Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
Yet another example of empty("0") returning TRUE and causing issues.
// If the server URL has a user then attempt to use basic authentication.
if (isset($uri['user'])) {
$options['headers']['Authorization'] = 'Basic ' . base64_encode($uri['user'] . (!empty($uri['pass']) ? ":" . $uri['pass'] : ''));
}
$uri['pass'] comes from parsing the URL, so something like this will demonstrate the issue:
drupal_http_request('http://bob:0@localhost');
Comment | File | Size | Author |
---|---|---|---|
#2 | empty-password-http-request-1282986-2.patch | 691 bytes | valthebald |
Comments
Comment #1
lyricnz CreditAttribution: lyricnz commentedCode should probably check for array_key_exists()
Comment #2
valthebaldReplaced !empty() with isset() + replaced double quotes "" with ''
Comment #3
valthebaldComment #4
rickmanelius CreditAttribution: rickmanelius commentedI'm unable to recreate the issue with the current 8.x dev snapshot. I tested against 2 sites: one with a browser password required and another publicly available one. I took the response of drupal_http_request('http://user:0@site') and output the results using dpm.
On a site with a browser password
When I used the correct user/pass, I got a 200 response ok.
When I used the incorrect user/pass, I get a 401 response (authorization required)
When I use "0" or "" for the password, I also get a 401 response.
On a site without a browser password, there is never an issue.
What response are you getting in order to recreate? Or is there supposed to be a different error than 401?
Comment #5
valthebaldIn order to recreate, user password must be '0' (or '00', or any longer combination).
Without patch, you should get 401, with patch - 200
Comment #6
rickmanelius CreditAttribution: rickmanelius commented#5 Thanks. Will retest knowing that.
Comment #7
tstoecklerCode looks fine but this should be tested.
EDIT: Tested as in tested manually. I don't think we can write automated tests for drupal_http_request()
Comment #8
rickmanelius CreditAttribution: rickmanelius commentedcool. It works now. Unless anyone can think of a situation where isset would be inappropriate, marking reviewed and tested by the community.
Comment #9
valthebaldSame patch applies to D7 as well, adding 'needs backport to D7'
Comment #10
Dries CreditAttribution: Dries commentedCommitted to 7.x and 8.x. Thanks!