nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

Setting authorization header globally in basicauth.php is dangerous #141

Closed bjoernv closed 4 years ago

bjoernv commented 4 years ago

In user_external/lib/basicauth.php there are two calls to stream_context_set_default. The first call resets the method="GET" options. The second call sets "authorization: Basic" options for method="GET".

This can cause some security problems:

  1. A globally assigned authorization header can be redirected to foreign servers, e.g. if the configured HTTP server has a temporary redirection which is not noticed by the Nextcloud administrator.
  2. In Nextcloud there are many other calls to file_get_contents and popen. These functions can use the globally configured "authorization: Basic" data and send them to foreign servers.

The first problem can be solved with the max_redirects=1 option. The second problem can be solved with a local context in get_headers (available since PHP 7.1.0).
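The two patterns side by side, as an added example that is not code from the user_external app or from the issue author: the first function reproduces the process-wide default context the issue warns about, the second performs the same Basic-auth probe with a request-local context passed to get_headers (the context parameter exists since PHP 7.1.0) and max_redirects set to 1 so that no Location target is followed. Host name, credentials and the function names are placeholders chosen for the example.

```php
<?php
// Added example, not code from the user_external app. It contrasts the
// global default-context pattern described in the issue with a context
// that is local to one request. Host, user and password are placeholders.

// Pattern described in the issue: a process-wide default context.
// Every later http:// or https:// stream opened in this PHP process, from any
// code path (file_get_contents, popen with a URL, ...), inherits the
// Authorization header, and redirects are followed by default.
function setGlobalBasicAuthUnsafe(string $user, string $password): void
{
    stream_context_set_default([
        'http' => [
            'method' => 'GET',
            'header' => 'Authorization: Basic ' . base64_encode("$user:$password"),
        ],
    ]);
}

// Safer pattern: the credentials live only in a context handed to this one
// get_headers() call, and max_redirects = 1 (a value of 1 or less means no
// redirect is followed) keeps the header from travelling to a Location target
// the administrator never configured.
function checkBasicAuth(string $url, string $user, string $password): bool
{
    $context = stream_context_create([
        'http' => [
            'method'        => 'GET',
            'header'        => 'Authorization: Basic ' . base64_encode("$user:$password"),
            'max_redirects' => 1,     // do not follow redirects
            'ignore_errors' => true,  // still return headers on 4xx/5xx
            'timeout'       => 5,
        ],
    ]);

    $headers = @get_headers($url, 1, $context);
    if ($headers === false || !isset($headers[0])) {
        return false; // network error: treat as authentication failure
    }

    // $headers[0] is the status line, e.g. "HTTP/1.1 200 OK". Only a 2xx
    // status counts as success. A 3xx means the server tried to redirect;
    // it is logged for the administrator and never followed.
    if (preg_match('#^HTTP/\d(?:\.\d)? (\d{3})#', $headers[0], $m) !== 1) {
        return false;
    }
    $status = (int) $m[1];
    if ($status >= 300 && $status < 400) {
        error_log("basic auth endpoint $url answered with a redirect ($status); refusing");
        return false;
    }
    return $status >= 200 && $status < 300;
}

// Usage with a placeholder host:
// var_dump(checkBasicAuth('https://auth.example.invalid/', 'alice', 'secret'));
```

Because the context object is discarded when checkBasicAuth returns, no other stream operation in the process can pick up the credentials, which addresses the second problem in the issue; refusing on a 3xx status makes the redirect visible in the log instead of silently failing or leaking.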