From bb431f124c95b9ba003f15df1ad6fbbe768ec7c8 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Tue, 29 Apr 2025 22:41:32 +0100 Subject: [PATCH] Fixed GH-18458: `Authorization` set with CURLOPT_USERPWD with NULL value. --- ext/curl/interface.c | 18 +++++++++++++++++- ext/curl/tests/gh18458.phpt | 20 ++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 ext/curl/tests/gh18458.phpt diff --git a/ext/curl/interface.c b/ext/curl/interface.c index fe647dbafd4..dd4e0db3d77 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1900,7 +1900,6 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue case CURLOPT_SSLKEYTYPE: case CURLOPT_SSL_CIPHER_LIST: case CURLOPT_USERAGENT: - case CURLOPT_USERPWD: case CURLOPT_COOKIELIST: case CURLOPT_FTP_ALTERNATIVE_TO_USER: case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5: @@ -1998,6 +1997,23 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue return ret; } + case CURLOPT_USERPWD: + { + if (Z_ISNULL_P(zvalue)) { + // Authorization header would be implictly set + // with an empty string thus we explictly set the option + // to null to avoid this unwarranted side effect + error = curl_easy_setopt(ch->cp, option, NULL); + } else { + zend_string *tmp_str; + zend_string *str = zval_get_tmp_string(zvalue, &tmp_str); + zend_result ret = php_curl_option_str(ch, option, ZSTR_VAL(str), ZSTR_LEN(str)); + zend_tmp_string_release(tmp_str); + return ret; + } + break; + } + /* Curl nullable string options */ case CURLOPT_CUSTOMREQUEST: case CURLOPT_FTPPORT: diff --git a/ext/curl/tests/gh18458.phpt b/ext/curl/tests/gh18458.phpt new file mode 100644 index 00000000000..34be6797e48 --- /dev/null +++ b/ext/curl/tests/gh18458.phpt @@ -0,0 +1,20 @@ +--TEST-- +GH-18458 authorization header is set despite CURLOPT_USERPWD set to null +--EXTENSIONS-- +curl +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false)
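Review bot: The new `case CURLOPT_USERPWD:` body in the second hunk of ext/curl/interface.c looks like a copy of the handling for the "Curl nullable string options" group that begins directly below it. That group's body is outside the hunk, but if it already does the `Z_ISNULL_P(zvalue)` to `curl_easy_setopt(ch->cp, option, NULL)` branch, adding `case CURLOPT_USERPWD:` to that list would keep a single copy of the credential-clearing path. The comment should also be tightened and its spelling fixed ("implictly", "explictly"), for example `// Pass NULL through to libcurl: converting it to "" sets empty credentials and an Authorization header is still sent`. Because the fix exists so that callers can clear credentials on a reused handle, it is worth checking whether other credential options still handled by the plain string list (for example `CURLOPT_PROXYUSERPWD`, if it is routed there) still turn NULL into an empty string. The NULL branch exits through `break` and depends on the `error` handling after the switch, which is not visible in this hunk.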