| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails. This commit
replaces this with the percent-escaping method for URLs.
As this may introduce incompatibilities with server-side applications, a
new libcurl option CURLOPT_MIME_OPTIONS with bitmask
CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
backslash-escaping. This is controlled by new cli tool option
--form-escape.
New tests and documentation are provided for this feature.
Reported by: Ryan Sleevi
Fixes #7789
Closes #7805
|
| |
|
|
|
|
|
|
|
| |
... and close connections that are too old instead of reusing them.
By default, this behavior is disabled.
Bug: https://curl.se/mail/lib-2021-09/0058.html
Closes #7751
|
| |
|
|
|
|
|
|
|
|
| |
Add curl_url_strerror() to convert CURLUcode into readable string and
facilitate easier troubleshooting in programs using URL API.
Extend CURLUcode with CURLU_LAST for iteration in unit tests.
Update man pages with a mention of new function.
Update example code and tests with new functionality where it fits.
Closes #7605
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.
6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.
Cloes #7176
|
| |
|
|
|
|
|
| |
This flag will be further exposed by adding build options.
Reverts #6809
Closes #7028
|
| |
|
|
|
|
|
|
| |
Looks like the declaration of cpp shoule be const char ** and return
null if convert_version_info_string fails.
Fixes #7134
Closes #7135
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
and Secure Transport (Apple) SSL backends.
Prior to this change PEM certificates could only be imported from a file
and not from memory.
Co-authored-by: moparisthebest@users.noreply.github.com
Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109
Closes https://github.com/curl/curl/pull/6662
|
| |
|
|
|
|
|
|
| |
- Add gsasl_version string and bump to CURLVERSION_TENTH.
Ref: https://curl.se/mail/lib-2021-04/0003.html
Closes https://github.com/curl/curl/pull/6843
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.
- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
to automatically locate and use a client certificate for
authentication, when requested by the server.
- New curl tool options --ssl-auto-client-cert and
--proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.
Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn
Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard
Closes https://github.com/curl/curl/pull/6673
|
| |
|
|
| |
CURLVERSION_HEIGHTH -> CURLVERSION_EIGHTH
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
New functions curl_easy_option_by_name_ccsid() and
curl_easy_option_get_name_ccsid() allows accessing metadata in alternate
character encoding.
This commit also updates curl_version_info_ccsid() to handle info version 9
and adds recent definitions to the ILE/RPG include file.
Documentation updated accordingly.
Reviewed-by: Jon Rumsey
Closes #6574
|
| |
|
|
|
|
|
|
|
|
|
| |
This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
which was removed in 2682e5f5. The deprecation text says
> Your code may safely assume C89 semantics that RETSIGTYPE is void.
So, remove it and just use void instead.
Closes #6861
|
| |
|
|
|
|
|
| |
It was never defined anywhere. Fixed disable-scan (test 1165) to also
scan headers, which found this issue.
Closes #6809
|
| |
|
|
|
| |
Reviewed-by: Emil Engler
Closes #6802
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit e06fa7462ac258c removed support for libgcrypt leaving only
support for nettle which has been the default crypto library in
GnuTLS for a long time. There were however a few conditionals on
USE_GNUTLS_NETTLE which cause compilation errors in the metalink
code (as it used the gcrypt fallback instead as a result). See the
below autobuild for an example of the error:
https://curl.se/dev/log.cgi?id=20210225123226-30704#prob1
This removes all uses of USE_GNUTLS_NETTLE and also removes the
gcrypt support from the metalink code while at it.
Closes #6656
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
| |
|
|
|
|
|
|
|
| |
- add CURLINFO_REFERER libcurl option
- add --write-out '%{referer}' command-line option
- extend --xattr command-line option to fill user.xdg.referrer.url extended
attribute with the referrer (if there was any)
Closes #6591
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
same as their respective counterparts.
- New curl tool options --doh-insecure and --doh-cert-status do the same
as their respective counterparts.
Prior to this change DOH SSL certificate verification settings for
verifyhost and verifypeer were supposed to be inherited respectively
from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
were not. As a result DOH verification remained at the default, ie
enabled, and it was not possible to disable. This commit changes
behavior so that the DOH verification settings are independent and not
inherited.
Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676
Fixes https://github.com/curl/curl/issues/4578
Closes https://github.com/curl/curl/pull/6597
|
| |
|
|
|
|
|
|
| |
chkstrings fails because a new string option that could require codepage
conversion has been added.
Closes #6561
Fixes #6560
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Update build instructions in packages/DOS/README
- Extend 'VPATH' with 'vquic' and 'vssh'.
- Allow 'Makefile.dist' to build both 'lib' and 'src'.
- Allow using the Windows hosted djgpp cross compiler to build for MSDOS
under Windows.
- 'USE_SSL' -> 'USE_OPENSSL'
- Added a 'link_EXE' macro. Etc, etc.
- Linking 'curl.exe' needs '$(CURLX_CFILES)' too.
- Do not pick-up '../lib/djgpp/*.o' files. Recompile locally.
- Generate a gzipped 'tool_hugehelp.c' if 'USE_ZLIB=1'.
- Remove 'djgpp-clean'
- Adapt to new C-ares directory structure
- Use conditional variable assignments
Clarify the 'conditional variable assignment' in 'common.dj'.
