Authorization header added after using curl_setopt to set CURLOPT_USERPWD to null #18458

Open
youngj opened this issue Apr 29, 2025 · 1 comment

youngj commented Apr 29, 2025

Description

The following code:

```php
<?php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.example.com/test");
curl_setopt($ch, CURLOPT_USERPWD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);
```

Resulted in this output:

```
...
> GET /test HTTP/2
Host: www.example.com
authorization: Basic Og==
accept: */*
...
```

But I expected this output instead:

```
...
> GET /test HTTP/2
Host: www.example.com
accept: */*
...
```

In PHP versions 8.1.19 and older, the HTTP request is sent without the Authorization header, as expected. Starting in PHP version 8.1.20 (and continuing to the most recent PHP version), the HTTP request is sent with an Authorization header set to "Basic Og==". "Og==" is the Base64-encoded string ":".

Although sending an extra Authorization header to services that don't expect it usually does not cause any problems, it can cause errors when making HTTP requests to services that support multiple authentication methods (e.g. authentication via URL query parameters or POST parameters). In this case, a service may reject the request because of the invalid credentials in the Authorization header.

PHP version 8.1.20 is the first version that uses libcurl 7.88.1. Previous versions used libcurl 7.74.0 where this error did not occur. I think that this issue was introduced in curl/curl#8451.

It seems that in older versions, libcurl treated null and empty-string values of the CURLOPT_USERPWD option the same way, but subsequently empty-string values would cause the Authorization header to be set. Arguably this could be considered a breaking change with libcurl rather than an issue in PHP's curl extension. However, it seems that when setting CURLOPT_USERPWD to null from PHP, PHP internally converts the null to an empty string when calling libcurl, so there doesn't appear to be any way from PHP to remove the CURLOPT_USERPWD option from an existing curl handle, other than by not setting the CURLOPT_USERPWD option at all.

PHP Version

```
PHP 8.4.6 (cli) (built: Apr 28 2025 21:46:53) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.4.6, Copyright (c) Zend Technologies
```

Operating System

No response

@devnexen devnexen self-assigned this Apr 29, 2025
devnexen added a commit to devnexen/php-src that referenced this issue Apr 29, 2025
devnexen added a commit that referenced this issue Apr 29, 2025
@devnexen devnexen reopened this Apr 29, 2025
devnexen added a commit to devnexen/php-src that referenced this issue Apr 30, 2025

youngj commented Apr 30, 2025

@devnexen Thanks for looking into this!

Also, the same issue occurs when setting the CURLOPT_USERNAME option to null.
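
A caller-side workaround and a check for the behaviour reported in this thread, as an added example that is not part of the issue, php-src, or libcurl. The helper names `apply_curl_options()` and `has_empty_basic_auth()` are hypothetical, the header block is a constructed sample modelled on the verbose output quoted above, and the handle is assumed to be freshly created (skipping an option does not clear a value set earlier on a reused handle).

```php
<?php
// Added example: the helper names below are hypothetical, not part of PHP or libcurl.

/** Set options on a fresh handle, skipping credential options that are null. */
function apply_curl_options(CurlHandle $ch, array $options): array
{
    $skipped = [];
    foreach ($options as $option => $value) {
        // According to the issue, a null value for these options results in
        // an "authorization: Basic Og==" header, so never pass it on.
        if ($value === null && in_array($option, [CURLOPT_USERPWD, CURLOPT_USERNAME], true)) {
            $skipped[] = $option;
            continue;
        }
        curl_setopt($ch, $option, $value);
    }
    return $skipped;
}

/** True if a request header block has a Basic Authorization header for ":". */
function has_empty_basic_auth(string $requestHeaders): bool
{
    foreach (preg_split('/\r?\n/', $requestHeaders) as $line) {
        if (preg_match('/^authorization:\s*basic\s+(\S+)\s*$/i', $line, $m)
            && base64_decode($m[1], true) === ':') {
            return true;
        }
    }
    return false;
}

// Constructed sample, modelled on the verbose output quoted in the issue.
$sampleRequest = "GET /test HTTP/2\nHost: www.example.com\nauthorization: Basic Og==\naccept: */*\n";

$ch = curl_init();
$skipped = apply_curl_options($ch, [
    CURLOPT_URL            => 'https://www.example.com/test',
    CURLOPT_USERPWD        => null, // no credentials configured for this call
    CURLOPT_RETURNTRANSFER => true,
]);

// Was CURLOPT_USERPWD withheld from libcurl?
var_dump($skipped === [CURLOPT_USERPWD]);
// Does the sample request carry empty Basic credentials?
var_dump(has_empty_basic_auth($sampleRequest));
```

On a live handle, the request headers that were actually sent can be fed to the check by setting `CURLINFO_HEADER_OUT` to `true` before `curl_exec()` and reading `curl_getinfo($ch, CURLINFO_HEADER_OUT)` afterwards.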
