path: root/lib/url.c
Commit message | Author | Age | Files | Lines
* url: normalize CURLINFO_EFFECTIVE_URL [bagder/effective-url] | Daniel Stenberg | 2019-10-16 | 1 | -0/+10
  The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as input in most cases, which made it not get a scheme prefixed like before if the URL was given without one, and it didn't remove dotdot sequences etc.
  Added test case 1907 to verify that this now works as intended and as before 7.62.0.
  Regression introduced in 7.62.0
  Reported-by: Christophe Dervieux
  Fixes #4491
* cookies: change argument type for Curl_flush_cookies | Daniel Stenberg | 2019-10-03 | 1 | -1/+1
  The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear.
  Closes #4455
* http2: move state-init from creation to pre-transfer | Daniel Stenberg | 2019-10-03 | 1 | -2/+0
  To make sure that the HTTP/2 state is initialized correctly for duplicated handles. It would otherwise easily generate "spurious" PRIORITY frames to get sent over HTTP/2 connections when duplicated easy handles were used.
  Reported-by: Daniel Silverstone
  Fixes #4303
  Closes #4442
* url: don't set appconnect time for non-ssl/non-ssh connections | Jay Satiro | 2019-09-26 | 1 | -1/+3
  Prior to this change non-ssl/non-ssh connections that were reused set TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH handshake took place.
  [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in libcurl and %{time_appconnect} in the curl tool. It is documented as "the time until the SSL/SSH handshake is completed".
  Reported-by: Marcel Hernandez
  Ref: https://github.com/curl/curl/issues/3760
  Closes https://github.com/curl/curl/pull/3773
* url: fix the NULL hostname compiler warning case | Jay Satiro | 2019-09-25 | 1 | -6/+2
  Closes #4403
* url: remove dead code | Daniel Stenberg | 2019-09-20 | 1 | -7/+0
  Fixes warning detected by PVS-Studio
  Fixes #4374
* url: part of expression is always true: (bundle->multiuse == 0) | Daniel Stenberg | 2019-09-20 | 1 | -1/+1
  Fixes warning detected by PVS-Studio
  Fixes #4374
* url: only reuse TLS connections with matching pinning | Daniel Stenberg | 2019-09-19 | 1 | -0/+4
  If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the connection should not be reused.
  Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
  Reported-by: Sebastian Haglund
  Closes #4347
* url: cleanup dangling DOH request headers too | Daniel Stenberg | 2019-09-18 | 1 | -0/+1
  Follow-up to 9bc44ff64d9081
  Credit to OSS-Fuzz
  Bug: https://crbug.com/oss-fuzz/17269
  Closes #4372
* doh: clean up dangling DOH handles and memory on easy close | Daniel Stenberg | 2019-09-16 | 1 | -0/+6
  If you set the same URL for target as for DoH (and it isn't a DoH server), like "https://example.com" in both, the easy handles used for the DoH requests could be left "dangling" and end up not getting freed.
  Reported-by: Paul Dreik
  Closes #4366
* cleanup: move functions out of url.c and make them static | Daniel Stenberg | 2019-09-03 | 1 | -203/+0
  Closes #4289
* cleanup: remove DOT_CHAR completely | Daniel Stenberg | 2019-08-20 | 1 | -2/+1
  Follow-up to f9c7ba9096ec
  The use of DOT_CHAR for ".ssh" was probably a mistake and is removed now.
  Pointed-out-by: Gisle Vanem
  Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638
  Closes #4247
* alt-svc: add protocol version selection masking | Daniel Stenberg | 2019-08-08 | 1 | -16/+25
  So that users can mask in/out specific HTTP versions when Alt-Svc is used.
  - Removed "h2c" and updated test case accordingly
  - Changed how the altsvc struct is laid out
  - Added ifdefs to make the unittest run even in a quiche-tree
  Closes #4201
* http3: fix the HTTP/3 in the request, make alt-svc set right versions | Daniel Stenberg | 2019-08-08 | 1 | -3/+3
  Closes #4200
* alt-svc: send Alt-Used: in redirected requests | Daniel Stenberg | 2019-08-08 | 1 | -0/+1
  RFC 7838 section 5:
  When using an alternative service, clients SHOULD include an Alt-Used header field in all requests.
  Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus this is deemed ok).
  You can disable sending this header just like you disable any other HTTP header in libcurl.
  Closes #4199
* curl.h: add CURL_HTTP_VERSION_3 to the version enum | Daniel Stenberg | 2019-08-07 | 1 | -1/+1
  It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with CURLINFO_HTTP_VERSION.
* sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID | Steve Holme | 2019-08-06 | 1 | -0/+9
  Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication.
  Fixes #3653
  Closes #3790
  NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release.
  Closes https://github.com/curl/curl/pull/4186
* http09: disable HTTP/0.9 by default in both tool and library | Daniel Stenberg | 2019-08-06 | 1 | -1/+1
  As the plan has been laid out in DEPRECATED. Update docs accordingly and verify in test 1174. Now requires the option to be set to allow HTTP/0.9 responses.
  Closes #4191
* url: make use of new HTTP version if alt-svc has one | Daniel Stenberg | 2019-08-03 | 1 | -2/+31
* url: set conn->transport to default TCP at init time | Daniel Stenberg | 2019-08-03 | 1 | -1/+1
* timediff: make it 64 bit (if possible) even with 32 bit time_t | Daniel Stenberg | 2019-08-01 | 1 | -1/+2
  ... to make it hold microseconds too.
  Fixes #4165
  Closes #4168
* cleanup: remove the 'numsocks' argument used in many places | Daniel Stenberg | 2019-07-30 | 1 | -6/+4
  It was used (intended) to pass in the size of the 'socks' array that is also passed to these functions, but was rarely actually checked/used and the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries that should be used instead.
  Closes #4169
* HTTP3: initial (experimental) support | Daniel Stenberg | 2019-07-21 | 1 | -1/+1
  Use configure --with-ngtcp2 or --with-quiche
  Using either option will enable a HTTP3 build.
  Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
  Closes #3500
* libcurl: Restrict redirect schemes (follow-up) | Jay Satiro | 2019-07-17 | 1 | -1/+2
  - Allow FTPS on redirect.
  - Update default allowed redirect protocols in documentation.
  Follow-up to 6080ea0.
  Ref: https://github.com/curl/curl/pull/4094
  Closes https://github.com/curl/curl/pull/4115
* libcurl: Restrict redirect schemes | Linos Giannopoulos | 2019-07-14 | 1 | -3/+1
  All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts.
  For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload.
  Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
  [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
  Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
  Closes #4094
* conn_maxage: move the check to prune_dead_connections() | Daniel Stenberg | 2019-06-17 | 1 | -27/+25
  ... and avoid the locking issue.
  Reported-by: Kunal Ekawde
  Fixes #4029
  Closes #4032
* url: Fix CURLOPT_MAXAGE_CONN time comparison | Cliff Crosland | 2019-06-12 | 1 | -1/+1
  Old connections are meant to expire from the connection cache after CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x that value. This occurs because a time value measured in milliseconds is accidentally divided by 1M instead of by 1,000.
  Closes https://github.com/curl/curl/pull/4013
* multi: make sure 'data' can present in several sockhash entries | Daniel Stenberg | 2019-06-10 | 1 | -8/+1
  Since more than one socket can be used by each transfer at a given time, each sockhash entry now has its own hash table with transfers using that socket.
  In addition, the sockhash entry can now be marked 'blocked = TRUE' which then makes the delete function just set 'removed = TRUE' instead of removing it "for real", as a way to not rip out the carpet under the feet of a parent function that iterates over the transfers of that same sockhash entry.
  Reported-by: Tom van der Woerdt
  Fixes #3961
  Fixes #3986
  Fixes #3995
  Fixes #4004
  Closes #3997
* url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows | Steve Holme | 2019-05-29 | 1 | -2/+13
  This fixes the static dependency on iphlpapi.lib and allows curl to build for targets prior to Windows Vista.
  This partially reverts 170bd047.
  Fixes #3960
  Closes #3958
* parse_proxy: make sure portptr is initialized | Daniel Stenberg | 2019-05-28 | 1 | -1/+1
  Reported-by: Benbuck Nason
  fixes #3959
* url: default conn->port to the same as conn->remote_port | Daniel Stenberg | 2019-05-28 | 1 | -1/+1
  ... so that it has a sensible value when ConnectionExists() is called which needs it set to differentiate host "bundles" correctly on port number!
  Also, make conncache:hashkey() use correct port for bundles that are proxy vs host connections.
  Probably a regression from 7.62.0
  Reported-by: Tom van der Woerdt
  Fixes #3956
  Closes #3957
* conncache: make "bundles" per host name when doing proxy tunnels | Daniel Stenberg | 2019-05-28 | 1 | -8/+9
  Only HTTP proxy use where multiple host names can be used over the same connection should use the proxy host name for bundles.
  Reported-by: Tom van der Woerdt
  Fixes #3951
  Closes #3955
* Revert all SASL authzid (new feature) commits | Jay Satiro | 2019-05-25 | 1 | -9/+0
  - Revert all commits related to the SASL authzid feature since the next release will be a patch release, 7.65.1.
  Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined for the next release, assuming it would be a feature release 7.66.0. However instead the next release will be a patch release, 7.65.1 and will not contain any new features.
  After the patch release the reverted commits can be restored by using cherry-pick:
    git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690
  Details for all reverted commits:
  Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."
  This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a.
  Revert "tests: Fix the line endings for the SASL alt-auth tests"
  This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221.
  Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"
  This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75.
  Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"
  This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817.
  Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"
  This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177.
* Fix typo. | Gisle Vanem | 2019-05-24 | 1 | -1/+1
* config-win32: add support for if_nametoindex and getsockname | Zenju | 2019-05-23 | 1 | -1/+3
  Closes https://github.com/curl/curl/pull/3923
* url: fix bad #ifdef | Daniel Stenberg | 2019-05-23 | 1 | -1/+1
  Regression since e91e48161235272ff485.
  Reported-by: Tom Greenslade
  Fixes #3924
  Closes #3925
* sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID | Steve Holme | 2019-05-22 | 1 | -0/+9
  Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication.
  Fixed #3653
  Closes #3790
* parse_proxy: use the IPv6 zone id if given | Daniel Stenberg | 2019-05-22 | 1 | -25/+36
  If the proxy string is given as an IPv6 numerical address with a zone id, make sure to use that for the connect to the proxy.
  Reported-by: Edmond Yu
  Fixes #3482
  Closes #3918
* url: convert the zone id from a IPv6 URL to correct scope id | Daniel Stenberg | 2019-05-21 | 1 | -43/+22
  Reported-by: GitYuanQu on github
  Fixes #3902
  Closes #3914
* libcurl: #ifdef away more code for disabled features/protocols | Daniel Stenberg | 2019-05-17 | 1 | -2/+4
* parse_proxy: use the URL parser API | Daniel Stenberg | 2019-05-15 | 1 | -147/+82
  As we treat a given proxy as a URL we should use the unified URL parser to extract the parts out of it.
  Closes #3878
* http_ntlm: Move the NTLM state out of the ntlmdata structure | Steve Holme | 2019-05-15 | 1 | -4/+4
  Given that this member variable is not used by the SASL based protocols there is no need to have it here.
* url: Remove duplicate clean up of the winbind variables in conn_shutdown() | Steve Holme | 2019-05-14 | 1 | -6/+0
  Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior to calling conn_shutdown() and it in turn performs this, there is no need to perform the same action in conn_shutdown().
  Closes #3881
* url: Remove unnecessary initialisation from allocate_conn() | Steve Holme | 2019-05-14 | 1 | -14/+1
  No need to set variables to zero as calloc() does this for us.
  Closes #3879
* proxy: acknowledge DISABLE_PROXY more | Daniel Stenberg | 2019-05-13 | 1 | -0/+5
* auth: Rename the various authentication clean up functions | Steve Holme | 2019-05-12 | 1 | -4/+4
  For consistency and to avoid confusion.
  Closes #3869
* http_digest: Don't expose functions when HTTP and Crypto Auth are disabled | Steve Holme | 2019-05-11 | 1 | -0/+2
  Closes #3861
* ssh: define USE_SSH if SSH is enabled (any backend) | Daniel Stenberg | 2019-05-06 | 1 | -2/+2
  Closes #3846
* ConnectionExists: improve non-multiplexing use case | Daniel Stenberg | 2019-05-01 | 1 | -2/+7
  - better log output
  - make sure multiplex is enabled for it to be used
* CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse | Daniel Stenberg | 2019-04-21 | 1 | -1/+22
  ... and disconnect too old ones instead of trying to reuse. Default max age is set to 118 seconds.
  Ref: #3722
  Closes #3782