php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixed GH-18458: Authorization set with CURLOPT_USERPWD with NULL value.

Browse Source 
Close GH-18460
This commit is contained in:
David Carlier
2025-04-29 22:42:43 +01:00
parent 9c555f5a84
commit 24ab0f1ea1
3 changed files with 44 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
NEWS
View File

@@ -2,6 +2,11 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.3.22
- Curl:
. Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/
CURLOPT_PASSWORD set the Authorization header when set to NULL).
(David Carlier)
- Date:
. Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns
inaccurate sunrise and sunset times, but other calculated times are

9
ext/curl/interface.c
View File

@@ -1900,14 +1900,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
case CURLOPT_SSLKEYTYPE:
case CURLOPT_SSL_CIPHER_LIST:
case CURLOPT_USERAGENT:
case CURLOPT_USERPWD:
case CURLOPT_COOKIELIST:
case CURLOPT_FTP_ALTERNATIVE_TO_USER:
case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
case CURLOPT_PASSWORD:
case CURLOPT_PROXYPASSWORD:
case CURLOPT_PROXYUSERNAME:
case CURLOPT_USERNAME:
case CURLOPT_NOPROXY:
case CURLOPT_SOCKS5_GSSAPI_SERVICE:
case CURLOPT_MAIL_FROM:
@@ -2021,6 +2018,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
case CURLOPT_HSTS:
#endif
case CURLOPT_KRBLEVEL:
// Authorization header would be implictly set
// with an empty string thus we explictly set the option
// to null to avoid this unwarranted side effect
case CURLOPT_USERPWD:
case CURLOPT_USERNAME:
case CURLOPT_PASSWORD:
{
if (Z_ISNULL_P(zvalue)) {
error = curl_easy_setopt(ch->cp, option, NULL);

33
ext/curl/tests/gh18458.phpt Normal file
View File

@@ -0,0 +1,33 @@
--TEST--
GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
--EXTENSIONS--
curl
--SKIPIF--
<?php
include 'skipif-nocaddy.inc';
?>
--FILE--
<?php
$ch = curl_init("https://localhost/userpwd");
curl_setopt($ch, CURLOPT_USERPWD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
$response = curl_exec($ch);
var_dump(str_contains($response, "authorization"));
$ch = curl_init("https://localhost/username");
curl_setopt($ch, CURLOPT_USERNAME, null);
curl_setopt($ch, CURLOPT_PASSWORD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
$response = curl_exec($ch);
var_dump(str_contains($response, "authorization"));
?>
--EXPECTF--
%A
bool(false)
%A
bool(false)