php5-curl: Curl truncates basic auth password after semicolon

Bug #1281646 reported by Michael Kliewe
This bug affects 1 person
Affects          Status         Importance   Assigned to   Milestone
php5 (Debian)    Fix Released   Unknown
php5 (Ubuntu)    Fix Released   Medium       Unassigned

Bug Description

Hi there,

I'm not sure where to report this bug, if it's Ubuntu, Debian or curl.

I'm using newest stable Ubuntu 13.10 with PHP 5.5.3-1ubuntu2.1. Basic authentication via curl does not work anymore if the password contains a semicolon:

$curlSettings[CURLOPT_HTTPAUTH] = CURLAUTH_BASIC;
$curlSettings[CURLOPT_USERPWD] = '1testuser:pass;word';

// The remote curl_auth_test.php contains: echo 'Password: '.$_SERVER['PHP_AUTH_PW'];
$curl = curl_init('http://www.phpgangsta.de/download/curl_auth_test.php');
curl_setopt_array($curl, $curlSettings);

curl_exec($curl);

It outputs just "pass" instead of "pass;word".
The same happens if you do this on a command line:
  curl --basic --user "1testuser:pass;word" http://www.phpgangsta.de/download/curl_auth_test.php

The problem seems to be the curl version that is used. I did a few tests:

not affected: 5.4.14 (curl 7.19.7)
affected: 5.5.3-1ubuntu2.1 (curl 7.32.0)
not affected: 5.5.3 (curl 7.22.0)
affected: 5.5.9 (curl 7.32.0)
not affected: 5.5.9 (curl 7.22.0)
not affected: 5.6-alpha2 (curl 7.22.0)

The problem seems to be curl 7.32.0 (plus maybe versions before and after)

While searching for that bug I just found 1 occurrence, but I cannot believe that it has not been fixed since July 2013.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717267

Maybe you can tell me where to report this bug so it gets fixed in current stable Ubuntu 13.10.

Michael

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

> Maybe you can tell me where to report this bug so it gets fixed in current stable Ubuntu 13.10.

I'm sorry that this bug hasn't yet been fixed for you. Reporting a bug doesn't by itself mean that the bug will necessarily be fixed, since this requires developer resource, which is limited and must be prioritised. This is generally done on the perception of how many users are affected, which here appears to be two users in six months. If you'd like to get the bug fixed to your schedule, then please provide a patch, or find somebody who can - ideally to Debian, so that both distributions can benefit.

Changed in php5 (Ubuntu):
importance: Undecided → Medium
Michael Kliewe (0-vnfo-a) wrote :

Hi Robie,

after more investigation it was a bug in curl itself, so it affects all applications that use curl and its parameter CURLOPT_USERPWD. I don't know if other scripting languages use curl and that feature, but also shell scripts using curl are affected, so potentially many users.

It has been fixed in curl 7.34.0:
- login options: remove the ;[options] support from CURLOPT_USERPWD

See: http://curl.haxx.se/changes.html
http://sourceforge.net/p/curl/bugs/1311/

I don't know when the new curl version will be available in 13.10, or if this specific bugfix will be backported.
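
Added example, not part of the original report and not curl's or PHP's code: a check a test endpoint can run on the Authorization header it receives, to tell whether a client delivered the full Basic-auth password or cut it at the semicolon as reported above. The function names and the `legacy_split` model are assumptions made for illustration; the sample credentials are the ones from the report.

```python
import base64

def basic_header(user, password):
    """Build the Authorization value directly from user and password,
    with no client-side parsing of a combined 'user:password' string."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def legacy_split(userpwd):
    """Simplified model (assumption) of the behaviour described in this
    report: text after the first ';' is taken as login options."""
    user, _, rest = userpwd.partition(":")
    password, _, options = rest.partition(";")
    return user, password, options

def check_received(intended_userpwd, received_header):
    """Compare what the endpoint received with what the caller meant to send."""
    user, _, password = intended_userpwd.partition(":")
    got_user, got_password = decode_basic(received_header)
    if (got_user, got_password) == (user, password):
        return "intact"
    if ";" in password and got_user == user \
            and got_password == password.split(";", 1)[0]:
        return "truncated-at-semicolon"
    return "mismatch"

if __name__ == "__main__":
    intended = "1testuser:pass;word"            # credentials from the report
    u, p, _ = legacy_split(intended)            # constructed: what an affected client sends
    print(check_received(intended, basic_header(u, p)))
    print(check_received(intended, basic_header("1testuser", "pass;word")))
```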

Robie Basak (racb) wrote :

Michael,

Thanks - that's very useful.

If I understand this correctly, the ';' had special meaning, so backporting this might affect other users who are relying on this feature. Thus, on balance, I don't think it makes sense to backport this patch to 13.10; we'd just be swapping one set of broken users for another.

The current development release (Trusty) is on 7.35.0, so this bug is presumed fixed now. Since the bug status reflects the state of the current development release, I'll change it accordingly.

Changed in php5 (Ubuntu):
status: New → Fix Released
Changed in php5 (Debian):
status: Unknown → New
Changed in php5 (Debian):
status: New → Fix Released