update xmlrpc to v4.11.2

dleffler · dleffler · commit f76cf6bb9c98 · 2025-06-25T07:39:07.000-04:00
diff --git a/external/xmlrpc/NEWS.md b/external/xmlrpc/NEWS.md
@@ -1,3 +1,21 @@
+## XML-RPC for PHP version 4.11.2 - 2025/6/20
+
+* fixed: the Client would not honour the timeout when in Socket mode (issue #127, thanks to @dima-bzzz for PR #84)
+
+* fixed: the Client would use a timeout off by 1 second when in CURL mode
+
+* fixed: the Client would not honour options set via `OPT_EXTRA_SOCKET_OPTS`
+
+* fixed: teach the vm.sh script how to properly configure test envs using Ubuntu versions from xenial (16) to noble (24)
+
+* improved: default the local testing container to using PHP 8.1 on Ubuntu Jammy
+
+* improved: make the vm.sh script more amenable to be used in parallel / quickly switching between different test envs
+
+* improved: added script `tests/ci/matrix.sh` to run the testsuite locally against a matrix of environments, kinda
+  like the test matrix which is run on commit on github
+
+
 ## XML-RPC for PHP version 4.11.1 - 2025/1/17
 
 * fixed: removed one warning emitted by the Server on php 8.4 and later (issue #125, thanks @ziegenberg)
diff --git a/external/xmlrpc/README.md b/external/xmlrpc/README.md
@@ -61,5 +61,5 @@ Use of this software is subject to the terms in the [license.txt](license.txt) f
 [![Latest Stable Version](https://poser.pugx.org/phpxmlrpc/phpxmlrpc/v/stable)](https://packagist.org/packages/phpxmlrpc/phpxmlrpc)
 [![Total Downloads](https://poser.pugx.org/phpxmlrpc/phpxmlrpc/downloads)](https://packagist.org/packages/phpxmlrpc/phpxmlrpc)
 
-[![Build Status](https://github.com/gggeek/phpxmlrpc/actions/workflows/ci.yaml/badge.svg)](https://github.com/gggeek/phpxmlrpc/actions/workflows/ci.yml)
+[![Build Status](https://github.com/gggeek/phpxmlrpc/actions/workflows/ci.yaml/badge.svg)](https://github.com/gggeek/phpxmlrpc/actions/workflows/ci.yaml)
 [![Code Coverage](https://codecov.io/gh/gggeek/phpxmlrpc/branch/master/graph/badge.svg)](https://app.codecov.io/gh/gggeek/phpxmlrpc)
diff --git a/external/xmlrpc/src/Client.php b/external/xmlrpc/src/Client.php
@@ -143,9 +143,12 @@ class Client
      */
     protected $verifyhost = 2;
     /**
-     * @var int
+     * @var int Corresponds to CURL_SSLVERSION_DEFAULT. Other CURL_SSLVERSION_ values are supported when in curl mode,
+     *          and in socket mode different values from 0 to 7, matching the corresponding curl value. Old php versions
+     *          do not support all values, php 5.4 and 5.5 do not support any in fact.
+     *          NB: please do not use any version lower than TLS 1.3 (value: 7) as they are considered insecure.
      */
-    protected $sslversion = 0; // corresponds to CURL_SSLVERSION_DEFAULT. Other  CURL_SSLVERSION_ values are supported
+    protected $sslversion = 0;
     /**
      * @var string
      */
@@ -582,9 +585,12 @@ public function setSSLVerifyHost($i)
     }
 
     /**
-     * Set attributes for SSL communication: SSL version to use. Best left at 0 (default value): let cURL decide
+     * Set attributes for SSL communication: SSL version to use. Best left at 0 (default value): let PHP decide.
      *
-     * @param int $i see  CURL_SSLVERSION_ constants
+     * @param int $i use CURL_SSLVERSION_ constants. When in socket mode, use the same values: 2 (SSLv2) to 7 (TLSv1.3),
+     *               0 for auto (note that old php versions do not support all TLS versions).
+     *               Note that, in curl mode, the actual ssl version in use might be higher than requested.
+     *               NB: please do not use any version lower than TLS 1.3 as they are considered insecure.
      * @return $this
      * @deprecated use setOption
      */
@@ -713,6 +719,7 @@ public function setCurlOptions($options)
 
     /**
      * @param int $useCurlMode self::USE_CURL_ALWAYS, self::USE_CURL_AUTO or self::USE_CURL_NEVER
+     *                         In 'auto' mode, curl is picked up based on features used, such as fe. NTLM auth, or https
      * @return $this
      * @deprecated use setOption
      */
@@ -724,7 +731,6 @@ public function setUseCurl($useCurlMode)
         return $this;
     }
 
