From 774dbd520ad0810df0715b19a0868d62e411b0c7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 19 Apr 2022 18:15:02 +0200 Subject: [PATCH] CURLOPT_UNRESTRICTED_AUTH.3: extended explanation Include details about Authentication headers. Reported-by: Brad Spencer Fixes #8724 Closes #8726 --- docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 index 9f87db3de8..fad4a6fac9 100644 --- a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 +++ b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms 
@@ -35,9 +35,19 @@ authentication (user+password) credentials when following locations, even when hostname changed. This option is meaningful only when setting \fICURLOPT_FOLLOWLOCATION(3)\fP. -By default, libcurl will only send given credentials to the initial host name -as given in the original URL, to avoid leaking username + password to other -sites. +Further, when this option is not used or set to \fB0L\fP, libcurl will not +send custom set nor internally generated Authentication: headers on requests +done to other hosts than the one used for the initial URL. + +By default, libcurl will only send credentials and Authentication headers to +the initial host name as given in the original URL, to avoid leaking username ++ password to other sites. + +This option should be used with caution: when curl follows redirects it +blindly fetches the next URL as instructed by the server. Setting +\fICURLOPT_UNRESTRICTED_AUTH(3)\fP to 1L will therefore also make curl trust +the server and send possibly sensitive credentials to a host the server points +out. .SH DEFAULT 0 .SH PROTOCOLS -- 2.47.3
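Review bot: the two added sentences in the second hunk call the header "Authentication:" / "Authentication headers", but the request header in which libcurl carries credentials is Authorization: (Proxy-Authorization: for proxies); both occurrences should read "Authorization: headers" so the man page names the header readers will actually see on the wire. The sentence "libcurl will not send custom set nor internally generated Authentication: headers on requests done to other hosts than the one used for the initial URL" is also a double negative; suggest "libcurl will send neither custom-set nor internally generated Authorization: headers on requests to hosts other than the one in the initial URL". Minor: the last new paragraph says "make curl trust the server", while the rest of this libcurl option page says libcurl.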