Bug #9730 When following redirects, username and password ignored
Submitted: 2001-03-13 19:50 UTC Modified: 2001-07-22 16:07 UTC
From: edink at proventum dot net Assigned:
Status: Closed Package: *URL Functions
PHP Version: 4.0 Latest CVS (13/03/2001) OS: Linux
Private report: No CVE-ID: None
 [2001-03-13 19:50 UTC] edink at proventum dot net
fopen() and friends when opening "http://user:pass@site"  do not send username and password when following a redirect.

This patch would solve the problem:

Index: http_fopen_wrapper.c
===================================================================
RCS file: /repository/php4/ext/standard/http_fopen_wrapper.c,v
retrieving revision 1.7
diff -u -3 -p -r1.7 http_fopen_wrapper.c
--- http_fopen_wrapper.c	2001/02/26 06:07:17	1.7
+++ http_fopen_wrapper.c	2001/03/13 18:45:50
@@ -71,9 +71,9 @@
 FILE *php_fopen_url_wrap_http(char *path, char *mode, int options, int *issock, int *socketd, char **opened_path)
 {
 	FILE *fp=NULL;
-	php_url *resource=NULL;
+	php_url *resource=NULL, *resource_new=NULL;
 	char tmp_line[128];
-	char location[512];
+	char location[512], location_new[512];
 	char hdr_line[8192];
 	int body = 0;
 	char *scratch;
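Review bot: location_new[512] in the declarations is the same size as location[512], yet in the next hunk it has to hold the redirect target plus the "user:pass@" prefix and an explicit port. A long Location value will be cut off by snprintf/strlcat and the truncated URL requested with no warning. Size the buffer for the added credentials, or check the snprintf/strlcat return values and fail with a warning on truncation.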
@@ -269,12 +269,42 @@ FILE *php_fopen_url_wrap_http(char *path
 	if (!reqok) {
 		SOCK_FCLOSE(*socketd);
 		*socketd = 0;
-		free_url(resource);
 		if (location[0] != '\0') {
 			zval **response_header_new, *entry, **entryp;
+
+			if (resource->user == NULL || resource->pass == NULL) {
+			  strcpy(location_new, location);
+			} else {   /* we have username and password */
+			  resource_new = url_parse((char *) location);
+			  if (resource_new == NULL) {
+			    php_error(E_WARNING, "Invalid redirect URL, %s", location);
+			    *issock = BAD_URL;
+			    free_url(resource);
+			    return NULL;
+			  }
+
+			  /* use port 80 if one wasn't specified */
+			  if (resource_new->port == 0) {
+			    resource_new->port = 80;
+			  }
+
+			  snprintf (location_new, sizeof(location_new), "http://%s:%s@%s:%d", resource->user, resource->pass, resource_new->host, resource_new->port);
+
+			  if (resource_new->path != NULL) {
+			    strlcat (location_new, resource_new->path, sizeof (location_new));
+			  }
+			  if (resource_new->query != NULL) {
+			    strlcat (location_new, "?", sizeof(location_new));
+			    strlcat (location_new, resource_new->query , sizeof(location_new));
+			  }
+			  free_url(resource_new);
+			}
+
+
+			free_url(resource);
 			ELS_FETCH();
 
-			fp = php_fopen_url_wrap_http(location, mode, options, issock, socketd, opened_path);
+			fp = php_fopen_url_wrap_http(location_new, mode, options, issock, socketd, opened_path);
 			if (zend_hash_find(EG(active_symbol_table), "http_response_header", sizeof("http_response_header"), (void **) &response_header_new) == SUCCESS) {
 				entryp = &entry;
 				MAKE_STD_ZVAL(entry);
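Review bot: The else branch builds location_new from resource->user and resource->pass together with resource_new->host, with no check that the redirect stays on the original host, so a Location header naming a different server is sent the username and password. Compare resource_new->host (and the port) with resource->host before re-attaching the credentials, and pass the plain location through otherwise. The rebuilt URL also hard-codes "http://" and copies only path and query, so whatever else the redirect URL carried is dropped; that deserves handling or at least a comment.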
@@ -289,6 +319,7 @@ FILE *php_fopen_url_wrap_http(char *path
 			}
 			goto out;
 		} else {
+			free_url(resource);
 			fp = NULL;
 			goto out;
 		}

 [2001-07-22 16:07 UTC] andy@php.net
Please register at the PHP Development Mailing List at
php-dev-subscribe@lists.php.net and email them your patch.
Thanks.
 