path: root/lib
Commit message (Author, Age, Files, Lines)
* openssl: fix build error with OpenSSL < 1.0.2 (Georeth Zhou, 2021-04-20, 1 file, -2/+2)
  Closes https://github.com/curl/curl/pull/6920
* urlapi: "normalize" numerical IPv4 host names (Daniel Stenberg, 2021-04-19, 1 file, -2/+90)
  When the host name in a URL is given as an IPv4 numerical address, the address can be specified with dotted numericals in four different ways: a32, a.b24, a.b.c16 or a.b.c.d and each part can be specified in decimal, octal (0-prefixed) or hexadecimal (0x-prefixed). Instead of passing on the name as-is and leaving the handling to the underlying name functions, which made them not work with c-ares but work with getaddrinfo, this change now makes the curl URL API itself detect and "normalize" host names specified as IPv4 numericals. The WHATWG URL Spec says this is an okay way to specify a host name in a URL. RFC 3896 does not allow them, but curl didn't prevent them before and it seems other RFC 3896-using tools have not either. Host names used like this are widely supported by other tools as well due to the handling being done by getaddrinfo and friends. I decided to add the functionality into the URL API itself so that all users of these functions get the benefits, when for example wanting to compare two URLs. Also, it makes curl built to use c-ares now support them as well and make curl builds more consistent. The normalization makes HTTPS and virtual hosted HTTP work fine even when curl gets the address specified using one of the "obscure" formats. Test 1560 is extended to verify.
  Fixes #6863
  Closes #6871
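The four forms described in the commit above are also the classic way to slip a loopback or link-local address past a host-based allow/deny list that compares raw strings ("127.0.0.1" is blocked, "2130706433" or "0x7f.1" is not). The following is an added example written for this page, not curl's own implementation: it accepts the a, a.b, a.b.c and a.b.c.d forms with decimal, octal and hex parts, enforces the per-part ranges, and canonicalizes to dotted decimal so that any later comparison sees one spelling. Rejecting "0x" with no digits and a trailing dot are choices made here, not claims about curl's behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one dotted part as decimal, 0-prefixed octal or 0x-prefixed hex.
   Rejects empty parts, stray characters, "0x" without digits (a choice made
   in this example) and values that do not fit in 32 bits. */
static bool parse_part(const char *s, size_t len, unsigned long *out)
{
    unsigned long base = 10, v = 0;

    if(len > 1 && s[0] == '0') {
        if(s[1] == 'x' || s[1] == 'X') {
            base = 16;
            s += 2;
            len -= 2;
        }
        else {
            base = 8;
            s += 1;
            len -= 1;
        }
    }
    if(len == 0)
        return false;

    for(size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        unsigned long d;
        if(c >= '0' && c <= '9')
            d = c - '0';
        else if(base == 16 && c >= 'a' && c <= 'f')
            d = c - 'a' + 10;
        else if(base == 16 && c >= 'A' && c <= 'F')
            d = c - 'A' + 10;
        else
            return false;
        if(d >= base)
            return false;            /* e.g. "08" is not valid octal */
        if(v > (0xFFFFFFFFUL - d) / base)
            return false;            /* would exceed 32 bits */
        v = v * base + d;
    }
    *out = v;
    return true;
}

/* Normalize a host given as an IPv4 numerical in the forms a, a.b, a.b.c
   or a.b.c.d into dotted-decimal "a.b.c.d" (out must hold 16 bytes).
   Returns false when the name is not such a numerical; a caller would then
   pass the name on to the resolver untouched. */
bool ipv4_normalize(const char *host, char out[16])
{
    unsigned long parts[4];
    unsigned long last_max;
    uint32_t addr;
    int n = 0;
    const char *p = host;

    for(;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if(n == 4)
            return false;                   /* more than four parts */
        if(!parse_part(p, len, &parts[n++]))
            return false;
        if(!dot)
            break;
        p = dot + 1;
    }

    /* Every part but the last is one byte; the last part fills the
       remaining bits: a.b.c.d -> 8, a.b.c -> 16, a.b -> 24, a -> 32. */
    for(int i = 0; i < n - 1; i++)
        if(parts[i] > 0xFF)
            return false;
    last_max = 0xFFFFFFFFUL >> (8 * (n - 1));
    if(parts[n - 1] > last_max)
        return false;

    addr = (uint32_t)parts[n - 1];
    for(int i = 0; i < n - 1; i++)
        addr |= (uint32_t)parts[i] << (8 * (3 - i));

    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(addr >> 24),
             (unsigned)((addr >> 16) & 0xFF), (unsigned)((addr >> 8) & 0xFF),
             (unsigned)(addr & 0xFF));
    return true;
}

/* Helper for checks: true when host normalizes to want, or, with
   want == NULL, when host is rejected as not an IPv4 numerical. */
bool normalizes_to(const char *host, const char *want)
{
    char buf[16];
    bool ok = ipv4_normalize(host, buf);
    if(!want)
        return !ok;
    return ok && strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed inputs: the first six all name 127.0.0.1, the rest are invalid. */
    const char *hosts[] = { "127.0.0.1", "127.1", "0x7f.1", "0177.0.0.1",
                            "2130706433", "0x7f000001", "256.1.1.1", "08.1.1.1" };
    for(size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        char buf[16];
        if(ipv4_normalize(hosts[i], buf))
            printf("%-12s -> %s\n", hosts[i], buf);
        else
            printf("%-12s -> not an IPv4 numerical\n", hosts[i]);
    }
    return 0;
}
```

The practical rule this illustrates: run any host-based policy check on the normalized output, never on the raw string, because every spelling in the list above reaches the same socket address once getaddrinfo (or curl's URL API after this change) has parsed it.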
* libssh: fix "empty expression statement has no effect" warnings (Daniel Stenberg, 2021-04-19, 1 file, -39/+63)
  ... by fixing macros to do-while constructs and moving out the calls to "break" outside of the actual macro. It also fixes the problem where the macro was used within a loop and the break didn't do right.
  Reported-by: Emil Engler
  Fixes #6847
  Closes #6909
* hsts: enable by default (Daniel Stenberg, 2021-04-19, 9 files, -19/+26)
  No longer considered experimental.
  Closes #6700
* vtls: refuse setting any SSL version (Daniel Stenberg, 2021-04-19, 7 files, -144/+20)
  ... previously they were supported if a TLS library would (unexpectedly) still support them, but from this change they will be refused already in curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for many years now.
  Closes #6773
* openldap: protect SSL-specific code with proper #ifdef (Daniel Stenberg, 2021-04-15, 1 file, -0/+2)
  Closes #6901
* libssh2: fix Value stored to 'sshp' is never read (Daniel Stenberg, 2021-04-15, 1 file, -3/+1)
  Pointed out by scan-build
  Closes #6900
* rustls: only return CURLE_AGAIN when TLS session is fully drained (Javier Blazquez, 2021-04-15, 1 file, -5/+8)
  The code in cr_recv was returning prematurely as soon as the socket reported no more data to read. However, this could be leaving some unread plaintext data in the rustls session from a previous call, causing the transfer to hang if the socket never receives further data. We need to ensure that the session is fully drained of plaintext data before returning CURLE_AGAIN to the caller.
  Reviewed-by: Jacob Hoffman-Andrews
  Closes #6894
* cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies (Daniel Stenberg, 2021-04-14, 1 file, -0/+14)
  Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears the cookiejar from memory.
  Reported-by: Stefan Karpinski
  Fixes #6889
  Closes #6891
* ngtcp2: Use ALPN h3-29 for now (Tatsuhiro Tsujikawa, 2021-04-13, 1 file, -4/+6)
  Fixes #6864
  Closes #6886
* ntlm: fix negotiated flags usage (Patrick Monnerat, 2021-04-09, 1 file, -13/+19)
  According to Microsoft document MS-NLMP, current flags usage is not accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of extended security in an NTLM authentication message and NTLM version 2 cannot be negotiated within the protocol. The solution implemented here is: if the extended security flag is set, prefer using NTLM version 2 (as a server featuring extended security should also support version 2). If version 2 has been disabled at compile time, use extended security. Tests involving NTLM are adjusted to this new behavior.
  Fixes #6813
  Closes #6849
* ntlm: support version 2 on 32-bit platforms (Patrick Monnerat, 2021-04-09, 3 files, -19/+66)
  Closes #6849
* curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION (Patrick Monnerat, 2021-04-09, 1 file, -3/+2)
  ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the whole NTLM.
  Closes #6849
* lib: remove unused HAVE_INET_NTOA_R* defines (Daniel Stenberg, 2021-04-08, 2 files, -18/+0)
  Closes #6867
* configure: include <time.h> unconditionally (Michael Forney, 2021-04-07, 1 file, -7/+1)
  In 2682e5f5, several instances of AC_HEADER_TIME were removed since it is a deprecated autoconf macro. However, this was the macro that defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h> can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still used in the configure test body and since it is no longer defined, <time.h> is *not* included on systems that have <sys/time.h>. In particular, at least on musl libc and glibc, <sys/time.h> does not implicitly include <time.h> and does not declare clock_gettime, gmtime_r, or localtime_r. This causes configure to fail to detect those functions.
  The AC_HEADER_TIME macro deprecation text says
  > All current systems provide time.h; it need not be checked for.
  > Not all systems provide sys/time.h, but those that do, all allow
  > you to include it and time.h simultaneously.
  So, to fix this issue, simply include <time.h> unconditionally when testing for time-related functions and in libcurl, and don't bother checking for it.
  Closes #6859
* configure: remove use of RETSIGTYPE (Michael Forney, 2021-04-07, 14 files, -44/+7)
  This was previously defined by the obsolete AC_TYPE_SIGNAL macro, which was removed in 2682e5f5. The deprecation text says
  > Your code may safely assume C89 semantics that RETSIGTYPE is void.
  So, remove it and just use void instead.
  Closes #6861
* ngtcp2+gnutls: clear credentials when freed (Daniel Stenberg, 2021-04-07, 1 file, -1/+3)
  ... to avoid double-free.
  Reported-by: Kenneth Davidson
  Fixes #6824
  Closes #6856
* libssh: get rid of PATH_MAX (Emil Engler, 2021-04-05, 1 file, -4/+3)
  This removes the last occurrence of PATH_MAX inside our libssh implementation by calculating the path length from the string length of the two components.
  Closes #6829
* http_proxy: only loop on 407 + close if we have credentials (Daniel Stenberg, 2021-04-05, 1 file, -1/+2)
  ... to fix the retry-loop. Add test 718 to verify.
  Reported-by: Daniel Kurečka
  Fixes #6828
  Closes #6850
* h2: allow 100 streams by default (Daniel Stenberg, 2021-04-05, 1 file, -1/+1)
  instead of 13, before the server has told how many streams it accepts. The server can always reject new streams anyway if we go above what it accepts.
  Ref: #6826
  Closes #6852
* file: support GETing directories again (Luke Granger-Brown, 2021-04-05, 1 file, -12/+17)
  After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an expected_size for directories. This has the upshot that when we compare even an empty Range with the available size, we fail. This brings back the previous behaviour, which was to succeed, but with empty content. This also removes the "Accept-ranges: bytes" header, which is nonsensical on directories.
  Adds test 3016
  Fixes #6845
  Closes #6846
* TLS: fix HTTP/2 selection (Daniel Stenberg, 2021-04-02, 7 files, -8/+8)
  for GnuTLS, BearSSL, mbedTLS, NSS, SChannel, Secure Transport and wolfSSL...
  Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
  Reported-by: Kenneth Davidson
  Reported-by: romamik on github
  Fixes #6825
  Closes #6827
* hostip: Fix for builds that disable all asynchronous DNS (Jay Satiro, 2021-04-02, 1 file, -0/+2)
  - Define Curl_resolver_error function only when USE_CURL_ASYNC.
  Prior to this change building curl without an asynchronous resolver backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is also asynchronous but independent of resolver backend) would cause a build error since Curl_resolver_error is called by and evaluates variables only available in asynchronous builds.
  Reported-by: Benbuck Nason
  Fixes https://github.com/curl/curl/issues/6831
  Closes https://github.com/curl/curl/pull/6832
* openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY (Gilles Vollant, 2021-03-31, 1 file, -52/+56)
  Reported-by: Christian Schmitz
  Fixes #6816
  Closes #6820
* define: remove CURL_DISABLE_NTLM ifdefs [branch: bagder/disable-scan-improvement] (Daniel Stenberg, 2021-03-29, 2 files, -4/+1)
  It was never defined anywhere. Fixed disable-scan (test 1165) to also scan headers, which found this issue.
  Closes #6809
* vtls: fix addsessionid for non-proxy builds (Daniel Stenberg, 2021-03-29, 1 file, -3/+0)
  Follow-up to b09c8ee15771c61
  Fixes #6812
  Closes #6811
* cmake: support WinIDN (Li Xinwei, 2021-03-29, 1 file, -0/+6)
  Closes #6807
* transfer: clear 'referer' in declaration (Daniel Stenberg, 2021-03-29, 1 file, -2/+2)
  To silence (false positive) compiler warnings about it.
  Follow-up to 7214288898f5625
  Reviewed-by: Marcel Raad
  Closes #6810
* vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() (Daniel Stenberg, 2021-03-28, 10 files, -44/+103)
  To make sure we set and extract the correct session.
  Reported-by: Mingtao Yang
  Bug: https://curl.se/docs/CVE-2021-22890.html
  CVE-2021-22890
* transfer: strip credentials from the auto-referer header field (Viktor Szakats, 2021-03-28, 1 file, -2/+23)
  Added test 2081 to verify.
  CVE-2021-22876
  Bug: https://curl.se/docs/CVE-2021-22876.html
* curl_sasl: fix compiler error with --disable-crypto-auth (Daniel Stenberg, 2021-03-28, 1 file, -2/+1)
  ... if libgsasl was found.
  Closes #6806
* ldap: only set the callback ptr for TLS context when TLS is used (Patrick Monnerat, 2021-03-28, 1 file, -4/+5)
  Follow-up to a5eee22e594c2460f
  Fixes #6804
  Closes #6805
* copyright: update copyright year ranges to 2021 (Daniel Stenberg, 2021-03-27, 8 files, -8/+9)
  Reviewed-by: Emil Engler
  Closes #6802
* send_speed: simplify the checks for if a speed limit is set (Daniel Stenberg, 2021-03-27, 3 files, -7/+7)
  ... as we know the value cannot be set to negative: enforced by setopt()
* http: cap body data amount during send speed limiting (Daniel Stenberg, 2021-03-27, 2 files, -11/+40)
  By making sure never to send off more than the allowed number of bytes per second the speed limit logic is given more room to actually work.
  Reported-by: Fabian Keil
  Bug: https://curl.se/mail/lib-2021-03/0042.html
  Closes #6797
* urldata: merge "struct DynamicStatic" into "struct UrlState" (Daniel Stenberg, 2021-03-26, 16 files, -141/+127)
  Both were used for the same purposes and there was no logical separation between them. Combined, this also saves 16 bytes in less holes in my test build.
  Closes #6798
* openssl: ensure to check SSL_CTX_set_alpn_protos return values (Jean-Philippe Menil, 2021-03-25, 1 file, -1/+4)
  SSL_CTX_set_alpn_protos() returns 0 on success, and non-0 on failure
  Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
  Closes #6794
* multi: close the connection when h2=>h1 downgrading (Daniel Stenberg, 2021-03-25, 1 file, -0/+1)
  Otherwise libcurl is likely to reuse the connection again in the next attempt since the connection reuse logic doesn't take downgrades into account.
  Reported-by: Anthony Ramine
  Fixes #6788
  Closes #6793
* openssl: set the transfer pointer for logging early (Daniel Stenberg, 2021-03-25, 1 file, -0/+1)
  Otherwise, the transfer will be NULL in the trace function when the early handshake details arrive and then curl won't show them.
  Regression in 7.75.0
  Reported-by: David Hu
  Fixes #6783
  Closes #6792
* openldap: disconnect better (Daniel Stenberg, 2021-03-24, 1 file, -1/+1)
  Instead of clearing the callback argument in disconnect, set it to the (new) transfer to make sure the correct data is passed to the callbacks.
  Follow-up to e467ea3bd937f38
  Assisted-by: Patrick Monnerat
  Closes #6787
* libssh2: kdb_callback: get the right struct pointer (Daniel Stenberg, 2021-03-23, 1 file, -2/+2)
  After the recent conn/data refactor in this source file, this function was mistakenly still getting the old struct pointer which would lead to crash on servers with keyboard-interactive auth enabled.
  Follow-up to a304051620b92e12b (shipped in 7.75.0)
  Reported-by: Christian Schmitz
  Fixes #6691
  Closes #6782
* tftp: remove unused struct fields (Daniel Stenberg, 2021-03-23, 1 file, -7/+0)
  Follow-up to d3d90ad9c00530d
  Closes #6781
* openldap: avoid NULL pointer dereferences (Daniel Stenberg, 2021-03-23, 1 file, -15/+25)
  Follow-up to a59c33ceffb8f78
  Reported-by: Patrick Monnerat
  Fixes #6676
  Closes #6780
* http: strip default port from URL sent to proxy (Daniel Stenberg, 2021-03-23, 1 file, -1/+1)
  To make sure the Host: header and the URL provide the same authority portion when sent to the proxy, strip the default port number from the URL if one was provided.
  Reported-by: Michael Brown
  Fixes #6769
  Closes #6778
* tftp: remove the 3600 second default timeout (Daniel Stenberg, 2021-03-22, 1 file, -38/+22)
  ... it was never meant to be there.
  Reported-by: Tomas Berger
  Fixes #6774
  Closes #6776
* ngtcp2: sync with recent API updates (Daniel Stenberg, 2021-03-22, 1 file, -2/+4)
  Closes #6770
* libssh2:ssh_connect: clear session pointer after free (Daniel Stenberg, 2021-03-21, 1 file, -0/+1)
  If libssh2_knownhost_init() returns NULL, like in an OOM situation, the ssh session was freed but the pointer wasn't cleared which made libcurl later call libssh2 to cleanup using the stale pointer.
  Fixes #6764
  Closes #6766
* rustls: Handle close_notify. (Jacob Hoffman-Andrews, 2021-03-21, 1 file, -2/+6)
  If we get a close_notify, treat that as EOF. If we get an EOF from the TCP stream, treat that as an error (because we should have ended the connection earlier, when we got a close_notify).
  Closes #6763
* docs: Explain DOH transfers inherit some SSL settings (Jay Satiro, 2021-03-17, 1 file, -1/+5)
  - Document in DOH that some SSL settings are inherited but DOH hostname and peer verification are not and are controlled separately.
  - Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but we're considering changing behavior to no longer inherit it. Request feedback.
  Closes https://github.com/curl/curl/pull/6688
* http: make 416 not fail with resume + CURLOPT_FAILONERROR (Daniel Stenberg, 2021-03-17, 1 file, -0/+8)
  When asked to resume a download, libcurl will convert that to HTTP logic and if then the entire file is already transferred it will result in a 416 response from the HTTP server. With CURLOPT_FAILONERROR set in that scenario, it should *not* lead to an error return.
  Updated test 1156, added test 1273
  Reported-by: Jonathan Watt
  Fixes #6740
  Closes #6753