-
     /**
      * Set user-agent string that will be used by this client instance in http headers sent to the server.
      *
@@ -745,7 +751,8 @@ public function setUserAgent($agentString)
     /**
      * @param null|int $component allowed values: PHP_URL_SCHEME, PHP_URL_HOST, PHP_URL_PORT, PHP_URL_PATH
      * @return string|int Notes: the path component will include query string and fragment; NULL is a valid value for port
-     *                    (in which case the default port for http/https will be used);
+     *                    (in which case the default port for http/https will be used); the url scheme component will
+     *                    reflect the `$method` used in the constructor, so it might not be http or https
      * @throws ValueErrorException on unsupported component
      */
     public function getUrl($component = null)
@@ -796,7 +803,10 @@ public function getUrl($component = null)
      *                         will be used. If that is 0, a platform specific timeout will apply.
      *                         This timeout value is passed to fsockopen(). It is also used for detecting server
      *                         timeouts during communication (i.e. if the server does not send anything to the client
-     *                         for $timeout seconds, the connection will be closed).
+     *                         for $timeout seconds, the connection will be closed). When in CURL mode, this is the
+     *                         CURL timeout.
+     *                         NB: in both CURL and Socket modes, some conditions might lead to the client not
+     *                        respecting the given timeout. Eg. if the network is not connected
      * @param string $method deprecated. Use the same value in the constructor instead.
      *                       Valid values are 'http', 'http11', 'https', 'h2' and 'h2c'. If left empty,
      *                       the http protocol chosen during creation of the object will be used.
@@ -839,12 +849,17 @@ public function send($req, $timeout = 0, $method = '')
         // where req is a Request
         $req->setDebug($this->debug);
 
-        /// @todo we could be smarter about this and not force usage of curl for https if not present as well as use the
-        ///       presence of curl_extra_opts or socket_extra_opts as a hint
+        /// @todo we could be smarter about this:
+        ///       - not force usage of curl if it is not present
+        ///       - not force usage of curl for https (minor BC)
+        ///       - use the presence of curl_extra_opts or socket_extra_opts as a hint
         $useCurl = ($this->use_curl == self::USE_CURL_ALWAYS) || ($this->use_curl == self::USE_CURL_AUTO && (
             in_array($method, array('https', 'http11', 'h2c', 'h2')) ||
             ($this->username != '' && $this->authtype != 1) ||
             ($this->proxy != '' && $this->proxy_user != '' && $this->proxy_authtype != 1)
+            // uncomment the following if not forcing curl always for 'https'
+            //|| ($this->sslversion == 7 && PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION == '7.3')
+            //|| ($this->sslversion != 0 && PHP_MAJOR_VERSION < 6)
         ));
 
         // BC - we go through sendPayloadCURL/sendPayloadSocket in case some subclass reimplemented those
@@ -978,20 +993,32 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
             $connectServer = $opts['proxy'];
             $connectPort = $opts['proxyport'];
             $transport = 'tcp';
-            /// @todo check: should we not use https in some cases?
-            $uri = 'http://' . $server . ':' . $port . $path;
+            $protocol = $method;
+            if ($method === 'http10' || $method === 'http11') {
+                $protocol = 'http';
+            } elseif ($method === 'h2') {
+                $protocol = 'https';
+            } else if (strpos($protocol, ':') !== false) {
+                $this->getLogger()->error('XML-RPC: ' . __METHOD__ . ": warning - attempted hacking attempt?. The protocol requested for the call is: '$protocol'");
+                return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['unsupported_option'], PhpXmlRpc::$xmlrpcerr['unsupported_option'] .
+                    " attempted hacking attempt?. The protocol requested for the call is: '$protocol'");
+            }
+            /// @todo this does not work atm (tested at least with an http proxy forwarding to an https server) - we
+            ///       should implement the CONNECT protocol
+            $uri = $protocol . '://' . $server . ':' . $port . $path;
             if ($opts['proxy_user'] != '') {
                 if ($opts['proxy_authtype'] != 1) {
                     $this->getLogger()->error('XML-RPC: ' . __METHOD__ . ': warning. Only Basic auth to proxy is supported with HTTP 1.0');
                     return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['unsupported_option'],
-                        PhpXmlRpc::$xmlrpcerr['unsupported_option'] . ': only Basic auth to proxy is supported with HTTP 1.0');
+                        PhpXmlRpc::$xmlrpcerr['unsupported_option'] . ': only Basic auth to proxy is supported with socket transport');
                 }
                 $proxyCredentials = 'Proxy-Authorization: Basic ' . base64_encode($opts['proxy_user'] . ':' .
                     $opts['proxy_pass']) . "\r\n";
             }
         } else {
             $connectServer = $server;
             $connectPort = $port;
+            /// @todo should we add support for 'h2' method? If so, is it 'tls' or 'tcp' ?
             $transport = ($method === 'https') ? 'tls' : 'tcp';
             $uri = $path;
         }
@@ -1014,7 +1041,8 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
         }
 
