summaryrefslogtreecommitdiff
path: root/lib/urlapi.c
Commit message (Collapse)AuthorAgeFilesLines
* misc: fix "warning: empty expression statement has no effect"Daniel Stenberg2020-12-261-6/+8
| | | | | | | | | | Turned several macros into do-while(0) style to allow their use to work find with semicolon. Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279 Follow-up to 08e8455dddc5e4 Reported-by: Gisle Vanem Closes #6376
* urlapi: don't accept blank port number field without schemeDaniel Stenberg2020-12-071-4/+9
| | | | | | | | | | ... as it makes the URL parser accept "very-long-hostname://" as a valid host name and we don't want that. The parser now only accepts a blank (no digits) after the colon if the URL starts with a scheme. Reported-by: d4d on hackerone Closes #6283
* curl.se: new homeDaniel Stenberg2020-11-041-1/+1
| | | | Closes #6172
* urlapi: URL encode a '+' in the query partDaniel Stenberg2020-10-151-20/+7
| | | | | | | | | ... when asked to with CURLU_URLENCODE. Extended test 1560 to verify. Reported-by: Dietmar Hauser Fixes #6086 Closes #6087
* urlapi: use more Curl_safefreeEmil Engler2020-09-171-4/+2
| | | | Closes #5968
* terminology: call them null-terminated stringsDaniel Stenberg2020-06-281-4/+4
| | | | | | | | | | | Updated terminology in docs, comments and phrases to refer to C strings as "null-terminated". Done to unify with how most other C oriented docs refer of them and what users in general seem to prefer (based on a single highly unscientific poll on twitter). Reported-by: coinhubs on github Fixes #5598 Closes #5608
* escape: make the URL decode able to reject only %00 bytesDaniel Stenberg2020-06-251-1/+4
| | | | | | ... or all "control codes" or nothing. Assisted-by: Nicolas Sterchele
* urlapi: accept :: as a valid IPv6 addressDaniel Stenberg2020-05-081-1/+1
| | | | | | | | Text 1560 is extended to verify. Reported-by: Pavel Volgarev Fixes #5344 Closes #5351
* urlapi: guess scheme correct even with credentials givenDaniel Stenberg2020-01-281-31/+37
| | | | | | | | | In the "scheme-less" parsing case, we need to strip off credentials first before we guess scheme based on the host name! Assisted-by: Jay Satiro Fixes #4856 Closes #4857
* urlapi: fix use-after-free bugDaniel Stenberg2019-10-031-35/+36
| | | | | | | | | | | Follow-up from 2c20109a9b5d04 Added test 663 to verify. Reported by OSS-Fuzz Bug: https://crbug.com/oss-fuzz/17954 Closes #4453
* urlapi: fix URL encoding when setting a full URLDaniel Stenberg2019-10-021-1/+16
|
* urlapi: fix unused variable warningMarcel Raad2019-10-011-0/+2
| | | | | | `dest` is only used with `ENABLE_IPV6`. Closes https://github.com/curl/curl/pull/4444
* urlapi: question mark within fragment is still fragmentDaniel Stenberg2019-09-241-4/+4
| | | | | | | | | | | The parser would check for a query part before fragment, which caused it to do wrong when the fragment contains a question mark. Extended test 1560 to verify. Reported-by: Alex Konev Fixes #4412 Closes #4413
* urlapi: avoid index underflow for short ipv6 hostnamesPaul Dreik2019-09-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If the input hostname is "[", hlen will underflow to max of size_t when it is subtracted with 2. hostname[hlen] will then cause a warning by ubsanitizer: runtime error: addition of unsigned offset to 0x<snip> overflowed to 0x<snip> I think that in practice, the generated code will work, and the output of hostname[hlen] will be the first character "[". This can be demonstrated by the following program (tested in both clang and gcc, with -O3) int main() { char* hostname=strdup("["); size_t hlen = strlen(hostname); hlen-=2; hostname++; printf("character is %d\n",+hostname[hlen]); free(hostname-1); } I found this through fuzzing, and even if it seems harmless, the proper thing is to return early with an error. Closes #4389
* urlapi: Expression 'storep' is always trueDaniel Stenberg2019-09-201-1/+2
| | | | | Fixes warning detected by PVS-Studio Fixes #4374
* urlapi: 'scheme' is always trueDaniel Stenberg2019-09-201-16/+15
| | | | | Fixes warning detected by PVS-Studio Fixes #4374
* urlapi: part of conditional expression is always true: (relurl[0] == '/')Daniel Stenberg2019-09-201-1/+1
