From: Daniel Stenberg Date: Mon, 22 Sep 2025 06:33:20 +0000 (+0200) Subject: managen: strict protocol check X-Git-Tag: rc-8_17_0-2~399 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f0f0bdb192a71b6b8b654115ee2c08f8411e356;p=thirdparty%2Fcurl.git managen: strict protocol check - protocols MUST match one in the accept-list - protocols are typically all uppercase - drop All - use SCP and SFTP instead of SSH - add Protocols: to some options previously missing one Closes #18675 --- diff --git a/docs/cmdline-opts/doh-cert-status.md b/docs/cmdline-opts/doh-cert-status.md index 7c497cf16f..445eb3dcd0 100644 --- a/docs/cmdline-opts/doh-cert-status.md +++ b/docs/cmdline-opts/doh-cert-status.md @@ -5,6 +5,7 @@ Long: doh-cert-status Help: Verify DoH server cert status OCSP-staple Added: 7.76.0 Category: dns tls +Protocols: DNS Multi: boolean See-also: - doh-insecure diff --git a/docs/cmdline-opts/doh-insecure.md b/docs/cmdline-opts/doh-insecure.md index 72f3cb7725..ee1602a242 100644 --- a/docs/cmdline-opts/doh-insecure.md +++ b/docs/cmdline-opts/doh-insecure.md @@ -5,6 +5,7 @@ Long: doh-insecure Help: Allow insecure DoH server connections Added: 7.76.0 Category: dns tls +Protocols: DNS Multi: boolean See-also: - doh-url diff --git a/docs/cmdline-opts/doh-url.md b/docs/cmdline-opts/doh-url.md index dcc6e52f8a..60cf6caab0 100644 --- a/docs/cmdline-opts/doh-url.md +++ b/docs/cmdline-opts/doh-url.md @@ -6,6 +6,7 @@ Arg: Help: Resolve hostnames over DoH Added: 7.62.0 Category: dns +Protocols: DNS Multi: single See-also: - doh-insecure diff --git a/docs/cmdline-opts/follow.md b/docs/cmdline-opts/follow.md index 47d9128441..e791e36adf 100644 --- a/docs/cmdline-opts/follow.md +++ b/docs/cmdline-opts/follow.md @@ -4,6 +4,7 @@ SPDX-License-Identifier: curl Long: follow Help: Follow redirects per spec Category: http +Protocols: HTTP Added: 8.16.0 Multi: boolean See-also: 
diff --git a/docs/cmdline-opts/form-escape.md b/docs/cmdline-opts/form-escape.md index 0f93fde7eb..7cf1cb7403 100644 --- a/docs/cmdline-opts/form-escape.md +++ b/docs/cmdline-opts/form-escape.md @@ -3,7 +3,7 @@ c: Copyright (C) Daniel Stenberg, , et al. SPDX-License-Identifier: curl Long: form-escape Help: Escape form fields using backslash -Protocols: HTTP imap smtp +Protocols: HTTP IMAP SMTP Added: 7.81.0 Category: http upload post Multi: single diff --git a/docs/cmdline-opts/ip-tos.md b/docs/cmdline-opts/ip-tos.md index 3d6473f312..f5ef589e23 100644 --- a/docs/cmdline-opts/ip-tos.md +++ b/docs/cmdline-opts/ip-tos.md @@ -6,7 +6,6 @@ Arg: Help: Set IP Type of Service or Traffic Class Added: 8.9.0 Category: connection -Protocols: All Multi: single See-also: - tcp-nodelay diff --git a/docs/cmdline-opts/key.md b/docs/cmdline-opts/key.md index 967119a8b5..cc4bc73fa5 100644 --- a/docs/cmdline-opts/key.md +++ b/docs/cmdline-opts/key.md @@ -3,7 +3,7 @@ c: Copyright (C) Daniel Stenberg, , et al. SPDX-License-Identifier: curl Long: key Arg: -Protocols: TLS SSH +Protocols: TLS SCP SFTP Help: Private key filename Category: tls ssh Added: 7.9.3 diff --git a/docs/cmdline-opts/pass.md b/docs/cmdline-opts/pass.md index 0527334f2a..79c2f8738a 100644 --- a/docs/cmdline-opts/pass.md +++ b/docs/cmdline-opts/pass.md @@ -4,7 +4,7 @@ SPDX-License-Identifier: curl Long: pass Arg: Help: Passphrase for the private key -Protocols: SSH TLS +Protocols: TLS SCP SFTP Category: ssh tls auth Added: 7.9.3 Multi: single diff --git a/docs/cmdline-opts/sasl-authzid.md b/docs/cmdline-opts/sasl-authzid.md index 4c4282d14d..4e92a20541 100644 --- a/docs/cmdline-opts/sasl-authzid.md +++ b/docs/cmdline-opts/sasl-authzid.md @@ -4,6 +4,7 @@ SPDX-License-Identifier: curl Long: sasl-authzid Arg: Help: Identity for SASL PLAIN authentication +Protocols: LDAP IMAP POP3 SMTP Added: 7.66.0 Category: auth Multi: single 
diff --git a/docs/cmdline-opts/sasl-ir.md b/docs/cmdline-opts/sasl-ir.md index 0f759c6d10..206bf29317 100644 --- a/docs/cmdline-opts/sasl-ir.md +++ b/docs/cmdline-opts/sasl-ir.md @@ -3,6 +3,7 @@ c: Copyright (C) Daniel Stenberg, , et al. SPDX-License-Identifier: curl Long: sasl-ir Help: Initial response in SASL authentication +Protocols: LDAP IMAP POP3 SMTP Added: 7.31.0 Category: auth Multi: boolean diff --git a/docs/cmdline-opts/socks5-gssapi-nec.md b/docs/cmdline-opts/socks5-gssapi-nec.md index eef6b2de9d..9cd91b9615 100644 --- a/docs/cmdline-opts/socks5-gssapi-nec.md +++ b/docs/cmdline-opts/socks5-gssapi-nec.md @@ -5,6 +5,7 @@ Long: socks5-gssapi-nec Help: Compatibility with NEC SOCKS5 server Added: 7.19.4 Category: proxy auth +Protocols: GSS/kerberos Multi: boolean See-also: - socks5 diff --git a/docs/cmdline-opts/socks5-gssapi.md b/docs/cmdline-opts/socks5-gssapi.md index e17425431b..b8520b22cc 100644 --- a/docs/cmdline-opts/socks5-gssapi.md +++ b/docs/cmdline-opts/socks5-gssapi.md @@ -5,6 +5,7 @@ Long: socks5-gssapi Help: Enable GSS-API auth for SOCKS5 proxies Added: 7.55.0 Category: proxy auth +Protocols: GSS/kerberos Multi: boolean See-also: - socks5 diff --git a/docs/cmdline-opts/telnet-option.md b/docs/cmdline-opts/telnet-option.md index a332b1a5cd..ca82a4ceb8 100644 --- a/docs/cmdline-opts/telnet-option.md +++ b/docs/cmdline-opts/telnet-option.md @@ -6,6 +6,7 @@ Short: t Arg: Help: Set telnet option Category: telnet +Protocols: TELNET Added: 7.7 Multi: append See-also: diff --git a/docs/cmdline-opts/upload-flags.md b/docs/cmdline-opts/upload-flags.md index e30fb3dbdb..d176148768 100644 --- a/docs/cmdline-opts/upload-flags.md +++ b/docs/cmdline-opts/upload-flags.md @@ -4,6 +4,7 @@ SPDX-License-Identifier: curl Long: upload-flags Arg: Help: IMAP upload behavior +Protocols: IMAP Category: curl output Added: 8.13.0 Multi: single diff --git a/docs/cmdline-opts/url-query.md b/docs/cmdline-opts/url-query.md index 43bf43d932..3953eda4c7 100644 
--- a/docs/cmdline-opts/url-query.md +++ b/docs/cmdline-opts/url-query.md @@ -4,7 +4,6 @@ SPDX-License-Identifier: curl Long: url-query Arg: Help: Add a URL query part -Protocols: all Added: 7.87.0 Category: http post upload Multi: append diff --git a/docs/cmdline-opts/vlan-priority.md b/docs/cmdline-opts/vlan-priority.md index 34dc8ce066..c49c659e5c 100644 --- a/docs/cmdline-opts/vlan-priority.md +++ b/docs/cmdline-opts/vlan-priority.md @@ -6,7 +6,6 @@ Arg: Help: Set VLAN priority Added: 8.9.0 Category: connection -Protocols: All Multi: single See-also: - ip-tos diff --git a/scripts/managen b/scripts/managen index 9290680670..4849fe8378 100755 --- a/scripts/managen +++ b/scripts/managen @@ -241,8 +241,38 @@ sub overrides { } } +my %protexists = ( + 'DNS' => 1, + 'FILE' => 1, + 'FTP' => 1, + 'FTPS' => 1, + 'GSS/kerberos' => 1, + 'HTTP' => 1, + 'HTTPS' => 1, + 'IMAP' => 1, + 'IPFS' => 1, + 'LDAP' => 1, + 'MQTT' => 1, + 'POP3' => 1, + 'SCP' => 1, + 'SFTP' => 1, + 'SMTP' => 1, + 'SSL' => 2, # deprecated + 'TELNET' => 1, + 'TFTP' => 1, + 'TLS' => 1, + ); + sub protocols { - my ($manpage, $standalone, $data)=@_; + my ($f, $line, $manpage, $standalone, $data)=@_; + my @e = split(/ +/, $data); + for my $pr (@e) { + if(!$protexists{$pr}) { + + print STDERR "$f:$line:1:ERROR: unrecognized protocol: $pr\n"; + exit 2; + } + } if($standalone) { return ".SH \"PROTOCOLS\"\n$data\n"; } @@ -716,7 +746,7 @@ sub single { } my @leading; if($protocols) { - push @leading, protocols($manpage, $standalone, $protocols); + push @leading, protocols($f, $line, $manpage, $standalone, $protocols); } if($standalone) {
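Review bot: The deprecation marker on `'SSL' => 2` is never read: the new loop in `protocols` only tests `!$protexists{$pr}`, so a `Protocols: SSL` line passes exactly like an accepted name and nothing reports that it is deprecated. If the value is meant to carry meaning, add a short comment above `%protexists` stating that 1 means accepted and 2 means deprecated, and emit a warning for the latter, e.g. `print STDERR "$f:$line:1:WARN: deprecated protocol: $pr\n" if($protexists{$pr} == 2);`. Separately, `split(/ +/, $data)` returns an empty first field when `$data` starts with a space and does not split on tabs, which would surface as an "unrecognized protocol" error with an empty name. `split(' ', $data)` avoids both, though whether `$data` can arrive with leading whitespace depends on the caller, which is outside this hunk. The body of `protocols` continues past the end of the hunk.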