author | Daniel Stenberg <daniel@haxx.se> | 2022-04-19 18:15:02 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-04-19 18:15:02 +0200 |
commit | 774dbd520ad0810df0715b19a0868d62e411b0c7 (patch) | |
tree | c89a42930a629cd463ade49c9dd304e02d1cb61b /docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 | |
parent | c3b27c31411e2444d79c06d0e668ba9fff7f0821 (diff) | |
CURLOPT_UNRESTRICTED_AUTH.3: extended explanation
Include details about Authentication headers.
Reported-by: Brad Spencer
Fixes #8724
Closes #8726
Diffstat (limited to 'docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3')
-rw-r--r-- | docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 index 9f87db3de..fad4a6fac 100644 --- a/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 +++ b/docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. +.\" * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -35,9 +35,19 @@ authentication (user+password) credentials when following locations, even when hostname changed. This option is meaningful only when setting \fICURLOPT_FOLLOWLOCATION(3)\fP. -By default, libcurl will only send given credentials to the initial host name -as given in the original URL, to avoid leaking username + password to other -sites. +Further, when this option is not used or set to \fB0L\fP, libcurl will not +send custom set nor internally generated Authentication: headers on requests +done to other hosts than the one used for the initial URL. + +By default, libcurl will only send credentials and Authentication headers to +the initial host name as given in the original URL, to avoid leaking username ++ password to other sites. + +This option should be used with caution: when curl follows redirects it +blindly fetches the next URL as instructed by the server. Setting +\fICURLOPT_UNRESTRICTED_AUTH(3)\fP to 1L will therefore also make curl trust +the server and send possibly sensitive credentials to a host the server points +out. .SH DEFAULT 0 .SH PROTOCOLS |
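Review bot: In the @@ -35,9 +35,19 @@ hunk, both new paragraphs call the header "Authentication:", but the HTTP request header that carries credentials is "Authorization:". A reader checking which of their custom headers is withheld on a cross-host redirect will look for that exact name, so I would change the text to "custom set nor internally generated Authorization: headers" and "credentials and Authorization headers". The first added sentence would also read more clearly as "will send neither custom set nor internally generated ... headers". Minor style point in the last added paragraph: "1L" is written bare while the paragraph above marks the value as \fB0L\fP, so the two should use the same markup.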