Changed to prioritize DSN authentication information over arguments.

SakiTakamachi · SakiTakamachi · commit 38deddd11725 · 2023-10-16T00:09:56.000+09:00
Added connection test

fixed PR number
diff --git a/ext/pdo_pgsql/pgsql_driver.c b/ext/pdo_pgsql/pgsql_driver.c
@@ -1281,8 +1281,8 @@ static int pdo_pgsql_handle_factory(pdo_dbh_t *dbh, zval *driver_options) /* {{{
 	}
 
 	/* escape username and password, if provided */
-	tmp_user = _pdo_pgsql_escape_credentials(dbh->username);
-	tmp_pass = _pdo_pgsql_escape_credentials(dbh->password);
+	tmp_user = !strstr((char *) dbh->data_source, "user=") ? _pdo_pgsql_escape_credentials(dbh->username) : NULL;
+	tmp_pass = !strstr((char *) dbh->data_source, "password=") ? _pdo_pgsql_escape_credentials(dbh->password) : NULL;
 
 	/* support both full connection string & connection string + login and/or password */
 	if (tmp_user && tmp_pass) {
diff --git a/ext/pdo_pgsql/tests/gh12423.phpt b/ext/pdo_pgsql/tests/gh12423.phpt
@@ -0,0 +1,78 @@
+--TEST--
+GitHub #12424 (Fix GH-12423: [pdo_pgsql] Changed to prioritize DSN authentication information over arguments.)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded');
+require __DIR__ . '/../../../ext/pdo/tests/pdo_test.inc';
+require __DIR__ . '/config.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require __DIR__ . '/config.inc';
+
+[
+    'ENV' => [
+        'PDOTEST_DSN' => $dsnWithCredentials,
+        'PDOTEST_USER' => $user,
+        'PDOTEST_PASS' => $password,
+    ],
+] = __DIR__ . '/common.phpt';
+
+$dsn = str_replace(" user={$user} password={$password}", '', $dsnWithCredentials);
+
+echo "dsn without credentials / correct user / correct password\n";
+try {
+    $db = new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with credentials / no user / no password\n";
+try {
+    $db = new PDO("{$dsn} user={$user} password={$password}", null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct user / incorrect user / correct password\n";
+try {
+    $db = new PDO("{$dsn} user={$user}", 'hoge', $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct password / correct user / incorrect password\n";
+try {
+    $db = new PDO("{$dsn} password={$password}", $user, 'fuga', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+echo "dsn with correct credentials / incorrect user / incorrect password\n";
+try {
+    $db = new PDO("{$dsn} user={$user} password={$password}", 'hoge', 'fuga', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    echo "Connected.\n";
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+?>
+--EXPECT--
+dsn without credentials / correct user / correct password
+Connected.
+
+dsn with credentials / no user / no password
+Connected.
+
+dsn with correct user / incorrect user / correct password
+Connected.
+
+dsn with correct password / correct user / incorrect password
+Connected.
+
+dsn with correct credentials / incorrect user / incorrect password
+Connected.

Original file line number	Diff line number	Diff line change
`@@ -1281,8 +1281,8 @@ static int pdo_pgsql_handle_factory(pdo_dbh_t dbh, zval driver_options) /* {{{`
`1281`	`1281`	`}`
`1282`	`1282`
`1283`	`1283`	`/* escape username and password, if provided */`
`1284`		`- tmp_user = _pdo_pgsql_escape_credentials(dbh->username);`
`1285`		`- tmp_pass = _pdo_pgsql_escape_credentials(dbh->password);`
	`1284`	`+ tmp_user = !strstr((char *) dbh->data_source, "user=") ? _pdo_pgsql_escape_credentials(dbh->username) : NULL;`
	`1285`	`+ tmp_pass = !strstr((char *) dbh->data_source, "password=") ? _pdo_pgsql_escape_credentials(dbh->password) : NULL;`
`1286`	`1286`
`1287`	`1287`	`/* support both full connection string & connection string + login and/or password */`
`1288`	`1288`	`if (tmp_user && tmp_pass) {`