authorBjörn Stenberg <bjorn@haxx.se>2018-02-25 20:17:25 +0100
committerDaniel Stenberg <daniel@haxx.se>2018-05-31 11:27:16 +0200
commit946ce5b61fc3832935ea92b4388116c7f637fb8c (patch)
tree3d4ef97037f869fdccb509940e35c972d476ee82 /lib
parent71d35e4a1d96011076d3e81cad4e7b417d9a3985 (diff)
option: disallow username in URL
Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340
Diffstat (limited to 'lib')
-rw-r--r--lib/setopt.c4
-rw-r--r--lib/url.c7
-rw-r--r--lib/urldata.h1
3 files changed, 12 insertions, 0 deletions
diff --git a/lib/setopt.c b/lib/setopt.c
index 93a4dd2b5..5ecf5b97f 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2590,6 +2590,10 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
case CURLOPT_DNS_SHUFFLE_ADDRESSES:
data->set.dns_shuffle_addresses = (0 != va_arg(param, long)) ? TRUE:FALSE;
break;
+ case CURLOPT_DISALLOW_USERNAME_IN_URL:
+ data->set.disallow_username_in_url =
+ (0 != va_arg(param, long)) ? TRUE : FALSE;
+ break;
default:
/* unknown tag and its companion, just ignore: */
result = CURLE_UNKNOWN_OPTION;
diff --git a/lib/url.c b/lib/url.c
index 411a0c814..c62221048 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3170,6 +3170,13 @@ static CURLcode parse_url_login(struct Curl_easy *data,
if(userp) {
char *newname;
+ if(data->set.disallow_username_in_url) {
+ failf(data, "Option DISALLOW_USERNAME_IN_URL is set "
+ "and url contains username.");
+ result = CURLE_LOGIN_DENIED;
+ goto out;
+ }
+
/* We have a user in the URL */
conn->bits.userpwd_in_url = TRUE;
conn->bits.user_passwd = TRUE; /* enable user+password */
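Review bot: The rejection in parse_url_login sits inside `if(userp)`, so it fires only when the login parser produced a user name; whether a URL such as `scheme://:secret@host/`, or one carrying only login options, leaves `userp` NULL is decided outside this hunk, and if it does, that URL would still be accepted with the option set. If the intent is to refuse any credentials embedded in the URL, the test should key on the presence of the login part rather than on `userp`, for example by moving `if(data->set.disallow_username_in_url) {` ahead of `if(userp) {`. If only user names are meant to be refused, a comment such as `/* only a user name triggers this; a password-only login part is still accepted */` would make that limit explicit. The function starts and ends outside the hunk, so any earlier exits and the `out` label cannot be checked from here.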
diff --git a/lib/urldata.h b/lib/urldata.h
index f1b67c3d1..7e647a2a6 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1689,6 +1689,7 @@ struct UserDefined {
curl_resolver_start_callback resolver_start; /* optional callback called
before resolver start */
void *resolver_start_client; /* pointer to pass to resolver start callback */
+ bool disallow_username_in_url; /* disallow username in url */
};
struct Names {
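Review bot: The comment on the new `disallow_username_in_url` member of struct UserDefined only repeats the field name and does not say what the flag does or where it is enforced. Something like `/* TRUE: parse_url_login() fails with CURLE_LOGIN_DENIED when the URL contains a user name */` would point a maintainer at the check in lib/url.c.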