docs: mention umask need when curl creates files

for cookies, alt-svc and HSTS, command line and library Closes #19396
2026-01-26 15:03:21 +00:00 · 2025-11-07 13:42:36 +01:00 · 2025-11-07 13:42:36 +01:00 · d8bad9926c
commit d8bad9926c
parent 891714acb4
7 changed files with 22 additions and 0 deletions
--- a/.github/scripts/pyspelling.words
+++ b/.github/scripts/pyspelling.words
@ -889,6 +889,7 @@ UI
 UID
 UIDL
 Ultrix
+umask
 Unary
 unassign
 UNC
--- a/docs/cmdline-opts/alt-svc.md
+++ b/docs/cmdline-opts/alt-svc.md
@ -24,5 +24,8 @@ filename again if it has been modified.
 Specify a "" filename (zero length) to avoid loading/saving and make curl just
 handle the cache in memory.

+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
+
 If this option is used several times, curl loads contents from all the
 files but the last one is used for saving.
--- a/docs/cmdline-opts/cookie-jar.md
+++ b/docs/cmdline-opts/cookie-jar.md
@ -37,3 +37,6 @@ If the cookie jar cannot be created or written to, the whole curl operation
 does not fail or even report an error clearly. Using --verbose gets a warning
 displayed, but that is the only visible feedback you get about this possibly
 lethal situation.
+
+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
--- a/docs/cmdline-opts/hsts.md
+++ b/docs/cmdline-opts/hsts.md
@ -28,5 +28,8 @@ performed.
 Specify a "" filename (zero length) to avoid loading/saving and make curl just
 handle HSTS in memory.

+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
+
 If this option is used several times, curl loads contents from all the
 files but the last one is used for saving.
--- a/docs/libcurl/opts/CURLOPT_ALTSVC.md
+++ b/docs/libcurl/opts/CURLOPT_ALTSVC.md
@ -47,6 +47,10 @@ libcurl cannot fully protect against attacks where an attacker has write
 access to the same directory where it is directed to save files. This is
 particularly sensitive if you save files using elevated privileges.

+libcurl creates the file to store the alt-svc cache in using default file
+permissions, meaning that on *nix systems you may need to restrict your umask
+to prevent other users on the same system to access the file.
+
 # DEFAULT

 NULL. The alt-svc cache is not read nor written to file.
--- a/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
+++ b/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
@ -58,6 +58,10 @@ libcurl cannot fully protect against attacks where an attacker has write
 access to the same directory where it is directed to save files. This is
 particularly sensitive if you save files using elevated privileges.

+libcurl creates the file to store cookies using default file permissions,
+meaning that on *nix systems you may need to restrict your umask to prevent
+other users on the same system to access the file.
+
 # DEFAULT

 NULL
--- a/docs/libcurl/opts/CURLOPT_HSTS.md
+++ b/docs/libcurl/opts/CURLOPT_HSTS.md
@ -67,6 +67,10 @@ libcurl cannot fully protect against attacks where an attacker has write
 access to the same directory where it is directed to save files. This is
 particularly sensitive if you save files using elevated privileges.

+libcurl creates the file to store HSTS data in using default file permissions,
+meaning that on *nix systems you may need to restrict your umask to prevent
+other users on the same system to access the file.
+
 # %PROTOCOLS%

 # EXAMPLE