diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-01-19 13:19:25 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-01-22 10:00:00 +0100 |
commit | af32cd3859336ab963591ca0df9b1e33a7ee066b (patch) | |
tree | ae91ca52a3cbbfabe89c74dda181abbbc40c1150 /lib/setopt.c | |
parent | 993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff) | |
download | curl-af32cd3859336ab963591ca0df9b1e33a7ee066b.tar.gz |
http: prevent custom Authorization headers in redirects
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.
Note: this changes behavior slightly, for the sake of reducing mistakes.
Added test 317 and 318 to verify.
Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
Diffstat (limited to 'lib/setopt.c')
-rw-r--r-- | lib/setopt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/setopt.c b/lib/setopt.c index 66f30ea65..a5ef75c72 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -442,7 +442,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long)) ? TRUE : FALSE; break; |