1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-15 14:05:03 -05:00
Commit Graph

27001 Commits

Author SHA1 Message Date
Anthony Shaw
2908a8232c
github/workflow: add "security-extended" to codeql-analysis.yml
Extends the CodeQL code scan.

Closes #6815
2021-04-09 15:46:31 +02:00
Jochem Broekhoff
255bdfe65c
examples/hiperfifo.c: check event_initialized before delete
If event_del is called with the event struct (still) zeroed out, a
segmentation fault may occur.  event_initialized checks whether the
event struct is nonzero.

Closes #6876
2021-04-09 11:44:21 +02:00
Patrick Monnerat
9c1e1a6105
ntlm: fix negotiated flags usage
According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.

The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.

Tests involving NTLM are adjusted to this new behavior.

Fixes #6813
Closes #6849
2021-04-09 09:40:56 +02:00
Patrick Monnerat
cca455a36b
ntlm: support version 2 on 32-bit platforms
Closes #6849
2021-04-09 09:40:49 +02:00
Patrick Monnerat
10514d0076
curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
whole NTLM.

Closes #6849
2021-04-09 09:40:36 +02:00
Daniel Stenberg
c502b47f1f
lib: remove unused HAVE_INET_NTOA_R* defines
Closes #6867
2021-04-08 16:33:29 +02:00
Michael Forney
eaa1d73229
configure: include <time.h> unconditionally
In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.

In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.

The AC_HEADER_TIME macro deprecation text says

> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.

So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.

Closes #6859
2021-04-07 16:08:01 +02:00
Michael Forney
812fce9dcf
configure: remove use of RETSIGTYPE
This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
which was removed in 2682e5f5. The deprecation text says

> Your code may safely assume C89 semantics that RETSIGTYPE is void.

So, remove it and just use void instead.

Closes #6861
2021-04-07 16:01:05 +02:00
Muhammed Yavuz Nuzumlalı
694eab18bc
install: add instructions for Apple Darwin platforms
Closes #6860
2021-04-07 15:54:32 +02:00
Muhammed Yavuz Nuzumlalı
5d2c384452
configure: disable min version set for Darwin
Fixes #6838
Closes #6860
2021-04-07 15:54:02 +02:00
David Hu
3be5ebf303
docs/HTTP3.md: update the build instruction using gnutls
In ngtcp2 the `with-gnutls` option is disabled by default, which will
cause `curl` unable to be `make` because of lacking the libraries
needed.

Closes #6857
2021-04-07 09:02:33 +02:00
Daniel Stenberg
719baefc77
RELEASE-NOTES: synced 2021-04-07 08:32:50 +02:00
Daniel Stenberg
77db2a0c6d
typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
... and not values.

Reported-by: locpyl-tidnyd on github
Fixes #6818
Closes #6819
2021-04-07 00:16:40 +02:00
Daniel Stenberg
33ddef3617
ngtcp2+gnutls: clear credentials when freed
... to avoid double-free.

Reported-by: Kenneth Davidson
Fixes #6824
Closes #6856
2021-04-07 00:07:10 +02:00
Cherish98
4b4401e26a tool_progress: Fix progress meter in parallel mode
Make sure the total amount of DL/UL bytes are counted before the
transfer finalizes. Otherwise if a transfer finishes too quick, its
total numbers are not added, and results in a DL%/UL% that goes above
100%.

Detail:

progress_meter() is called periodically, and it may not catch a
transfer's total bytes if the value was unknown during the last call,
and the transfer is finished and deleted (i.e., lost) during the next
call.

Closes https://github.com/curl/curl/pull/6840
2021-04-05 23:43:26 -04:00
Emil Engler
c1abc6624d libssh: get rid of PATH_MAX
This removes the last occurrence of PATH_MAX inside our libssh
implementation by calculating the path length from the string length of
the two components.

Closes #6829
2021-04-05 23:21:19 -04:00
Daniel Stenberg
605aa03ac1
http_proxy: only loop on 407 + close if we have credentials
... to fix the retry-loop.

Add test 718 to verify.

