Regression 8.2.0: Basic authentication does not follow with -L #11486

Closed
CloudoguSiebels opened this issue Jul 20, 2023 · 4 comments

@CloudoguSiebels

I did this

I have the following small PHP script that redirects to itself and displays the basic authentication user.

<?php
if (!isset($_GET['redirected']))
	header("Location: http://localhost:8080/index.php?redirected");
else
	echo "redirected ", $_SERVER['PHP_AUTH_USER']??null;

I start this server using php -S 0.0.0.0:8080.

Then I request the url with basic auth and follow redirects. I use docker to specify the curl version:

docker run -it --network=host curlimages/curl:8.2.0 -uadmin:admin -X POST http://localhost:8080/index.php -v -L 
* processing: http://localhost:8080/index.php
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
* Server auth using Basic with user 'admin'
> POST /index.php HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.2.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:17:54 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Location: http://localhost:8080/index.php?redirected
< Content-type: text/html; charset=UTF-8
< 
* Closing connection
* Issue another request to this URL: 'http://localhost:8080/index.php?redirected'
* Hostname localhost was found in DNS cache
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> POST /index.php?redirected HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:17:54 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Content-type: text/html; charset=UTF-8
< 
* Closing connection
redirected 

With curl 8.1.2 it works:

docker run -it --network=host curlimages/curl:8.1.2 -uadmin:admin -X POST http://localhost:8080/index.php -v -L
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> POST /index.php HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/1.1 302 Found
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:19:29 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Location: http://localhost:8080/index.php?redirected
< Content-type: text/html; charset=UTF-8
< 
* Closing connection 0
* Issue another request to this URL: 'http://localhost:8080/index.php?redirected'
* Hostname localhost was found in DNS cache
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#1)
* Server auth using Basic with user 'admin'
> POST /index.php?redirected HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:19:29 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Content-type: text/html; charset=UTF-8
< 
* Closing connection 1
redirected admin⏎                           

Note that when using --location-trusted it works as expected.
When specifying a relative Location header without protocol or host, it works as well.

I expected the following

No change between 8.1.2 and 8.2.0.
I expected that the Authorization header is passed to all requests when following with -L.

curl/libcurl version

docker run -it --network=host curlimages/curl:8.2.0 -V
curl 8.2.0 (x86_64-pc-linux-musl) libcurl/8.2.0 OpenSSL/3.1.1 zlib/1.2.13 brotli/1.0.9 libidn2/2.3.4 libssh2/1.10.0 nghttp2/1.53.0
Release-Date: 2023-07-19
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB SSL threadsafe TLS-SRP UnixSockets

operating system

Linux HP-ProBook-455-15-6-inch-G9-Notebook-PC 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Probably irrelevant as I'm using the docker image to reproduce.
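
A check for this regression that can run in CI against captured `curl -v` output, added here as an example (not code from the curl project or the reporter): it flags same-host redirect hops that lost the Authorization header and, relevant to the `--location-trusted` workaround, hops to a different host that still carry it. The function names are hypothetical, the sample trace is abridged from the 8.2.0 output above, and hosts are compared by their Host header value only.

```python
import re

# Abridged from the curl 8.2.0 verbose trace in the report above.
TRACE_8_2_0 = """\
> POST /index.php HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.2.0
>
< HTTP/1.1 302 Found
< Location: http://localhost:8080/index.php?redirected
* Issue another request to this URL: 'http://localhost:8080/index.php?redirected'
> POST /index.php?redirected HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.0
>
< HTTP/1.1 200 OK
"""

REQUEST_LINE = re.compile(r"^> ([A-Z]+) (\S+) HTTP/\d(?:\.\d)?$")

def parse_requests(trace):
    """Return one dict per outgoing request seen in `curl -v` output."""
    requests = []
    for raw in trace.splitlines():
        line = raw.rstrip()
        match = REQUEST_LINE.match(line)
        if match:
            requests.append({"target": match.group(2), "host": None, "auth": False})
        elif line.startswith("> ") and requests:
            name, _, value = line[2:].partition(":")
            if name.lower() == "host":
                requests[-1]["host"] = value.strip().lower()
            elif name.lower() == "authorization":
                requests[-1]["auth"] = True
    return requests

def audit(trace):
    """Compare each follow-up request with the first one in the trace."""
    first, *hops = parse_requests(trace) or [None]
    result = {"dropped": [], "leaked": []}
    if first is None or not first["auth"]:
        return result
    for hop in hops:
        if hop["host"] == first["host"] and not hop["auth"]:
            result["dropped"].append(hop["target"])  # the regression reported here
        elif hop["host"] != first["host"] and hop["auth"]:
            result["leaked"].append(hop["target"])  # credentials sent to another host
    return result
```
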

@bagder bagder self-assigned this Jul 20, 2023
CloudoguSiebels added a commit to cloudogu/gitops-playground that referenced this issue Jul 20, 2023
We were successfully uploading and installing the plugin
and then following the redirect to the progress page.
However, curl was removing the basic authentication.
As a result, we were encountering error 403 for the redirect,
not for the upload.

This is a bug in curl: curl/curl#11486

Therefore, we temporarily replaced -L with --location-trusted for
jenkins
@bagder
Member

bagder commented Jul 20, 2023

Regression caused by dd4d1a2

bagder added a commit that referenced this issue Jul 20, 2023
Makes test 979 work

Fixes #11486
Reported-by: Cloudogu Siebels
bagder added a commit that referenced this issue Jul 20, 2023
Makes test 979 work. Regression shipped in 8.2.0 from commit
dd4d1a2

Fixes #11486
Reported-by: Cloudogu Siebels
@bagder bagder closed this as completed in 90bdd25 Jul 21, 2023
@dfandrich
Contributor

dfandrich commented Jul 21, 2023 via email

@CloudoguSiebels
Author

Thank you for fixing this so quickly! :)

CloudoguSiebels added a commit to cloudogu/gitops-playground that referenced this issue Jul 26, 2023
A bug in curl (curl/curl#11486) broke the
jenkins plugin installation. We introduced a workaround in 16300de.

A fix for curl is released and we can remove the workaround now.
ptitSeb pushed a commit to wasix-org/curl that referenced this issue Sep 25, 2023
Makes test 979 work. Regression shipped in 8.2.0 from commit
dd4d1a2

Fixes curl#11486
Reported-by: Cloudogu Siebels
Closes curl#11492