Guillaume Cottenceau's patch that adds CURLOPT_UNRESTRICTED_AUTH that

disables the host name check in the FOLLOWLOCATION code. With that option
set, libcurl will send user+password to all hosts.

5 files changed, 22 insertions, 2 deletions

diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index a1bb2c6df..4763c871a 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -349,6 +349,11 @@ new location and follow new Location: headers all the way until no more such
 headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number
 of redirects libcurl will follow.
 .TP
+.B CURLOPT_UNRESTRICTED_AUTH
+A non-zero parameter tells the library it can continue to send authentication
+(user+password) when following locations, even when hostname changed. Note
+that this is meaningful only when setting \fICURLOPT_FOLLOWLOCATION\fP.
+.TP
 .B CURLOPT_MAXREDIRS
 Pass a long. The set number will be the redirection limit. If that many
 redirections have been followed, the next redirect will cause an error
diff --git a/include/curl/curl.h b/include/curl/curl.h
index e9c8c1dbd..e7f5d5fd9 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -619,6 +619,11 @@ typedef enum {
   /* Set aliases for HTTP 200 in the HTTP Response header */
   CINIT(HTTP200ALIASES, OBJECTPOINT, 104),
 
+  /* Continue to send authentication (user+password) when following locations,
+     even when hostname changed. This can potentionally send off the name
+     and password to whatever host the server decides. */
+  CINIT(UNRESTRICTED_AUTH, LONG, 105),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -809,7 +814,7 @@ CURLcode curl_global_init(long flags);
 void curl_global_cleanup(void);
 
 /* This is the version number */
-#define LIBCURL_VERSION "7.10.4-pre2"
+#define LIBCURL_VERSION "7.10.4-pre5"
 #define LIBCURL_VERSION_NUM 0x070a04
 
 /* linked-list structure for the CURLOPT_QUOTE option (and other) */
diff --git a/lib/http.c b/lib/http.c
index 850731ce3..1a9bd2a1d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -663,7 +663,8 @@ CURLcode Curl_http(struct connectdata *conn)
        host due to a location-follow, we do some weirdo checks here */
     if(!data->state.this_is_a_follow ||
        !data->state.auth_host ||
-       curl_strequal(data->state.auth_host, conn->hostname)) {
+       curl_strequal(data->state.auth_host, conn->hostname) ||
+       data->set.http_disable_hostname_check_before_authentication) {
       sprintf(data->state.buffer, "%s:%s",
               data->state.user, data->state.passwd);
       if(Curl_base64_encode(data->state.buffer, strlen(data->state.buffer),
diff --git a/lib/url.c b/lib/url.c
index 8a61d05ae..43e92b961 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -503,6 +503,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
      */
     data->set.http_follow_location = va_arg(param, long)?TRUE:FALSE;
     break;
+  case CURLOPT_UNRESTRICTED_AUTH:
+    /*
+     * Send authentication (user+password) when following locations, even when
+     * hostname changed.
+     */
+    data->set.http_disable_hostname_check_before_authentication =
+      va_arg(param, long)?TRUE:FALSE;
+    break;
   case CURLOPT_HTTP_VERSION:
     /*
      * This sets a requested HTTP version to be used. The value is one of
diff --git a/lib/urldata.h b/lib/urldata.h
index 93ad35b60..eb5952174 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -736,6 +736,7 @@ struct UserDefined {
   bool hide_progress;
   bool http_fail_on_error;
   bool http_follow_location;
+  bool http_disable_hostname_check_before_authentication;
   bool include_header;
 #define http_include_header include_header /* former name */