php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #70101 curl with digest authentication does work (all the time)
Submitted: 2015-07-19 09:51 UTC Modified: 2020-02-09 04:22 UTC
Votes:14
Avg. Score:4.2 ± 1.1
Reproduced:13 of 13 (100.0%)
Same Version:6 (46.2%)
Same OS:12 (92.3%)
From: roeycohen at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: cURL related
PHP Version: 5.6.11 OS: windows and linux
Private report: No CVE-ID: None
View Developer Edit
 [2015-07-19 09:51 UTC] roeycohen at gmail dot com 
Description:
------------
trying to use curl_exec with digest authentication does not work properly.
running the test script always fails to pass the security challenge.
using the browser or wget directly works perfectly.

also, trying to run the same test on another server of mine, works from an amazon linux with php 5.5.21 but does not work from my windows 7 x64 machine with php 5.6.11.

trying to run the test with php 5.5 or 5.4 using CLI on several windows machines caused a complete crush of the php executable.

it seems like bug #69088 is related, but this bug also happens on linux (5.5).


Test script:
---------------
<?
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	CURLOPT_USERPWD => 'test_user:password',
	CURLOPT_URL => 'http://test_user:password@httpbin.org/digest-auth/auth/user/password',
	CURLOPT_HEADER => true,
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);

Expected result:
----------------
{
  "authenticated": true, 
  "user": "user"
}

Actual result:
--------------
"Authentication failed" (with header 401)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-20 10:51 UTC] laruence@php.net 
which version of lib curl do you use?

I can not reproduce this error(it works fine with lib curl 7.22.0) here
 [2015-07-20 10:52 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-07-20 10:57 UTC] roeycohen at gmail dot com
-Status: Feedback +Status: Open
 [2015-07-20 10:57 UTC] roeycohen at gmail dot com 
according to phpinfo(), i have curl version 7.42.1.

i am using php 5.6.11 downloaded from here: 
http://windows.php.net/downloads/releases/php-5.6.11-nts-Win32-VC11-x86.zip
 [2015-08-10 10:06 UTC] luca dot horn at gmail dot com 
I am experiencing same problem on PHP 5.6.12 x86, cURL 7.42.1, Windows 8.1 x64.
It instead seems to work as expected on my Ubuntu machine (running PHP 5.6.11 and cURL 7.35.0).
 [2015-10-26 16:21 UTC] dougk dot ff7 at gmail dot com 
On Windows specifically, this seems to be related to the change to using SSPI with  cURL.  curl_sasl_sspi.c adds "Curl_override_sspi_http_realm()" in curl-7.43.0. Going all the way back to php-5.3.29 works (php-5.4 through php-5.5 crash due to the aforementioned bug).  Building my own version of cURL based on 7.43.0 (from [1]) and building it into php-5.6.14 manually works as expected.

Note that this only explains the Windows case of this issue (where Realm is sent back to the server as an empty string).  This can be verified using CURLOPT_VERBOSE = true.

[1] https://github.com/winlibs/cURL
 [2015-10-26 16:46 UTC] dougk dot ff7 at gmail dot com 
One other note: it seems curl in general is having issues with httpbin's digest test service (I have the same issues with both curl and wget on the command line)... this one seems to work fine (hosted by webdav.org), though it returns a 404:

<?php
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	#CURLOPT_USERPWD => 'user:passwd',
	#CURLOPT_URL => 'http://httpbin.org/digest-auth/auth/user/passwd',
	CURLOPT_USERPWD => 'user1:user1',
	CURLOPT_URL => 'http://test.webdav.org/auth-digest',
	CURLOPT_HEADER => true,
        CURLOPT_VERBOSE => true
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);
?>
 [2015-10-26 17:37 UTC] dougk dot ff7 at gmail dot com 
One last post, with working httpbin.org support (note that they test for the presence of a fake cookie -- instead of setting up a cookie jar, I've just passed back the fake cookie):

<?php
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	CURLOPT_USERPWD => 'user:passwd',
	CURLOPT_URL => 'http://httpbin.org/digest-auth/auth/user/passwd',
	CURLOPT_HEADER => true,
        CURLOPT_VERBOSE => true,
        CURLOPT_COOKIE => 'fake=fake_value'
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);
?>
 [2015-12-28 16:33 UTC] gohel at basicguru dot de 
I have the same problem with PHP-clients/scripts and the CalDAV/SabreDAV-framework (also included in Owncloud, Baikal, etc.) on my Apache 2.4.17 (Win32/VC11 from Apachelounge on Win7/64).

I've played a little bit with different versions of the PHP 5.6.x releases and found the following:

php_curl.dll  <= v5.6.4     - no problems
php_curl.dll  v5.6.5/v5.6.6 - crash with Auth_Digest
php_curl.dll  => v5.6.7     - Auth_Digest failed

The bug is also in the PHP 5.5 release and PHP 5.4 (last stable PHP_CURL.DLL I've found in v5.4.36)
 [2017-07-01 07:56 UTC] gohel at basicguru dot de 
I am experiencing same problem now on PHP 7.0.20 x86, Windows x64. 

It instead to work as expected on the same PHP installation, but with the Curl-Lib from PHP 7.0.14.
 [2020-01-27 12:13 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2020-01-27 12:13 UTC] cmb@php.net 
The given test script works as expected for me with PHP-7.3 using
7.67.0.  Can anybody else still reproduce the reported issue with
any of the supported PHP versions[1] using a somewhat recent
libcurl?

[1] <https://www.php.net/supported-versions.php>
 [2020-02-09 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Nov 25 09:01:30 2024 UTC