option: disallow username in URL

Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340
author: Björn Stenberg <bjorn@haxx.se> 2018-02-25 20:17:25 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-05-31 11:27:16 +0200
commit: 946ce5b61fc3832935ea92b4388116c7f637fb8c (patch)
tree: 3d4ef97037f869fdccb509940e35c972d476ee82 /lib/url.c
parent: 71d35e4a1d96011076d3e81cad4e7b417d9a3985 (diff)
download: curl-946ce5b61fc3832935ea92b4388116c7f637fb8c.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/url.c b/lib/url.c
index 411a0c814..c62221048 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3170,6 +3170,13 @@ static CURLcode parse_url_login(struct Curl_easy *data,
   if(userp) {
     char *newname;
 
+    if(data->set.disallow_username_in_url) {
+      failf(data, "Option DISALLOW_USERNAME_IN_URL is set "
+                  "and url contains username.");
+      result = CURLE_LOGIN_DENIED;
+      goto out;
+    }
+
     /* We have a user in the URL */
     conn->bits.userpwd_in_url = TRUE;
     conn->bits.user_passwd = TRUE; /* enable user+password */
author	Björn Stenberg <bjorn@haxx.se>	2018-02-25 20:17:25 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2018-05-31 11:27:16 +0200
commit	946ce5b61fc3832935ea92b4388116c7f637fb8c (patch)
tree	3d4ef97037f869fdccb509940e35c972d476ee82 /lib/url.c
parent	71d35e4a1d96011076d3e81cad4e7b417d9a3985 (diff)
download	curl-946ce5b61fc3832935ea92b4388116c7f637fb8c.tar.gz