Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

curl manual: cross-reference --location-trusted from flag documentation related to specifying authentication #16160

Closed
deliciouslytyped opened this issue Feb 4, 2025 · 3 comments
Closed

curl manual: cross-reference --location-trusted from flag documentation related to specifying authentication #16160

deliciouslytyped opened this issue Feb 4, 2025 · 3 comments
Labels
cmdline tool documentation HTTP

Comments

@deliciouslytyped
Copy link

deliciouslytyped commented Feb 4, 2025
edited
Loading

Specify which documentation you found a problem with

The problem is in the curl manual page up to 8.11.1 assuming https://curl.se/docs/manpage.html is up to date.
This is more a quality-of-life issue than an error.

The problem

It's not entirely obvious on initial inspection why curl isn't forwarding -H "Authorization: ..." (which where manual implies -H is permanent, though presumably curl specifically strips the Authorization header subsequently..) or -u use:pass when following redirects according to -L . The -L documentation does describe the problem and cross references to --location-trusted, but for me it was more intuitive to look under -H and -u when I initially discovered the "missing" authorization headers in -v output.

-H (which is more generic) and -u give no mention of stripping (under redirects).
@deliciouslytyped
Copy link
Author

Actually, -H says WARNING: headers set with this option are set in all HTTP requests - even after redirects are followed, like when told with [-L, --location](https://curl.se/docs/manpage.html#-L). This can lead to the header being sent to other hosts than the original host, so sensitive headers should be used with caution combined with following redirects., so it may be a bug after all?

@bagder bagder added the HTTP label Feb 4, 2025
@bagder
Copy link
Member

bagder commented Feb 4, 2025

It is on purpose, just not documented properly. I'll do a PR for it.

bagder added a commit that referenced this issue Feb 4, 2025
@bagder
header.md: mention Authorization: and Cookie: special treatment
4add428 
Fixes #16160
Reported-by: deliciouslytyped on github
@bagder bagder mentioned this issue Feb 4, 2025
Closed
@deliciouslytyped
Copy link
Author

Sorry, I meant documentation bug. Thanks. :)

@bagder bagder closed this as completed in 448e71d Feb 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cmdline tool documentation HTTP
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

header.md: mention Authorization: and Cookie: special treatment curl/curl
2 participants
@bagder @deliciouslytyped