curl -- Automatic referer leaks credentials

2021-03-31T00:00:00
ID B1194286-958E-11EB-9C34-080027F515EA
Type freebsd
Reporter FreeBSD
Modified 2021-03-31T00:00:00

Description

Daniel Stenberg reports:

    libcurl does not strip off user credentials from the URL when
    automatically populating the Referer: HTTP request header field
    in outgoing HTTP requests, and therefore risks leaking sensitive
    data to the server that is the target of the second HTTP request.


    libcurl automatically sets the Referer: HTTP request header field
    in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
    With the curl tool, it is enabled with --referer ";auto".
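To make the failure mode concrete, here is an added example (not curl's or libcurl's own code) of what a safe automatic Referer derivation looks like, plus a small detector that flags Referer values still carrying `user:password@`. The request log it scans is constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_referer(previous_url: str) -> str:
    """Derive a Referer value from the URL of the previous request.

    Drops the userinfo (user:password@) that the advisory describes
    leaking, and the fragment, which RFC 7231 says never belongs in a
    Referer. Returns "" for non-http(s) URLs, which carry no meaningful
    referer for a web server.
    """
    parts = urlsplit(previous_url)
    if parts.scheme not in ("http", "https"):
        return ""
    # Keep only host[:port]; rsplit preserves IPv6 brackets and the port.
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def referer_has_credentials(referer: str) -> bool:
    """Detection helper: True if a Referer header value carries userinfo."""
    return "@" in urlsplit(referer).netloc


def find_leaking_referers(log_lines):
    """Return the Referer values in a request log that embed credentials."""
    leaks = []
    for line in log_lines:
        marker = "Referer: "
        if marker not in line:
            continue
        value = line.split(marker, 1)[1].split()[0]
        if referer_has_credentials(value):
            leaks.append(value)
    return leaks


# Constructed sample log: one leaking request, two clean ones.
CONSTRUCTED_LOG = [
    "GET /api HTTP/1.1 Referer: https://alice:s3cret@intranet.example/login",
    "GET /api HTTP/1.1 Referer: https://intranet.example/login",
    "GET /static/app.js HTTP/1.1",
]

if __name__ == "__main__":
    print(safe_referer("https://alice:s3cret@intranet.example/login?next=/api#top"))
    print(find_leaking_referers(CONSTRUCTED_LOG))
```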