Reported-by: Daniel Kurečka
Fixes #6828
Closes #6850
2021-04-05 22:49:07 +02:00
Daniel Stenberg
00b89ec641
h2: allow 100 streams by default
instead of 13, before the server has told how many streams it
accepts. The server can always reject new streams anyway if we go above
what it accepts.

Ref: #6826
Closes #6852
2021-04-05 22:47:34 +02:00
Luke Granger-Brown
6d930d7306
file: support GETing directories again
After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
expected_size for directories. This has the upshot that when we compare
even an empty Range with the available size, we fail.

This brings back the previous behaviour, which was to succeed, but with
empty content. This also removes the "Accept-ranges: bytes" header,
which is nonsensical on directories.

Adds test 3016
Fixes #6845
Closes #6846
2021-04-05 12:22:07 +02:00
Daniel Stenberg
f6bbc3407a
RELEASE-NOTES: synced
and bumped to 7.76.1
2021-04-04 23:53:33 +02:00
Daniel Stenberg
f573998c22
TLS: fix HTTP/2 selection
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes #6825
Closes #6827
2021-04-02 22:53:17 +02:00
Jay Satiro
3085ccfae9 hostip: Fix for builds that disable all asynchronous DNS
- Define Curl_resolver_error function only when USE_CURL_ASYNC.

Prior to this change building curl without an asynchronous resolver
backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
also asynchronous but independent of resolver backend) would cause a
build error since Curl_resolver_error is called by and evaluates
variables only available in asynchronous builds.

Reported-by: Benbuck Nason

Fixes https://github.com/curl/curl/issues/6831
Closes https://github.com/curl/curl/pull/6832
2021-04-02 02:38:43 -04:00
Gilles Vollant
06a7f2745e
openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
Reported-by: Christian Schmitz
Fixes #6816
Closes #6820
2021-03-31 23:35:59 +02:00
Daniel Stenberg
3266b35bbe
RELEASE-NOTES: synced
curl 7.76.0 release
2021-03-31 00:08:25 +02:00
Daniel Stenberg
e1c51916e2
THANKS: added names from 7.76.0 2021-03-31 00:08:24 +02:00
Daniel Stenberg
5a80a869a7
CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
... some users may not want that!
2021-03-30 14:47:14 +02:00
Daniel Stenberg
33ba0ecf48
define: remove CURL_DISABLE_NTLM ifdefs
It was never defined anywhere. Fixed disable-scan (test 1165) to also
scan headers, which found this issue.

Closes #6809
2021-03-29 14:43:54 +02:00
Daniel Stenberg
2c26eeef12
vtls: fix addsessionid for non-proxy builds
Follow-up to b09c8ee157
Fixes #6812
Closes #6811
2021-03-29 14:20:13 +02:00
Li Xinwei
9d4f21b190
cmake: support WinIDN
Closes #6807
2021-03-29 09:50:55 +02:00
Daniel Stenberg
6bb028dbda
transfer: clear 'referer' in declaration
To silence (false positive) compiler warnings about it.

Follow-up to 7214288898

Reviewed-by: Marcel Raad
Closes #6810
2021-03-29 09:45:53 +02:00
Marc Hoersken
d6fba0ca06
config: fix SSPI enabling NTLM if crypto auth is disabled
Avoid enabling NTLM feature based upon Windows SSPI
being enabled in case that crypto auth is disabled.

Reported-by: Marcel Raad

Follow-up to #6277
Fixes #6803
Closes #6808
2021-03-29 09:08:48 +02:00
Daniel Stenberg
ce2d5fb7fa
HISTORY: add two 2021 events 2021-03-29 09:05:12 +02:00
Daniel Stenberg
b09c8ee157
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890
2021-03-28 23:19:56 +02:00
Viktor Szakats
7214288898
transfer: strip credentials from the auto-referer header field
Added test 2081 to verify.

CVE-2021-22876

Bug: https://curl.se/docs/CVE-2021-22876.html
2021-03-28 23:19:55 +02:00
Daniel Stenberg
184ffc0bdf
curl_sasl: fix compiler error with --disable-crypto-auth
... if libgsasl was found.

