From 2f8085af15468741266e162af15804061d960d85 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 12 Mar 2005 19:39:27 +0000 Subject: David Houlder added --form-string --- docs/MANUAL | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/MANUAL') diff --git a/docs/MANUAL b/docs/MANUAL index 26bb8f65a..86449d7d3 100644 --- a/docs/MANUAL +++ b/docs/MANUAL @@ -299,6 +299,13 @@ POST (HTTP) curl -F "docpicture=@dog.gif" -F "catpicture=@cat.gif" + To send a field value literally without interpreting a leading '@' + or '<', or an embedded ';type=', use --form-string instead of + -F. This is recommended when the value is obtained from a user or + some other unpredictable source. Under these circumstances, using + -F instead of --form-string would allow a user to trick curl into + uploading a file. + REFERRER A HTTP request has the option to include information about which address -- cgit v1.2.3
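Review bot: The new --form-string paragraph in the POST (HTTP) section ends on the risk ("would allow a user to trick curl into uploading a file") without saying which file is exposed or showing the option in use, while the context line just above it demonstrates -F with a full command. Consider stating that the file is a local one named by whoever supplies the value and readable by the curl process, and tying that to the leading '@' and '<' forms listed in the first sentence. The embedded ';type=' case has a different effect and reads better as its own clause. An example line in the same style as the existing -F one would also help, for instance curl --form-string "comment=$value" (field name illustrative), so readers scripting around untrusted input see the safe form directly.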