Remove curl auth on cross-domain redirects
kkopachev committed Jan 28, 2021
1 parent 34bc199 commit d6612a6
Showing 2 changed files with 64 additions and 1 deletion.
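--- a/src/RedirectMiddleware.php
+++ b/src/RedirectMiddleware.php
@@ -148,7 +148,7 @@ private function guardMax(RequestInterface $request, ResponseInterface $response
 }
 }
 
-public function modifyRequest(RequestInterface $request, array $options, ResponseInterface $response): RequestInterface
+public function modifyRequest(RequestInterface $request, array &$options, ResponseInterface $response): RequestInterface
 {
 // Request modifications to apply.
 $modify = [];
@@ -191,6 +191,11 @@ public function modifyRequest(RequestInterface $request, array $options, Respons
 // Remove Authorization header if host is different.
 if ($request->getUri()->getHost() !== $modify['uri']->getHost()) {
 $modify['remove_headers'][] = 'Authorization';
+
+// If authorization is handled by curl, unset it too
+if (defined('\CURLOPT_HTTPAUTH') && defined('\CURLOPT_USERPWD')) {
+unset($options['curl'][\CURLOPT_HTTPAUTH], $options['curl'][\CURLOPT_USERPWD]);
+}
 }
 
 return Psr7\Utils::modifyRequest($request, $modify);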
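Review bot: The credential-stripping guard in the second hunk keys only on the host name (`$request->getUri()->getHost() !== $modify['uri']->getHost()`), so a redirect that stays on the same host but changes scheme or port keeps both the `Authorization` header and the curl `CURLOPT_HTTPAUTH`/`CURLOPT_USERPWD` options; an https-to-http hop would then carry the credentials over an unencrypted connection. Consider treating any change of scheme, host or port as cross-origin, e.g. by extending the condition with `|| $request->getUri()->getScheme() !== $modify['uri']->getScheme() || $request->getUri()->getPort() !== $modify['uri']->getPort()`. Separately, changing `array $options` to `array &$options` on a public method alters its contract: a call that passes a literal array becomes a fatal error, and the method now mutates the caller's options without anything documenting it, so either perform the `unset` in the calling code (not visible here) or add a docblock line such as `@param array $options Request options; curl auth entries are removed in place on a cross-host redirect`. The body of modifyRequest continues outside both hunks.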
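--- a/tests/RedirectMiddlewareTest.php
+++ b/tests/RedirectMiddlewareTest.php
@@ -300,6 +300,64 @@ static function (RequestInterface $request) {
 $client->get('http://example.com?a=b', ['auth' => ['testuser', 'testpass']]);
 }
 
+/**
+* @testWith ["digest"]
+* ["ntlm"]
+*/
+public function testRemoveCurlAuthorizationOptionsOnRedirect($auth)
+{
+if (!defined('\CURLOPT_HTTPAUTH') || !defined('\CURLOPT_USERPWD')) {
+self::markTestSkipped('ext-curl is required for this test');
+}
+
+$mock = new MockHandler([
+new Response(302, ['Location' => 'http://test.com']),
+static function (RequestInterface $request, $options) {
+self::assertFalse(
+isset($options['curl'][\CURLOPT_HTTPAUTH]),
+'curl options still contain CURLOPT_HTTPAUTH entry'
+);
+self::assertFalse(
+isset($options['curl'][\CURLOPT_USERPWD]),
+'curl options still contain CURLOPT_USERPWD entry'
+);
+return new Response(200);
+}
+]);
+$handler = HandlerStack::create($mock);
+$client = new Client(['handler' => $handler]);
+$client->get('http://example.com?a=b', ['auth' => ['testuser', 'testpass', $auth]]);
+}
+
+/**
+* @testWith ["digest"]
+* ["ntlm"]
+*/
+public function testNotRemoveCurlAuthorizationOptionsOnRedirect($auth)
+{
+if (!defined('\CURLOPT_HTTPAUTH') || !defined('\CURLOPT_USERPWD')) {
+self::markTestSkipped('ext-curl is required for this test');
+}
+
+$mock = new MockHandler([
+new Response(302, ['Location' => 'http://example.com/2']),
+static function (RequestInterface $request, $options) {
+self::assertTrue(
+isset($options['curl'][\CURLOPT_HTTPAUTH]),
+'curl options does not contain expected CURLOPT_HTTPAUTH entry'
+);
+self::assertTrue(
+isset($options['curl'][\CURLOPT_USERPWD]),
+'curl options does not contain expected CURLOPT_USERPWD entry'
+);
+return new Response(200);
+}
+]);
+$handler = HandlerStack::create($mock);
+$client = new Client(['handler' => $handler]);
+$client->get('http://example.com?a=b', ['auth' => ['testuser', 'testpass', $auth]]);
+}
+
 /**
 * Verifies how RedirectMiddleware::modifyRequest() modifies the method and body of a request issued when
 * encountering a redirect response.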
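Review bot: Both new tests distinguish the redirect target only by host name (`http://test.com` versus `http://example.com/2`), so they pass regardless of how a same-host redirect to another scheme or port is handled; a third case such as `new Response(302, ['Location' => 'https://example.com/2'])` with its expected outcome asserted would pin that behaviour down. The assertions also sit inside the queued handler closure, so if the redirect were never followed the test body would assert nothing; adding `self::assertCount(0, $mock);` after `$client->get(...)` would confirm the second queue entry actually ran. The data-provider parameter could be declared as `string $auth`.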
