Remove curl auth on cross-domain redirects without BC break
kkopachev committed Jan 28, 2021
1 parent d6612a6 commit c78f124
Showing 2 changed files with 12 additions and 7 deletions.
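--- a/src/RedirectMiddleware.php
+++ b/src/RedirectMiddleware.php
@@ -88,6 +88,16 @@ public function checkRedirect(RequestInterface $request, array $options, Respons
 $this->guardMax($request, $response, $options);
 $nextRequest = $this->modifyRequest($request, $options, $response);
 
+// If authorization is handled by curl, unset it if host is different.
+if ($request->getUri()->getHost() !== $nextRequest->getUri()->getHost()
+&& defined('\CURLOPT_HTTPAUTH')
+) {
+unset(
+$options['curl'][\CURLOPT_HTTPAUTH],
+$options['curl'][\CURLOPT_USERPWD]
+);
+}
+
 if (isset($options['allow_redirects']['on_redirect'])) {
 ($options['allow_redirects']['on_redirect'])(
 $request,
@@ -148,7 +158,7 @@ private function guardMax(RequestInterface $request, ResponseInterface $response
 }
 }
 
-public function modifyRequest(RequestInterface $request, array &$options, ResponseInterface $response): RequestInterface
+public function modifyRequest(RequestInterface $request, array $options, ResponseInterface $response): RequestInterface
 {
 // Request modifications to apply.
 $modify = [];
@@ -191,11 +201,6 @@ public function modifyRequest(RequestInterface $request, array &$options, Respon
 // Remove Authorization header if host is different.
 if ($request->getUri()->getHost() !== $modify['uri']->getHost()) {
 $modify['remove_headers'][] = 'Authorization';
-
-// If authorization is handled by curl, unset it too
-if (defined('\CURLOPT_HTTPAUTH') && defined('\CURLOPT_USERPWD')) {
-unset($options['curl'][\CURLOPT_HTTPAUTH], $options['curl'][\CURLOPT_USERPWD]);
-}
 }
 
 return Psr7\Utils::modifyRequest($request, $modify);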
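Review bot: The new guard in checkRedirect compares only `getHost()`, so a redirect that keeps the host but changes scheme (https to http) or port still passes `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` on to the next request. Credentials are normally scoped to an origin, so I would widen the condition to a parenthesised group that also tests `$request->getUri()->getScheme() !== $nextRequest->getUri()->getScheme()` and `$request->getUri()->getPort() !== $nextRequest->getUri()->getPort()`, placed ahead of the `defined()` check. The same host-only test guards the `Authorization` header removal in modifyRequest, so both probably need the change together, with a test for a same-host scheme downgrade. checkRedirect's body continues outside the hunk, so where `$options` is handed on after the `unset()` is not visible here.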
2 changes: 1 addition & 1 deletion tests/RedirectMiddlewareTest.php
Expand Up @@ -306,7 +306,7 @@ static function (RequestInterface $request) {
*/
public function testRemoveCurlAuthorizationOptionsOnRedirect($auth)
{
if (!defined('\CURLOPT_HTTPAUTH') || !defined('\CURLOPT_USERPWD')) {
if (!defined('\CURLOPT_HTTPAUTH')) {
self::markTestSkipped('ext-curl is required for this test');
}

