1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 13:05:03 -05:00
Commit Graph

1266 Commits

Author SHA1 Message Date
Isaac Boukris
0b8d682f81 Don't mix unix domain sockets with regular ones
When reusing a connection, make sure the unix domain
socket option matches.
2016-11-17 17:34:02 +01:00
Daniel Stenberg
346340808c URL-parser: for file://[host]/ URLs, the [host] must be localhost
Previously, the [host] part was just ignored which made libcurl accept
strange URLs misleading users. like "file://etc/passwd" which might've
looked like it refers to "/etc/passwd" but is just "/passwd" since the
"etc" is an ignored host name.

Reported-by: Mike Crowe
Assisted-by: Kamil Dudka
2016-11-11 17:14:45 +01:00
Jay Satiro
4564636781 easy: Initialize info variables on easy init and duphandle
- Call Curl_initinfo on init and duphandle.

Prior to this change the statistical and informational variables were
simply zeroed by calloc on easy init and duphandle. While zero is the
correct default value for almost all info variables, there is one where
it isn't (filetime initializes to -1).

Bug: https://github.com/curl/curl/issues/1103
Reported-by: Neal Poole
2016-11-05 23:06:28 -04:00
Daniel Stenberg
c27013c05d url: remove unconditional idn2.h include
Mistake brought by 9c91ec7781
2016-10-31 09:50:12 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
b3ee26c5df connectionexists: use case sensitive user/password comparisons
CVE-2016-8616

Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536 escape: avoid using curl_easy_unescape() internally
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781 idn: switch to libidn2 use and IDNA2008 support
CVE-2016-8625

Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e urlparse: accept '#' as end of host name
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.

CVE-2016-8624

Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8a6e89a9eb select: switch to macros in uppercase
Curl_select_ready() was the former API that was replaced with
Curl_select_check() a while back and the former arg setup was provided
with a define (in order to leave existing code unmodified).

Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
common shortcuts where only one socket is checked. They're also more
visibly macros.
2016-10-18 11:05:45 +02:00
Jay Satiro
aec0c993cb url: skip to-be-closed connections when pipelining (follow-up)
- Change back behavior so that pipelining is considered possible for
connections that have not yet reached the protocol level.

This is a follow-up to e5f0b1a which had changed the behavior of
checking if pipelining is possible to ignore connections that had
'bits.close' set. Connections that have not yet reached the protocol
level also have that bit set, and we need to consider pipelining
possible on those connections.
2016-10-17 02:44:39 -04:00
Rider Linden
e5f0b1ab43 url: skip to-be-closed connections when pipelining
No longer attempt to use "doomed" to-be-closed connections when
pipelining. Prior to this change connections marked for deletion (e.g.
timeout) would be erroneously used, resulting in sporadic crashes.

As originally reported and fixed by Carlo Wood (origin unknown).

Bug: https://github.com/curl/curl/issues/627
Reported-by: Rider Linden

Closes https://github.com/curl/curl/pull/1075
Participation-by: nopjmp@users.noreply.github.com
2016-10-14 03:16:46 -04:00
Michael Kaufmann
e9e5366193 New libcurl option to keep sending on error
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
sending the request body shall be completed when the server responds
early with an error status code.

This is suitable for manual NTLM authentication.

Reviewed-by: Jay Satiro

Closes https://github.com/curl/curl/pull/904
2016-09-22 22:22:31 +02:00
Daniel Stenberg
3533def3d5 http2: make sure stream errors don't needlessly close the connection
With HTTP/2 each transfer is made in an indivial logical stream over the
connection, making most previous errors that caused the connection to get
forced-closed now instead just kill the stream and not the connection.

Fixes #941
2016-08-28 16:44:49 +02:00
Daniel Stenberg
321c897c06 proxy: polished the error message for unsupported schemes
Follow up to a96319ebb9
2016-08-15 11:11:46 +02:00
Daniel Stenberg
a96319ebb9 proxy: reject attempts to use unsupported proxy schemes
I discovered some people have been using "https://example.com" style
strings as proxy and it "works" (curl doesn't complain) because curl
ignores unknown schemes and then assumes plain HTTP instead.

