Download & Extend
Issues

Password of "0" ignored in drupal_http_request()

Posted by lyricnz on September 18, 2011 at 10:51am
Project:Drupal core
Version:8.x-dev
Component:base system
Category:bug report
Priority:normal
Assigned:Unassigned
Status:closed (fixed)
Issue tags:needs backport to D7, Novice

Issue Summary

Yet another example of empty("0") returning TRUE and causing issues.

<?php
  // If the server URL has a user then attempt to use basic authentication.
  if (isset($uri['user'])) {
    $options['headers']['Authorization'] = 'Basic ' . base64_encode($uri['user'] . (!empty($uri['pass']) ? ":" . $uri['pass'] : ''));
  }
?>

$uri['pass'] comes from parsing the URL, so something like this will demonstrate the issue:

<?php
drupal_http_request('http://bob:0@localhost');
?>
Login or register to post comments

Comments

#1

Posted by lyricnz on September 18, 2011 at 12:46pm

Code should probably check for array_key_exists()

#2

Posted by valthebald on September 18, 2011 at 3:15pm

Replaced !empty() with isset() + replaced double quotes "" with ''

AttachmentSizeStatusTest resultOperations
empty-password-http-request-1282986-2.patch691 bytesIdlePASSED: [[SimpleTest]]: [MySQL] 32,981 pass(es).View details

#3

Posted by valthebald on September 18, 2011 at 3:16pm
Status:active» needs review

#4

Posted by rickmanelius on September 18, 2011 at 5:35pm

I'm unable to recreate the issue with the current 8.x dev snapshot. I tested against 2 sites: one with a browser password required and another publicly available one. I took the response of drupal_http_request('http://user:0@site') and output the results using dpm.

On a site with a browser password
When I used the correct user/pass, I got a 200 response ok.
When I used the incorrect user/pass, I get a 401 response (authorization required)
When I use "0" or "" for the password, I also get a 401 response.

On a site without a browser password, there is never an issue.

What response are you getting in order to recreate? Or is there supposed to be a different error than 401?

#5

Posted by valthebald on September 18, 2011 at 6:21pm

In order to recreate, user password must be '0' (or '00', or any longer combination).
Without patch, you should get 401, with patch - 200

#6

Posted by rickmanelius on September 18, 2011 at 7:15pm

#5 Thanks. Will retest knowing that.

#7

Posted by tstoeckler on September 18, 2011 at 7:31pm

Code looks fine but this should be tested.
EDIT: Tested as in tested manually. I don't think we can write automated tests for drupal_http_request()

#8

Posted by rickmanelius on September 18, 2011 at 10:26pm
Status:needs review» reviewed & tested by the community

cool. It works now. Unless anyone can think of a situation where isset would be inappropriate, marking reviewed and tested by the community.

#9

Posted by valthebald on September 19, 2011 at 6:17am
Issue tags:+needs backport to D7

Same patch applies to D7 as well, adding 'needs backport to D7'

#10

Posted by Dries on September 25, 2011 at 8:26am
Status:reviewed & tested by the community» fixed

Committed to 7.x and 8.x. Thanks!

#11

Posted by System Message on October 9, 2011 at 8:31am
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.