I have some code which uses curl_easy_setopt(curl, CURLOPT_USERPWD,
NULL) to tell curl to forget the current user name and password. I
discovered that upon upgrading from curl 7.18.1 to 7.19.5 this no
longer works yet still results in CURLE_OK being so the client code
cannot detect the failure. Using "" rather than NULL does work with
7.19.5.

It looks like this difference appeared near change 1.752/1.753 of
lib/url.c where the behaviour was moved to a new function. I think
this was between 7.19.0 and 7.19.1.

Whether or not NULL was considered to be a valid value for this option
it did used to be accepted and work so other code may use it.
Depending on the setting of other options this could lead to a
password being unintentionally revealed to a remote site that requests
authentication although I admit this is a long shot.

Even if NULL is not a valid value for this option I think at least an
error return would be helpful. Even so code that doesn't bother
checking (which is probably common given the small chance of failure)
risks revealing a password unintentionally.

I believe that the following provides the previous behaviour:

--- curl-7.19.5/lib/url.c.orig 2009-05-26 13:05:34.232113602 +0100
+++ curl-7.19.5/lib/url.c 2009-05-26 13:06:00.317103212 +0100
@@ -275,9 +275,14 @@ static CURLcode setstropt_userpwd(char *
   char* separator;
   CURLcode result = CURLE_OK;
 
- if(!option)
- return result;
-
+ if(!option) {
+ Curl_safefree(*user_storage);
+ *user_storage = (char *) NULL;
+ Curl_safefree(*pwd_storage);
+ *pwd_storage = (char *) NULL;
+ return CURLE_OK;
+ }
+
   separator = strchr(option, ':');
   if (separator != NULL) {
 
Thanks.

Mike.
Received on 2009-05-26