docs: Update the redirect protocols disabled by default

(Added in 7.20.2)

.IP "--proto-redir <protocols>"

Tells curl to use the listed protocols after a redirect. See --proto for

how protocols are represented.

Tells curl to use the listed protocols on redirect. See --proto for how

protocols are represented.

Example:

.RS

.IP "--proto-redir -all,http,https"

Allow only HTTP and HTTPS on redirect.

.RE

By default curl will allow all protocols on redirect except several disabled

for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0

SMB and SMBS are also disabled. Specifying \fIall\fP or \fI+all\fP enables all

protocols on redirect, including those disabled for security.

(Added in 7.20.2)

.IP "--proxy-anyauth"

.IP "Redirects"

The \fICURLOPT_FOLLOWLOCATION(3)\fP option automatically follows HTTP

redirects sent by a remote server.  These redirects can refer to any kind of

URL, not just HTTP.  A redirect to a file: URL would cause the libcurl to read

(or write) arbitrary files from the local filesystem.  If the application

returns the data back to the user (as would happen in some kinds of CGI

scripts), an attacker could leverage this to read otherwise forbidden data

(e.g.  file://localhost/etc/passwd).

URL, not just HTTP. By default libcurl will allow all protocols on redirect

except several disabled for security reasons: Since 7.19.4 FILE and SCP are

disabled, and since 7.40.0 SMB and SMBS are also disabled.

A redirect to a file: URL would cause the libcurl to read (or write) arbitrary

files from the local filesystem.  If the application returns the data back to

the user (as would happen in some kinds of CGI scripts), an attacker could

leverage this to read otherwise forbidden data (e.g.

file://localhost/etc/passwd).

If authentication credentials are stored in the ~/.netrc file, or Kerberos

is in use, any other URL type (not just file:) that requires

redirects libcurl will follow.

libcurl can limit to what protocols it will automatically follow. The accepted

protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP and it excludes the

FILE protocol by default.

protocols are set with \fICURLOPT_REDIR_PROTOCOLS(3)\fP. By default libcurl

will allow all protocols on redirect except several disabled for security

reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0 SMB and SMBS

are also disabled.

For users who think the existing location following is too naive, too simple

or just lacks features, it is very easy to instead implement your own redirect

CURLPROTO_SCP

CURLPROTO_SFTP

CURLPROTO_SMB

CURLPROTO_SMBS

CURLPROTO_SMTP

CURLPROTO_SMTPS

CURLPROTO_TELNET

limits what protocols libcurl may use in a transfer that it follows to in a

redirect when \fICURLOPT_FOLLOWLOCATION(3)\fP is enabled. This allows you to

limit specific transfers to only be allowed to use a subset of protocols in

redirections. By default libcurl will allow all protocols except for FILE and

SCP.

redirections.

By default libcurl will allow all protocols on redirect except several disabled

for security reasons: Since 7.19.4 FILE and SCP are disabled, and since 7.40.0

SMB and SMBS are also disabled. \fICURLPROTO_ALL\fP enables all protocols on

redirect, including those disabled for security.

These are the available protocol defines:

.nf

CURLPROTO_SCP

CURLPROTO_SFTP

CURLPROTO_SMB

CURLPROTO_SMBS

CURLPROTO_SMTP

CURLPROTO_SMTPS

CURLPROTO_TELNET

CURLPROTO_TFTP

.fi

.SH DEFAULT

All protocols except for FILE, SCP and SMB.

All protocols except for FILE, SCP and since 7.40.0 SMB and SMBS.

.SH PROTOCOLS

All

.SH EXAMPLE