| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
The debug output used ssherr instead of sftperr which not only outputs
the wrong error code but also casues a warning on Windows.
Follow-up to 7370b4e39f1
Reported-by: Gisle Vanem
Bug: https://github.com/curl/curl/commit/7370b4e39f1390e701f5b68d910c619151daf72b#r41334700
Closes #5799
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The shutdown function is for downgrading a connection from TLS to plain,
and this is not requested here.
Have ssl_close reset the TLS connection state.
This partially reverts commit f002c850d98d
Reported-by: Rasmus Melchior Jacobsen
Reported-by: Denis Goleshchikhin
Fixes #5797
|
|
|
|
| |
Closes #5792
|
|
|
|
| |
Closes #5786
|
|
|
|
| |
Closes #5778
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous h2 trailer fix in 54a2b63 was wrong and caused a
regression: it cannot deal with trailers immediately when read since
they may be read off the connection by the wrong 'data' owner.
This change reverts the logic back to gathering all trailers into a
single buffer, like before 54a2b63.
Reported-by: Tadej Vengust
Fixes #5663
Closes #5769
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Classic mingw and 10y+ old versions of mingw-w64 don't ship with
Windows headers having the typedef necessary for Unix Sockets
support, so try detecting these environments to disable this
feature.
Ref: https://sourceforge.net/p/mingw-w64/mingw-w64/ci/cf6afc57179a5910621215f8f4037d406892072c/
Reviewed-by: Daniel Stenberg
Fixes #5674
Closes #5758
|
|
|
|
| |
Closes https://github.com/curl/curl/pull/5754
|
|
|
|
|
|
|
| |
Reported by Codacy.
Reviewed-by: Marcel Raad
Closes #5759
|
|
|
|
|
|
|
|
|
| |
`SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
introduced in LibreSSL 2.9.1 [0].
[0] https://github.com/libressl-portable/openbsd/commit/0db809ee178457c8170abfae3931d7bd13abf3ef
Closes https://github.com/curl/curl/pull/5757
|
|
|
|
|
|
|
|
|
| |
Previously any connect-only connections in a multi handle would be kept
alive until the multi handle was closed. Since these connections cannot
be re-used, they can be marked for closure when the associated easy
handle is removed from the multi handle.
Closes #5749
|
|
|
|
|
|
| |
Reviewed-by: Daniel Stenberg
Closes #5708
|
|
|
|
|
|
|
|
|
|
|
| |
Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
incorrectly used for the location follow, resulting in infinite requests
to the original location.
Reported-by: sspiri@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/5709
Closes https://github.com/curl/curl/pull/5713
|
|
|
|
|
|
|
|
|
| |
They're not thread-safe so they should not be used in libcurl code.
Explictly enabled when deemed necessary and in examples and tests
Reviewed-by: Nicolas Sterchele
Closes #5732
|
|
|
|
| |
Closes #5734
|
|
|
|
|
|
|
|
|
| |
On systems with 32 bit long the expression is always false. Avoid
the warning.
Reported-by: Gisle Vanem
Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232
Closes #5736
|
|
|
|
|
|
|
|
|
|
| |
Previously a file that isn't user-readable but is user-writable would
not be properly avoided and would get overwritten.
Reported-by: BrumBrum on hackerone
Assisted-by: Jay Satiro
Bug: https://hackerone.com/reports/926638
Closes #5731
|
|
|
|
|
|
|
|
|
| |
Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1,
2013-08-02), the easy handle list is not circular but ends with
->next pointing to NULL.
Reported-by: Masaya Suzuki <masayasuzuki@google.com>
Closes #5737
|
|
|
|
|
| |
Reported-by: Tatsuhiro Tsujikawa
Closes #5733
|
|
|
|
|
|
|
|
|
|
|
| |
Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
action but before 7.71.0 that used to switch back to GET and with this
change (assuming the method is still set to HEAD) this behavior is
brought back.
Reported-by: causal-agent on github
Fixes #5725
Closes #5728
|
|
|
|
|
|
|
| |
Also choose a different wolfSSL function to test for NTLM support.
Fixes #5605
Closes #5682
|
|
|
|
|
|
| |
Reported-by: lilongyan-huawei on github
Fixes #5726
Closes #5727
|
|
|
|
|
|
|
|
|
| |
- Avoid re-using retry_after value from preceding request
- Add libtest 3010 to verify
Reported-by: joey-l-us on github
Fixes #5661
Closes #5672
|
|
|
|
|
|
|
|
|
|
| |
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.
Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stack overflows can occur with precisions for integers and floats.
Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);
Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.
The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.
Also see CVE-2016-9586 which partially fixed the float aspect.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Closes https://github.com/curl/curl/pull/5722
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.
