Yet another example of empty("0") returning TRUE and causing issues.
```php
// If the server URL has a user then attempt to use basic authentication.
if (isset($uri['user'])) {
  $options['headers']['Authorization'] = 'Basic ' . base64_encode($uri['user'] . (!empty($uri['pass']) ? ":" . $uri['pass'] : ''));
}
```
$uri['pass'] comes from parsing the URL, so something like this will demonstrate the issue:
```php
drupal_http_request('http://bob:0@localhost');
```
Comment | File | Size | Author |
---|---|---|---|
#2 | empty-password-http-request-1282986-2.patch | 691 bytes | valthebald |
Comments
Comment #1
lyricnz
Code should probably check for array_key_exists()
Comment #2
valthebald
Replaced !empty() with isset() + replaced double quotes "" with ''
Comment #3
valthebald
Comment #4
rickmanelius
I'm unable to recreate the issue with the current 8.x dev snapshot. I tested against 2 sites: one with a browser password required and another publicly available one. I took the response of drupal_http_request('http://user:0@site') and output the results using dpm.
On a site with a browser password
When I used the correct user/pass, I got a 200 response ok.
When I used the incorrect user/pass, I get a 401 response (authorization required).
When I use "0" or "" for the password, I also get a 401 response.
On a site without a browser password, there is never an issue.
What response are you getting in order to recreate? Or is there supposed to be a different error than 401?
Comment #5
valthebald
In order to recreate, user password must be '0' (or '00', or any longer combination).
Without patch, you should get 401, with patch - 200
Comment #6
rickmanelius
#5 Thanks. Will retest knowing that.
Comment #7
tstoeckler
Code looks fine but this should be tested.
EDIT: Tested as in tested manually. I don't think we can write automated tests for drupal_http_request()
Comment #8
rickmanelius
Cool. It works now. Unless anyone can think of a situation where isset would be inappropriate, marking reviewed and tested by the community.
Comment #9
valthebald
Same patch applies to D7 as well, adding 'needs backport to D7'
Comment #10
Dries
Committed to 7.x and 8.x. Thanks!
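
Added example, not part of the original thread and not Drupal's own code: a stand-alone PHP script that builds the Authorization header both ways, with the `!empty()` check from the issue summary and with the `isset()` replacement described in comment #2, and prints the credentials each one would send. The function names and sample URLs are hypothetical and constructed for this illustration.

```php
<?php
// Added illustration. Function names are hypothetical, not Drupal API.

/** Builds the header the way the snippet in the issue summary does (!empty()). */
function basic_auth_with_empty(array $uri): ?string {
  if (!isset($uri['user'])) {
    return NULL;
  }
  return 'Basic ' . base64_encode($uri['user'] . (!empty($uri['pass']) ? ':' . $uri['pass'] : ''));
}

/** Builds the header with isset(), the replacement described in comment #2. */
function basic_auth_with_isset(array $uri): ?string {
  if (!isset($uri['user'])) {
    return NULL;
  }
  return 'Basic ' . base64_encode($uri['user'] . (isset($uri['pass']) ? ':' . $uri['pass'] : ''));
}

// Constructed sample URLs. Among non-empty strings, PHP's empty() is TRUE
// only for the exact string "0", so "00" and "secret" are here for contrast.
$urls = [
  'http://bob:0@localhost',
  'http://bob:00@localhost',
  'http://bob:secret@localhost',
  'http://bob@localhost',
];

$builders = [
  '!empty' => 'basic_auth_with_empty',
  'isset' => 'basic_auth_with_isset',
];

foreach ($urls as $url) {
  // parse_url() returns 'user' and 'pass' as strings when they are present.
  $uri = parse_url($url);
  foreach ($builders as $label => $builder) {
    $header = $builder($uri);
    // Decode the header again to show which credentials the server receives.
    $sent = base64_decode(substr($header, strlen('Basic ')));
    printf("%-30s %-7s %-24s sends %s\n", $url, $label, $header, var_export($sent, TRUE));
  }
}
```

When reviewing code for the same pattern, look for `empty()` or a bare truthiness test applied to any credential, token or identifier that arrives as a string, since the value "0" is silently treated as missing.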