| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Reported-by: Roger Young
Fixes #7967
Closes #7976
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.
This fix detects pipelined STARTTLS responses and rejects them with an
error.
CVE-2021-22947
Bug: https://curl.se/docs/CVE-2021-22947.html
|
|
|
|
|
|
|
|
|
|
|
|
| |
In imap and pop3, check if TLS is required even when capabilities
request has failed.
In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The reverted commit introduced a logic error in code that was
correct.
The client using libcurl would notice the error since FTP file
uploads in active transfer mode would somtimes complete with
success despite no transfer having been performed and the
"uploaded" file thus not being on the remote server afterwards.
The FTP server would notice the error because it receives a
RST on the data connection it has established with the client
before any data was transferred at all.
The logic error happens if the STOR response from the server have
arrived by the time ftp_multi_statemach() in the affected code path
is called, but the incoming data connection have not arrived yet.
In that case, the processing of the STOR response will cause
'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
in the code. Since 'complete' will also be set, later logic would
believe the transfer was done.
In most cases, the STOR response will not have arrived yet when
the affected code path is executed, or the incoming connection will
also have arrived, and thus the error would not express itself.
But if the speed difference of the device using libcurl and the
FTP server is exactly right, the error may happen as often as in
one out of hundred file transfers.
This reverts commit 49f3117a238b6eac0e22a32f50699a9eddcb66ab.
Bug: https://curl.se/mail/lib-2021-07/0025.html
Closes #7362
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application
- it makes infof() work like failf() and consistency is good
- there's an assert that triggers on newlines in the format string
- Also removes a few instances of "..."
- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()
Closes #7357
|
|
|
|
|
|
|
|
|
|
|
| |
The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a connection gets
attached to a transfer, the protocol handler now allows for a custom
function to get used to set things up correctly.
Reported-by: Michael O'Farrell
Fixes #6898
Closes #7078
|
|
|
|
|
|
|
| |
At all call sites with an explicit 0 len, pass an appropriate nonzero
len.
Closes #6954
|
|
|
|
|
|
| |
... remove '== NULL' and '!= 0'
Closes #6912
|
|
|
|
|
|
|
|
|
| |
If after a transfer is complete Curl_GetFTPResponse() returns an error,
curl would not free the ftp->pathalloc block.
Found by torture-testing test 576
Closes #6737
|
|
|
|
|
|
|
|
|
| |
Added test 362 to verify.
Reported-by: Jordan Brown
Regression since 7ea2e1d0c5a7f (7.73.0)
Fixes #6715
Closes #6725
|
|
|
|
|
|
| |
Increment `bytes` only if it is non-null.
Closes https://github.com/curl/curl/pull/6576
|
|
|
|
|
|
|
|
|
| |
and rename it from 'ftp_list_only' since it is also used for SSH and
POP3. The state is updated internally for 'type=D' FTP URLs.
Added test case 1570 to verify.
Closes #6578
|
|
|
|
|
|
|
|
|
|
|
| |
... and make sure the code never updates 'set.prefer_ascii' as it breaks
handle reuse which should use the setting as the user specified it.
Added test 1569 to verify: it first makes an FTP transfer with ';type=A'
and then another without type on the same handle and the second should
then use binary. Previously, curl failed this.
Closes #6578
|
|
|
|
|
|
|
|
|
|
| |
Since the set value then risks getting used like that when the easy
handle is reused by the application.
Also: renamed the struct field from 'ftp_append' to 'remote_append'
since it is also used for SSH protocols.
Closes #6579
|
|
|
|
|
|
|
|
|
|
|
| |
... as we ignore it anyway because servers don't report the correct size
and proftpd even blatantly returns a 550.
Updates a set of tests accordingly.
Reported-by: awesomenode on github
Fixes #6564
Closes #6565
|
|
|
|
| |
Using an FTP prefix for PP provided functionality was misleading.
|
|
|
|
|
|
| |
... as the numerical IP address is already stored and kept in 'primary_ip'.
Closes #6534
|
|
|
|
| |
Closes #6515
|
|
|
|
|
|
|
| |
... as it's superfluous now when Curl_easy is passed in and we can
derive the connection from that instead and avoid the duplicate copy.
Closes #6525
|
|
|
|
| |
Closes #6513
|
|
|
|
|
|
|
| |
This also moves the 'async' struct from the connectdata struct into the
Curl_easy struct, which seems like a better home for it.
Closes #6497
|
| |
|
|
|
|
| |
Closes #6496
|
|
|
|
| |
Closes #6479
|
|
|
|
| |
Closes #6474
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... in most cases instead of 'struct connectdata *' but in some cases in
addition to.
- We mostly operate on transfers and not connections.
- We need the transfer handle to log, store data and more. Everything in
libcurl is driven by a transfer (the CURL * in the public API).
