MDL-82136 curl: Send credentials to redirect URL if allowed

Curl has the option CURLOPT_UNRESTRICTED_AUTH. If true, curl will send
the credentials to a different host. If false, they will not be sent.

CURLOPT_UNRESTRICTED_AUTH can only work if the CURLOPT_FOLLOWLOCATION
option is true. The filelib forces the CURLOPT_FOLLOWLOCATION option
to be false, because all redirects are emulated at the PHP level. So,
in this case, curl itself never acts on CURLOPT_UNRESTRICTED_AUTH; the
option is only read by our own redirect logic.

This patch works almost the same as CURLOPT_UNRESTRICTED_AUTH in ideal
conditions. It will check whether the host is different. If so, the
system will check what value CURLOPT_UNRESTRICTED_AUTH has. If it is
not specified, then by default, it will be false. If false, then
credentials will not be sent.
meirzamoodle 2024-06-25 09:04:05 +07:00 committed by Jenkins
parent e930abfcf8
commit 835505681c


@ -3904,9 +3904,22 @@ class curl {
curl_setopt($curl, CURLOPT_URL, $redirecturl);
if (parse_url($currenturl)['host'] !== parse_url($redirecturl)['host']) {
// If CURLOPT_UNRESTRICTED_AUTH is empty/false, don't send credentials to other hosts.
// Ref: https://curl.se/libcurl/c/CURLOPT_UNRESTRICTED_AUTH.html.
$isdifferenthost = parse_url($currenturl)['host'] !== parse_url($redirecturl)['host'];
$sendauthentication = !empty($this->options['CURLOPT_UNRESTRICTED_AUTH']);
if ($isdifferenthost && !$sendauthentication) {
curl_setopt($curl, CURLOPT_HTTPAUTH, null);
curl_setopt($curl, CURLOPT_USERPWD, null);
// Check whether the CURLOPT_HTTPHEADER is specified.
if (!empty($this->options['CURLOPT_HTTPHEADER'])) {
// Remove the "Authorization:" header, if any.
$headerredirect = array_filter(
$this->options['CURLOPT_HTTPHEADER'],
fn($header) => strpos($header, 'Authorization:') === false
);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headerredirect);
}
}
$ret = curl_exec($curl);
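Review bot: The `Authorization:` filter in the `array_filter` callback is a case-sensitive substring test, so a header a caller wrote as `authorization: Bearer …` survives the strip and is still sent to the other host, while any header that merely contains that text somewhere in its value is dropped. HTTP field names are case-insensitive, so match the name at the start of the line instead: `fn($header) => stripos(ltrim($header), 'Authorization:') !== 0`. Separately, `$isdifferenthost` compares only the `host` component, so a redirect to the same host over a different scheme or port (for example https to http) keeps `CURLOPT_USERPWD` and the header; comparing `scheme` and `port` from the same `parse_url()` results would cover that case. The enclosing redirect loop starts and ends outside the hunk, so whether `$currenturl` is refreshed on every hop cannot be confirmed from here.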