I don't think this warning is really needed but if it is does it really need two paragraphs?

Hi, the rationale (from the hacker1 report) was that untrusted user input that contain newlines could be used to perform all sorts of bad stuff. This has appeared before, such as in https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545.

This update to the documentation aims to address that by informing users that libcurl will not sanitize headers, and that user have to sanitize headers by themselves. However, after thinking about it for a while, I think only libcurl-security.3 should have this warning, to reduce clutter in the options documentation. wdyt?

This update to the documentation aims to address that by informing users that libcurl will not sanitize headers, and that user have to sanitize headers by themselves. However, after thinking about it for a while, I think only libcurl-security.3 should have this warning, to reduce clutter in the options documentation. wdyt?

I agree. I just landed that and I changed the warning sentence slightly so that it is broader than just new headers injection: "someone malicious may be able to modify the request in a way you didn't intend such as injecting new headers." Someone malicious could do \r\n\r\n and inject into the body, and there are probably other things I'm not thinking of.