path: root/lib/http.c
Commit message | Author | Age | Files | Lines
* cookies: skip custom cookies when redirecting cross-site | Katsuhiko YOSHIDA | 2019-01-09 | 1 | -1/+2
  Closes #3417
* Revert "http_negotiate: do not close connection until negotiation is completed" | Daniel Stenberg | 2019-01-07 | 1 | -1/+2
  This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. This also reopens PR #3275 which brought the change now reverted.
  Fixes #3384
  Closes #3439
* http: added options for allowing HTTP/0.9 responses | Daniel Stenberg | 2018-12-21 | 1 | -0/+8
  Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. For now, both the tool and library allow HTTP/0.9 by default. docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 months after the 7.64.0 release. The options are added already now so that applications/scripts can start using them already now.
  Fixes #2873
  Closes #3383
* http: Implement trailing headers for chunked transfers | Ayoub Boudhar | 2018-12-14 | 1 | -0/+46
  This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION options that allow a callback based approach to sending trailing headers with chunked transfers. The test server (sws) was updated to take into account the detection of the end of transfer in the case of trailing headers presence. Test 1591 checks that trailing headers can be sent using libcurl.
  Closes #3350
* cookies: leave secure cookies alone | Daniel Gustafsson | 2018-12-13 | 1 | -1/+3
  Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265.
  Closes #2956
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* http: fix HTTP auth to include query in URI | Jay Satiro | 2018-12-11 | 1 | -4/+13
  - Include query in the path passed to generate HTTP auth.
  Recent changes to use the URL API internally (46e1640, 7.62.0) inadvertently broke authentication URIs by omitting the query.
  Fixes https://github.com/curl/curl/issues/3353
  Closes #3356
* http: don't set CURLINFO_CONDITION_UNMET for http status code 204 | Michael Kaufmann | 2018-12-11 | 1 | -7/+7
  The http status code 204 (No Content) should not change the "condition unmet" flag. Only the http status code 304 (Not Modified) should do this.
  Closes #359
* NTLM: force the connection to HTTP/1.1 | Johannes Schindelin | 2018-12-07 | 1 | -0/+6
  Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces the capability. However, NTLM authentication only works with HTTP/1.1, and will likely remain in that boat (for details, see https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).
  When we just found out that we want to use NTLM, and when the current connection runs in HTTP/2 mode, let's force the connection to be closed and to be re-opened using HTTP/1.1.
  Fixes https://github.com/curl/curl/issues/3341.
  Closes #3345
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* snprintf: renamed and we now only use msnprintf() | Daniel Stenberg | 2018-11-23 | 1 | -20/+20
  The function does not return the same value as snprintf() normally does, so readers may be misled into thinking the code works differently than it actually does. A different function name makes this easier to detect.
  Reported-by: Tomas Hoger
  Assisted-by: Daniel Gustafsson
  Fixes #3296
  Closes #3297
* http_negotiate: do not close connection until negotiation is completed | Elia Tufarolo | 2018-11-16 | 1 | -1/+0
  Fix HTTP POST using CURLAUTH_NEGOTIATE.
  Closes #3275
* spelling fixes [ci skip] | Viktor Szakats | 2018-10-08 | 1 | -1/+1
  as detected by codespell 1.14.0
  Closes https://github.com/curl/curl/pull/3114
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* http: fix memleak in rewind error path | Daniel Stenberg | 2018-09-25 | 1 | -8/+7
  If the rewind would fail, a strdup() would not get freed.
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
  Closes #3044
* http: add missing return code check | Daniel Stenberg | 2018-09-23 | 1 | -6/+3
  Detected by Coverity. CID 1439610.
  Follow-up from 46e164069d1a523
  Closes #3034
* url: use the URL API internally as well | Daniel Stenberg | 2018-09-22 | 1 | -49/+76
  ... to make it a truly unified URL parser.
  Closes #3017
* http: made Curl_add_buffer functions take a pointer-pointer | Daniel Stenberg | 2018-09-16 | 1 | -52/+60
  ... so that they can clear the original pointer on failure, which makes the error-paths and their cleanups easier.
