Authorization header added after using curl_setopt to set CURLOPT_USERPWD to null #18458

Closed
@youngj

Description

The following code:

<?php

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.example.com/test");
curl_setopt($ch, CURLOPT_USERPWD, null);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_exec($ch);

Resulted in this output:

...
> GET /test HTTP/2
Host: www.example.com
authorization: Basic Og==
accept: */*
...

But I expected this output instead:

...
> GET /test HTTP/2
Host: www.example.com
accept: */*
...

In PHP versions 8.1.19 and older, the HTTP request is sent without the Authorization header, as expected. Starting in PHP version 8.1.20 (and continuing to the most recent PHP version), the HTTP request is sent with an Authorization header set to "Basic Og==". "Og==" is the Base64-encoded string ":".

Although sending an extra Authorization header to services that don't expect it usually does not cause any problems, it can cause errors when making HTTP requests to services that support multiple authentication methods (e.g. authentication via URL query parameters or POST parameters). In this case, a service may reject the request because of the invalid credentials in the Authorization header.

PHP version 8.1.20 is the first version that uses libcurl 7.88.1. Previous versions used libcurl 7.74.0 where this error did not occur. I think that this issue was introduced in curl/curl#8451.

It seems that in older versions, libcurl treated null and empty-string values of the CURLOPT_USERPWD option the same way, but subsequently empty-string values would cause the Authorization header to be set. Arguably this could be considered a breaking change with libcurl rather than an issue in PHP's curl extension. However, it seems that when setting CURLOPT_USERPWD to null from PHP, PHP internally converts the null to an empty string when calling libcurl, so there doesn't appear to be any way from PHP to remove the CURLOPT_USERPWD option from an existing curl handle, other than by not setting the CURLOPT_USERPWD option at all.

PHP Version

PHP 8.4.6 (cli) (built: Apr 28 2025 21:46:53) (NTS)
Copyright (c) The PHP Group
Built by https://github.com/docker-library/php
Zend Engine v4.4.6, Copyright (c) Zend Technologies

Operating System

No response
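
A defensive pattern for code that reuses a curl handle, added here as an example; it is not part of the original report or of PHP's own code. It leaves CURLOPT_USERPWD unset when there are no credentials (the approach the report identifies) and calls curl_reset() before reuse. The function names `build_request_options`, `prepare_handle` and `is_empty_basic_auth` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Build the option array for one request. CURLOPT_USERPWD is included only
 * when real credentials are supplied; it is never set to null or "".
 */
function build_request_options(string $url, ?string $user = null, ?string $password = null): array
{
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
    ];
    if ($user !== null && $user !== '') {
        $options[CURLOPT_USERPWD] = $user . ':' . ($password ?? '');
    }
    return $options;
}

/**
 * Prepare a reused handle. curl_reset() returns every option to its default,
 * so credentials set for an earlier request cannot carry over.
 */
function prepare_handle(CurlHandle $ch, array $options): void
{
    curl_reset($ch);
    curl_setopt_array($ch, $options);
}

/**
 * True when an Authorization header value is Basic auth whose decoded
 * credentials are just ":" (empty user name and empty password).
 */
function is_empty_basic_auth(string $value): bool
{
    if (!preg_match('/^Basic\s+(\S+)$/i', trim($value), $m)) {
        return false;
    }
    return base64_decode($m[1], true) === ':';
}

// Constructed checks; nothing here touches the network.
$options = build_request_options('https://www.example.com/test');
$ch = curl_init();
prepare_handle($ch, $options);
var_dump(array_key_exists(CURLOPT_USERPWD, $options)); // no credentials supplied
var_dump(is_empty_basic_auth('Basic Og=='));           // header value from the report
var_dump(is_empty_basic_auth('Basic dXNlcjpwdw=='));   // constructed value for "user:pw"
```

`is_empty_basic_auth` can also be run over request headers captured with CURLINFO_HEADER_OUT to confirm that a client is not sending the empty credential pair.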
