Bug #70101 curl with digest authentication does work (all the time)
Submitted: 2015-07-19 09:51 UTC Modified: 2015-07-20 10:57 UTC
Votes:9
Avg. Score:3.9 ± 1.3
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:8 (88.9%)
From: roeycohen at gmail dot com Assigned:
Status: Open Package: cURL related
PHP Version: 5.6.11 OS: windows and linux
Private report: No CVE-ID: None
 [2015-07-19 09:51 UTC] roeycohen at gmail dot com
Description:
------------
trying to use curl_exec with digest authentication does not work properly.
running the test script always fails to pass the security challenge.
using the browser or wget directly works perfectly.

also, trying to run the same test on another server of mine, works from an amazon linux with php 5.5.21 but does not work from my windows 7 x64 machine with php 5.6.11.

trying to run the test with php 5.5 or 5.4 using CLI on several windows machines caused a complete crash of the php executable.

it seems like bug #69088 is related, but this bug also happens on linux (5.5).


Test script:
---------------
<?php
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	CURLOPT_USERPWD => 'test_user:password',
	CURLOPT_URL => 'http://test_user:password@httpbin.org/digest-auth/auth/user/password',
	CURLOPT_HEADER => true,
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);

Expected result:
----------------
{
  "authenticated": true, 
  "user": "user"
}

Actual result:
--------------
"Authentication failed" (with header 401)

 [2015-07-20 10:51 UTC] laruence@php.net
which version of lib curl do you use?

I cannot reproduce this error (it works fine with lib curl 7.22.0) here
 [2015-07-20 10:52 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-07-20 10:57 UTC] roeycohen at gmail dot com
-Status: Feedback +Status: Open
 [2015-07-20 10:57 UTC] roeycohen at gmail dot com
according to phpinfo(), i have curl version 7.42.1.

i am using php 5.6.11 downloaded from here: 
http://windows.php.net/downloads/releases/php-5.6.11-nts-Win32-VC11-x86.zip
 [2015-08-10 10:06 UTC] luca dot horn at gmail dot com
I am experiencing the same problem on PHP 5.6.12 x86, cURL 7.42.1, Windows 8.1 x64.
It instead seems to work as expected on my Ubuntu machine (running PHP 5.6.11 and cURL 7.35.0).
 [2015-10-26 16:21 UTC] dougk dot ff7 at gmail dot com
On Windows specifically, this seems to be related to the change to using SSPI with  cURL.  curl_sasl_sspi.c adds "Curl_override_sspi_http_realm()" in curl-7.43.0. Going all the way back to php-5.3.29 works (php-5.4 through php-5.5 crash due to the aforementioned bug).  Building my own version of cURL based on 7.43.0 (from [1]) and building it into php-5.6.14 manually works as expected.

Note that this only explains the Windows case of this issue (where Realm is sent back to the server as an empty string).  This can be verified using CURLOPT_VERBOSE = true.

[1] https://github.com/winlibs/cURL
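
The empty-realm symptom described in the comment above can be checked mechanically from a CURLOPT_VERBOSE log (for instance one captured by pointing CURLOPT_STDERR at a stream). This is an added example, not code from the thread or from PHP/cURL; the function names, the realm, nonce and response values, and the sample log are constructed for illustration.

```php
<?php
// Added diagnostic example (PHP 7+). Function names and the log are constructed.

// Parse key="value" / key=token pairs from a Digest header value.
// Simplification: quoted values containing escaped quotes are not handled.
function parse_digest_params(string $value): array
{
    $params = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', $value, $pairs, PREG_SET_ORDER);
    foreach ($pairs as $p) {
        $token = $p[3] ?? '';
        $params[strtolower($p[1])] = $token !== '' ? $token : ($p[2] ?? '');
    }
    return $params;
}

// Compare the realm the server offered with the realm the client sent back.
function check_digest_realm(string $verboseLog): array
{
    $seen = ['www-authenticate' => null, 'authorization' => null];
    // The "< " / "> " direction prefix is treated as optional.
    $re = '/^(?:[<>] )?(WWW-Authenticate|Authorization):\s*Digest\s+(.*)$/mi';
    preg_match_all($re, $verboseLog, $headers, PREG_SET_ORDER);
    foreach ($headers as $h) {
        $seen[strtolower($h[1])] = parse_digest_params($h[2]); // keep the last of each
    }
    $offered = $seen['www-authenticate']['realm'] ?? null;
    $sent    = $seen['authorization']['realm'] ?? null;
    return [
        'offered_realm' => $offered,
        'sent_realm'    => $sent,
        'realm_ok'      => $offered !== null && $offered === $sent,
    ];
}

// Constructed verbose log showing the failure mode: realm echoed back empty.
$sampleLog = <<<'LOG'
> GET /digest-auth/auth/user/passwd HTTP/1.1
Host: httpbin.org

< HTTP/1.1 401 UNAUTHORIZED
< WWW-Authenticate: Digest realm="example-realm", nonce="0123456789abcdef", qop="auth"
> GET /digest-auth/auth/user/passwd HTTP/1.1
Authorization: Digest username="user", realm="", nonce="0123456789abcdef", uri="/digest-auth/auth/user/passwd", response="00000000000000000000000000000000", qop=auth
LOG;

var_export(check_digest_realm($sampleLog));
```

A `realm_ok` of `false` with an empty `sent_realm` matches the Windows/SSPI case described above; a mismatch with a non-empty realm points elsewhere.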
 [2015-10-26 16:46 UTC] dougk dot ff7 at gmail dot com
One other note: it seems curl in general is having issues with httpbin's digest test service (I have the same issues with both curl and wget on the command line)... this one seems to work fine (hosted by webdav.org), though it returns a 404:

<?php
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	#CURLOPT_USERPWD => 'user:passwd',
	#CURLOPT_URL => 'http://httpbin.org/digest-auth/auth/user/passwd',
	CURLOPT_USERPWD => 'user1:user1',
	CURLOPT_URL => 'http://test.webdav.org/auth-digest',
	CURLOPT_HEADER => true,
	CURLOPT_VERBOSE => true
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);
?>
 [2015-10-26 17:37 UTC] dougk dot ff7 at gmail dot com
One last post, with working httpbin.org support (note that they test for the presence of a fake cookie -- instead of setting up a cookie jar, I've just passed back the fake cookie):

<?php
$curl = curl_init();

$curl_options = [
	CURLOPT_HTTPAUTH => CURLAUTH_ANY,
	
	CURLOPT_USERPWD => 'user:passwd',
	CURLOPT_URL => 'http://httpbin.org/digest-auth/auth/user/passwd',
	CURLOPT_HEADER => true,
	CURLOPT_VERBOSE => true,
	CURLOPT_COOKIE => 'fake=fake_value'
];
curl_setopt_array($curl, $curl_options);

curl_exec($curl);
curl_close($curl);
?>
 [2015-12-28 16:33 UTC] gohel at basicguru dot de
I have the same problem with PHP-clients/scripts and the CalDAV/SabreDAV-framework (also included in Owncloud, Baikal, etc.) on my Apache 2.4.17 (Win32/VC11 from Apachelounge on Win7/64).

I've played a little bit with different versions of the PHP 5.6.x releases and found the following:

php_curl.dll  <= v5.6.4     - no problems
php_curl.dll  v5.6.5/v5.6.6 - crash with Auth_Digest
php_curl.dll  => v5.6.7     - Auth_Digest failed

The bug is also in the PHP 5.5 release and PHP 5.4 (last stable PHP_CURL.DLL I've found in v5.4.36)
 [2017-07-01 07:56 UTC] gohel at basicguru dot de
I am experiencing the same problem now on PHP 7.0.20 x86, Windows x64.

It instead seems to work as expected on the same PHP installation, but with the Curl-Lib from PHP 7.0.14.
 
Last updated: Sun Nov 17 00:01:34 2019 UTC