Fix GH-12423: Changed to prioritize DSN authentication information over arguments.

SakiTakamachi · devnexen · commit b5c287e4b4c4 · 2023-10-15T20:24:30.000+01:00
Added connection test Close GH-12424
diff --git a/NEWS b/NEWS
@@ -16,6 +16,10 @@ Intl:
 Opcache:
   . Added large shared segments support for FreeBSD. (David Carlier)
 
+PDO_PGSQL:
+  . Fixed GH-12423, DSN credentials being prioritized over the user/password
+    PDO constructor arguments. (SakiTakamachi)
+
 PGSQL:
   . Added the possibility to have no conditions for pg_select. (OmarEmaraDev)
 
diff --git a/UPGRADING b/UPGRADING
@@ -26,6 +26,10 @@ PHP 8.4 UPGRADE NOTES
     Consult sections 2. New Features and 6. New Functions for a list of
     newly implemented methods and constants.
 
+- PDO_PGSQL:
+  . The DSN's credentials, when set, are given priority over their PDO
+    constructor counterparts, being closer to the documentation states.
+
 - SimpleXML:
   . Get methods called, or casting to a string on a SimpleXMLElement will no
     longer implicitly reset the iterator data, unless explicitly rewound.
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
@@ -1281,8 +1281,8 @@ static int pdo_pgsql_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{
 	}
 
 	/* escape username and password, if provided */
-	tmp_user = _pdo_pgsql_escape_credentials(dbh->username);
-	tmp_pass = _pdo_pgsql_escape_credentials(dbh->password);
+	tmp_user = !strstr((char *) dbh->data_source, "user=") ? _pdo_pgsql_escape_credentials(dbh->username) : NULL;
+	tmp_pass = !strstr((char *) dbh->data_source, "password=") ? _pdo_pgsql_escape_credentials(dbh->password) : NULL;
 
 	/* support both full connection string & connection string + login and/or password */
 	if (tmp_user && tmp_pass) {
diff --git a/ext/pdo_pgsql/tests/gh12423.phpt b/ext/pdo_pgsql/tests/gh12423.phpt
@@ -0,0 +1,78 @@
+--TEST--
+GitHub #12424 (Fix GH-12423: [pdo_pgsql] Changed to prioritize DSN authentication information over arguments.)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded');
+require __DIR__ . '/../../../ext/pdo/tests/pdo_test.inc';
+require __DIR__ . '/config.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require __DIR__ . '/config.inc';
+
+[
+    'ENV' => [
+        'PDOTEST_DSN' => $dsnWithCredentials,
+        'PDOTEST_USER' => $user,
+        'PDOTEST_PASS' => $password,
+    ],
+] = __DIR__ . '/common.phpt';
+
+$dsn = str_replace(" user={$user} password={$password}", '', $dsnWithCredentials);
+
+echo "dsn without credentials / correct user / correct password\n";
+try {
+    $db = new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with credentials / no user / no password\n";
+try {
+    $db = new PDO("{$dsn} user={$user} password={$password}", null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct user / incorrect user / correct password\n";
+try {
+    $db = new PDO("{$dsn} user={$user}", 'hoge', $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct password / correct user / incorrect password\n";
+try {
+    $db = new PDO("{$dsn} password={$password}", $user, 'fuga', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct credentials / incorrect user / incorrect password\n";
+try {
+    $db = new PDO("{$dsn} user={$user} password={$password}", 'hoge', 'fuga', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECT--
+dsn without credentials / correct user / correct password
+Connected.
+
+dsn with credentials / no user / no password
+Connected.
+
+dsn with correct user / incorrect user / correct password
+Connected.
+
+dsn with correct password / correct user / incorrect password
+Connected.
+
+dsn with correct credentials / incorrect user / incorrect password
+Connected.

Original file line number	Diff line number	Diff line change
`@@ -1281,8 +1281,8 @@ static int pdo_pgsql_handle_factory(pdo_dbh_t dbh, zval driver_options) /* {{{`
`1281`	`1281`	`}`
`1282`	`1282`
`1283`	`1283`	`/* escape username and password, if provided */`
`1284`		`- tmp_user = _pdo_pgsql_escape_credentials(dbh->username);`
`1285`		`- tmp_pass = _pdo_pgsql_escape_credentials(dbh->password);`
	`1284`	`+ tmp_user = !strstr((char *) dbh->data_source, "user=") ? _pdo_pgsql_escape_credentials(dbh->username) : NULL;`
	`1285`	`+ tmp_pass = !strstr((char *) dbh->data_source, "password=") ? _pdo_pgsql_escape_credentials(dbh->password) : NULL;`
`1286`	`1286`
`1287`	`1287`	`/* support both full connection string & connection string + login and/or password */`
`1288`	`1288`	`if (tmp_user && tmp_pass) {`