| | | | | Fixes warning detected by PVS-Studio Fixes #4374
* urlapi: CURLU_NO_AUTHORITY allows empty authority/host partJens Finkhaeuser2019-09-191-11/+25
| | | | | | | CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not "file:///") to override cURL's default demand that an authority exists. Closes #4349
* urlapi: one colon is enough for the strspn() input (typo)Daniel Stenberg2019-09-101-1/+1
|
* urlapi: verify the IPv6 numerical addressDaniel Stenberg2019-09-101-4/+13
| | | | | | | | | It needs to parse correctly. Otherwise it could be tricked into letting through a-f using host names that libcurl would then resolve. Like '[ab.be]'. Reported-by: Thomas Vegas Closes #4315
* urlapi: increase supported scheme length to 40 bytesOmar Ramadan2019-05-201-2/+5
| | | | | | | The longest currently registered URI scheme at IANA is 36 bytes long. Closes #3905 Closes #3900
* lib: reduce variable scopesMarcel Raad2019-05-201-2/+2
| | | | | | Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
* urlapi: require a non-zero host name length when parsing URLDaniel Stenberg2019-05-141-0/+2
| | | | | | Updated test 1560 to verify. Closes #3880
* urlapi: add CURLUPART_ZONEID to set and getDaniel Stenberg2019-05-051-13/+22
| | | | | | | | The zoneid can be used with IPv6 numerical addresses. Updated test 1560 to verify. Closes #3834
* urlapi: strip off scope id from numerical IPv6 addressesDaniel Stenberg2019-05-031-9/+54
| | | | | | | | | | ... to make the host name "usable". Store the scope id and put it back when extracting a URL out of it. Also makes curl_url_set() syntax check CURLUPART_HOST. Fixes #3817 Closes #3822
* CURL_MAX_INPUT_LENGTH: largest acceptable string input sizeDaniel Stenberg2019-04-291-0/+8
| | | | | | | | | | | | | | | | | This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set(). The 8000000 number is arbitrary picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over. NOTE: This does not apply to `CURLOPT_POSTFIELDS`. Test 1559 verifies. Closes #3805
* urlapi: stricter CURLUPART_PORT parsingDaniel Stenberg2019-04-131-2/+9
| | | | | | | | | | | Only allow well formed decimal numbers in the input. Document that the number MUST be between 1 and 65535. Add tests to test 1560 to verify the above. Ref: https://github.com/curl/curl/issues/3753 Closes #3762
* urlapi: urlencode characters above 0x7f correctlyJakub Zakrzewski2019-04-071-3/+3
| | | | | fixes #3741 Closes #3742
* cleanup: make local functions staticDaniel Stenberg2019-02-101-12/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | urlapi: turn three local-only functions into statics conncache: make conncache_find_first_connection static multi: make detach_connnection static connect: make getaddressinfo static curl_ntlm_core: make hmac_md5 static http2: make two functions static http: make http_setup_conn static connect: make tcpnodelay static tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds ... and mark Curl_shuffle_addr accordingly. url: make up_free static setopt: make vsetopt static curl_endian: make write32_le static rtsp: make rtsp_connisdead static warnless: remove unused functions memdebug: remove one unused function, made another static
* urlapi: reduce variable scope, remove unreachable 'break'Daniel Stenberg2019-02-091-10/+10
| | | | | | Both nits pointed out by codacy.com Closes #3540
* urlapi: fix parsing ipv6 with zone indexDaniel Gustafsson2018-12-301-2/+5
| | | | | | | | | | | | | | The previous fix for parsing IPv6 URLs with a zone index was a paddle short for URLs without an explicit port. This patch fixes that case and adds a unit test case. This bug was highlighted by issue #3408, and while it's not the full fix for the problem there it is an isolated bug that should be fixed regardless. Closes #3411 Reported-by: GitYuanQu on github Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* urlapi: distinguish possibly empty queryLeonardo Taccari2018-12-131-3/+3
| | | | | | | | | | If just a `?' to indicate the query is passed always store a zero length query instead of having a NULL query. This permits to distinguish URL with trailing `?'. Fixes #3369 Closes #3370
* urlapi: Fix port parsing of eol colonDaniel Gustafsson2018-12-121-16/+16
| | | | | | | | | A URL with a single colon without a portnumber should use the default port, discarding the colon. Fix, add a testcase and also do little bit of comment wordsmithing. Closes #3365 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* tests: add urlapi unittestDaniel Gustafsson2018-12-111-2/+8
| | | | | | | | | | This adds a new unittest intended to cover the internal functions in the urlapi code, starting with parse_port(). In order to avoid name collisions in debug builds, parse_port() is renamed Curl_parse_port() since it will be exported. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* urlapi: fix portnumber parsing for ipv6 zone indexDaniel Gustafsson2018-12-111-6/+20
| | | | | | | | | | | | | | An IPv6 URL which contains a zone index includes a '%%25<zode id>' string before the ending ']' bracket. The parsing logic wasn't set up to cope with the zone index however, resulting in a malformed url error being returned. Fix by breaking the parsing into two stages to correctly handle the zone index. Closes #3355 Closes #3319 Reported-by: tonystz on Github Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* snprintf: renamed and we now only use msnprintf()Daniel Stenberg2018-11-231-5/+5
| | | | | | | | | | | The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
* urlapi: only skip encoding the first '=' with APPENDQUERY setDaniel Stenberg2018-11-071-1/+6
| | | | | | | | | APPENDQUERY + URLENCODE would skip all equals signs but now it only skip encoding the first to better allow "name=content" for any content. Reported-by: Alexey Melnichuk Fixes #3231 Closes #3231
* url: a short host name + port is not a schemeDaniel Stenberg2018-11-061-1/+1
| | | | | | | | | | | | | | | | | | | The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203. Assisted-by: Marcel Raad Reported-by: Hagai Auro Fixes #3220 Fixes #3233 Closes #3223 Closes #3235
* Revert "url: a short host name + port is not a scheme"Daniel Stenberg2018-11-051-1/+1
| | | | | | | This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
* url: a short host name + port is not a schemeDaniel Stenberg2018-11-031-1/+1
| | | | | | | | | | | | The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
* URL: fix IPv6 numeral address parserDaniel Stenberg2018-11-031-2/+6
| | | | | | | | Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
* urlapi: starting with a drive letter on win32 is not an abs urlDaniel Stenberg2018-10-021-14/+18
| | | | | | | | | | ... and libcurl doesn't support any single-letter URL schemes (if there even exist any) so it should be fairly risk-free. Reported-by: Marcel Raad Fixes #3070 Closes #3071
* urlapi: fix support for address scope in IPv6 numerical addressesDaniel Stenberg2018-09-211-6/+2
| | | | Closes #3024
* urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptanceDaniel Stenberg2018-09-191-11/+37
| | | | | | | | | | | | | | | In order for this API to fully work for libcurl itself, it now offers a CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host name prefix just like libcurl always did. If there's no known prefix, it will guess "http://". Separately, it relaxes the check of the host name so that IDN host names can be passed in as well. Both these changes are necessary for libcurl itself to use this API. Assisted-by: Daniel Gustafsson Closes #3018
* urlapi: don't set value which is never readDaniel Gustafsson2018-09-191-1/+0
| | | | | | | | | In the CURLUPART_URL case, there is no codepath which invokes url decoding so remove the assignment of the urldecode variable. This fixes the deadstore bug-report from clang static analysis. Closes #3015 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* misc: fix typos in commentsDaniel Gustafsson2018-09-101-1/+1
| | | | Closes #2963
* urlapi: avoid derefencing a possible NULL pointerDaniel Stenberg2018-09-081-2/+2
| | | | Coverity CID 1439134
* URL-APIDaniel Stenberg2018-09-081-0/+1315
See header file and man pages for API. All documented API details work and are tested in the 1560 test case. Closes #2842
View Lorry Controller Status