tool: enable header separation for HTTPS proxies

When using a proxy, --header specified headers were leaking into CONNECT
requests. This could break corporate proxies that reject custom
User-Agent headers in CONNECT.

Enable CURLHEADER_SEPARATE only for HTTPS through proxy or when
--proxytunnel is used, ensuring:

- --header affects only HTTP requests (not CONNECT)
- --proxy-header affects only CONNECT requests
- --user-agent affects both consistently

Fixes the redirect + proxy + custom UA issue while maintaining
compatibility with HTTP proxy scenarios.

Closes #20398

diff --git a/src/config2setopts.c b/src/config2setopts.c
index 83fa062ef3bdba01fbfbcbb76e604205ed6faea1..4ea65f453c24faee45d9bba96233bfd95f13cec1 100644 (file)
--- a/src/config2setopts.c
+++ b/src/config2setopts.c
@@ -498,7 +498,6 @@ static CURLcode http_setopts(struct OperationConfig *config, CURL *curl)
 
   if(config->proxyheaders) {
     my_setopt_slist(curl, CURLOPT_PROXYHEADER, config->proxyheaders);
-    my_setopt_long(curl, CURLOPT_HEADEROPT, CURLHEADER_SEPARATE);
   }
 
   my_setopt_long(curl, CURLOPT_MAXREDIRS, config->maxredirs);
@@ -882,6 +881,11 @@ CURLcode config2setopts(struct OperationConfig *config,
       result = cookie_setopts(config, curl);
     if(result)
       return result;
+    /* Enable header separation when using a proxy with HTTPS or proxytunnel
+     * to prevent --header content from leaking into CONNECT requests */
+    if((config->proxy || config->proxyheaders) &&
+       (use_proto == proto_https || config->proxytunnel))
+      my_setopt_long(curl, CURLOPT_HEADEROPT, CURLHEADER_SEPARATE);
   }
 
   if(use_proto == proto_ftp || use_proto == proto_ftps) {