MDL-82136 curl: Send credentials to redirect URL if allowed

Curl has the option CURLOPT_UNRESTRICTED_AUTH. If true, curl will send the credentials to a different host. If false, they will not be sent. CURLOPT_UNRESTRICTED_AUTH can only work if the CURLOPT_FOLLOWLOCATION option is true. The filelib forces the CURLOPT_FOLLOWLOCATION option to be false, because all redirects are emulated at the PHP level. So, in this case, the CURLOPT_UNRESTRICTED_AUTH option is only being used in our logic and will not work as you might expect it to. This patch works almost the same as CURLOPT_UNRESTRICTED_AUTH in ideal conditions. It will check whether the host is different. If so, the system will check what value CURLOPT_UNRESTRICTED_AUTH has. If it is not specified, then by default, it will be false. If false, then credentials will not be sent.
sbourget · Aug 7, 2024 · 7a6e504 · 7a6e504
1 parent a8157c1
commit 7a6e504
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/lib/filelib.php b/lib/filelib.php
@@ -3899,9 +3899,22 @@ protected function request($url, $options = array()) {
 
                 curl_setopt($curl, CURLOPT_URL, $redirecturl);
 
-                if (parse_url($currenturl)['host'] !== parse_url($redirecturl)['host']) {
+                // If CURLOPT_UNRESTRICTED_AUTH is empty/false, don't send credentials to other hosts.
+                // Ref: https://curl.se/libcurl/c/CURLOPT_UNRESTRICTED_AUTH.html.
+                $isdifferenthost = parse_url($currenturl)['host'] !== parse_url($redirecturl)['host'];
+                $sendauthentication = !empty($this->options['CURLOPT_UNRESTRICTED_AUTH']);
+                if ($isdifferenthost && !$sendauthentication) {
                     curl_setopt($curl, CURLOPT_HTTPAUTH, null);
                     curl_setopt($curl, CURLOPT_USERPWD, null);
+                    // Check whether the CURLOPT_HTTPHEADER is specified.
+                    if (!empty($this->options['CURLOPT_HTTPHEADER'])) {
+                        // Remove the "Authorization:" header, if any.
+                        $headerredirect = array_filter(
+                            $this->options['CURLOPT_HTTPHEADER'],
+                            fn($header) => strpos($header, 'Authorization:') === false
+                        );
+                        curl_setopt($curl, CURLOPT_HTTPHEADER, $headerredirect);
+                    }
                 }
 
                 $ret = curl_exec($curl);