From 946ce5b61fc3832935ea92b4388116c7f637fb8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Stenberg?=
Date: Sun, 25 Feb 2018 20:17:25 +0100
Subject: option: disallow username in URL
Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them.
Closes #2340
---
 docs/libcurl/curl_easy_setopt.3 | 2 +
 .../opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3 | 56 ++++++++++++++++++++++
 docs/libcurl/opts/Makefile.inc | 1 +
 docs/libcurl/symbols-in-versions | 1 +
 4 files changed, 60 insertions(+)
 create mode 100644 docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
(limited to 'docs/libcurl')
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index 317c7a646..35c183d7b 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -258,6 +258,8 @@ HTTP proxy authentication methods. See \fICURLOPT_PROXYAUTH(3)\fP
 Enable SASL initial response. See \fICURLOPT_SASL_IR(3)\fP
 .IP CURLOPT_XOAUTH2_BEARER
 OAuth2 bearer token. See \fICURLOPT_XOAUTH2_BEARER(3)\fP
+.IP CURLOPT_DISALLOW_USERNAME_IN_URL
+Don't allow username in URL. See \fICURLOPT_DISALLOW_USERNAME_IN_URL(3)\fP
 .SH HTTP OPTIONS
 .IP CURLOPT_AUTOREFERER
 Automatically set Referer: header. See \fICURLOPT_AUTOREFERER(3)\fP
diff --git a/docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3 b/docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
new file mode 100644
index 000000000..ac5f913a3
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
@@ -0,0 +1,56 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_DISALLOW_USERNAME_IN_URL 3 "30 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_DISALLOW_USERNAME_IN_URL \- disallow specifying username in the url
+.SH SYNOPSIS
+#include
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DISALLOW_USERNAME_IN_URL, long disallow);
+.SH DESCRIPTION
+A long parameter set to 1 tells the library to not allow URLs that include a
+username.
+.SH DEFAULT
+0 (disabled) - user names are allowed by default.
+.SH PROTOCOLS
+Several
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+
+ curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
+ curl_easy_setopt(curl, CURLOPT_DISALLOW_USERNAME_IN_URL, 1L);
+
+ curl_easy_perform(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in libcurl 7.61.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+
+curl_easy_perform() will return CURLE_LOGIN_DENIED if this option is enabled
+and a URL containing a username is specified.
+.SH "SEE ALSO"
+.BR libcurl-security "(3), ", CURLOPT_PROTOCOLS "(3)"
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index 5db8b8f3e..32485e292 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -114,6 +114,7 @@ man_MANS = \
 CURLOPT_DEBUGFUNCTION.3 \
 CURLOPT_DEFAULT_PROTOCOL.3 \
 CURLOPT_DIRLISTONLY.3 \
+ CURLOPT_DISALLOW_USERNAME_IN_URL.3 \
 CURLOPT_DNS_CACHE_TIMEOUT.3 \
 CURLOPT_DNS_INTERFACE.3 \
 CURLOPT_DNS_LOCAL_IP4.3 \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 4b6e74346..7448b4f43 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -376,6 +376,7 @@ CURLOPT_DEBUGDATA 7.9.6
 CURLOPT_DEBUGFUNCTION 7.9.6
 CURLOPT_DEFAULT_PROTOCOL 7.45.0
 CURLOPT_DIRLISTONLY 7.17.0
+CURLOPT_DISALLOW_USERNAME_IN_URL 7.61.0
 CURLOPT_DNS_CACHE_TIMEOUT 7.9.3
 CURLOPT_DNS_INTERFACE 7.33.0
 CURLOPT_DNS_LOCAL_IP4 7.33.0
--
cgit v1.2.3