CURLOPT_AUTOREFERER.3: highlight the privacy leak risk #9757

bagder commented Oct 18, 2022

No description provided.

vszakats commented Oct 18, 2022

I happen to use this option to retain a meaningful source URL when downloading certain files. GitHub ones are maybe the most trivial examples:

$ curl -LO --xattr
$ xattr -l curl-7.85.0.tar.xz

That is a temporary URL, so unusable for re-download, and non-trivial even to find out which repo it came from.


$ curl --referer ';auto' -LO --xattr
$ xattr -l curl-7.85.0.tar.xz
user.xdg.origin.url: [ above...]

The referrer now points to the original URL.

This is a rather bad solution with unwanted side-effects, loss-of-privacy being just one of them.

This use-case might be fixed by storing the original URL (after unglobbing) to user.xdg.origin.url. By default, or with an extra option?

bagder commented Oct 18, 2022

> This use-case might be fixed by storing the original URL

Maybe that is actually the more correct action, as that is after all the URL you used in the command line...

Slightly unrelated to this PR though. I will proceed and merge this. Feel free to create an issue about your remark and we can work on it.
