From: Daniel Stenberg Date: Thu, 2 Nov 2023 12:05:10 +0000 (+0100) Subject: docs: clarify that curl passes on input unfiltered X-Git-Tag: curl-8_5_0~154 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63e1a9a1e7a6808a3f325547fe586c6b58d32fc7;p=thirdparty%2Fcurl.git docs: clarify that curl passes on input unfiltered ... for several options. Reported-by: Ophir Lojkine Closes #12249 --- diff --git a/docs/cmdline-opts/header.d b/docs/cmdline-opts/header.d index f5b7685524..95c1565e8f 100644 --- a/docs/cmdline-opts/header.d +++ b/docs/cmdline-opts/header.d @@ -34,7 +34,8 @@ with no-value then its header must be terminated with a semicolon, such as \-H curl makes sure that each header you add/replace is sent with the proper end-of-line marker, you should thus **not** add that as a part of the header content: do not add newlines or carriage returns, they only mess things up for -you. +you. curl passes on the verbatim string you give it without any filter or +other safe guards. That includes white space and control characters. This option can take an argument in @filename style, which then adds a header for each line in the input file. Using @- makes curl read the header file from diff --git a/docs/cmdline-opts/request-target.d b/docs/cmdline-opts/request-target.d index 61ead5f2b0..be53c658cb 100644 --- a/docs/cmdline-opts/request-target.d +++ b/docs/cmdline-opts/request-target.d @@ -14,3 +14,6 @@ Tells curl to use an alternative "target" (path) instead of using the path as provided in the URL. Particularly useful when wanting to issue HTTP requests without leading slash or other data that does not follow the regular URL pattern, like "OPTIONS *". + +curl passes on the verbatim string you give it its the request without any +filter or other safe guards. That includes white space and control characters. diff --git a/docs/cmdline-opts/request.d b/docs/cmdline-opts/request.d index 0020babf91..6afd535648 100644 --- a/docs/cmdline-opts/request.d +++ b/docs/cmdline-opts/request.d @@ -12,6 +12,9 @@ See-also: request-target Multi: single --- Change the method to use when starting the transfer. + +curl passes on the verbatim string you give it its the request without any +filter or other safe guards. That includes white space and control characters. .RS .TP 15 **HTTP** diff --git a/docs/libcurl/opts/CURLOPT_CUSTOMREQUEST.3 b/docs/libcurl/opts/CURLOPT_CUSTOMREQUEST.3 index 00132854e2..0f2d16bf5b 100644 --- a/docs/libcurl/opts/CURLOPT_CUSTOMREQUEST.3 +++ b/docs/libcurl/opts/CURLOPT_CUSTOMREQUEST.3 @@ -39,6 +39,9 @@ When you change the request \fImethod\fP by setting libcurl behaves or acts in regards to the particular request method, it only changes the actual string sent in the request. +libcurl passes on the verbatim string in its request without any filter or +other safe guards. That includes white space and control characters. + Restore to the internal default by setting this to NULL. This option can be used to specify the request: diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 index 4817927ab8..04b5a5087c 100644 --- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 @@ -55,7 +55,9 @@ semicolon). The headers included in the linked list \fBmust not\fP be CRLF-terminated, because libcurl adds CRLF after each header item itself. Failure to comply -with this might result in strange behavior. +with this might result in strange behavior. libcurl passes on the verbatim +strings you give it, without any filter or other safe guards. That includes +white space and control characters. The first line in an HTTP request (containing the method, usually a GET or POST) is not a header and cannot be replaced using this option. Only the lines diff --git a/docs/libcurl/opts/CURLOPT_REQUEST_TARGET.3 b/docs/libcurl/opts/CURLOPT_REQUEST_TARGET.3 index bd26a95b61..50d037a9d1 100644 --- a/docs/libcurl/opts/CURLOPT_REQUEST_TARGET.3 +++ b/docs/libcurl/opts/CURLOPT_REQUEST_TARGET.3 @@ -34,6 +34,9 @@ CURLcode curl_easy_setopt(CURL *handle, CURLOPT_REQUEST_TARGET, string); .SH DESCRIPTION Pass a char * to string which libcurl uses in the upcoming request instead of the path as extracted from the URL. + +libcurl passes on the verbatim string in its request without any filter or +other safe guards. That includes white space and control characters. .SH DEFAULT NULL .SH PROTOCOLS