setopt: clear proxy auth properly on NULL

Verify NULLed proxy credentials with test1648 Closes #21696
2026-05-21 19:06:21 +03:00 · 2026-05-20 13:39:25 +02:00 · 2026-05-20 13:39:25 +02:00 · 88c7e16cce
commit 88c7e16cce
parent f902c3c486
5 changed files with 206 additions and 8 deletions
--- a/lib/setopt.c
+++ b/lib/setopt.c
@ -1661,16 +1661,16 @@ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option,
    result = setstropt_userpwd(ptr, &u, &p);

    /* URL decode the components */
-    if(!result && u) {
+    if(!result) {
      curlx_safefree(s->str[STRING_PROXYUSERNAME]);
-      result = Curl_urldecode(u, 0, &s->str[STRING_PROXYUSERNAME], NULL,
-                              REJECT_ZERO);
-    }
-    if(!result && p) {
      curlx_safefree(s->str[STRING_PROXYPASSWORD]);
+      if(u)
+        result = Curl_urldecode(u, 0, &s->str[STRING_PROXYUSERNAME], NULL,
+                                REJECT_ZERO);
+    }
+    if(!result && p)
      result = Curl_urldecode(p, 0, &s->str[STRING_PROXYPASSWORD], NULL,
                              REJECT_ZERO);
-    }
    curlx_free(u);
    curlx_free(p);
    break;
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -216,7 +216,7 @@ test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 \
 test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 \
 test1628 test1629 test1630 test1631 test1632 test1633 test1634 test1635 \
 test1636 test1637 test1638 test1639 test1640 test1641 test1642 test1643 \
-test1644 test1645 test1646 test1647 \
+test1644 test1645 test1646 test1647 test1648 \
 \
 test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 \
 test1658 test1659 test1660 test1661 test1662 test1663 test1664 test1665 \
--- a/tests/data/test1648
+++ b/tests/data/test1648
@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP proxy
+HTTP proxy auth
+</keywords>
+</info>
+
+# Server-side
+<reply>
+
+# this is returned first since we get no proxy-auth
+<data crlf="headers" nocheck="yes">
+HTTP/1.1 407 Authorization Required to proxy me my dear
+Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345"
+Content-Length: 33
+
+And you should ignore this data.
+</data>
+
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+# tool is what to use instead of 'curl'
+<tool>
+lib%TESTNUMBER
+</tool>
+<features>
+proxy
+</features>
+<name>
+HTTP proxy with auth, change proxy, clear auth
+</name>
+<command>
+%HOSTIP %HTTPPORT
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="headers">
+GET http://example.com/ HTTP/1.1
+Host: example.com
+Proxy-Authorization: Basic %b64[victim:secret]b64%
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://example.com/ HTTP/1.1
+Host: example.com
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+
+</verify>
+</testcase>
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@ -99,7 +99,7 @@ TESTS_C = \
  lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c \
  lib1591.c lib1592.c lib1593.c lib1594.c                     lib1597.c \
  lib1598.c lib1599.c \
-  lib1647.c \
+  lib1647.c lib1648.c \
  lib1662.c \
  lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c \
  lib1908.c           lib1910.c lib1911.c lib1912.c lib1913.c \
--- a/tests/libtest/lib1648.c
+++ b/tests/libtest/lib1648.c
@ -0,0 +1,135 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+/*
+ * URL = host
+ * arg2 = port
+ */
+
+#include "first.h"
+
+/* this is meant to pick up the proxy from the environment variable */
+static CURLcode init1648(CURL *curl, const char *url, const char *proxy)
+{
+  CURLcode result = CURLE_OK;
+
+  res_easy_setopt(curl, CURLOPT_URL, url);
+  if(result)
+    goto init_failed;
+
+  res_easy_setopt(curl, CURLOPT_PROXY, proxy);
+  if(result)
+    goto init_failed;
+
+  res_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
+  if(result)
+    goto init_failed;
+
+  return CURLE_OK; /* success */
+
+init_failed:
+  return result; /* failure */
+}
+
+static CURLcode run1648(CURL *curl, const char *url, const char *userpwd)
+{
+  CURLcode result = CURLE_OK;
+
+  result = init1648(curl, url, userpwd);
+  if(result)
+    return result;
+
+  return curl_easy_perform(curl);
+}
+
+#define GET_THIS "http://example.com/"
+
+/*
+ * First get the URL over 'firstproxy' with auth.
+ * Then clear the auth and get the URL again over 'secondproxy'.
+ */
+static CURLcode test_lib1648(const char *hostip)
+{
+  CURLcode result = CURLE_OK;
+  CURL *curl = NULL;
+  struct curl_slist *host = NULL;
+  struct curl_slist *host2 = NULL;
+  char proxy1_resolve[128];
+  char proxy2_resolve[128];
+  char proxy1_connect[128];
+  char proxy2_connect[128];
+
+  curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve),
+                 "firstproxy:%s:%s", libtest_arg2, hostip);
+  curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve),
+                 "secondproxy:%s:%s", libtest_arg2, hostip);
+
+  /* we connect to the fake host name but the right port number */
+  curl_msnprintf(proxy1_connect, sizeof(proxy1_connect),
+                 "firstproxy:%s", libtest_arg2);
+  curl_msnprintf(proxy2_connect, sizeof(proxy2_connect),
+                 "secondproxy:%s", libtest_arg2);
+
+  res_global_init(CURL_GLOBAL_ALL);
+  if(result)
+    return result;
+
+  curl = curl_easy_init();
+  if(!curl) {
+    curl_mfprintf(stderr, "curl_easy_init() failed\n");
+    curl_global_cleanup();
+    return TEST_ERR_MAJOR_BAD;
+  }
+
+  host = curl_slist_append(NULL, proxy1_resolve);
+  if(!host)
+    goto test_cleanup;
+  host2 = curl_slist_append(host, proxy2_resolve);
+  if(!host2)
+    goto test_cleanup;
+  host = host2;
+
+  start_test_timing();
+
+  easy_setopt(curl, CURLOPT_RESOLVE, host);
+  easy_setopt(curl, CURLOPT_PROXYUSERPWD, "victim:secret");
+
+  curl_mprintf("--- First get over %s\n", proxy1_connect);
+  result = run1648(curl, GET_THIS, proxy1_connect);
+  if(result)
+    goto test_cleanup;
+
+  easy_setopt(curl, CURLOPT_PROXYUSERPWD, NULL);
+
+  curl_mprintf("--- Then over '%s'\n", proxy2_connect);
+  result = run1648(curl, GET_THIS, proxy2_connect);
+
+test_cleanup:
+
+  /* proper cleanup sequence - type PB */
+
+  curl_easy_cleanup(curl);
+  curl_global_cleanup();
+  curl_slist_free_all(host);
+  return result;
+}