| Commit message (Collapse) | Author | Age | Files | Lines |
| |
| |
For the HMAC_SHA256 macro.
Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
Follow-up to 08e8455dddc5e4
Reported-by: Gisle Vanem
| |
... as failf adds one itself.
Also: add an assert() to failf() that triggers on a newline in the
format string!
Closes #6365
| |
Paused transfers should not be stopped due to slow speed even when
CURLOPT_LOW_SPEED_LIMIT is set. Additionally, the slow speed timer is
now reset when the transfer is unpaused - as otherwise it would easily
just trigger immediately after unpausing.
Reported-by: Harry Sintonen
Fixes #6358
Closes #6359
| |
... as the socket might be readable all the time when paused and thus
causing a busy-loop.
Reported-by: Harry Sintonen
Reviewed-by: Jay Satiro
Fixes #6356
Closes #6357
| |
This patch allows calling the v4 signature introduced in the previous commit
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
| |
It is a security process for HTTP.
It doesn't seem to be standard, but it is used by some cloud providers.
AWS:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code works with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually
Most of the code is in lib/http_v4_signature.c
Information required by the algorithm:
- The URL
- Current time
- some prefixes that are appended to some of the signature parameters.
The data extracted from the URL are: the URI, the region,
the host and the API type
example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
        ~~~ ~~~~~~~~~             ~~~~~~~~~~~~~~~~~~~~
         ^      ^                          ^
        /        \                        URI
   API type     region
Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
the get data, the canonical header, the signed header
and post data hash
- hash canonical_request
- make str_to_sign using one of the prefixes passed in parameter,
the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix passed in parameter,
the date, and above hash
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
Closes #5703
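The HMAC chain and header construction described in the commit message above, as an added Python example that is not curl's own lib/http_v4_signature.c code. It follows the AWS Signature Version 4 layout (x-amz-date as the date header, a JSON content type, "aws4_request" as the request type); the URL, access key, secret and timestamp are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlsplit

ALGO = "AWS4-HMAC-SHA256"  # the "prefix" the description above refers to

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # HMAC chain in the order listed above: date, region, api type
    # (service), then the fixed request type "aws4_request".
    k = hmac_sha256(("AWS4" + secret).encode(), date)
    k = hmac_sha256(k, region)
    k = hmac_sha256(k, service)
    return hmac_sha256(k, "aws4_request")

def parse_url(url: str):
    # api.eu-west-2.outscale.com -> api type "api", region "eu-west-2"
    parts = urlsplit(url)
    service, region = parts.hostname.split(".")[:2]
    return parts.hostname, service, region, parts.path or "/", parts.query

def sign(url, method, body, access_key, secret, now):
    host, service, region, uri, query = parse_url(url)
    date, ts = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    # Canonical headers (content type, host, date), lowercased and each
    # newline-terminated; signed_headers lists the same names.
    headers = f"content-type:application/json\nhost:{host}\nx-amz-date:{ts}\n"
    signed = "content-type;host;x-amz-date"
    canonical_request = "\n".join(
        [method, uri, query, headers, signed, sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    str_to_sign = "\n".join(
        [ALGO, ts, scope, sha256_hex(canonical_request.encode())])
    key = signing_key(secret, date, region, service)
    sig = hmac_sha256(key, str_to_sign).hex()
    return (f"{ALGO} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

def demo() -> str:
    # Constructed sample request; the access key and secret are placeholders.
    now = datetime.datetime(2020, 12, 1, 12, 0, 0)
    return sign("https://api.eu-west-2.outscale.com/api/latest/ReadNets",
                "POST", b"{}", "EXAMPLEKEY", "examplesecret", now)
```

demo() returns the complete Authorization header value for the constructed sample request; note that the signing key depends only on the date, region and api type, so it can be cached and reused for every request of that day.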
| |
It seems the current hmac implementation uses MD5 for the hash;
the V4 signature requires SHA256, so I've added the needed struct in
this commit.
I've added the functions that do the hmac in the v4 signature file
as a static function, in the next patch of the series,
because it's used only by this file.
Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
| |
The linux kernel does not report all ICMP errors back to userspace due
to historical reasons.
IP*_RECVERR sockopt must be turned on to have the correct behaviour
which is to pass all ICMP errors to userspace.
See https://bugzilla.kernel.org/show_bug.cgi?id=202355
Closes #6341
| |
Identified by clang on windows.
Reported-by: Gisle Vanem
Bug: 58974d25d8173aec154e593ed9d866da566c9811
Closes #6351
| |
... as the mqtt code reuses the "method" originally used for HTTP.
Closes #6344
| |
Fixes #6112
Closes #6135
| |
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28735
Added test 1916 and 1917 to verify.
Closes #6338
| |
... as an alternative HTTP backend within libcurl.
| |
When the initial request isn't possible to send in its entirety, the
remainder of the request would be delivered to the debug callback as data
and would wrongly be counted internally as body-bytes sent.
Extended test 1295 to verify.
Closes #6328
| |
When failing in TOOFAST, the multi_done() wasn't called so the same
cleanup and handling wasn't done like when it fails in PERFORM, which in
the case of FTP could mean that the control connection wouldn't be
marked as "dead" for the CURLE_ABORTED_BY_CALLBACK case. Which caused
ftp_disconnect() to use it to send "QUIT", which could end up waiting
for a response a long time before giving up!
Reported-by: Tomas Berger
Fixes #6333
Closes #6337
| |
This commit introduces a "gophers" handler inside the gopher protocol if
USE_SSL is defined. This protocol is no different than the usual gopher
protocol, with the added TLS encapsulation upon connecting. The protocol
has been adopted in the gopher community, and many people have enabled
TLS in their gopher daemons like geomyidae(8), and clients, like clic(1)
and hurl(1).
I have not implemented test units for this protocol because my knowledge
of Perl is sub-par. However, for someone more knowledgeable it might be
fairly trivial, because the same test that tests the plain gopher
protocol can be used for "gophers" just by adding a TLS listener.
Signed-off-by: parazyd <parazyd@dyne.org>
Closes #6208
| |
OSS-Fuzz found it
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28676
Closes #6327
| |
The error is shown with infof rather than failf so that the user will
see the extended error message information only in verbose mode, and
will still see the standard CURLE_AUTH_ERROR message. For example:
---
* schannel: InitializeSecurityContext failed: SEC_E_QOP_NOT_SUPPORTED
(0x8009030A) - The per-message Quality of Protection is not supported by
the security package
* multi_done
* Connection #1 to host 127.0.0.1 left intact
curl: (94) An authentication function returned an error
---
Ref: https://github.com/curl/curl/issues/6302
Closes https://github.com/curl/curl/pull/6315
| |
To allow the test suite to know if wakeup support is disabled in the
build.
| |
Closes #6296
| |
If supported, defer port selection until connect() time
if --interface is given and source port is 0.
Reproducer:
* start fast webserver on port 80
* starve system of ephemeral ports
$ sysctl net.ipv4.ip_local_port_range="60990 60999"
* start a curl/libcurl "crawler"
$ curl --keepalive --parallel --parallel-immediate --head --interface
127.0.0.2 "http://127.0.0.[1-254]/file[001-002].txt"
current result:
(possibly some successful data)
curl: (45) bind failed with errno 98: Address already in use
result after patch:
(complete success or few connections failing, highly depending on load)
Fail only when all the possible 4-tuple combinations are exhausted,
which is impossible to do when the port is selected at bind() time because
the kernel does not know if the socket will be listen()'ed on or connect()'ed
yet.
Closes #6295
| |
Valgrind will complain about ssrem buffer usage if it is not explicitly
initialized, hence initialize it to zero.
This completes the change initially started in commit 2c0d7212151 ('ftp:
retry getpeername for FTP with TCP_FASTOPEN') where the ssloc buffer has
a similar memset to zero.
Signed-off-by: Hans-Christian Noren Egtvedt <hegtvedt@cisco.com>
Closes #6289
| |
This comment was originally on the `use` field, but was separated from
its field in 62a2534.
Closes https://github.com/curl/curl/pull/6287
| |
CVE-2020-8286
Reported by anonymous
Bug: https://curl.se/docs/CVE-2020-8286.html
| |
CVE-2020-8285
Fixes #6255
Bug: https://curl.se/docs/CVE-2020-8285.html
Reported-by: xnynx on github
| |
The command line tool also independently sets --ftp-skip-pasv-ip by
default.
Ten test cases updated to adapt to the modified --libcurl output.
Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284
Reported-by: Varnavas Papaioannou
| |
... as it makes the URL parser accept "very-long-hostname://" as a valid
host name and we don't want that. The parser now only accepts a blank
(no digits) after the colon if the URL starts with a scheme.
Reported-by: d4d on hackerone
Closes #6283
| |
This reverts commit d2a7d7c185f98df8f3e585e5620cbc0482e45fac.
This commit also reverts the subsequent follow-ups to that commit, which
were all done within windows #ifdefs that are removed in this
change. Marc helped me verify this.
Fixes #6146
Closes #6281
| |
In the case of TFO, the remote host name is not resolved at
connection time.
For FTP that has led to a missing hostname for the secondary connection.
Therefore the name resolution is done at the time when FTP requires it.
Fixes #6252
Closes #6265
Closes #6282
| |
Reported-by: Kovalkov Dmitrii and Per Nilsson
Fixes #6254
Fixes #6256
Closes #6260
| |
Reported-by: Junho Choi
Fixes #6213
Closes #6217
| |
- NGTCP2_CRYPTO_LEVEL_APP -> NGTCP2_CRYPTO_LEVEL_APPLICATION
ngtcp2/ngtcp2@76232e9 changed the name.
ngtcp2 master is required to build curl with http3 support.
Closes https://github.com/curl/curl/pull/6271
| |
The HAVE_LINUX_TCP_H define was not set by cmake.
Closes #6252
| |
... and remove the old unused proto for the old Curl_splayremove
version.
Closes #6269
| |
To fix a memory-leak.
Closes #6267
| |
Follow-up to 4c9768565ec3a9 (from Sep 2008)
Closes #6268
| |
... and simplify the too-long checks somewhat.
Detected by OSS-Fuzz
Closes #6264
| |
Closes #6250
| |
Closes #6250
| |
This field needs to be wide enough to hold sockaddr_in6 when
connecting via IPv6. Otherwise, ngtcp2_conn_read_pkt will drop the
packets because of the address mismatch:
I00000022 [...] con ignore packet from unknown path
We can safely assume that struct sockaddr_storage is available, as it
is used in the public interface of ngtcp2.
Closes #6250
| |
The resolve call is done with the right port number, but the subsequent
check used the wrong one, which then could find a previous resolve which
would return and leave the fresh resolve "incomplete" and leaking
memory.
Fixes #6247
Closes #6253
| |
... so don't define it when instructed to use c-ares!
| |
file_disconnect() is identical with file_do() except for the function header,
but as the arguments are unused anyway, why not just return file_do()
directly!
Reviewed-by: Daniel Stenberg
Closes #6249
| |
Update a few format specifiers to match what is being printed.
Closes #6241