http: prevent custom Authorization headers in redirects

... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
author: Daniel Stenberg <daniel@haxx.se> 2018-01-19 13:19:25 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-01-22 10:00:00 +0100
commit: af32cd3859336ab963591ca0df9b1e33a7ee066b (patch)
tree: ae91ca52a3cbbfabe89c74dda181abbbc40c1150 /lib/setopt.c
parent: 993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/setopt.c b/lib/setopt.c
index 66f30ea65..a5ef75c72 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -442,7 +442,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
      * Send authentication (user+password) when following locations, even when
      * hostname changed.
      */
-    data->set.http_disable_hostname_check_before_authentication =
+    data->set.allow_auth_to_other_hosts =
       (0 != va_arg(param, long)) ? TRUE : FALSE;
     break;
author	Daniel Stenberg <daniel@haxx.se>	2018-01-19 13:19:25 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2018-01-22 10:00:00 +0100
commit	af32cd3859336ab963591ca0df9b1e33a7ee066b (patch)
tree	ae91ca52a3cbbfabe89c74dda181abbbc40c1150 /lib/setopt.c
parent	993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff)