path: root/lib/urlapi.c
Commit message | Author | Age | Files | Lines
* CURL_MAX_INPUT_LENGTH: largest acceptable string input size | Daniel Stenberg | 2019-04-29 | 1 | -0/+8
  This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set().
  The 8000000 number is arbitrarily picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over.
  NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
  Test 1559 verifies.
  Closes #3805
* urlapi: stricter CURLUPART_PORT parsing | Daniel Stenberg | 2019-04-13 | 1 | -2/+9
  Only allow well formed decimal numbers in the input.
  Document that the number MUST be between 1 and 65535.
  Add tests to test 1560 to verify the above.
  Ref: https://github.com/curl/curl/issues/3753
  Closes #3762
* urlapi: urlencode characters above 0x7f correctly | Jakub Zakrzewski | 2019-04-07 | 1 | -3/+3
  fixes #3741
  Closes #3742
* cleanup: make local functions static | Daniel Stenberg | 2019-02-10 | 1 | -12/+6
  urlapi: turn three local-only functions into statics
  conncache: make conncache_find_first_connection static
  multi: make detach_connnection static
  connect: make getaddressinfo static
  curl_ntlm_core: make hmac_md5 static
  http2: make two functions static
  http: make http_setup_conn static
  connect: make tcpnodelay static
  tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds ... and mark Curl_shuffle_addr accordingly.
  url: make up_free static
  setopt: make vsetopt static
  curl_endian: make write32_le static
  rtsp: make rtsp_connisdead static
  warnless: remove unused functions
  memdebug: remove one unused function, made another static
* urlapi: reduce variable scope, remove unreachable 'break' | Daniel Stenberg | 2019-02-09 | 1 | -10/+10
  Both nits pointed out by codacy.com
  Closes #3540
* urlapi: fix parsing ipv6 with zone index | Daniel Gustafsson | 2018-12-30 | 1 | -2/+5
  The previous fix for parsing IPv6 URLs with a zone index was a paddle short for URLs without an explicit port. This patch fixes that case and adds a unit test case.
  This bug was highlighted by issue #3408, and while it's not the full fix for the problem there it is an isolated bug that should be fixed regardless.
  Closes #3411
  Reported-by: GitYuanQu on github
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* urlapi: distinguish possibly empty query | Leonardo Taccari | 2018-12-13 | 1 | -3/+3
  If just a `?' to indicate the query is passed always store a zero length query instead of having a NULL query.
  This permits to distinguish URL with trailing `?'.
  Fixes #3369
  Closes #3370
* urlapi: Fix port parsing of eol colon | Daniel Gustafsson | 2018-12-12 | 1 | -16/+16
  A URL with a single colon without a portnumber should use the default port, discarding the colon. Fix, add a testcase and also do little bit of comment wordsmithing.
  Closes #3365
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* tests: add urlapi unittest | Daniel Gustafsson | 2018-12-11 | 1 | -2/+8
  This adds a new unittest intended to cover the internal functions in the urlapi code, starting with parse_port(). In order to avoid name collisions in debug builds, parse_port() is renamed Curl_parse_port() since it will be exported.
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* urlapi: fix portnumber parsing for ipv6 zone index | Daniel Gustafsson | 2018-12-11 | 1 | -6/+20
  An IPv6 URL which contains a zone index includes a '%%25<zode id>' string before the ending ']' bracket. The parsing logic wasn't set up to cope with the zone index however, resulting in a malformed url error being returned. Fix by breaking the parsing into two stages to correctly handle the zone index.
  Closes #3355
  Closes #3319
  Reported-by: tonystz on Github
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* snprintf: renamed and we now only use msnprintf() | Daniel Stenberg | 2018-11-23 | 1 | -5/+5
  The function does not return the same value as snprintf() normally does, so readers may be misled into thinking the code works differently than it actually does. A different function name makes this easier to detect.
  Reported-by: Tomas Hoger
  Assisted-by: Daniel Gustafsson
  Fixes #3296
  Closes #3297
* urlapi: only skip encoding the first '=' with APPENDQUERY set | Daniel Stenberg | 2018-11-07 | 1 | -1/+6
  APPENDQUERY + URLENCODE would skip all equals signs but now it only skips encoding the first to better allow "name=content" for any content.
  Reported-by: Alexey Melnichuk
  Fixes #3231
  Closes #3231
* url: a short host name + port is not a scheme | Daniel Stenberg | 2018-11-06 | 1 | -1/+1
  The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number.
  Extended test 1560 to verify.
  Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203.
  Assisted-by: Marcel Raad
  Reported-by: Hagai Auro
  Fixes #3220
  Fixes #3233
  Closes #3223
  Closes #3235
* Revert "url: a short host name + port is not a scheme" | Daniel Stenberg | 2018-11-05 | 1 | -1/+1
  This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2.
  This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
* url: a short host name + port is not a scheme | Daniel Stenberg | 2018-11-03 | 1 | -1/+1
  The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number.
  Extended test 1560 to verify.
  Reported-by: Hagai Auro
  Fixes #3220
  Closes #3223
* URL: fix IPv6 numeral address parser | Daniel Stenberg | 2018-11-03 | 1 | -2/+6
  Regression from 46e164069d1a52. Extended test 1560 to verify.
  Reported-by: tpaukrt on github
  Fixes #3218
  Closes #3219
* urlapi: starting with a drive letter on win32 is not an abs url | Daniel Stenberg | 2018-10-02 | 1 | -14/+18
  ... and libcurl doesn't support any single-letter URL schemes (if there even exist any) so it should be fairly risk-free.
  Reported-by: Marcel Raad
  Fixes #3070
  Closes #3071
* urlapi: fix support for address scope in IPv6 numerical addresses | Daniel Stenberg | 2018-09-21 | 1 | -6/+2
  Closes #3024
* urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance | Daniel Stenberg | 2018-09-19 | 1 | -11/+37
  In order for this API to fully work for libcurl itself, it now offers a CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host name prefix just like libcurl always did. If there's no known prefix, it will guess "http://".
  Separately, it relaxes the check of the host name so that IDN host names can be passed in as well.
  Both these changes are necessary for libcurl itself to use this API.
  Assisted-by: Daniel Gustafsson
  Closes #3018
* urlapi: don't set value which is never read | Daniel Gustafsson | 2018-09-19 | 1 | -1/+0
  In the CURLUPART_URL case, there is no codepath which invokes url decoding so remove the assignment of the urldecode variable. This fixes the deadstore bug-report from clang static analysis.
  Closes #3015
  Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* misc: fix typos in comments | Daniel Gustafsson | 2018-09-10 | 1 | -1/+1
  Closes #2963
* urlapi: avoid derefencing a possible NULL pointer | Daniel Stenberg | 2018-09-08 | 1 | -2/+2
  Coverity CID 1439134
* URL-API | Daniel Stenberg | 2018-09-08 | 1 | -0/+1315
  See header file and man pages for API. All documented API details work and are tested in the 1560 test case.
  Closes #2842