Also do not read behind boundaries of illegal format strings.
These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.
Closes https://github.com/curl/curl/pull/5722
|
|
|
|
|
|
|
|
|
| |
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
Closes #5724
|
|
|
|
| |
Closes https://github.com/curl/curl/pull/5704
|
|
|
|
|
|
|
| |
They are marked as deprecated for -mmacosx-version-min >= 10.15,
which might result in warnings-as-errors.
Closes https://github.com/curl/curl/pull/5695
|
|
|
|
|
|
|
| |
It confuses code analyzers with its use of -1 for unsigned value. Also,
a check that's not normally used in strdup() code - and not necessary.
Closes #5697
|
|
|
|
| |
Closes #5690
|
|
|
|
|
|
|
|
|
| |
... by adding support for a new dedicated return code.
Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
|
|
|
|
|
|
|
| |
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.
Closes #5667
|
|
|
|
|
|
|
| |
Provide the HTTP method that was used on the latest request, which might
be relevant for users when there was one or more redirects involved.
Closes #5511
|
|
|
|
|
|
|
| |
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken
Closes #5491
|
|
|
|
|
| |
Detected by Codacy
Closes #5676
|
|
|
|
|
|
|
|
| |
Use the unsigned type (size_t) in the arithmetic of pointers. In this
context, the signed type (ssize_t) is used unnecessarily.
Authored-by: ihsinme on github
Closes #5654
|
|
|
|
|
|
|
|
|
| |
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu
Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
|
|
|
|
|
|
|
|
| |
- not used
- used the wrong number of arguments
- confused the Codeacy code analyzer
Closes #5647
|
|
|
|
| |
Closes #5675
|
|
|
|
|
|
|
|
| |
Added test case 674 to reproduce and verify the bug report.
Fixes #5665
Reported-by: NobodyXu on github
Closes #5673
|
|
|
|
|
|
|
|
| |
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.
Reviewed-by: Nicolas Sterchele
Closes #5666
|
|
|
|
|
|
|
| |
Follow-up to ef86daf4d3
Closes #5650
Fixes #5646
|
|
|
|
|
|
|
|
|
| |
`http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
if `CURL_DISABLE_PROXY` is enabled. Repair the build with that
configuration.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Closes #5645
|
|
|
|
|
| |
Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge")
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Well-behaving HTTP2 servers send two GOAWAY messages. The first
message is a warning that indicates that the server is going to
stop accepting streams. The second one actually closes the stream.
nghttp2 reports this state (and the other state of no more stream
identifiers) via the call nghttp2_session_check_request_allowed().
In this state the client should not create more streams on the
session (tcp connection), and in curl this means that the server
has requested that the connection is closed.
It would be also be possible to put the connclose() call into the
on_http2_frame_recv() function that triggers on the GOAWAY message.
This fixes a bug seen when the client sees the following sequence of
frames:
// advisory GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1]
... some additional frames
// final GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ]
Before this change, curl will attempt to reuse the connection even
after the last stream, will encounter this error:
* Found bundle for host localhost: 0x5595f0a694e0 [can multiplex]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 10443 (#0)
* Using Stream ID: 9 (easy handle 0x5595f0a72e30)
> GET /index.html?5 HTTP/2
> Host: localhost:10443
> user-agent: curl/7.68.0
> accept: */*
>
* stopped the pause stream!
* Connection #0 to host localhost left intact
curl: (16) Error in the HTTP2 framing layer
This error may posion the connection cache, causing future requests
which resolve to the same curl connection to go through the same error
path.
Closes #5643
|
|
|
|
|
|
|
|
|
| |
Confusingly, nghttp2 has two different error code enums:
- nghttp2_error, to be used with nghttp2_strerror
- nghttp2_error_code, to be used with nghttp2_http2_strerror
Closes #5641
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since commit f3d501dc678, if proxy support is disabled, MSVC warns:
url.c : warning C4701: potentially uninitialized local variable
'hostaddr' used
url.c : error C4703: potentially uninitialized local pointer variable
'hostaddr' used
That could actually only happen if both `conn->bits.proxy` and
`CURL_DISABLE_PROXY` were enabled.
Initialize it to NULL to silence the warning.
Closes https://github.com/curl/curl/pull/5638
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 8bc25c590e530de87595d1bb3577f699eb1309b9.
That commit (from #5397) introduced a regression in 7.71.0.
Reported-by: tmkk on github
Fixes #5631
Closes #5632
|
|
|
|
|
|
|
|
| |
ngtcp2 added two new callbacks
Reported-by: Lucien Zürcher
Fixes #5624
Closes #5627
|