From: Jacek Migacz <jmigacz@redhat.com>
Date: Thu, 22 Jan 2026 10:36:44 +0000 (+0000)
Subject: tool: enable header separation for HTTPS proxies
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aacbe4d9bf4590247819bed5318835b89eafe533;p=thirdparty%2Fcurl.git

tool: enable header separation for HTTPS proxies

When using a proxy, --header specified headers were leaking into CONNECT
requests. This could break corporate proxies that reject custom
User-Agent headers in CONNECT.

Enable CURLHEADER_SEPARATE only for HTTPS through proxy or when
--proxytunnel is used, ensuring:

- --header affects only HTTP requests (not CONNECT)
- --proxy-header affects only CONNECT requests
- --user-agent affects both consistently

Fixes the redirect + proxy + custom UA issue while maintaining
compatibility with HTTP proxy scenarios.

Closes #20398
---

diff --git a/src/config2setopts.c b/src/config2setopts.c
index 83fa062ef3..4ea65f453c 100644
--- a/src/config2setopts.c
+++ b/src/config2setopts.c
@@ -498,7 +498,6 @@ static CURLcode http_setopts(struct OperationConfig *config, CURL *curl)
 
   if(config->proxyheaders) {
     my_setopt_slist(curl, CURLOPT_PROXYHEADER, config->proxyheaders);
-    my_setopt_long(curl, CURLOPT_HEADEROPT, CURLHEADER_SEPARATE);
   }
 
   my_setopt_long(curl, CURLOPT_MAXREDIRS, config->maxredirs);
@@ -882,6 +881,11 @@ CURLcode config2setopts(struct OperationConfig *config,
       result = cookie_setopts(config, curl);
     if(result)
       return result;
+    /* Enable header separation when using a proxy with HTTPS or proxytunnel
+     * to prevent --header content from leaking into CONNECT requests */
+    if((config->proxy || config->proxyheaders) &&
+       (use_proto == proto_https || config->proxytunnel))
+      my_setopt_long(curl, CURLOPT_HEADEROPT, CURLHEADER_SEPARATE);
   }
 
   if(use_proto == proto_ftp || use_proto == proto_ftps) {