See: https://mesonbuild.com/Wrap-dependency-system-manual.html#provide-section
Companion to 9596a869414bb0811f1e1f6009c950ca7af81189
See !211
Closes #242
There is no need to add it to the project arguments; we should treat
it as any other dependency. There's nothing special about it.
Closes #237
In the end 2.72.1 wasn't released.
A server MUST NOT send a Content-Length header field in any response
with a status code of 1xx (Informational) or 204 (No Content)
Closes #234
With d9f97292 the intention was only to change the behavior of soup_message_headers_get_content_disposition();
however, parse_content_foo() is also used for Content-Type.
Fixes #232
The default was disabled for backwards compatibility; however, it
was an unsafe default and many projects unknowingly did not enable
it.
This is a break in behavior; however, the security concerns are important.
The belief that all projects would switch to the safer SoupSession
didn't happen and the number of under-maintained projects is too
many to fix quickly.
This brings a base level of security to all of them and will likely
not actually break much as the modern internet depends on CAs heavily.
For users who are broken by it, the possible fixes are:
- Add the CA for the service you can no longer connect to to the
  system CA database on your computer
- Get the administrator of the service you were connecting to to
  switch to using a certificate signed by a public CA
- Use http rather than https
- Wait for, or request, the app to be updated
For system administrators who provide a service whose users have been broken by this, the possible fixes are:
- Update your service to use a certificate signed by a public CA
- Get each user to add the CA to their system CA db, as above
- Get each user to move to an alternative app
For developers of apps whose users have been broken by this, the possible fixes are:
- Document how users can add CAs to the system CA DB, as above
- Add a config option to allow users to turn ssl-use-system-ca-file off again.
  (Note that this will probably eventually result in someone filing a CVE against your app.)
- Add a config option to allow users to configure a file containing a CA to be trusted,
  and then read that in as a GTlsDatabaseFile and set it as SoupSession:tls-database
- Add a ton of code to allow users to accept certificates signed by unknown CAs and then
  remember the certificates for next time. (We have no easily-copied examples of how to do this.)
This isn't the proper way to use extern C as the included
headers may actually have C++ aware code in them.
Closes #217
RFC2397 states that data URLs have "no relative URL forms", but
soup_uri_new_with_base would still attempt to resolve any suspected
relative URL paths regardless. This was also inconsistent with the
behavior of most web browsers.
When the message is restarted due to the failed auth, we fail to
properly reset the SoupSession:ostream data on the item task and we end up
calling async_send_request_return_result() twice causing the following
critical the second time:
(auth-test:66750): libsoup-CRITICAL **: 15:48:08.156: async_send_request_return_result: assertion 'item->task != NULL' failed
SoupSession:ostream data is set in item task, but we reset in item
message.
This fixes compilation with Visual Studio, as the explicit declaration
of soup_brotli_decompressor_get_type and the one generated by G_DECLARE_FINAL_TYPE
are apparently not identical for the cl.exe compiler.
This adds very basic support for dumping HTTP connection information to
sysprof, if the process is being run under a sysprof session.
See https://gitlab.gnome.org/GNOME/sysprof/-/issues/43 for plans of how
this could be expanded in future. This is just a starting point.
The code in this commit dumps a message to the sysprof capture which
includes the URI, total time for the connection (request + response),
and the amount of data transferred in the request and response.
It adds an optional dependency on `libsysprof-capture-4.a`, and a
subproject for building that if it’s not available on the system.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
Renamed as soup_message_is_feature_disabled(). We need this in WebKit to
check if cookies are available in an existing SoupMessage.
This way disabling the same feature twice doesn't add a new element to
the list.
We are currently using the hash table value as a key in the lookup. So,
we compare the feature type with the registered schemes. We should get
the list of schemes and find one in the table whose value matches the
given type.
This new policy matches the Safari behavior when ITP is disabled and
third-party cookies are blocked. The SOUP_COOKIE_JAR_ACCEPT_NO_THIRD_PARTY
policy does not allow subresources to set cookies unless they match the
domain of the main resource. The new policy makes an exception for domains
that have previously stored cookies (when being visited).
This patch was written by Michael Catanzaro, but it changed the behavior
of SOUP_COOKIE_JAR_ACCEPT_NO_THIRD_PARTY. I just updated it to add a new
policy instead.
There are two instances in `SoupURI` where `g_ascii_isxdigit()` is
called two bytes ahead of the read pointer to check if a %-encoding is
valid. This is fine when the string being parsed is nul-terminated (as
the first `g_ascii_isxdigit()` call will safely return `FALSE`), but
will result in a read off the end of the buffer if it’s
length-terminated (and doesn’t happen to also be nul-terminated).
Thankfully, that’s not the case in any of the code paths in `SoupURI`
leading to these two instances, so this is not a security issue.
However, the functions should probably be fixed to do an appropriate
length check, just in case they get called from somewhere else in
future.
Spotted by oss-fuzz in oss-fuzz#23815 and oss-fuzz#23818, when it was
fuzzing the new `GUri` implementation in GLib, which is heavily based
off this code.
Includes two unit tests which don’t actually trigger the original
failure (as all strings passed into `SoupURI` are forced to be
nul-terminated), but would trigger it if the nul termination was not
present.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
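
The length check this commit message calls for, as an added example that is not libsoup's code: a plain-C percent-decoder for a length-terminated buffer, with `isxdigit()` standing in for `g_ascii_isxdigit()`. The function names and sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not libsoup's): value of one validated hex digit. */
static int hex_value(unsigned char c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/*
 * Decode %XX escapes from a length-terminated buffer `in` of `len` bytes
 * into `out` (which must hold at least len + 1 bytes). Returns the decoded
 * length, or -1 if a '%' is not followed by two hex digits inside the buffer.
 */
long decode_percent_n(const char *in, size_t len, char *out)
{
    size_t i = 0, o = 0;

    while (i < len) {
        if (in[i] != '%') {
            out[o++] = in[i++];
            continue;
        }
        /* Length check before looking ahead: in[i + 1] and in[i + 2] must
         * both lie inside the buffer. Without it, input ending in "%" or
         * "%4" is read past its end unless a NUL happens to follow. */
        if (len - i < 3 ||
            !isxdigit((unsigned char)in[i + 1]) ||
            !isxdigit((unsigned char)in[i + 2]))
            return -1;
        out[o++] = (char)((hex_value((unsigned char)in[i + 1]) << 4) |
                          hex_value((unsigned char)in[i + 2]));
        i += 3;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample with no NUL terminator; the caller supplies len. */
    const char buf[] = { 'a', 'b', '%', '4', '1' };
    char out[8];

    printf("%ld\n", decode_percent_n(buf, 5, out)); /* complete escape */
    printf("%ld\n", decode_percent_n(buf, 4, out)); /* escape cut by len */
    return 0;
}
```

With `len` set to 4 the byte after `%4` is a valid hex digit but lies outside the field, so only the length check keeps the decoder from consuming it.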
It broke 32-bit architectures.
- Fixes encoding issues on file names
- Adds sorting support
- Adds translations
- Add CSS for nicer design
Closes !123
A SOUP_AVAILABLE_IN_2_68 (which expands to __declspec(dllexport) extern)
was missed in the use of G_DECLARE_FINAL_TYPE (SoupBrotliDecompressor...),
which broke Visual Studio builds because the first prototype of
soup_brotli_decompressor_get_type() (that results from the
G_DECLARE_FINAL_TYPE macro) was not marked with __declspec(dllexport)
but the second one at line 35 is, which Visual Studio does not allow.
As defined by RFC 7231
This changes passing an HTTP method string to just passing a boolean
for if it is a safe method or not. This slightly simplifies usage
within WebKit.
The spec says a new connection must be established and some servers
reply with a 400 Bad Request when reusing an existing connection.
|
We should not schedule a new read after reading the close message, since
we don't expect more input. This fixes a crash due to an assert that
checks that the input source is NULL when the connection is destroyed
that happens when the connection is destroyed in the closed callback.
Fixes #181
This adds API for web browsers to set extra information to support
same-site cookies.
Note that usage of SoupSession alone does not provide enough
information to reasonably use these at the moment and requires
manually setting the information with the extra context a browser
may have.
GTimeVal has been deprecated and shouldn't be used, so deprecate
soup_date_to_timeval().
This prevents some unnecessary string copies and a tiny bit of memory.
Check the length of the decoded v2 challenge before attempting to
parse it, to avoid reading past it.
Fixes #173
The value is optional in the request offer, but not in the server
response.
Fixes: https://gitlab.gnome.org/GNOME/libsoup/issues/166
This was already fixed for Unix-like systems but it was still
possible to smuggle .. into a Windows-like server.
Once we bail out we are not going to add the rest of the items to the
hash table, so we need to manually delete them, otherwise they leak.
The GByteArray allocated in the beginning is not freed in case
of error.
g_byte_array_append() can reallocate its data, so make sure that we
don't rely on any pointer pointing to it after calling it.
Also remove a spurious unref in the caller while handling the error,
which shouldn't be needed as the extension returns NULL in case of
error.
In case of error while processing an incoming or outgoing message, an
extension should return NULL as is customary. This way, in case of
error, the caller doesn't need to worry about having to deal with
dropping the reference for the returned value if non-NULL.