From: Rich Bowen <rbowen@apache.org>
Date: Fri, 1 May 2026 18:06:50 +0000 (+0000)
Subject: Bug 66341: Note that HttpProtocolOptions Strict blocks credentials in FTP proxy URLs
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd6dd69f1f2eeb72fdfc7da4a6c54c92cdcab092;p=thirdparty%2Fapache%2Fhttpd.git

Bug 66341: Note that HttpProtocolOptions Strict blocks credentials in FTP proxy URLs

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933682 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_proxy_ftp.xml b/docs/manual/mod/mod_proxy_ftp.xml
index 476b91abe3..be6aec914a 100644
--- a/docs/manual/mod/mod_proxy_ftp.xml
+++ b/docs/manual/mod/mod_proxy_ftp.xml
@@ -122,6 +122,14 @@ ForceType application/octet-stream
         ftp://<var>username</var>@<var>host</var>/myfile
       </example>
 
+      <note><title>HttpProtocolOptions</title>
+        <p>By default, <directive module="core"
+        >HttpProtocolOptions</directive> is set to <code>Strict</code>,
+        which rejects URLs containing userinfo (username or password)
+        per RFC 7230.  To use credentials in FTP URLs, you must set
+        <code>HttpProtocolOptions Unsafe</code>.</p>
+      </note>
+
       <p>If the FTP server asks for a password when given this username (which
       it should), then Apache will reply with a <code>401</code> (Authorization
       required) response, which causes the Browser to pop up the