1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 01:58:49 -05:00
Commit Graph

5063 Commits

Author SHA1 Message Date
Daniel Stenberg
265b14d6b3
metalink: remove
Warning: this will make existing curl command lines that use metalink to
stop working.

Reasons for removal:

1. We've found several security problems and issues involving the
   metalink support in curl. The issues are not detailed here. When
   working on those, it become apparent to the team that several of the
   problems are due to the system design, metalink library API and what
   the metalink RFC says. They are very hard to fix on the curl side
   only.

2. The metalink usage with curl was only very briefly documented and was
   not following the "normal" curl usage pattern in several ways, making
   it surprising and non-intuitive which could lead to further security
   issues.

3. The metalink library was last updated 6 years ago and wasn't so
   active the years before that either. An unmaintained library means
   there's a security problem waiting to happen. This is probably reason
   enough.

4. Metalink requires an XML parsing library, which is complex code (even
   the smaller alternatives) and to this day often gets security
   updates.

5. Metalink is not a widely used curl feature. In the 2020 curl user
   survey, only 1.4% of the responders said that they'd are using it. In
   2021 that number was 1.2%. Searching the web also show very few
   traces of it being used, even with other tools.

6. The torrent format and associated technology clearly won for
   downloading large files from multiple sources in parallel.

Cloes #7176
2021-06-07 08:14:25 +02:00
Daniel Stenberg
9cf516adc6
docs/INSTALL: remove mentions of configure --with-darwin-ssl
... as it isn't supported since a while back.

Make configure fail with a warning if used.

Reported-by: Vadim Grinshpun
Bug: https://curl.se/mail/lib-2021-06/0008.html
Closes #7200
2021-06-06 23:55:32 +02:00
Daniel Stenberg
60e4267705
TODO: Support rate-limiting for MQTT 2021-06-04 15:57:02 +02:00
Daniel Stenberg
628ebd82b9
test269: disable for hyper
--ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
with hyper.

Closes #7184
2021-06-03 23:11:11 +02:00
Daniel Stenberg
6793332eba
CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
For options that pass in lists or strings that are subsequently parsed
and must be correct. This broadens the scope for the option previously
known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
provided as a #define for existing applications.

Closes #7175
2021-06-02 23:03:55 +02:00
theawless
ee8c4f766c
define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
This flag will be further exposed by adding build options.

Reverts #6809
Closes #7028
2021-06-02 08:55:00 +02:00
Daniel Stenberg
5e1e4dbf1e
GOVERNANCE: add 'user', 'committer' and 'contributor'
As those are commonly used terms in the project.

Closes #7151
2021-05-31 15:42:39 +02:00
Daniel Stenberg
c61ca43340
URL-SYNTAX.md: document the new 'localhost' treatment 2021-05-31 15:37:37 +02:00
Daniel Gustafsson
772eacb2e3 docs: fix typos 2021-05-31 12:47:15 +02:00
Daniel Stenberg
a43e1da1e2
HYPER: remove mentions of deprecated development branch 2021-05-28 23:06:19 +02:00
Daniel Stenberg
68975fba02
HSTS: not experimental anymore 2021-05-28 12:34:07 +02:00
Douglas R. Reno
ed38ac86ea
INSTALL: use correct extension for CURL-DISABLE.md
In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
CURL-DISABLE.md. This generates a 404 on the cURL website as well as
when viewing the docs through Github.

Closes #7142
2021-05-27 22:59:48 +02:00
Viktor Szakats
3976dd67a2
docs: use --max-redirs instead of --max-redir
For consistency.

Closes #7130
2021-05-26 14:49:52 +02:00
Daniel Stenberg
83a31635a4
THANKS: added contributors from 7.77.0 cycle 2021-05-26 08:18:11 +02:00
Daniel Stenberg
82d334001f
copyright: update copyright year ranges to 2021 2021-05-26 08:18:11 +02:00
Daniel Stenberg
54e5c24565
TODO: netrc caching and sharing
URL: https://curl.se/mail/archive-2021-05/0018.html
2021-05-25 17:45:26 +02:00
Jacob Hoffman-Andrews
a62e6435f4
rustls: switch read_tls and write_tls to callbacks
And update to 0.6.0, including a rename from session to connection for
many fields.