  Closes #2992
* upload: allocate upload buffer on-demand | Daniel Stenberg | 2018-08-18 | 1 | -11/+18
  Saves 16KB on the easy handle for operations that don't need that buffer.
  Part 1 of #2888
* http: fix for tiny "HTTP/0.9" response | Daniel Stenberg | 2018-08-13 | 1 | -23/+45
  Deal with tiny "HTTP/0.9" (header-less) responses by checking the status-line early, even before a full "HTTP/" is received to allow detecting 0.9 properly. Test 1266 and 1267 added to verify.
  Fixes #2420
  Closes #2872
* CURLINFO_SIZE_UPLOAD: fix missing counter update | Daniel Stenberg | 2018-08-11 | 1 | -0/+2
  Adds test 1522 for verification.
  Reported-by: cjmsoregan
  Fixes #2847
  Closes #2864
* auth: pick Bearer authentication whenever a token is available | Johannes Schindelin | 2018-07-24 | 1 | -1/+1
  So far, the code tries to pick an authentication method only if user/password credentials are available, which is not the case for Bearer authentication...
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
  Closes #2754
* auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token | Johannes Schindelin | 2018-07-24 | 1 | -4/+9
  The Bearer authentication was added to cURL 7.61.0, but there is a problem: if CURLAUTH_ANY is selected, and the server supports multiple authentication methods including the Bearer method, we strongly prefer that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer authentication fails, we will never even try to attempt any other method.
  This is particularly unfortunate when we already know that we do not have any Bearer token to work with.
  Such a scenario happens e.g. when using Git to push to Visual Studio Team Services (which supports Basic and Bearer authentication among other methods) and specifying the Personal Access Token directly in the URL (this approach is frequently taken by automated builds).
  Let's make sure that we have a Bearer token to work with before we select the Bearer authentication among the available authentication methods.
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
  Closes #2754
* http2: several cleanups | Daniel Stenberg | 2018-07-20 | 1 | -5/+8
  - separate easy handle from connections better
  - added asserts on a number of places
  - added sanity check of pipelines for debug builds
  Closes #2751
* Curl_debug: remove dead printhost code | Daniel Stenberg | 2018-06-12 | 1 | -5/+4
  The struct field is never set (since 5e0d9aea3) so remove the use of it and remove the connectdata pointer from the prototype.
  Reported-by: Tejas
  Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html
  Closes #2647
* cppcheck: fix warnings | Marian Klymov | 2018-06-11 | 1 | -6/+4
  - Get rid of variable that was generating false positive warning (uninitialized)
  - Fix issues in tests
  - Reduce scope of several variables all over
  etc
  Closes #2631
* strictness: correct {infof, failf} format specifiers | Rikard Falkeborn | 2018-05-31 | 1 | -1/+1
  Closes #2623
* httpauth: add support for Bearer tokens | Linus Lewandowski | 2018-05-24 | 1 | -1/+54
  Closes #2102
* http resume: skip body if http code 416 (range error) is ignored. | Patrick Monnerat | 2018-05-22 | 1 | -13/+10
  This avoids appending error data to already existing good data.
  Test 92 is updated to match this change. New test 1156 checks all combinations of --range/--resume, --fail, Content-Range header and http status code 200/416.
  Fixes #1163
  Reported-By: Ithubg on github
  Closes #2578
* checksrc: make sure sizeof() is used *with* parentheses | Daniel Stenberg | 2018-05-21 | 1 | -1/+1
  ... and unify the source code to adhere.
  Closes #2563
* lib: Fix format specifiers | Rikard Falkeborn | 2018-05-14 | 1 | -2/+2
* http: restore buffer pointer when bad response-line is parsed | Daniel Stenberg | 2018-05-14 | 1 | -1/+5
  ... leaving the k->str could lead to buffer over-reads later on.
  CVE: CVE-2018-1000301
  Assisted-by: Max Dymond
  Detected by OSS-Fuzz.
  Bug: https://curl.haxx.se/docs/adv_2018-b138.html
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
* http: don't set the "rewind" flag when not uploading anything | Daniel Stenberg | 2018-05-04 | 1 | -1/+1
  It triggers an assert.
  Detected by OSS-Fuzz
  Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
  Closes #2546
* lib: silence null-dereference warnings | Marcel Raad | 2018-04-09 | 1 | -2/+0
  In debug mode, MinGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs.
  Suggested-by: Daniel Stenberg
  Ref: https://github.com/curl/curl/pull/2463
* cookies: when reading from a file, only remove_expired once | Lauri Kasanen | 2018-04-02 | 1 | -1/+1
  This drops the cookie load time for 8k cookies from 178ms to 15ms.
  Closes #2441
* CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol | Lawrence Matthews | 2018-03-17 | 1 | -0/+50
  Add --haproxy-protocol for the command line tool
  Closes #2162
* HTTP: allow "header;" to replace an internal header with a blank one | Daniel Stenberg | 2018-03-11 | 1 | -64/+70
  Reported-by: Michael Kaufmann
  Fixes #2357
  Closes #2362
* http: fix the max header length detection logic | Daniel Stenberg | 2018-02-16 | 1 | -11/+10
  Previously, it would only check for max length if the existing alloc buffer was too small to fit it, which often would make the header still get used.
  Reported-by: Guido Berhoerster
  Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
  Closes #2315
* TODO fixed: Detect when called from within callbacks | Björn Stenberg | 2018-02-15 | 1 | -0/+2
  Closes #2302
* time_t-fixes: remove typecasts to 'long' for info.filetime | Daniel Stenberg | 2018-02-01 | 1 | -1/+1
  They're now wrong.
  Reported-by: Michael Kaufmann
  Closes #2277
* http: prevent custom Authorization headers in redirects | Daniel Stenberg | 2018-01-22 | 1 | -1/+9
  ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally.
  Note: this changes behavior slightly, for the sake of reducing mistakes.
  Added test 317 and 318 to verify.
  Reported-by: Craig de Stigter
  Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
* HTTP: bail out on negative Content-Length: values | Daniel Stenberg | 2018-01-13 | 1 | -19/+23
  ... and make the max filesize check trigger if the value is too big.
  Updates test 178.
  Reported-by: Brad Spencer
  Fixes #2212
  Closes #2223
* HTTP: support multiple Content-Encodings | Patrick Monnerat | 2017-11-05 | 1 | -61/+7
  This is implemented as an output streaming stack of unencoders, the last calling the client write procedure. New test 230 checks this feature.
  Bug: https://github.com/curl/curl/pull/2002
  Reported-By: Daniel Bankhead
* include: remove conncache.h inclusion from where it's not needed | Daniel Stenberg | 2017-11-01 | 1 | -1/+0
* RTSP: avoid integer overflow on funny RTSP response | Daniel Stenberg | 2017-10-09 | 1 | -2/+4
  ... like a very large non-existing RTSP version number.
  Added test 577 to verify.
  Detected by OSS-fuzz.
  Closes #1969
* http: add custom empty headers to repeated requests | Michael Kaufmann | 2017-09-28 | 1 | -2/+6
  Closes #1920
* code style: remove wrong uses of multiple spaces | Daniel Stenberg | 2017-09-12 | 1 | -2/+2
  Closes #1878
* code style: use space after semicolon | Daniel Stenberg | 2017-09-12 | 1 | -1/+2
* code style: use spaces around pluses | Daniel Stenberg | 2017-09-11 | 1 | -10/+10
* code style: use spaces around equals signs | Daniel Stenberg | 2017-09-11 | 1 | -21/+21
* Curl_checkheaders: make it available for IMAP and SMTP too | Daniel Stenberg | 2017-09-11 | 1 | -21/+0
  ... not only HTTP uses this now.
  Closes #1875
* mime: new MIME API. | Patrick Monnerat | 2017-09-02 | 1 | -114/+145
  Available in HTTP, SMTP and IMAP. Deprecates the FORM API. See CURLOPT_MIMEPOST. Lib code and associated documentation.
* http: fix a memory leakage in checkrtspprefix(). | Patrick Monnerat | 2017-09-02 | 1 | -6/+8