From 24ab0f1ea10b6d398359c1bdaf7b22dc79b5faa1 Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Tue, 29 Apr 2025 22:42:43 +0100
Subject: [PATCH] Fixed GH-18458: `Authorization` set with CURLOPT_USERPWD with NULL value.

Close GH-18460
---
 NEWS | 5 +++++
 ext/curl/interface.c | 9 ++++++---
 ext/curl/tests/gh18458.phpt | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 ext/curl/tests/gh18458.phpt

diff --git a/NEWS b/NEWS
index 37f2f7f0819..a0df1b1b6ce 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 8.3.22
 
+- Curl:
+ . Fixed GH-18460 (curl_easy_setopt with CURLOPT_USERPWD/CURLOPT_USERNAME/
+ CURLOPT_PASSWORD set the Authorization header when set to NULL).
+ (David Carlier)
+
 - Date:
 . Fixed bug GH-18076 (Since PHP 8, the date_sun_info() function returns
 inaccurate sunrise and sunset times, but other calculated times are
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index fe647dbafd4..1a270a1c32c 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1900,14 +1900,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 case CURLOPT_SSLKEYTYPE:
 case CURLOPT_SSL_CIPHER_LIST:
 case CURLOPT_USERAGENT:
- case CURLOPT_USERPWD:
 case CURLOPT_COOKIELIST:
 case CURLOPT_FTP_ALTERNATIVE_TO_USER:
 case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
- case CURLOPT_PASSWORD:
 case CURLOPT_PROXYPASSWORD:
 case CURLOPT_PROXYUSERNAME:
- case CURLOPT_USERNAME:
 case CURLOPT_NOPROXY:
 case CURLOPT_SOCKS5_GSSAPI_SERVICE:
 case CURLOPT_MAIL_FROM:
@@ -2021,6 +2018,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 case CURLOPT_HSTS:
 #endif
 case CURLOPT_KRBLEVEL:
+ // Authorization header would be implictly set
+ // with an empty string thus we explictly set the option
+ // to null to avoid this unwarranted side effect
+ case CURLOPT_USERPWD:
+ case CURLOPT_USERNAME:
+ case CURLOPT_PASSWORD:
 {
 if (Z_ISNULL_P(zvalue)) {
 error = curl_easy_setopt(ch->cp, option, NULL);
diff --git a/ext/curl/tests/gh18458.phpt b/ext/curl/tests/gh18458.phpt
new file mode 100644
index 00000000000..702737ac369
--- /dev/null
+++ b/ext/curl/tests/gh18458.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+%A
+bool(false)
+%A
+bool(false)
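Review bot: In the second ext/curl/interface.c hunk only `CURLOPT_USERPWD`, `CURLOPT_USERNAME` and `CURLOPT_PASSWORD` join the nullable group, while the first hunk still shows `CURLOPT_PROXYUSERNAME` and `CURLOPT_PROXYPASSWORD` as unchanged context in the plain-string group. If a null value there is likewise coerced to an empty string, a `Proxy-Authorization` header with empty credentials could presumably still be sent to the proxy, so it is worth confirming against libcurl and moving those labels here with a matching test. The new comment also sits directly under `case CURLOPT_KRBLEVEL:` and reads as if it described that label; something like `// USERPWD/USERNAME/PASSWORD: pass null through as NULL, because an empty string makes libcurl send an Authorization header` would scope it to the three added labels and fix the "implictly"/"explictly" typos. The nullable block continues past the end of the hunk, so how a non-null value is handled is not visible here.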