Commit 24ab0f1

committed

Fixed GH-18458: Authorization set with CURLOPT_USERPWD with NULL value.

1 parent 9c555f5 commit 24ab0f1Copy full SHA for 24ab0f1

File tree

+44

-3

lines changed

+44

-3

lines changed

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,11 @@ PHP NEWS`
`2`	`2`	`\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|`
`3`	`3`	`?? ??? ????, PHP 8.3.22`
`4`	`4`
	`5`	`+- Curl:`
	`6`	`+ . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/`
	`7`	`+ CURLOPT_PASSWORD set the Authorization header when set to NULL).`
	`8`	`+ (David Carlier)`
	`9`	`+`
`5`	`10`	`- Date:`
`6`	`11`	`. Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns`
`7`	`12`	`inaccurate sunrise and sunset times, but other calculated times are`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1900,14 +1900,11 @@ static zend_result _php_curl_setopt(php_curl ch, zend_long option, zval zvalue`
`1900`	`1900`	`case CURLOPT_SSLKEYTYPE:`
`1901`	`1901`	`case CURLOPT_SSL_CIPHER_LIST:`
`1902`	`1902`	`case CURLOPT_USERAGENT:`
`1903`		`- case CURLOPT_USERPWD:`
`1904`	`1903`	`case CURLOPT_COOKIELIST:`
`1905`	`1904`	`case CURLOPT_FTP_ALTERNATIVE_TO_USER:`
`1906`	`1905`	`case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:`
`1907`		`- case CURLOPT_PASSWORD:`
`1908`	`1906`	`case CURLOPT_PROXYPASSWORD:`
`1909`	`1907`	`case CURLOPT_PROXYUSERNAME:`
`1910`		`- case CURLOPT_USERNAME:`
`1911`	`1908`	`case CURLOPT_NOPROXY:`
`1912`	`1909`	`case CURLOPT_SOCKS5_GSSAPI_SERVICE:`
`1913`	`1910`	`case CURLOPT_MAIL_FROM:`
`@@ -2021,6 +2018,12 @@ static zend_result _php_curl_setopt(php_curl ch, zend_long option, zval zvalue`
`2021`	`2018`	`case CURLOPT_HSTS:`
`2022`	`2019`	`#endif`
`2023`	`2020`	`case CURLOPT_KRBLEVEL:`
	`2021`	`+ // Authorization header would be implictly set`
	`2022`	`+ // with an empty string thus we explictly set the option`
	`2023`	`+ // to null to avoid this unwarranted side effect`
	`2024`	`+ case CURLOPT_USERPWD:`
	`2025`	`+ case CURLOPT_USERNAME:`
	`2026`	`+ case CURLOPT_PASSWORD:`
`2024`	`2027`	`{`
`2025`	`2028`	`if (Z_ISNULL_P(zvalue)) {`
`2026`	`2029`	`error = curl_easy_setopt(ch->cp, option, NULL);`

Lines changed: 33 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,33 @@`
	`1`	`+--TEST--`
	`2`	`+GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)`
	`3`	`+--EXTENSIONS--`
	`4`	`+curl`
	`5`	`+--SKIPIF--`
	`6`	`+<?php`
	`7`	`+include 'skipif-nocaddy.inc';`
	`8`	`+?>`
	`9`	`+--FILE--`
	`10`	`+<?php`
	`11`	`+`
	`12`	`+$ch = curl_init("https://localhost/userpwd");`
	`13`	`+curl_setopt($ch, CURLOPT_USERPWD, null);`
	`14`	`+curl_setopt($ch, CURLOPT_VERBOSE, true);`
	`15`	`+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);`
	`16`	`+curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));`
	`17`	`+$response = curl_exec($ch);`
	`18`	`+var_dump(str_contains($response, "authorization"));`
	`19`	`+`
	`20`	`+$ch = curl_init("https://localhost/username");`
	`21`	`+curl_setopt($ch, CURLOPT_USERNAME, null);`
	`22`	`+curl_setopt($ch, CURLOPT_PASSWORD, null);`
	`23`	`+curl_setopt($ch, CURLOPT_VERBOSE, true);`
	`24`	`+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);`
	`25`	`+curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));`
	`26`	`+$response = curl_exec($ch);`
	`27`	`+var_dump(str_contains($response, "authorization"));`
	`28`	`+?>`
	`29`	`+--EXPECTF--`
	`30`	`+%A`
	`31`	`+bool(false)`
	`32`	`+%A`
	`33`	`+bool(false)`

Comments

(0)