CURLOPT_UNRESTRICTED_AUTH man page: No mention of Authorization header behaviour #8724
Assignees
Labels
Comments
bagder
added a commit
that referenced
this issue
Apr 19, 2022
Include details about Authentication headers. Reported-by: Brad Spencer Fixes #8724
|
Give #8726 a look! |
|
Looks great! (Do I close this or do I let #8726 close it automatically?) |
|
Just leave it. 8726 will close this automatically when we merge that! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The docs for
CURLOPT_UNRESTRICTED_AUTHimply that "credentials" means "user+password" and nothing else, but this optional actually controls various different kinds of authentication information.A security bulletin from a few years ago clarifies that, specifically, the
Authorizationheader is no longer forwarded to different hosts, and experiment confirms that current curl does still behave this way.To be clear, the current behaviour is good! :)
I suggest that the documentation for
CURLOPT_UNRESTRICTED_AUTHbe clarified to indicate precisely which kinds of authentication it controls. It's not only "user+password" (such as could be set byCURLOPT_USERPWD, which is linked-to from this doc page), but also any application-providedAuthenticationheader, and I think also any headers set internally by various other curl-supported authentication mechanisms.I'm not sure of the total list of what this controls, so I haven't drafted a doc patch myself. It would be helpful to me as an API user if I could look at the
CURLOPT_UNRESTRICTED_AUTHdocs and know immediately:Authenticationheaders are not forwarded to other hosts when this is 0, andand also that such headers are forwarded when this is 1.
Thanks again!
The text was updated successfully, but these errors were encountered: