From: Daniel Stenberg
Date: Wed, 10 Dec 2025 10:40:47 +0000 (+0100)
Subject: curl_sasl: if redirected, require permission to use bearer
X-Git-Tag: rc-8_18_0-2~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a822275d333dc6da6043497160fd04c8fa48640;p=thirdparty%2Fcurl.git

curl_sasl: if redirected, require permission to use bearer

Closes #19933
---

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 3e4bafc19a..b93bafbefa 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -452,7 +452,9 @@ static bool sasl_choose_ntlm(struct Curl_easy *data, struct sasl_ctx *sctx)

 static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx)
 {
- const char *oauth_bearer = data->set.str[STRING_BEARER];
+ const char *oauth_bearer =
+ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
+ data->set.str[STRING_BEARER] : NULL;

 if(sctx->user && oauth_bearer &&
 (sctx->enabledmechs & SASL_MECH_OAUTHBEARER)) {
@@ -477,7 +479,9 @@ static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx)

 static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx)
 {
- const char *oauth_bearer = data->set.str[STRING_BEARER];
+ const char *oauth_bearer =
+ (!data->state.this_is_a_follow || data->set.allow_auth_to_other_hosts) ?
+ data->set.str[STRING_BEARER] : NULL;

 if(sctx->user && oauth_bearer &&
 (sctx->enabledmechs & SASL_MECH_XOAUTH2)) {
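Review bot: The redirect gate on the bearer token is written out twice, once in `sasl_choose_oauth` and again in `sasl_choose_oauth2`, and neither copy has a comment saying why the token is withheld. Since this is a credential-disclosure control, a single file-local helper would keep the two mechanisms from drifting apart if the condition is tightened or relaxed later. The condition tests only `this_is_a_follow` and the opt-in flag and compares no host, so every followed request loses the token unless `allow_auth_to_other_hosts` is set; if that is the intended conservative behaviour, the helper's comment should say so. Both function bodies continue outside the hunks, so how mechanism selection proceeds once `oauth_bearer` is NULL is not visible here; a test covering a followed transfer with and without the opt-in would pin the behaviour.

```c
/* The bearer token is a credential meant for the originally requested
   server. On a followed request it is only handed out when the application
   opted in with allow_auth_to_other_hosts. No host comparison is done, so
   every follow is treated as potentially another host. */
static const char *sasl_bearer(struct Curl_easy *data)
{
  if(data->state.this_is_a_follow && !data->set.allow_auth_to_other_hosts)
    return NULL;
  return data->set.str[STRING_BEARER];
}

static bool sasl_choose_oauth(struct Curl_easy *data, struct sasl_ctx *sctx)
{
  const char *oauth_bearer = sasl_bearer(data);
  /* … unchanged: OAUTHBEARER mechanism selection … */

static bool sasl_choose_oauth2(struct Curl_easy *data, struct sasl_ctx *sctx)
{
  const char *oauth_bearer = sasl_bearer(data);
  /* … unchanged: XOAUTH2 mechanism selection … */
```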