         // omit port if default
-        if (($port == 80 && in_array($method, array('http', 'http10'))) || ($port == 443 && $method == 'https')) {
+        /// @todo add handling of http2, h2c in case they start being supported by fosckopen
+        if (($port == 80 && in_array($method, array('http', 'http10', 'http11'))) || ($port == 443 && $method == 'https')) {
             $port = '';
         } else {
             $port = ':' . $port;
@@ -1059,27 +1087,35 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
             $contextOptions['ssl']['verify_peer_name'] = $opts['verifypeer'];
 
             if ($opts['sslversion'] != 0) {
-                /// @see https://www.php.net/manual/en/function.curl-setopt.php, https://www.php.net/manual/en/migration56.openssl.php
+                /// @see https://www.php.net/manual/en/curl.constants.php,
+                ///      https://www.php.net/manual/en/function.stream-socket-enable-crypto.php
+                ///      https://www.php.net/manual/en/migration56.openssl.php,
+                ///      https://wiki.php.net/rfc/improved-tls-constants
                 switch($opts['sslversion']) {
-                    /// @todo what does this map to? 1.0-1.3?
-                    //case 1: // TLSv1
-                    //    break;
+                    case 1: // TLSv1x
+                        if (version_compare(PHP_VERSION, '7.2.0', '>=')) {
+                            $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_TLS_CLIENT;
+                        } else {
+                            return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['unsupported_option'],
+                                PhpXmlRpc::$xmlrpcerr['unsupported_option'] . ': TLS-any only is supported with PHP 7.2 or later');
+                        }
+                        break;
                     case 2: // SSLv2
                         $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv2_CLIENT;
                         break;
                     case 3: // SSLv3
                         $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_SSLv3_CLIENT;
                         break;
-                    case 4: // TLSv1.0
+                    case 4: // TLSv1.0 - not always available?
                         $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
                         break;
-                    case 5: // TLSv1.1
+                    case 5: // TLSv1.1 - not always available?
                         $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
                         break;
-                    case 6: // TLSv1.2
+                    case 6: // TLSv1.2 - not always available?
                         $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
                         break;
-                    case 7: // TLSv1.3
+                    case 7: // TLSv1.3 - not always available
                         if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
                             $contextOptions['ssl']['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
                         } else {
@@ -1094,7 +1130,7 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
             }
         }
 
-        foreach ($opts['extracurlopts'] as $proto => $protoOpts) {
+        foreach ($opts['extrasockopts'] as $proto => $protoOpts) {
             foreach ($protoOpts as $key => $val) {
                 $contextOptions[$proto][$key] = $val;
             }
@@ -1111,6 +1147,13 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
         $this->errno = 0;
         $this->errstr = '';
 
+        /// @todo using `error_get_last` does not give us very detailed messages for connections errors, eg. for ssl
+        ///       problems on php 5.6 we get 'Connect error: stream_socket_client(): unable to connect to tls://localhost:443 (Unknown error) (0)',
+        ///       versus the more detailed warnings 'PHP Warning:  stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
+        ///         error:0A0C0103:SSL routines::internal error in /home/docker/workspace/src/Client.php on line 1121
+        ///         PHP Warning:  stream_socket_client(): Failed to enable crypto in /home/docker/workspace/src/Client.php on line 1121
+        ///         PHP Warning:  stream_socket_client(): unable to connect to tls://localhost:443 (Unknown error) in /home/docker/workspace/src/Client.php on line 1121'
+        ///       This could be obviated by removing the `@` and capturing warnings via ob_start and co
         $fp = @stream_socket_client("$transport://$connectServer:$connectPort", $this->errno, $this->errstr, $connectTimeout,
             STREAM_CLIENT_CONNECT, $context);
         if ($fp) {
@@ -1124,24 +1167,40 @@ protected function sendViaSocket($req, $method, $server, $port, $path, $opts)
             }
 
             $this->errstr = 'Connect error: ' . $this->errstr;
-            $r = new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['http_error'], $this->errstr . ' (' . $this->errno . ')');
-
-            return $r;
+            return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['http_error'], $this->errstr . ' (' . $this->errno . ')');
         }
 
