-rw-r--r--docs/libcurl/curl_easy_setopt.35
-rw-r--r--include/curl/curl.h7
-rw-r--r--lib/http.c3
-rw-r--r--lib/url.c8
-rw-r--r--lib/urldata.h1
5 files changed, 22 insertions, 2 deletions
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index a1bb2c6df..4763c871a 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -349,6 +349,11 @@ new location and follow new Location: headers all the way until no more such
headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number
of redirects libcurl will follow.
.TP
+.B CURLOPT_UNRESTRICTED_AUTH
+A non-zero parameter tells the library it can continue to send authentication
+(user+password) when following locations, even when hostname changed. Note
+that this is meaningful only when setting \fICURLOPT_FOLLOWLOCATION\fP.
+.TP
.B CURLOPT_MAXREDIRS
Pass a long. The set number will be the redirection limit. If that many
redirections have been followed, the next redirect will cause an error
diff --git a/include/curl/curl.h b/include/curl/curl.h
index e9c8c1dbd..e7f5d5fd9 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -619,6 +619,11 @@ typedef enum {
/* Set aliases for HTTP 200 in the HTTP Response header */
CINIT(HTTP200ALIASES, OBJECTPOINT, 104),
+ /* Continue to send authentication (user+password) when following locations,
+ even when hostname changed. This can potentionally send off the name
+ and password to whatever host the server decides. */
+ CINIT(UNRESTRICTED_AUTH, LONG, 105),
+
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;
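Review bot: The warning in the new comment above `CINIT(UNRESTRICTED_AUTH, LONG, 105)`, that the name and password can go to whatever host the server decides, appears only in this header; the man page entry this commit adds in docs/libcurl/curl_easy_setopt.3 describes the option without it. An application author deciding whether to set the option reads the man page, so the caveat belongs there as well, for example `This can potentially send the name and password to whatever host the server decides.` The comment here also misspells "potentially" as "potentionally".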
@@ -809,7 +814,7 @@ CURLcode curl_global_init(long flags);
void curl_global_cleanup(void);
/* This is the version number */
-#define LIBCURL_VERSION "7.10.4-pre2"
+#define LIBCURL_VERSION "7.10.4-pre5"
#define LIBCURL_VERSION_NUM 0x070a04
/* linked-list structure for the CURLOPT_QUOTE option (and other) */
diff --git a/lib/http.c b/lib/http.c
index 850731ce3..1a9bd2a1d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -663,7 +663,8 @@ CURLcode Curl_http(struct connectdata *conn)
host due to a location-follow, we do some weirdo checks here */
if(!data->state.this_is_a_follow ||
!data->state.auth_host ||
- curl_strequal(data->state.auth_host, conn->hostname)) {
+ curl_strequal(data->state.auth_host, conn->hostname) ||
+ data->set.http_disable_hostname_check_before_authentication) {
sprintf(data->state.buffer, "%s:%s",
data->state.user, data->state.passwd);
if(Curl_base64_encode(data->state.buffer, strlen(data->state.buffer),
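Review bot: The added `data->set.http_disable_hostname_check_before_authentication` term makes the whole condition true on every followed redirect, so once the option is set the `user:passwd` pair built on the next lines goes to any host a Location: header names, and nothing visible in this hunk checks that the scheme or port still matches the original request. If the redirect target is plain HTTP, that pair travels as easily decoded base64. Consider logging a verbose message on this path when `auth_host` differs from `conn->hostname`, and extend the comment above the `if` with something like `/* CURLOPT_UNRESTRICTED_AUTH disables this check: credentials then follow redirects to any host */`. Curl_http's body starts and ends outside the hunk.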
diff --git a/lib/url.c b/lib/url.c
index 8a61d05ae..43e92b961 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -503,6 +503,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
*/
data->set.http_follow_location = va_arg(param, long)?TRUE:FALSE;
break;
+ case CURLOPT_UNRESTRICTED_AUTH:
+ /*
+ * Send authentication (user+password) when following locations, even when
+ * hostname changed.
+ */
+ data->set.http_disable_hostname_check_before_authentication =
+ va_arg(param, long)?TRUE:FALSE;
+ break;
case CURLOPT_HTTP_VERSION:
/*
* This sets a requested HTTP version to be used. The value is one of
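Review bot: The field `http_disable_hostname_check_before_authentication` assigned in the new `case CURLOPT_UNRESTRICTED_AUTH:` is named for the mechanism in negative form, while the public option is named for the effect, which makes the condition in lib/http.c harder to read. A name that matches the option, such as `data->set.http_unrestricted_auth`, would be shorter and keep the two in step. The case comment could also say when the value is consulted, e.g. `/* only used when following a redirect; see the hostname check in Curl_http() */`. Curl_setopt's switch continues outside the hunk.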
diff --git a/lib/urldata.h b/lib/urldata.h
index 93ad35b60..eb5952174 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -736,6 +736,7 @@ struct UserDefined {
bool hide_progress;
bool http_fail_on_error;
bool http_follow_location;
+ bool http_disable_hostname_check_before_authentication;
bool include_header;
#define http_include_header include_header /* former name */