Closed
I did this
I have the following small PHP script that redirects to itself and displays the basic authentication user.
```php
<?php
// First request: answer with an absolute-URL redirect back to this script.
if (!isset($_GET['redirected']))
    header("Location: http://localhost:8080/index.php?redirected");
else
    // Redirected request: print the Basic auth user PHP saw, if any.
    echo "redirected ", $_SERVER['PHP_AUTH_USER']??null;
```
I start this server using php -S 0.0.0.0:8080.
Then I request the url with basic auth and follow redirects. I use docker to specify the curl version:
```
docker run -it --network=host curlimages/curl:8.2.0 -uadmin:admin -X POST http://localhost:8080/index.php -v -L
* processing: http://localhost:8080/index.php
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
* Server auth using Basic with user 'admin'
> POST /index.php HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.2.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:17:54 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Location: http://localhost:8080/index.php?redirected
< Content-type: text/html; charset=UTF-8
<
* Closing connection
* Issue another request to this URL: 'http://localhost:8080/index.php?redirected'
* Hostname localhost was found in DNS cache
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> POST /index.php?redirected HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.2.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:17:54 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Content-type: text/html; charset=UTF-8
<
* Closing connection
redirected
```
With curl 8.1.2 it works:
```
docker run -it --network=host curlimages/curl:8.1.2 -uadmin:admin -X POST http://localhost:8080/index.php -v -L
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'admin'
> POST /index.php HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 302 Found
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:19:29 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Location: http://localhost:8080/index.php?redirected
< Content-type: text/html; charset=UTF-8
<
* Closing connection 0
* Issue another request to this URL: 'http://localhost:8080/index.php?redirected'
* Hostname localhost was found in DNS cache
* Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#1)
* Server auth using Basic with user 'admin'
> POST /index.php?redirected HTTP/1.1
> Host: localhost:8080
> Authorization: Basic YWRtaW46YWRtaW4=
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Thu, 20 Jul 2023 10:19:29 GMT
< Connection: close
< X-Powered-By: PHP/8.1.2-1ubuntu2.13
< Content-type: text/html; charset=UTF-8
<
* Closing connection 1
redirected admin⏎
```
Note that when using --location-trusted it works as expected.
When specifying a relative Location header without protocol or host, it works as well.
I expected the following
No change between 8.1.2 and 8.2.0.
I expected that the Authorization header is passed to all requests when following with -L.
curl/libcurl version
```
docker run -it --network=host curlimages/curl:8.2.0 -V
curl 8.2.0 (x86_64-pc-linux-musl) libcurl/8.2.0 OpenSSL/3.1.1 zlib/1.2.13 brotli/1.0.9 libidn2/2.3.4 libssh2/1.10.0 nghttp2/1.53.0
Release-Date: 2023-07-19
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM NTLM_WB SSL threadsafe TLS-SRP UnixSockets
```
operating system
Linux HP-ProBook-455-15-6-inch-G9-Notebook-PC 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Probably irrelevant as I'm using the docker image to reproduce.
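The redirect decision this report turns on, as an added example that is not part of the original issue and is not curl's code: resolve the `Location` value against the request URL, then keep `Authorization` only when the target is the same origin or the caller opted in as with `--location-trusted`. The function names and the rule of comparing scheme, host and port are assumptions made for illustration; the URLs on port 9090 and at `other.example` are constructed.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def follow_redirect(request_url, location, headers, location_trusted=False):
    """Resolve a Location header and decide which headers follow it.

    Returns (next_url, next_headers). Authorization is kept only for a
    same-origin target or when location_trusted is set (assumed policy).
    """
    next_url = urljoin(request_url, location)  # also resolves relative values
    same_origin = origin(request_url) == origin(next_url)
    next_headers = dict(headers)
    if not (same_origin or location_trusted):
        # Header names are case-insensitive, so match on the lowered name.
        for name in list(next_headers):
            if name.lower() == "authorization":
                del next_headers[name]
    return next_url, next_headers


if __name__ == "__main__":
    start = "http://localhost:8080/index.php"
    hdrs = {"Authorization": "Basic YWRtaW46YWRtaW4=", "Accept": "*/*"}
    cases = [
        ("http://localhost:8080/index.php?redirected", False),  # from the report
        ("/index.php?redirected", False),                       # relative form
        ("http://localhost:9090/index.php", False),             # constructed
        ("http://other.example/index.php", True),               # constructed
    ]
    for location, trusted in cases:
        url, out = follow_redirect(start, location, hdrs, trusted)
        print(url, "->", "kept" if "Authorization" in out else "dropped")
```

A regression test for the reported case asserts that the first two targets keep the header while the different-port target does not.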