ENVELOPE;
  if (soap_element_begin_in(soap, "SOAP-ENV:Envelope", 0, NULL))
  {
    if (soap->error == SOAP_TAG_MISMATCH)
    {
      if (!soap_element_begin_in(soap, "Envelope", 0, NULL))
        soap->error = SOAP_VERSIONMISMATCH;
      else if (soap->status == 0
           || (soap->status >= 200 && soap->status <= 299)
           || soap->status == 400
           || soap->status == 500)
        return SOAP_OK; /* allow non-SOAP (REST) XML content to be captured */

      soap->error = soap->status; //<--- this line looks strange 
    }

The mentioned line overrides "soap->error = SOAP_VERSIONMISMATCH" result. I guess the line should be removed so the function returned SOAP_VERSIONMISMATCH when "Envelope" tag exists and SOAP_TAG_MISMATCH (resulting error of the second soap_element_begin_in) when no "Envelope" or "SOAP-ENV:Envelope" tags exist in the body. I've tried removing it and now I got "Validation constraint violation: tag name or namespace mismatch in element 'raml'" response on bad-body requests, which looks good for me.

Discussion

Robert van Engelen - 2023-03-21

This logic is required for SOAP 1.1/1.2 standard compliance. A version mismatch must be reported if the SOAP namespace does not match. In that case it is not a validation constraint error.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Denis Porfiryev - 2023-03-22
  
  Silent closing of socket without sending error response is a bug!
  
  If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Robert van Engelen - 2023-03-21

status: open --> closed-invalid

assigned_to: Robert van Engelen
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Robert van Engelen - 2023-03-22

Not sure where you get that information from. The engine does not silently close the socket. When an error occurs, the server logic responds with an Fault message and then closes the socket, See the code in soap_begin_serve() that is responsible for this. The logic can be improved with a minor change to capture SOAP mismatch errors only when the element tag is qualified:

if (!soap_element_begin_in(soap, ":Envelope", 0, NULL)) return soap->error = SOAP_VERSIONMISMATCH;
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Denis Porfiryev - 2023-03-22

It did close the socket when I reported the bug, not sure how the code was changed since than. I got that from a project I worked at.
Adding return looks very close to removing that strange-looking line as in that case the line will not get control and the only difference is what soap_envelope_begin_in does after if blocks. If that's enough please add the change to the project's source code.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Wrong envelope handling

Development toolkit for Web Services and XML data bindings for C & C++

Group

Searches

Help

#1302 Wrong envelope handling

Discussion