php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.4'

Browse Source
This commit is contained in:
David Carlier
2025-05-02 21:33:02 +01:00
parent 60e9fb5a1b 351face053
commit 07959fc007
2 changed files with 39 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ext/curl/interface.c
View File

@@ -1896,14 +1896,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
case CURLOPT_SSLKEYTYPE:
case CURLOPT_SSL_CIPHER_LIST:
case CURLOPT_USERAGENT:
case CURLOPT_USERPWD:
case CURLOPT_COOKIELIST:
case CURLOPT_FTP_ALTERNATIVE_TO_USER:
case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
case CURLOPT_PASSWORD:
case CURLOPT_PROXYPASSWORD:
case CURLOPT_PROXYUSERNAME:
case CURLOPT_USERNAME:
case CURLOPT_NOPROXY:
case CURLOPT_SOCKS5_GSSAPI_SERVICE:
case CURLOPT_MAIL_FROM:
@@ -1997,6 +1994,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
case CURLOPT_HSTS:
#endif
case CURLOPT_KRBLEVEL:
// Authorization header would be implictly set
// with an empty string thus we explictly set the option
// to null to avoid this unwarranted side effect
case CURLOPT_USERPWD:
case CURLOPT_USERNAME:
case CURLOPT_PASSWORD:
{
if (Z_ISNULL_P(zvalue)) {
error = curl_easy_setopt(ch->cp, option, NULL);

33
ext/curl/tests/gh18458.phpt Normal file
View File

@@ -0,0 +1,33 @@
--TEST--
GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
--EXTENSIONS--
curl
--SKIPIF--
<?php
include 'skipif-nocaddy.inc';
?>
--FILE--
<?php
$ch = curl_init("https://localhost/userpwd");
curl_setopt($ch, CURLOPT_USERPWD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
$response = curl_exec($ch);
var_dump(str_contains($response, "authorization"));
$ch = curl_init("https://localhost/username");
curl_setopt($ch, CURLOPT_USERNAME, null);
curl_setopt($ch, CURLOPT_PASSWORD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
$response = curl_exec($ch);
var_dump(str_contains($response, "authorization"));
?>
--EXPECTF--
%A
bool(false)
%A
bool(false)