From 946ce5b61fc3832935ea92b4388116c7f637fb8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Stenberg?= Date: Sun, 25 Feb 2018 20:17:25 +0100 Subject: option: disallow username in URL Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340 --- lib/setopt.c | 4 ++++ lib/url.c | 7 +++++++ lib/urldata.h | 1 + 3 files changed, 12 insertions(+) (limited to 'lib') diff --git a/lib/setopt.c b/lib/setopt.c index 93a4dd2b5..5ecf5b97f 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -2590,6 +2590,10 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, case CURLOPT_DNS_SHUFFLE_ADDRESSES: data->set.dns_shuffle_addresses = (0 != va_arg(param, long)) ? TRUE:FALSE; break; + case CURLOPT_DISALLOW_USERNAME_IN_URL: + data->set.disallow_username_in_url = + (0 != va_arg(param, long)) ? TRUE : FALSE; + break; default: /* unknown tag and its companion, just ignore: */ result = CURLE_UNKNOWN_OPTION; diff --git a/lib/url.c b/lib/url.c index 411a0c814..c62221048 100644 --- a/lib/url.c +++ b/lib/url.c @@ -3170,6 +3170,13 @@ static CURLcode parse_url_login(struct Curl_easy *data, if(userp) { char *newname; + if(data->set.disallow_username_in_url) { + failf(data, "Option DISALLOW_USERNAME_IN_URL is set " + "and url contains username."); + result = CURLE_LOGIN_DENIED; + goto out; + } + /* We have a user in the URL */ conn->bits.userpwd_in_url = TRUE; conn->bits.user_passwd = TRUE; /* enable user+password */ diff --git a/lib/urldata.h b/lib/urldata.h index f1b67c3d1..7e647a2a6 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1689,6 +1689,7 @@ struct UserDefined { curl_resolver_start_callback resolver_start; /* optional callback called before resolver start */ void *resolver_start_client; /* pointer to pass to resolver start callback */ + bool disallow_username_in_url; /* disallow username in url */ }; struct Names { -- cgit v1.2.3