On Tue, 6 Feb 2018, Christian Schmitz wrote:

> Can we disallow login & password in URLs? e.g. get an option to make perform
> fail with error, if there is a @ in the URL before domain?

That seems like it should be a pretty straightforward thing to add, sure!

But in the context of "dangerous things", how do you see the user + password in
the URL used to harm the application or the server?

> And the Use SSL options being 3 would it fail with HTTP:// URL?

CURLOPT_PROTOCOLS is the option to enable/disable specific protocols. There's
no generic "disable all non-authenticated protocols" option.

Of course, an interesting idea is to let CURLOPT_USE_SSL affect *all*
protocols so that you can require TLS/SSL to be used with that option even for
HTTP(S). But that's not how that option works right now...

--
/ daniel.haxx.se
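
An application-side version of the two checks discussed in this message, as an added example (not code from the mail or from libcurl): it rejects a URL that carries credentials before the host or that is not https://. The function and enum names are hypothetical; within libcurl itself, the scheme restriction is what CURLOPT_PROTOCOLS is for.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Result codes for the pre-check (hypothetical names, not libcurl's). */
enum url_check {
    URL_OK = 0,
    URL_BAD_INPUT,     /* NULL, control character, space or backslash */
    URL_BAD_SCHEME,    /* anything other than https:// */
    URL_HAS_USERINFO,  /* '@' inside the authority component */
    URL_NO_HOST        /* empty authority */
};

/* Check a URL before handing it to a transfer library.
 * Policy: https only, and no "user:password@" part before the host. */
enum url_check url_precheck(const char *url)
{
    static const char scheme[] = "https://";
    const size_t slen = sizeof scheme - 1;
    const unsigned char *p;
    const char *auth;
    size_t alen;

    if (url == NULL)
        return URL_BAD_INPUT;

    /* Refuse whitespace, control bytes and backslashes outright: they do
     * not belong in a URL and make the authority boundary ambiguous. */
    for (p = (const unsigned char *)url; *p; p++)
        if (*p <= 0x20 || *p == 0x7f || *p == '\\')
            return URL_BAD_INPUT;

    /* Schemes are case-insensitive, so "HTTP://" is caught as well. */
    if (strncasecmp(url, scheme, slen) != 0)
        return URL_BAD_SCHEME;

    /* The authority ends at the first '/', '?' or '#'. An '@' after
     * that point belongs to the path, query or fragment and is fine. */
    auth = url + slen;
    alen = strcspn(auth, "/?#");
    if (alen == 0)
        return URL_NO_HOST;
    if (memchr(auth, '@', alen) != NULL)
        return URL_HAS_USERINFO;

    return URL_OK;
}
```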