David Houlder added --form-string

2 files changed, 13 insertions, 0 deletions

diff --git a/docs/MANUAL b/docs/MANUAL
index 26bb8f65a..86449d7d3 100644
--- a/docs/MANUAL
+++ b/docs/MANUAL
@@ -299,6 +299,13 @@ POST (HTTP)
 
         curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif" 
 
+  To send a field value literally without interpreting a leading '@'
+  or '<', or an embedded ';type=', use --form-string instead of
+  -F. This is recommended when the value is obtained from a user or
+  some other unpredictable source. Under these circumstances, using
+  -F instead of --form-string would allow a user to trick curl into
+  uploading a file.
+
 REFERRER
 
   A HTTP request has the option to include information about which address
diff --git a/docs/curl.1 b/docs/curl.1
index 3b6fb3ce1..f216db68f 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -388,6 +388,12 @@ setting filename=, like this:
 See further examples and details in the MANUAL.
 
 This option can be used multiple times.
+.IP "--form-string <name=string>"
+(HTTP) Similar to \fI--form\fP except that the value string for the named
+parameter is used literally. Leading \&'@' and \&'<' characters, and the
+\&';type=' string in the value have no special meaning. Use this in
+preference to \fI--form\fP if there's any possibility that the string value
+may accidentally trigger the \&'@' or \&'<' features of \fI--form\f{.
 .IP "-g/--globoff"
 This option switches off the "URL globbing parser". When you set this option,
 you can specify URLs that contain the letters {}[] without having them being