I think this misleads users into believing curl uses HTTPS to proxies
when it doesn't. Now curl rejects proxy strings using unsupported
schemes instead of just ignoring and defaulting to HTTP.
2016-08-15 10:46:27 +02:00
Daniel Stenberg
4732ca5724 CURLOPT_TCP_NODELAY: now enabled by default
After a few wasted hours hunting down the reason for slowness during a
TLS handshake that turned out to be because of TCP_NODELAY not being
set, I think we have enough motivation to toggle the default for this
option. We now enable TCP_NODELAY by default and allow applications to
switch it off.

This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
used to disable it.

Thanks-to: Tim Rühsen
Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
2016-08-05 00:12:57 +02:00
Daniel Stenberg
bde2f09d5e multi: make Curl_expire() work with 0 ms timeouts
Previously, passing a timeout of zero to Curl_expire() was a magic code
for clearing all timeouts for the handle. That is now instead made with
the new Curl_expire_clear() function and thus a 0 timeout is fine to set
and will trigger a timeout ASAP.

This will help removing short delays, in particular notable when doing
HTTP/2.
2016-08-04 00:26:01 +02:00
Daniel Stenberg
247d890da8 TLS: switch off SSL session id when client cert is used
CVE-2016-5419
Bug: https://curl.haxx.se/docs/adv_20160803A.html
Reported-by: Bru Rom
Contributions-by: Eric Rescorla and Ray Satiro
2016-08-03 00:34:27 +02:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Daniel Stenberg
5409e1d793 URL parser: allow URLs to use one, two or three slashes
Mostly in order to support broken web sites that redirect to broken URLs
that are accepted by browsers.

Browsers are typically even more leniant than this as the WHATWG URL
spec they should allow an _infinite_ amount. I tested 8000 slashes with
Firefox and it just worked.

Added test case 1141, 1142 and 1143 to verify the new parser.

Closes #791
2016-05-30 23:13:55 +02:00
Daniel Stenberg
cba9621342 ftp wildcard: segfault due to init only in multi_perform
The proper FTP wildcard init is now more properly done in Curl_pretransfer()
and the corresponding cleanup in Curl_close().

The previous place of init/cleanup code made the internal pointer to be NULL
when this feature was used with the multi_socket() API, as it was made within
the curl_multi_perform() function.

Reported-by: Jonathan Cardoso Machado
Fixes #800
2016-05-15 00:37:36 +02:00
Michael Kaufmann
117a0ffe9f ConnectionExists: follow-up fix for proxy re-use
Follow-up commit to 5823179

Closes #648
2016-05-13 00:02:21 +02:00
Daniel Stenberg
f6767f5435 TLS: move the ALPN/NPN enable bits to the connection
Only protocols that actually have a protocol registered for ALPN and NPN
should try to get that negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.

Reported-by: Jay Satiro

Fixes #789
2016-05-09 15:30:25 -04:00
Daniel Stenberg
5823179523 connections: non-HTTP proxies on different ports aren't reused either
Reported-by: Oleg Pudeyev and fuchaoqun

Fixes #648
2016-05-03 08:18:15 +02:00
Daniel Stenberg
283babfaf8 tls: make setting pinnedkey option fail if not supported
to make it obvious to users trying to use the feature with TLS backends
not supporting it.

Discussed in #781
Reported-by: Travis Burtrum
2016-05-01 17:05:38 +02:00
Daniel Stenberg
4f45240bc8 lib: include curl_printf.h as one of the last headers
curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

 curl_printf.h
 curl_memory.h
 memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743
2016-04-29 22:32:49 +02:00
Karlson2k
2242384911 url.c: fixed DEBUGASSERT() for WinSock workaround
If buffer is allocated, but nothing is received during prereceive
stage, than number of processed bytes must be zero.

Closes #778
2016-04-25 11:25:18 +02:00
Steve Holme
99980cf904 url.c: Prefer we don't use explicit NULLs in conditions
Fixed commit fa5fa65a30 to not use NULLs in if condition.
2016-04-20 18:07:05 +01:00
Isaac Boukris
fa5fa65a30 NTLM: check for NULL pointer before deferencing
At ConnectionExists, both check->proxyuser and check->proxypasswd
could be NULL, so make sure to check first.

