CURLOPT_UNRESTRICTED_AUTH.md (2550B)
1 --- 2 c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3 SPDX-License-Identifier: curl 4 Title: CURLOPT_UNRESTRICTED_AUTH 5 Section: 3 6 Source: libcurl 7 See-also: 8 - CURLINFO_REDIRECT_COUNT (3) 9 - CURLOPT_FOLLOWLOCATION (3) 10 - CURLOPT_MAXREDIRS (3) 11 - CURLOPT_REDIR_PROTOCOLS_STR (3) 12 - CURLOPT_USERPWD (3) 13 Protocol: 14 - HTTP 15 Added-in: 7.10.4 16 --- 17 18 # NAME 19 20 CURLOPT_UNRESTRICTED_AUTH - send credentials to other hosts too 21 22 # SYNOPSIS 23 24 ~~~c 25 #include <curl/curl.h> 26 27 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_UNRESTRICTED_AUTH, 28 long goahead); 29 ~~~ 30 31 # DESCRIPTION 32 33 Set the long *gohead* parameter to 1L to make libcurl continue to send 34 authentication (user+password) credentials or explicitly set cookie headers 35 when following locations, even when the host changes. This option is 36 meaningful only when setting CURLOPT_FOLLOWLOCATION(3). 37 38 Further, when this option is not used or set to **0L**, libcurl does not send 39 custom nor internally generated `Authentication:` or `Cookie:` headers on 40 requests done to other hosts than the one used for the initial URL. Another 41 host means that one or more of hostname, protocol scheme or port number 42 changed. 43 44 By default, libcurl only sends `Authentication:` or explicitly set `Cookie:` 45 headers to the initial host as given in the original URL, to avoid leaking 46 username + password to other sites. 47 48 This option should be used with caution: when curl follows redirects it 49 blindly fetches the next URL as instructed by the server. Setting 50 CURLOPT_UNRESTRICTED_AUTH(3) to 1L makes curl trust the server and sends 51 possibly sensitive credentials to any host the server points to, possibly 52 again and again as the following hosts can keep redirecting to new hosts. 53 54 Due to the way HTTP works, almost any header can be made to contain data a 55 client may not want to pass on to other servers than the initially intended 56 host and for all other headers than the two mentioned above, there is no 57 protection from this happening when libcurl is told to follow redirects. 58 59 # DEFAULT 60 61 0 62 63 # %PROTOCOLS% 64 65 # EXAMPLE 66 67 ~~~c 68 int main(void) 69 { 70 CURL *curl = curl_easy_init(); 71 if(curl) { 72 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); 73 curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); 74 curl_easy_setopt(curl, CURLOPT_UNRESTRICTED_AUTH, 1L); 75 curl_easy_perform(curl); 76 } 77 } 78 ~~~ 79 80 # %AVAILABILITY% 81 82 # RETURN VALUE 83 84 curl_easy_setopt(3) returns a CURLcode indicating success or error. 85 86 CURLE_OK (0) means everything was OK, non-zero means an error occurred, see 87 libcurl-errors(3).