From 946ce5b61fc3832935ea92b4388116c7f637fb8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Stenberg?=
Date: Sun, 25 Feb 2018 20:17:25 +0100
Subject: option: disallow username in URL

Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them.
Closes #2340
---
 lib/url.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'lib/url.c')
diff --git a/lib/url.c b/lib/url.c
index 411a0c814..c62221048 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3170,6 +3170,13 @@ static CURLcode parse_url_login(struct Curl_easy *data,
 if(userp) {
 char *newname;
+ if(data->set.disallow_username_in_url) {
+ failf(data, "Option DISALLOW_USERNAME_IN_URL is set "
+ "and url contains username.");
+ result = CURLE_LOGIN_DENIED;
+ goto out;
+ }
+
 /* We have a user in the URL */
 conn->bits.userpwd_in_url = TRUE;
 conn->bits.user_passwd = TRUE; /* enable user+password */
-- 
cgit v1.2.3
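Review bot: The new check sits inside `if(userp)`, so the option is enforced only when the login parser hands back a non-NULL user pointer. Whether a URL whose userinfo carries just a password or options (an empty name before the `:`) is also rejected depends on how `userp` is populated, which happens outside this hunk. Because the option exists to keep credentials out of URLs, I would add a test for the password-only form and, once the behaviour is confirmed, a comment at the check such as `/* userp is set for any userinfo part, including an empty user name */`. Separately, `CURLE_LOGIN_DENIED` is documented as the remote server refusing the login, so callers and log monitoring cannot tell this local policy rejection from a real authentication failure; the option's documentation should state that this code is returned. parse_url_login starts and ends outside the hunk, so I am assuming the `out:` path frees the strings already parsed.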