Fixes #765
2016-04-20 15:26:45 +02:00
Karlson2k
72d5e144fb sendf.c: added ability to call recv() before send() as workaround
WinSock destroys recv() buffer if send() is failed. As result - server
response may be lost if server sent it while curl is still sending
request. This behavior noticeable on HTTP server short replies if
libcurl use several send() for request (usually for POST request).
To workaround this problem, libcurl use recv() before every send() and
keeps received data in intermediate buffer for further processing.

Fixes: #657
Closes: #668
2016-04-20 09:22:48 +02:00
Alessandro Ghedini
03de4e4b21 connect: implement TCP Fast Open for Linux
Closes #660
2016-04-18 23:21:50 +02:00
Alessandro Ghedini
dc68f2dab9 url: add CURLOPT_TCP_FASTOPEN option 2016-04-18 23:17:19 +02:00
Michael Kaufmann
cd8d236245 news: CURLOPT_CONNECT_TO and --connect-to
Makes curl connect to the given host+port instead of the host+port found
in the URL.
2016-04-17 23:50:59 +02:00
Steve Holme
ccf7a82605 CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
As these two options provide identical functionality, the former for
SOCK5 proxies and the latter for HTTP proxies, merged the two options
together.

As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
7.49.0.
2016-04-09 20:47:05 +01:00
Steve Holme
5ee484c597 url: Ternary operator code style changes 2016-04-09 17:17:37 +01:00
Steve Holme
f044cbe6fc sasl: Fixed compilation errors from commit 9d89a0387
...when GSS-API or Windows SSPI are not used.
2016-04-09 05:57:10 +01:00
Steve Holme
43116218c0 url: Corrected comments following 9d89a0387 2016-04-09 05:33:03 +01:00
Steve Holme
39d68b47e1 http_negotiate: Calculate service name and proxy service name locally
Calculate the service name and proxy service names locally, rather than
in url.c which will allow for us to support overriding the service name
for other protocols such as FTP, IMAP, POP3 and SMTP.
2016-04-08 18:41:41 +01:00
Daniel Stenberg
a71012c03e code: style updates 2016-04-03 22:38:36 +02:00
Steve Holme
9a8aef1365 url: Corrected get protocol family for FTP and LDAP
Fixed copy/paste error from commit a5aec58726.
2016-04-01 07:24:39 +01:00
Daniel Stenberg
575e885db0 multi: turn Curl_done into file local multi_done
... as it now is used by multi.c only.
2016-03-30 07:52:28 +02:00
Daniel Stenberg
6b61d8160d multi: move Curl_do and Curl_do_done to multi.c and make static
... called multi_do and multi_do_done as they're file local now.
2016-03-30 07:52:28 +02:00
Steve Holme
f0bdd72c10 http_ntlm: Renamed from curl_ntlm.[c|h]
Renamed the header and source files for this module as they are HTTP
specific and as such, they should use the naming convention as other
HTTP authentication source files do - this revert commit 260ee6b7bf.

Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
code needs separating from the HTTP protocol and migrating into the
vauth directory, thus adding support for Winbind to the SASL based
protocols such as IMAP, POP3 and SMTP.
2016-03-27 17:58:50 +01:00
Jay Satiro
3d144ab99b url: don't use bad offset in tld_check_name to show error
libidn's tld_check_lz returns an error offset of the first character
that it failed to process, however that offset is not a byte offset and
may not even be in the locale encoding therefore we can't use it to show
the user the character that failed to process.

Bug: https://github.com/curl/curl/issues/731
Reported-by: Karlson2k
2016-03-26 14:41:35 -04:00
Steve Holme
06ccaa0c68 url: Corrected indentation when calling idna_to_ascii_lz() 2016-03-11 07:46:09 +00:00
Steve Holme
58e4a06743 idn_win32: Use boolean based success codes
Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
based success code.
2016-03-11 07:24:39 +00:00
Daniel Stenberg
549b1a433a url.c: fix clang warning: no newline at end of file 2016-03-10 09:36:49 +01:00
Steve Holme
a5aec58726 imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
Regression since commit 710f14edba.

Bug: https://github.com/curl/curl/issues/422
Reported-by: Justin Ehlert
2016-03-08 19:36:46 +00:00