[HttpFoundation] removed the username and password from generated URL as generated by the Request class (closes symfony#5555)

fabpot · fabpot · commit b8a2f8c646d1 · 2012-09-21T08:13:47.000+02:00
Quoted from the ticket it solves for future reference: "I've been having issues with using htdigest auth (requirement for me to work with) after upgrading to 2.1. Each time a resource is loaded, a prompt is given for the HTTP Auth username and password, and Chrome does not automatically respond to these 401 responses with the credentials it already has. I've traced the issue to being caused by the HttpFoundation Component, specifically Request.php. The request class adds the PHP_AUTH_USER/PHP_AUTH_PW parameters to the request URI (changes http://www.mysite.com requests to http://user:pw@www.mysite.com) in getSchemeAndHttpHost(). This behaviour is not specified in the HTTP RFC, and is incompatible with Chrome as of Chrome 19, IE (as of IE 9) and has special behaviour in Firefox (prompts the user to confirm they know they're logging into the site, which is an ambiguous behaviour at best, but at least it's something if they're going to support it for now). This functionality was added about to HttpFoundation about a year ago, but it really should be removed and standard protocol practices should be followed. This practice makes it possible for cross-site tracking and other malicious behaviours to be performed by hiding information in the authorization headers, which explains why most browsers no longer support or take exception with it. The offending line is specifically this. Replacing it with return $this->getScheme().'://'.$this->getHttpHost(); seems to solve the problem."
diff --git a/src/Symfony/Component/HttpFoundation/Request.php b/src/Symfony/Component/HttpFoundation/Request.php
@@ -795,11 +795,14 @@ public function getRequestUri()
     /**
      * Gets the scheme and HTTP host.
      *
+     * If the URL was called with basic authentication, the user
+     * and the password are not added to the generated string.
+     *
      * @return string The scheme and HTTP host
      */
     public function getSchemeAndHttpHost()
     {
-        return $this->getScheme().'://'.(('' != $auth = $this->getUserInfo()) ? $auth.'@' : '').$this->getHttpHost();
+        return $this->getScheme().'://'.$this->getHttpHost();
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -795,11 +795,14 @@ public function getRequestUri()`
`795`	`795`	`/**`
`796`	`796`	`* Gets the scheme and HTTP host.`
`797`	`797`	`*`
	`798`	`+ * If the URL was called with basic authentication, the user`
	`799`	`+ * and the password are not added to the generated string.`
	`800`	`+ *`
`798`	`801`	`* @return string The scheme and HTTP host`
`799`	`802`	`*/`
`800`	`803`	`public function getSchemeAndHttpHost()`
`801`	`804`	`{`
`802`		`- return $this->getScheme().'://'.(('' != $auth = $this->getUserInfo()) ? $auth.'@' : '').$this->getHttpHost();`
	`805`	`+ return $this->getScheme().'://'.$this->getHttpHost();`
`803`	`806`	`}`
`804`	`807`
`805`	`808`	`/**`