- This work clarifies and separates the transfers from the connections
better.
- We should avoid "conn->data". Since individual connections can be used
by many transfers when multiplexing, making sure that conn->data
points to the current and correct transfer at all times is difficult
and has been notoriously error-prone over the years. The goal is to
ultimately remove the conn->data pointer for this reason.
Closes #6425
|
|
|
|
|
|
|
|
|
| |
... as failf adds one itself.
Also: add an assert() to failf() that triggers on a newline in the
format string!
Closes #6365
|
|
|
|
|
|
|
|
| |
CVE-2020-8285
Fixes #6255
Bug: https://curl.se/docs/CVE-2020-8285.html
Reported-by: xnynx on github
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the case of TFO, the remote host name is not resolved at the
connetion time.
For FTP that has lead to missing hostname for the secondary connection.
Therefore the name resolution is done at the time, when FTP requires it.
Fixes #6252
Closes #6265
Closes #6282
|
|
|
|
|
|
|
| |
... to avoid the use of 'void *' for the protocol specific structs done
per transfer.
Closes #6238
|
|
|
|
| |
Closes #6172
|
|
|
|
|
|
| |
... and fix a few occurances
Closes #6088
|
|
|
|
|
|
|
|
|
| |
Added test 348 to verify. Added a 'STOR' command to the test FTP
server to enable test 348. Documented the command in FILEFORMAT.md
Reported-by: Duncan Wilcox
Fixes #6016
Closes #6017
|
|
|
|
|
|
|
|
|
|
| |
When using HTTPS proxy, SSL is used but not in the view of the FTP
protocol handler itself so separate the connection's use of SSL from the
FTP control connection's sue.
Reported-by: Mingtao Yang
Fixes #5523
Closes #6006
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
... reuses the same dynamic buffer instead of doing repeated malloc/free
cycles.
Test case 100 (FTP dir list PASV) does 7 fewer memory allocation calls
after this change in my test setup (132 => 125), curl 7.72.0 needed 140
calls for this.
Test case 103 makes 9 less allocations now (130). Down from 149 in
7.72.0.
Closes #6004
|
|
|
|
|
|
|
|
|
| |
Follow-up from f4873ebd0be32cf
Turns out some older openssl installations go bananas otherwise.
Reported-by: Tom van der Woerdt
Fixes #5995
Closes #5996
|
|
|
|
|
|
|
|
|
|
|
| |
These two files were always tightly connected and it was hard to
understand what went into which. This also allows us to make the
ftpsend() function static (moved from ftp.c).
Removed security.c
Renamed curl_sec.h to krb5.h
Closes #5987
|
|
|
|
|
|
|
| |
Makes get_protocol_family() faster and it moves the knowledge about the
"families" to each protocol handler, where it belongs.
Closes #5986
|
|
|
|
|
|
|
|
|
| |
If the received PASV response doesn't match the expected pattern, we
could end up reading uninitialized integers for IP address and port
number.
Issue pointed out by muse.dev
Closes #5972
|
|
|
|
|
|
|
| |
The use of such a macro hides some of what's actually going on to the
reader and is generally disapproved of in the project.
Closes #5971
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is primarily interesting for cases where CURLOPT_NOBODY is set as
previously curl would not return an error for this case.
MDTM getting 550 now also returns this error (it returned
CURLE_FTP_COULDNT_RETR_FILE before) in order to unify return codes for
missing files across protocols and specific FTP commands.
libcurl already returns error on a 550 as a MDTM response (when
CURLOPT_FILETIME is set). If CURLOPT_NOBODY is not set, an error would
happen subsequently anyway since the RETR command would fail.
Add test 1913 and 1914 to verify. Updated several tests accordingly due
to the updated SIZE behavior.
Reported-by: Tomas Berger
Fixes #5953
Closes #5957
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The shutdown function is for downgrading a connection from TLS to plain,
and this is not requested here.
Have ssl_close reset the TLS connection state.
This partially reverts commit f002c850d98d
Reported-by: Rasmus Melchior Jacobsen
Reported-by: Denis Goleshchikhin
Fixes #5797
|
|
|
|
|
|
|
|
|
|
|
| |
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).
Reported-by: coinhubs on github
Fixes #5598
Closes #5608
|
|
|
|
|
|
| |
... or all "control codes" or nothing.
Assisted-by: Nicolas Sterchele
|
|
|
|
|
|
| |
Reported-by: Siva Sivaraman
Fixes #5412
Closes #5597
|
|
|
|
|
|
| |
Added build to travis to verify
Closes #5466
|
|
|
|
|
|
|
| |
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.
Closes #5479
|
|
|
|
|
|
| |
And remove a few unused booleans!
Closes #5461
|
| |
|
|
|
|
|
|
| |
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
|