Closes #6806
2021-03-28 23:03:15 +02:00
Patrick Monnerat
8cbc16b2f9
ldap: only set the callback ptr for TLS context when TLS is used
Follow-up to a5eee22e59
Fixes #6804
Closes #6805
2021-03-28 16:01:20 +02:00
Daniel Stenberg
85e6975643
copyright: update copyright year ranges to 2021
Reviewed-by: Emil Engler
Closes #6802
2021-03-27 23:00:14 +01:00
Daniel Stenberg
b5726e5549
send_speed: simplify the checks for if a speed limit is set
... as we know the value cannot be set to negative: enforced by
setopt()
2021-03-27 12:38:28 +01:00
Daniel Stenberg
24e469f6d6
http: cap body data amount during send speed limiting
By making sure never to send off more than the allowed number of bytes
per second the speed limit logic is given more room to actually work.

Reported-by: Fabian Keil
Bug: https://curl.se/mail/lib-2021-03/0042.html
Closes #6797
2021-03-27 12:38:15 +01:00
Daniel Stenberg
95cbcec8f9
urldata: merge "struct DynamicStatic" into "struct UrlState"
Both were used for the same purposes and there was no logical separation
between them. Combined, this also saves 16 bytes in less holes in my
test build.

Closes #6798
2021-03-26 23:19:20 +01:00
Daniel Stenberg
d003b0213a
tests/README.md: mentioned that en_US.UTF-8 is required
Reported-by: Oumph on github
Fixes #6768
2021-03-26 17:54:12 +01:00
Daniel Stenberg
eef3b43ae8
HISTORY: fixed the Mac OS X 10.1 release date
Based on what Wikipedia says
2021-03-26 09:08:10 +01:00
Jay Satiro
a8da0302a7 examples: Remove threaded-shared-conn.c due to bug
Known bug 11.11 is the shared object's connection cache is not thread
safe, so we should not have an example for it.

Ref: https://github.com/curl/curl/issues/4915
Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not

Closes https://github.com/curl/curl/pull/6795
2021-03-26 03:14:50 -04:00
Jay Satiro
65aa275bbc KNOWN_BUGS: Update 11.9 - DoH option inheritance
- Add description: Explain that some options aren't inherited because
  they are not relevant for the DoH SSL connections or may result in
  unexpected behavior.

- Remove the reference to #4578 (SSL verify options not inherited) since
  that was fixed by #6597 (separate DoH-specific options for verify).

- Explain that DoH-specific options (those created by #6597) are
  available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
  CURLOPT_DOH_SSL_VERIFYSTATUS.

- Add a reference to #6605 and explain that the user's debug function is
  not inherited because it would be unexpected to pass internal handles
  (ie DoH handles) to the user's callback.

Closes https://github.com/curl/curl/issues/6605
2021-03-26 03:14:28 -04:00
Daniel Stenberg
ae42f1df15
curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO 2021-03-26 07:56:22 +01:00
Jean-Philippe Menil
5930cb1c46
openssl: ensure to check SSL_CTX_set_alpn_protos return values
SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure

Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>

Closes #6794
2021-03-25 22:57:20 +01:00
Daniel Stenberg
7b6bfd2d78
multi: close the connection when h2=>h1 downgrading
Otherwise libcurl is likely to reuse the connection again in the next
attempt since the connection reuse logic doesn't take downgrades into
account.

Reported-by: Anthony Ramine
Fixes #6788
Closes #6793
2021-03-25 16:18:13 +01:00
Daniel Stenberg
db4e0bd85f
openssl: set the transfer pointer for logging early
Otherwise, the transfer will be NULL in the trace function when the
early handshake details arrive and then curl won't show them.

Regresssion in 7.75.0

Reported-by: David Hu
Fixes #6783
Closes #6792
2021-03-25 16:16:55 +01:00
Daniel Stenberg
cd7aec95d6
RELEASE-NOTES: synced 2021-03-25 09:32:02 +01:00
Daniel Stenberg
8494abfb1b
TODO: Custom progress meter update interval
Ref: https://stackoverflow.com/q/66789977/93747
2021-03-25 09:22:52 +01:00