Closes https://github.com/curl/curl/pull/6382
|
| |
|
|
| |
Closes #6375
|
| |
|
|
|
|
|
|
| |
Add 'struct' to cast and declaration of cfcdata to fix compilation
error.
Fixes #6292
Closes #6297
|
| |
|
|
| |
Closes #6172
|
| |
|
|
|
|
|
| |
... and make sure 'make checksrc' in the root dir also verifies the
packages/OS400 sources.
Closes https://github.com/curl/curl/pull/6085
|
| |
|
|
|
|
|
|
|
|
|
| |
This fixes the OS400 build and also an incorrect entry for
CURLINFO_APPCONNECT_TIME_T where it was treated as
CURLINFO_STARTTRANSFER_TIME_T.
Reported-by: Jon Rumsey
Fixes https://github.com/curl/curl/issues/6083
Closes https://github.com/curl/curl/pull/6084
|
| |
|
|
|
|
|
|
|
| |
The OS is deprecated. I see no traces of anyone having actually built
curl for Symbian after 2012.
The public headers are unmodified.
Closes #5989
|
| |
|
|
|
|
|
|
|
|
|
| |
These two files were always tightly connected and it was hard to
understand what went into which. This also allows us to make the
ftpsend() function static (moved from ftp.c).
Removed security.c
Renamed curl_sec.h to krb5.h
Closes #5987
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The CMake option is now called CMAKE_USE_SCHANNEL
The winbuild flag is USE_SCHANNEL
The CI jobs and build scripts only use the new names and the new name
options
Tests now require 'Schannel' (when necessary)
Closes #5795
|
| |
|
|
|
|
|
| |
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken
Closes #5491
|
| |
|
|
|
|
| |
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
|
| |
|
|
| |
Closes #5325
|
| |
|
|
|
|
|
|
|
| |
Reported by the new script 'scripts/copyright.pl'. The script has a
regex whitelist for the files that don't need copyright headers.
Removed three (mostly usesless) README files from docs/
Closes #5141
|
| |
|
|
|
|
| |
Reported-by: Jon Rumsey
Fixes #5142
Closes #5143
|
| |
|
|
|
|
| |
Fixes build.
Closes #5132
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
--ssl-revoke-best-effort to allow a "best effort" revocation check.
A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.
---
When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:
Unknown error (0x80092012) - The revocation function was unable
to check revocation for the certificate.
Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.
This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.
In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.
Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).
To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.
Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.
The test 2070 was added to verify this behavior, adapted from 310.
Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes https://github.com/curl/curl/pull/4981
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support to generate JSON via the writeout feature:
-w "%{json}"
It leverages the existing infrastructure as much as possible. Thus,
generating the JSON on STDERR is possible by:
-w "%{stderr}%{json}"
This implements a variant of
https://github.com/curl/curl/wiki/JSON#--write-out-json.
Closes #4870
|
| |
|
|
| |
Closes #5087
|
| |
|
|
|
|
| |
Assisted-by: Jay Satiro
Follow-up to 6357a19ff29dac04
Closes #5036
|
| |
|
|
|
| |
Closes #4869
Reviewed-by: Emil Engler and Daniel Gustafsson
|
| |
|
|
|
|
|
| |
... and check for inconsistencies for OS400 at build time with the new
chkstrings tool.
Closes #4822
|
| |
|
|
|
|
|
|
|
|
| |
- Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection
errors.
Prior to this change CURLE_FAILED_INIT was used, but that was not
correct.
Closes https://github.com/curl/curl/pull/4754
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when
curl_multi_wait/poll is passed timeout param < 0.
Prior to this change passing a negative value to curl_multi_wait/poll
such as -1 could cause the function to wait forever.
Reported-by: hamstergene@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/4763
Closes https://github.com/curl/curl/pull/4765
|
| |
|
|
|
| |
Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922
Reported-by: Emil Engler
|
| |
|
|
|
|
|
|
|
| |
It is covered by USE_OPENSSL_ENGINE now.
Reported-by: Gisle Vanem
Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951
Closes #4725
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.
Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)
Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.
Ref: https://github.com/curl/curl/pull/4655
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This commit adds curl_multi_wakeup() which was previously in the TODO
list under the curl_multi_unblock name.
On some platforms and with some configurations this feature might not be
available or can fail, in these cases a new error code
(CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup().
Fixes #4418
Closes #4608
|
| |
|
|
|
|
|
|
|
|
|
| |
- s/USE_CYASSL/USE_WOLFSSL/
- Remove old compatibility macros.
Follow-up to 1c6c59a from several months ago when CyaSSL named symbols
were renamed to wolfSSL. The wolfSSL library was formerly named CyaSSL
and we kept using their old name for compatibility reasons, until
earlier this year.
|
| |
|
|
| |
Closes #4410
|
| |
|
|
|
|
|
|
|
| |
As libcurl now uses these 2 system functions, wrappers are needed on os400
to convert returned AF_UNIX sockaddrs to ascii.
This is a follow-up to commit 7fb54ef.
See also #4037.
Closes #4214
|
| |
|
|
|
|
|
|
|
|
|
| |
Double-underscored or underscore plus uppercase letter at least.
... as they're claimed to be reserved.
Reported-by: patnyb on github
Fixes #4254
Closes #4255
|
