From: Daniel Stenberg Date: Tue, 19 Apr 2022 16:15:02 +0000 (+0200) Subject: CURLOPT_UNRESTRICTED_AUTH.3: extended explanation X-Git-Tag: curl-7_83_0~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=774dbd520ad0810df0715b19a0868d62e411b0c7;p=thirdparty%2Fcurl.git CURLOPT_UNRESTRICTED_AUTH.3: extended explanation Include details about Authentication headers. Reported-by: Brad Spencer Fixes #8724 Closes #8726 --- diff --git a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 index 9f87db3de8..fad4a6fac9 100644 --- a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 +++ b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms 
@@ -35,9 +35,19 @@ authentication (user+password) credentials when following locations, even when hostname changed. This option is meaningful only when setting \fICURLOPT_FOLLOWLOCATION(3)\fP. -By default, libcurl will only send given credentials to the initial host name -as given in the original URL, to avoid leaking username + password to other -sites. +Further, when this option is not used or set to \fB0L\fP, libcurl will not +send custom set nor internally generated Authentication: headers on requests +done to other hosts than the one used for the initial URL. + +By default, libcurl will only send credentials and Authentication headers to +the initial host name as given in the original URL, to avoid leaking username ++ password to other sites. + +This option should be used with caution: when curl follows redirects it +blindly fetches the next URL as instructed by the server. Setting +\fICURLOPT_UNRESTRICTED_AUTH(3)\fP to 1L will therefore also make curl trust +the server and send possibly sensitive credentials to a host the server points +out. .SH DEFAULT 0 .SH PROTOCOLS
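Review bot: the header named in the two new paragraphs is misnamed; the HTTP request header that carries credentials is `Authorization:`, not `Authentication:` (the response-side header is `WWW-Authenticate:`), so both `send custom set nor internally generated Authentication: headers` and `send credentials and Authentication headers to` should say `Authorization`. This matters for readers auditing which of their own custom headers libcurl strips on a cross-host redirect, since they will grep for the real header name. While touching those lines, `libcurl will not send custom set nor internally generated` should read `libcurl will send neither custom-set nor internally generated`, or `will not send custom-set or internally generated`.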