Diffstat (limited to 'docs')
-rw-r--r-- docs/MANUAL 7
-rw-r--r-- docs/curl.1 6
2 files changed, 13 insertions, 0 deletions
diff --git a/docs/MANUAL b/docs/MANUAL
index 26bb8f65a..86449d7d3 100644
--- a/docs/MANUAL
+++ b/docs/MANUAL
@@ -299,6 +299,13 @@ POST (HTTP)
curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif"
+ To send a field value literally without interpreting a leading '@'
+ or '<', or an embedded ';type=', use --form-string instead of
+ -F. This is recommended when the value is obtained from a user or
+ some other unpredictable source. Under these circumstances, using
+ -F instead of --form-string would allow a user to trick curl into
+ uploading a file.
+
REFERRER
A HTTP request has the option to include information about which address
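Review bot: the added MANUAL paragraph has no command line showing --form-string in use, although the -F text directly above it ends with one (curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif"). A matching example line with a value that starts with '@' would show that the option takes the same name=value form and sends the value as-is. The warning also names only "uploading a file" as the consequence while listing three triggers ('@', '<' and ';type='), so it would help to say what each of the other two does when -F is given untrusted input.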
diff --git a/docs/curl.1 b/docs/curl.1
index 3b6fb3ce1..f216db68f 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -388,6 +388,12 @@ setting filename=, like this:
See further examples and details in the MANUAL.
This option can be used multiple times.
+.IP "--form-string <name=string>"
+(HTTP) Similar to \fI--form\fP except that the value string for the named
+parameter is used literally. Leading \&'@' and \&'<' characters, and the
+\&';type=' string in the value have no special meaning. Use this in
+preference to \fI--form\fP if there's any possibility that the string value
+may accidentally trigger the \&'@' or \&'<' features of \fI--form\f{.
.IP "-g/--globoff"
This option switches off the "URL globbing parser". When you set this option,
you can specify URLs that contain the letters {}[] without having them being
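Review bot: the last added line of the --form-string entry ends with "\fI--form\f{." where the font escape should be "\fP", as used for the first \fI--form\fP in the same entry; as written the italic is never switched off and the rendered man page will be wrong from that point. Separately, this entry only speaks of a value that "may accidentally trigger" the '@' or '<' features, while the MANUAL text added in the same commit recommends the option for values obtained from a user or other unpredictable source. The man page should carry that recommendation too, since it is the reference most script authors read.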