+        /// @todo from here onwards, we can inject the results of stream_get_meta_data in the response. We could
+        ///       do that f.e. only in new debug level 3, or starting at v1
+
         if (!fputs($fp, $op, strlen($op))) {
             fclose($fp);
             $this->errstr = 'Write error';
             return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['http_error'], $this->errstr);
         }
 
+        $info = stream_get_meta_data($fp);
+        if ($info['timed_out']) {
+            fclose($fp);
+            $this->errstr = 'Write timeout';
+            return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['http_error'], $this->errstr);
+        }
+
         // Close socket before parsing.
         // It should yield slightly better execution times, and make easier recursive calls (e.g. to follow http redirects)
         $ipd = '';
         do {
             // shall we check for $data === FALSE?
             // as per the manual, it signals an error
             $ipd .= fread($fp, 32768);
+
+            $info = stream_get_meta_data($fp);
+            if ($info['timed_out']) {
+                fclose($fp);
+                $this->errstr = 'Read timeout';
+                return new static::$responseClass(0, PhpXmlRpc::$xmlrpcerr['http_error'], $this->errstr);
+            }
+
         } while (!feof($fp));
         fclose($fp);
 
@@ -1364,11 +1423,13 @@ protected function createCURLHandle($req, $method, $server, $port, $path, $opts)
         $headers[] = 'Expect:';
 
         curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
-        // timeout is borked
+        // previous note: "timeout is borked" (on some old php/curl versions? It seems to work on 8.1. Maybe the issue
+        // has to do with dns resolution...)
         if ($opts['timeout']) {
-            curl_setopt($curl, CURLOPT_TIMEOUT, $opts['timeout'] == 1 ? 1 : $opts['timeout'] - 1);
+            curl_setopt($curl, CURLOPT_TIMEOUT, $opts['timeout']);
         }
 
+        // nb: for 'https' we leave it up to curl to decide
         switch ($method) {
             case 'http10':
                 curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
@@ -1495,7 +1556,7 @@ protected function createCURLHandle($req, $method, $server, $port, $path, $opts)
      *                         docs for the send() method". Please use setOption instead to set a timeout
      * @param string $method deprecated. Was: "the http protocol variant to be used. See the details in the docs for the send() method."
      *                       Please use the constructor to set an http protocol variant.
-     * @param boolean $fallback deprecated. Was: "w"hen true, upon receiving an error during multicall, multiple single
+     * @param boolean $fallback deprecated. Was: "when true, upon receiving an error during multicall, multiple single
      *                          calls will be attempted"
      * @return Response[]
      */
@@ -1712,6 +1773,8 @@ private function _try_multicall($reqs, $timeout, $method)
     // *** BC layer ***
 
     /**
+     * NB: always goes via socket, never curl
+     *
      * @deprecated
      *
      * @param Request $req
@@ -1740,6 +1803,8 @@ protected function sendPayloadHTTP10($req, $server, $port, $timeout = 0, $userna
     }
 
     /**
+     * NB: always goes via curl, never socket
+     *
      * @deprecated
      *
      * @param Request $req
@@ -1798,7 +1863,7 @@ protected function sendPayloadHTTPS($req, $server, $port, $timeout = 0, $usernam
      * @param string $method 'http' (synonym for 'http10'), 'http10' or 'https'
      * @param string $key
      * @param string $keyPass @todo not implemented yet.
-     * @param int $sslVersion @todo not implemented yet. See http://php.net/manual/en/migration56.openssl.php
+     * @param int $sslVersion
      * @return Response
      */
     protected function sendPayloadSocket($req, $server, $port, $timeout = 0, $username = '', $password = '',
diff --git a/external/xmlrpc/src/Helper/XMLParser.php b/external/xmlrpc/src/Helper/XMLParser.php
@@ -279,8 +279,8 @@ public function parse($data, $returnType = self::RETURN_XMLRPCVALS, $accept = 3,
         } catch (\Error $e) {
             xml_parser_free($parser);
             $this->current_parsing_options = array();
-                //$this->accept = $prevAccept;
-                /// @todo should we set $this->_xh['isf'] and $this->_xh['isf_reason'] ?
+            //$this->accept = $prevAccept;
+            /// @todo should we set $this->_xh['isf'] and $this->_xh['isf_reason'] ?
             throw $e;
         }
 
diff --git a/external/xmlrpc/src/PhpXmlRpc.php b/external/xmlrpc/src/PhpXmlRpc.php
@@ -119,7 +119,7 @@ class PhpXmlRpc
     /**
      * @var string
      */
-    public static $xmlrpcVersion = "4.11.1";
+    public static $xmlrpcVersion = "4.11.2";
 
     /**
      * @var int
diff --git a/external/xmlrpc/src/Server.php b/external/xmlrpc/src/Server.php
