Fixed GH-18458: Authorization set with CURLOPT_USERPWD with NULL value.

devnexen · devnexen · commit 24ab0f1ea10b · 2025-05-02T21:31:50.000+01:00
Close GH-18460
diff --git a/NEWS b/NEWS
@@ -2,6 +2,11 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.22
 
+- Curl:
+  . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/
+    CURLOPT_PASSWORD set the Authorization header when set to NULL).
+    (David Carlier)
+
 - Date:
   . Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns
     inaccurate sunrise and sunset times, but other calculated times are
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
@@ -1900,14 +1900,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 		case CURLOPT_SSLKEYTYPE:
 		case CURLOPT_SSL_CIPHER_LIST:
 		case CURLOPT_USERAGENT:
-		case CURLOPT_USERPWD:
 		case CURLOPT_COOKIELIST:
 		case CURLOPT_FTP_ALTERNATIVE_TO_USER:
 		case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
-		case CURLOPT_PASSWORD:
 		case CURLOPT_PROXYPASSWORD:
 		case CURLOPT_PROXYUSERNAME:
-		case CURLOPT_USERNAME:
 		case CURLOPT_NOPROXY:
 		case CURLOPT_SOCKS5_GSSAPI_SERVICE:
 		case CURLOPT_MAIL_FROM:
@@ -2021,6 +2018,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 		case CURLOPT_HSTS:
 #endif
 		case CURLOPT_KRBLEVEL:
+		// Authorization header would be implictly set
+		// with an empty string thus we explictly set the option
+		// to null to avoid this unwarranted side effect
+		case CURLOPT_USERPWD:
+		case CURLOPT_USERNAME:
+		case CURLOPT_PASSWORD:
 		{
 			if (Z_ISNULL_P(zvalue)) {
 				error = curl_easy_setopt(ch->cp, option, NULL);
diff --git a/ext/curl/tests/gh18458.phpt b/ext/curl/tests/gh18458.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
+--EXTENSIONS--
+curl
+--SKIPIF--
+<?php
+include 'skipif-nocaddy.inc';
+?>
+--FILE--
+<?php
+
+$ch = curl_init("https://localhost/userpwd");
+curl_setopt($ch, CURLOPT_USERPWD, null);
+curl_setopt($ch, CURLOPT_VERBOSE, true);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
+$response = curl_exec($ch);
+var_dump(str_contains($response, "authorization"));
+
+$ch = curl_init("https://localhost/username");
+curl_setopt($ch, CURLOPT_USERNAME, null);
+curl_setopt($ch, CURLOPT_PASSWORD, null);
+curl_setopt($ch, CURLOPT_VERBOSE, true);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
+$response = curl_exec($ch);
+var_dump(str_contains($response, "authorization"));
+?>
+--EXPECTF--
+%A
+bool(false)
+%A
+bool(false)
