curl does not parse the authority component of the URL correctly when the host
name part ends with a hash (#) character, and could instead be tricked into
connecting to a different host. This may have security implications if, for
example, you use a URL parser that follows the RFC to check for allowed domains
before using curl to request them.
Passing in http://example.com#@evil.com/x.txt would wrongly make curl send a
request to evil.com while your browser would connect to example.com given the
same URL.
The problem exists for most protocol schemes.
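
The allowlist scenario described above, as an added example that is not part of the original advisory or of curl's code: it compares the RFC 3986 reading of a URL with a simplified model of the flawed reading and refuses to fetch when they disagree. The function names, the `ALLOWED_HOSTS` set and the lenient model are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}  # constructed allowlist for this example


def rfc_host(url):
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""


def lenient_host(url):
    """Illustrative model (an assumption, not curl's code) of a parser that
    ends the authority only at '/', so a '#' stays inside it and everything
    before the last '@' is treated as userinfo. IPv6 literals are not
    handled here and therefore fail closed in safe_to_fetch()."""
    rest = url.split("://", 1)[-1]
    authority = rest.split("/", 1)[0]
    hostport = authority.rsplit("@", 1)[-1]
    return re.split(r"[:#?]", hostport, maxsplit=1)[0].lower()


def safe_to_fetch(url):
    """Allow a URL only when both readings agree and the host is allowed."""
    strict = rfc_host(url)
    if not strict or strict != lenient_host(url):
        # The validator and the HTTP client could pick different hosts.
        return False
    return strict in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample inputs; the first is the URL from the advisory text.
    for u in ("http://example.com#@evil.com/x.txt",
              "http://example.com/x.txt",
              "http://example.com#frag",
              "http://evil.com/x.txt"):
        print(u, rfc_host(u), lenient_host(u), safe_to_fetch(u))
```

Rejecting on disagreement keeps the allowlist decision independent of which reading the client that performs the request actually implements.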