From 5fcf96930efcafb483adc262f8899e4e8f9c79aa Mon Sep 17 00:00:00 2001
From: XYenon
Date: Fri, 9 Aug 2024 17:30:40 +0800
Subject: [PATCH] docs: add description of effect of --location-trusted on cookie

Closes #14471
---
 docs/cmdline-opts/location-trusted.md | 15 ++++++++++-----
 docs/cmdline-opts/location.md         |  7 ++++---
 src/tool_listhelp.c                   |  2 +-
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/docs/cmdline-opts/location-trusted.md b/docs/cmdline-opts/location-trusted.md
index edbd0b5395..06458a4678 100644
--- a/docs/cmdline-opts/location-trusted.md
+++ b/docs/cmdline-opts/location-trusted.md
@@ -2,7 +2,7 @@
 c: Copyright (C) Daniel Stenberg, , et al.
 SPDX-License-Identifier: curl
 Long: location-trusted
-Help: As --location, but send auth to other hosts
+Help: As --location, but send secrets to other hosts
 Protocols: HTTP
 Category: http auth
 Added: 7.10.4
@@ -11,11 +11,16 @@ See-also:
   - user
 Example:
   - --location-trusted -u user:password $URL
+  - --location-trusted -H "Cookie: session=abc" $URL
 ---
 
 # `--location-trusted`
 
-Like --location, but allows sending the name + password to all hosts that the
-site may redirect to. This may or may not introduce a security breach if the
-site redirects you to a site to which you send your authentication info (which
-is clear-text in the case of HTTP Basic authentication).
+Instructs curl to like --location follow HTTP redirects, but permits it to
+send credentials and other secrets along to other hosts than the initial one.
+
+This may or may not introduce a security breach if the site redirects you to a
+site to which you send this sensitive data to. Another host means that one or
+more of hostname, protocol scheme or port number changed.
+
+This option also allows curl to pass long cookies set explicitly with --header.
diff --git a/docs/cmdline-opts/location.md b/docs/cmdline-opts/location.md
index 5a9e6ed92e..57b24ae405 100644
--- a/docs/cmdline-opts/location.md
+++ b/docs/cmdline-opts/location.md
@@ -22,9 +22,10 @@ location (indicated with a Location: header and a 3XX response code), this
 option makes curl redo the request on the new place. If used together with
 --show-headers or --head, headers from all requested pages are shown.
 
-When authentication is used, curl only sends its credentials to the initial
-host. If a redirect takes curl to a different host, it does not get the
-user+password pass on. See also --location-trusted on how to change this.
+When authentication is used, or send cookie with `-H Cookie:`, curl only sends
+its credentials to the initial host. If a redirect takes curl to a different
+host, it does not get the credentials pass on. See also--location-trusted on
+how to change this.
 
 Limit the amount of redirects to follow by using the --max-redirs option.
 
diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c
index 43635c22e0..fa29a51c1f 100644
--- a/src/tool_listhelp.c
+++ b/src/tool_listhelp.c
@@ -357,7 +357,7 @@ const struct helptxt helptext[] = {
    "Follow redirects",
    CURLHELP_HTTP},
   {" --location-trusted",
-   "As --location, but send auth to other hosts",
+   "As --location, but send secrets to other hosts",
    CURLHELP_HTTP | CURLHELP_AUTH},
   {" --login-options ",
    "Server login options",
-- 
2.47.3