| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
... to avoid memory leaks!
libssh2 is tricky as we have to deal with the non-blockiness even in
close and shutdown cases. In the cases when we shutdown after a timeout
already expired, it is crucial that curl doen't let the timeout abort
the shutdown process as that then leaks memory!
Reported-by: Benjamin Riefenstahl
Fixes #6990
|
| |
|
|
|
|
|
|
|
|
| |
... and moved the HTTP/2 issues to its own section
Closes #6606
Closes #6510
Closes #6494
|
|
|
|
|
|
|
|
|
|
| |
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT
Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
Closes #6721
|
|
|
|
| |
Closes #6985
|
|
|
|
| |
Closes #6993
|
|
|
|
| |
Closes #6993
|
|
|
|
| |
Closes #6993
|
|
|
|
| |
Closes #6993
|
|
|
|
|
|
|
| |
The code would wrongly check for it using an additional colon.
Reported-by: Blake Burkhart
Closes #6988
|
|
|
|
|
|
|
|
|
|
|
|
| |
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
Closes #6986
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Closes #6986
|
|
|
|
|
|
| |
Update required rustls to 0.5.0
Closes #6960
|
|
|
|
|
|
|
|
| |
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
used.
Closes #6981
|
|
|
|
| |
Closes #6980
|
|
|
|
|
|
|
|
|
| |
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.
Closes #6959
|
|
|
|
| |
Closes #6954
|
|
|
|
|
|
|
| |
At all call sites with an explicit 0 len, pass an appropriate nonzero
len.
Closes #6954
|
|
|
|
| |
Closes #6979
|
|
|
|
|
|
|
| |
This commit fixes a small typo in the documentation for the
--fail-with-body flag.
Closes https://github.com/curl/curl/pull/6977
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.
I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.
Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6938
|
|
|
|
|
|
|
|
|
|
| |
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
|
| |
|
|
|
|
|
| |
Reported-by: Harry Sintonen
Closes #6970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
the data->set.writeheader header buffer, even though it is null. This
led to NPE segfaults attempting to use libcurl+Hyper with Git, for
example.
Instead, process the client write for the status line using the same
logic we use to process the client write for the later HTTP headers,
which contains the appropriate guard logic. As a side benefit,
data->set.writeheader is now only read in one file instead of two.
Fixes #6619
Fixes abetterinternet/crustls#49
Fixes hyperium/hyper#2438
Closes #6971
|
|
|
|
|
|
| |
Reported-by: Timo Lange
Closes #6967
|
|
|
|
| |
Closes #6965
|
|
|
|
| |
Closes #6966
|
|
|
|
| |
Closes #6942
|
|
|
|
|
| |
Reviewed-by: Kamil Dudka
Closes #6945
|
| |
|
|
|
|
|
|
|
|
| |
Port 8443 does not work now.
Correct origin is in the quicwg's wiki.
https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
Closes #6964
|
|
|
|
|
|
|
|
| |
... because it makes the knowledge and usage cross-transfer in funny and
unexpected ways.
Reported-by: Harry Sintonen
Closes #6963
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously compiling rustls on Mac would only complete if you also
compiled the SecureTransport TLS backend, which curl would prefer to
the Rust backend.
Appending these flags to LDFLAGS makes it possible to compile the
Rustls backend on Mac without the SecureTransport backend, which means
this patch will make it possible for Mac users to use the Rustls
backend for TLS.
Reviewed-by: Jacob Hoffman-Andrews
Fixes #6955
Cloes #6956
|
|
|
|
| |
Closes #6947
|
|
|
|
|
|
|
|
|
| |
wording taken from man page for CURLOPT_URL.3
As far as I can see, the URL part is either malloc'ed before due to
encoding or it is strdup'ed.
Closes #6953
|
|
|
|
| |
Closes #6951
|
|
|
|
|
| |
Ref: https://curl.se/mail/lib-2021-04/0085.html
Closes #6943
|
|
|
|
|
| |
Reviewed-by: Jakub Zakrzewski
Closes #6933
|
|
|
|
|
|
|
|
| |
Fixes the segfault in ldaps disconnect.
Reported-by: Illarion Taev
Fixes #6934
Closes #6937
|
|
|
|
| |
Reported-by: Pontus Lundkvist
|
| |
|
|
|
|
|
|
|
|
| |
- Add gsasl_version string and bump to CURLVERSION_TENTH.
Ref: https://curl.se/mail/lib-2021-04/0003.html
Closes https://github.com/curl/curl/pull/6843
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Support enabling strong crypto via optional user cipher list when
USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
versions that may be otherwise enabled for better interoperability."
Ref: https://curl.se/mail/lib-2021-02/0066.html
Ref: https://curl.se/docs/manpage.html#--ciphers
Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
Closes https://github.com/curl/curl/pull/6734
|
| |
|
| |
|
|
|
|
| |
... and put those functions in separate m4 files per TLS library.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
configure no longer tries to find a TLS library by default, but all
libraries are now equal: the user needs to explicitly ask what TLS
library or libraries to use.
If no TLS library is selected, configure will error out unless
--without-ssl is explicitly used to request a built without TLS (as that
is very rare these days).
Removes: --with-winssl, --with-darwinssl and all --without-* options for
TLS libraries.
Closes #6897
|