1--- 2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3SPDX-License-Identifier: curl 4Title: CURLOPT_URL 5Section: 3 6Source: libcurl 7See-also: 8 - CURLINFO_REDIRECT_URL (3) 9 - CURLOPT_CURLU (3) 10 - CURLOPT_FORBID_REUSE (3) 11 - CURLOPT_FRESH_CONNECT (3) 12 - CURLOPT_PATH_AS_IS (3) 13 - CURLOPT_PROTOCOLS_STR (3) 14 - curl_easy_perform (3) 15 - curl_url_get (3) 16 - curl_url_set (3) 17Protocol: 18 - All 19Added-in: 7.1 20--- 21 22# NAME 23 24CURLOPT_URL - URL for this transfer 25 26# SYNOPSIS 27 28~~~c 29#include <curl/curl.h> 30 31CURLcode curl_easy_setopt(CURL *handle, CURLOPT_URL, char *URL); 32~~~ 33 34# DESCRIPTION 35 36Pass in a pointer to the *URL* to work with. The parameter should be a 37char * to a null-terminated string which must be URL-encoded in the following 38format: 39 40scheme://host:port/path 41 42For a greater explanation of the format please see RFC 3986. 43 44libcurl does not validate the syntax or use the URL until the transfer is 45started. Even if you set a crazy value here, curl_easy_setopt(3) might 46still return *CURLE_OK*. 47 48If the given URL is missing a scheme name (such as "http://" or "ftp://" etc) 49then libcurl guesses based on the host. If the outermost subdomain name 50matches DICT, FTP, IMAP, LDAP, POP3 or SMTP then that protocol gets used, 51otherwise HTTP is used. Since 7.45.0 guessing can be disabled by setting a 52default protocol, see CURLOPT_DEFAULT_PROTOCOL(3) for details. 53 54Should the protocol, either as specified by the URL scheme or deduced by 55libcurl from the hostname, not be supported by libcurl then 56*CURLE_UNSUPPORTED_PROTOCOL* is returned from either the curl_easy_perform(3) 57or curl_multi_perform(3) functions when you call them. Use 58curl_version_info(3) for detailed information of which protocols are supported 59by the build of libcurl you are using. 60 61CURLOPT_PROTOCOLS_STR(3) can be used to limit what protocols libcurl may 62use for this transfer, independent of what libcurl has been compiled to 63support. That may be useful if you accept the URL from an external source and 64want to limit the accessibility. 65 66The CURLOPT_URL(3) string is ignored if CURLOPT_CURLU(3) is set. 67 68Either CURLOPT_URL(3) or CURLOPT_CURLU(3) must be set before a 69transfer is started. 70 71The application does not have to keep the string around after setting this 72option. 73 74Using this option multiple times makes the last set string override the 75previous ones. Set it to NULL to disable its use again. Note however that 76libcurl needs a URL set to be able to performed a transfer. 77 78The parser used for handling the URL set with CURLOPT_URL(3) is the same 79that curl_url_set(3) uses. 80 81# ENCODING 82 83The string pointed to in the CURLOPT_URL(3) argument is generally 84expected to be a sequence of characters using an ASCII compatible encoding. 85 86If libcurl is built with IDN support, the server name part of the URL can use 87an "international name" by using the current encoding (according to locale) or 88UTF-8 (when WinIDN is used; or a Windows Unicode build using libidn2). 89 90If libcurl is built without IDN support, the server name is used exactly as 91specified when passed to the name resolver functions. 92 93# DEFAULT 94 95NULL. If this option is not set, no transfer can be performed. 96 97# SECURITY CONCERNS 98 99Applications may at times find it convenient to allow users to specify URLs 100for various purposes and that string would then end up fed to this option. 101 102Getting a URL from an external untrusted party brings several security 103concerns: 104 105If you have an application that runs as or in a server application, getting an 106unfiltered URL can easily trick your application to access a local resource 107instead of a remote. Protecting yourself against localhost accesses is hard 108when accepting user provided URLs. 109 110Such custom URLs can also access other ports than you planned as port numbers 111are part of the regular URL format. The combination of a local host and a 112custom port number can allow external users to play tricks with your local 113services. 114 115Accepting external URLs may also use other protocols than http:// or other 116common ones. Restrict what accept with CURLOPT_PROTOCOLS_STR(3). 117 118User provided URLs can also be made to point to sites that redirect further on 119(possibly to other protocols too). Consider your 120CURLOPT_FOLLOWLOCATION(3) and CURLOPT_REDIR_PROTOCOLS_STR(3) settings. 121 122# %PROTOCOLS% 123 124# EXAMPLE 125 126~~~c 127int main(void) 128{ 129 CURL *curl = curl_easy_init(); 130 if(curl) { 131 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); 132 133 curl_easy_perform(curl); 134 } 135} 136~~~ 137 138# %AVAILABILITY% 139 140# RETURN VALUE 141 142Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient 143heap space. 144 145Note that curl_easy_setopt(3) does not parse the given string so given a 146bad URL, it is not detected until curl_easy_perform(3) or similar is 147called. 148
