From dd4d1a26959f63a2c0c3217d6e4096f05db148e1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 8 Jul 2023 23:57:29 +0200
Subject: [PATCH] transfer: clear credentials when redirecting to absolute URL

Make sure the user and password for the second request is taken from the
redirected-to URL.

Add test case 899 to verify.

Reported-by: James Lucas
Fixes #11410
Closes #11412
---
 lib/transfer.c          |  7 ++++-
 lib/url.c               |  2 +-
 tests/data/Makefile.inc | 42 +++++++++++++--------------
 tests/data/test899      | 64 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 24 deletions(-)
 create mode 100644 tests/data/test899

diff --git a/lib/transfer.c b/lib/transfer.c
index 62bccbd95c..52cd6a0153 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1554,10 +1554,15 @@ CURLcode Curl_follow(struct Curl_easy *data,
 
   if((type != FOLLOW_RETRY) &&
      (data->req.httpcode != 401) && (data->req.httpcode != 407) &&
-     Curl_is_absolute_url(newurl, NULL, 0, FALSE))
+     Curl_is_absolute_url(newurl, NULL, 0, FALSE)) {
     /* If this is not redirect due to a 401 or 407 response and an absolute
        URL: don't allow a custom port number */
     disallowport = TRUE;
+    if(!data->set.allow_auth_to_other_hosts) {
+      Curl_safefree(data->state.aptr.user);
+      Curl_safefree(data->state.aptr.passwd);
+    }
+  }
 
   DEBUGASSERT(data->state.uh);
   uc = curl_url_set(data->state.uh, CURLUPART_URL, newurl,
diff --git a/lib/url.c b/lib/url.c
index 0d5e7d0caf..e3e7f4507b 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1864,7 +1864,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
    * User name and password set with their own options override the
    * credentials possibly set in the URL.
    */
-  if(!data->state.aptr.passwd) {
+  if(!data->set.str[STRING_PASSWORD]) {
     uc = curl_url_get(uh, CURLUPART_PASSWORD, &data->state.up.password, 0);
     if(!uc) {
       char *decoded;
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index ca5faf9b58..8ee1394d4e 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -102,28 +102,26 @@ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
 test709 test710 test711 test712 test713 test714 test715 test716 test717 \
 test718 test719 test720 test721 \
 \
-test799 \
-test800 test801 test802 test803 test804 test805 test806 test807 test808 \
-test809 test810 test811 test812 test813 test814 test815 test816 test817 \
-test818 test819 test820 test821 test822 test823 test824 test825 test826 \
-test827 test828 test829 test830 test831 test832 test833 test834 test835 \
-test836 test837 test838 test839 test840 test841 test842 test843 test844 \
-test845 test846 test847 test848 test849 test850 test851 test852 test853 \
-test854 test855 test856 test857 test858 test859 test860 test861 test862 \
-test863 test864 test865 test866 test867 test868 test869 test870 test871 \
-test872 test873 test874 test875 test876 test877 test878 test879 test880 \
-test881 test882 test883 test884 test885 test886 test887 test888 test889 \
-test890 test891 test892 test893 test894 test895 test896 test897 test898 \
-\
-test900 test901 test902 test903 test904 test905 test906 test907 test908 \
-test909 test910 test911 test912 test913 test914 test915 test916 test917 \
-test918 test919 test920 test921 test922 test923 test924 test925 test926 \
-test927 test928 test929 test930 test931 test932 test933 test934 test935 \
-test936 test937 test938 test939 test940 test941 test942 test943 test944 \
-test945 test946 test947 test948 test949 test950 test951 test952 test953 \
-test954 test955 test956 test957 test958 test959 test960 test961 test962 \
-test963 test964 test965 test966 test967 test968 test969 test970 test971 \
-test972 test973 test974 test975 test976 test977 test978 \
+test799 test800 test801 test802 test803 test804 test805 test806 test807 \
+test808 test809 test810 test811 test812 test813 test814 test815 test816 \
+test817 test818 test819 test820 test821 test822 test823 test824 test825 \
+test826 test827 test828 test829 test830 test831 test832 test833 test834 \
+test835 test836 test837 test838 test839 test840 test841 test842 test843 \
+test844 test845 test846 test847 test848 test849 test850 test851 test852 \
+test853 test854 test855 test856 test857 test858 test859 test860 test861 \
+test862 test863 test864 test865 test866 test867 test868 test869 test870 \
+test871 test872 test873 test874 test875 test876 test877 test878 test879 \
+test880 test881 test882 test883 test884 test885 test886 test887 test888 \
+test889 test890 test891 test892 test893 test894 test895 test896 test897 \
+test898 test899 test900 test901 test902 test903 test904 test905 test906 \
+test907 test908 test909 test910 test911 test912 test913 test914 test915 \
+test916 test917 test918 test919 test920 test921 test922 test923 test924 \
+test925 test926 test927 test928 test929 test930 test931 test932 test933 \
+test934 test935 test936 test937 test938 test939 test940 test941 test942 \
+test943 test944 test945 test946 test947 test948 test949 test950 test951 \
+test952 test953 test954 test955 test956 test957 test958 test959 test960 \
+test961 test962 test963 test964 test965 test966 test967 test968 test969 \
+test970 test971 test972 test973 test974 test975 test976 test977 test978 \
 \
 test980 test981 test982 test983 test984 test985 test986 test987 test988 \
 test989 \
diff --git a/tests/data/test899 b/tests/data/test899
new file mode 100644
index 0000000000..d1f1936fc0
--- /dev/null
+++ b/tests/data/test899
@@ -0,0 +1,64 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+Basic
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data crlf="yes" nocheck="yes">
+HTTP/1.1 302 go go go
+Content-Length: 8
+Location: http://user:pass@%HOSTIP:%HTTPPORT/basic-auth/user/%TESTNUMBER0002
+Content-Type: text/html
+Funny-head: yesyes
+
+notreal
+</data>
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Content-Length: 6
+Content-Type: text/html
+Funny-head: yesyes
+
+final
+</data2>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+URL with credentials redirects to URL with different credentials
+</name>
+<command>
+http://first:secret@%HOSTIP:%HTTPPORT/%TESTNUMBER -L
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Zmlyc3Q6c2VjcmV0
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET /basic-auth/user/%TESTNUMBER0002 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>