Guillaume Cottenceau's patch that adds CURLOPT_UNRESTRICTED_AUTH that

disables the host name check in the FOLLOWLOCATION code. With that option
set, libcurl will send user+password to all hosts.

docs/libcurl/curl_easy_setopt.3

@@ -349,6 +349,11 @@ new location and follow new Location: headers all the way until no more such
 headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number
 of redirects libcurl will follow.
 .TP
+.B CURLOPT_UNRESTRICTED_AUTH
+A non-zero parameter tells the library it can continue to send authentication
+(user+password) when following locations, even when hostname changed. Note
+that this is meaningful only when setting \fICURLOPT_FOLLOWLOCATION\fP.
+.TP
 .B CURLOPT_MAXREDIRS
 Pass a long. The set number will be the redirection limit. If that many
 redirections have been followed, the next redirect will cause an error

include/curl/curl.h

@@ -619,6 +619,11 @@ typedef enum {
   /* Set aliases for HTTP 200 in the HTTP Response header */
   CINIT(HTTP200ALIASES, OBJECTPOINT, 104),
 
+  /* Continue to send authentication (user+password) when following locations,
+     even when hostname changed. This can potentionally send off the name
+     and password to whatever host the server decides. */
+  CINIT(UNRESTRICTED_AUTH, LONG, 105),
+
   CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
 
@@ -809,7 +814,7 @@ CURLcode curl_global_init(long flags);
 void curl_global_cleanup(void);
 
 /* This is the version number */
-#define LIBCURL_VERSION "7.10.4-pre2"
+#define LIBCURL_VERSION "7.10.4-pre5"
 #define LIBCURL_VERSION_NUM 0x070a04
 
 /* linked-list structure for the CURLOPT_QUOTE option (and other) */

lib/http.c

@@ -663,7 +663,8 @@ CURLcode Curl_http(struct connectdata *conn)
        host due to a location-follow, we do some weirdo checks here */
     if(!data->state.this_is_a_follow ||
        !data->state.auth_host ||
-       curl_strequal(data->state.auth_host, conn->hostname)) {
+       curl_strequal(data->state.auth_host, conn->hostname) ||
+       data->set.http_disable_hostname_check_before_authentication) {
       sprintf(data->state.buffer, "%s:%s",
               data->state.user, data->state.passwd);
       if(Curl_base64_encode(data->state.buffer, strlen(data->state.buffer),

lib/url.c

@@ -503,6 +503,14 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, ...)
      */
     data->set.http_follow_location = va_arg(param, long)?TRUE:FALSE;
     break;
+  case CURLOPT_UNRESTRICTED_AUTH:
+    /*
+     * Send authentication (user+password) when following locations, even when
+     * hostname changed.
+     */
+    data->set.http_disable_hostname_check_before_authentication =
+      va_arg(param, long)?TRUE:FALSE;
+    break;
   case CURLOPT_HTTP_VERSION:
     /*
      * This sets a requested HTTP version to be used. The value is one of

lib/urldata.h

@@ -736,6 +736,7 @@ struct UserDefined {
   bool hide_progress;
   bool http_fail_on_error;
   bool http_follow_location;
+  bool http_disable_hostname_check_before_authentication;
   bool include_header;
 #define http_include_header include_header /* former name */