Closes #7071
2021-05-24 16:40:59 +02:00
Daniel Stenberg
b03b82a85f
docs/tests: remove freenode references 2021-05-24 00:21:00 +02:00
Lucas Clemente Vella
84d2839740
CURLOPT_IPRESOLVE: preventing wrong IP version from being used
In some situations, it was possible that a transfer was setup to
use an specific IP version, but due do DNS caching or connection
reuse, it ended up using a different IP version from requested.

This commit changes the effect of CURLOPT_IPRESOLVE from simply
restricting address resolution to preventing the wrong connection
type being used, when choosing a connection from the pool, and
to restricting what addresses could be used when establishing
a new connection.

It is important that all addresses versions are resolved, even if
not used in that transfer in particular, because the result is
cached, and could be useful for a different transfer with a
different CURLOPT_IPRESOLVE setting.

Closes #6853
2021-05-20 16:58:31 +02:00
Ryan Beck-Buysse
d845d392b5
docs/TheArtOfHttpScripting: fix markdown links
extra parens cause the links to be incorrectly formatted
and inconsistent with the rest of the document.

Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
Closes #7097
2021-05-19 09:10:11 +02:00
Emil Engler
3d3f4efbc8
docs: replace dots with dashes in markdown enums
We use dashes instead of dots nearly everywhere except for those few
cases. This commit addresses this issues and brings more coherency into
it.

Closes #7093
2021-05-19 00:40:12 +02:00
Emil Engler
d79f8492c5
docs: improve INTERNALS.md regarding getsock cb
This adds the I/O prefix to indicate that those "actions" are kind-of
related to those found in select(2) or poll(2) (reading/writing).

It also adds a note where the prototypes of those functions can be found
in the source code.

Closes #7092
2021-05-19 00:39:06 +02:00
Emil Engler
158d26e4fc
docs: document attach in INTERNALS.md
The new field in the Curl_handler struct still lacks documentation. This
adds it it from the information extracted from lib/urldata.h:797

Closes #7091
2021-05-19 00:38:10 +02:00
Daniel Stenberg
5dfa4c08bb
docs: cookies from HTTP headers need domain set
... or the cookies won't get sent. Push users to using the "Netscape"
format instead, which curl uses when saving a cookie "jar".

Reported-by: Martin Dorey
Reviewed-by: Daniel Gustafsson
Fixes #6723
Closes #7077
2021-05-17 10:57:03 +02:00
Daniel Stenberg
fe5a61c007
CURLOPT_CAPATH.3: defaults to a path, not NULL
Reported-by: Andrew Barnert

Closes #7062
2021-05-16 00:50:27 +02:00
Daniel Stenberg
f71d3e01ec
travis: disable the libssh build
It can't run on focal and causes warnings on bionic. Since the focal
failure started rather suddenly a while ago, we can suspect it might be
temporary.

Added "bring back the build" to the TODO document.

Fixes #7011
Closes #7012
2021-05-09 00:13:37 +02:00
Daniel Stenberg
63813a0325
HTTP3: make the ngtcp2 build use the quictls fork
... as ngtcp2 itself documents the build this way.

Closes #7031
2021-05-07 22:43:54 +02:00
Daniel Stenberg
1763aceb0c
http: limit the initial send amount to used upload buffer size
Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer has been set, this
function can benefit from sending more bytes. With default size used,
this does the same as before.

Also changed the storage of the size to an 'unsigned int' as it is not
allowed to be set larger than 2M.

Also added cautions to the man pages about changing buffer sizes in
run-time.

Closes #7022
2021-05-07 08:51:39 +02:00
Daniel Stenberg
e2497c73f9
curl_mprintf.3: add description
These functions have existed in the API since the dawn of time. It is
about time we describe how they work, even if we discourage users from
using them.

Closes #7010
2021-05-06 23:21:12 +02:00
Timothy Gu
51e3388f7d
URL-SYNTAX: update IDNA section for WHATWG spec changes
WHATWG URL has dictated the use of Nontransitional Processing (IDNA
2008) for several years now. Chrome (and derivatives) still use
Transitional Processing, but Firefox and Safari have both switched.

Also document the fact that winidn functions differently from libidn2
here.

Closes #7026
2021-05-06 23:15:46 +02:00
Calvin Buckley
69bf70d7dc
INSTALL: add IBM i specific quirks
Fixes #6830
Closes #7013
2021-05-06 16:59:43 +02:00
Daniel Stenberg
a42b8f08d8
libcurl.3: mention the URL API
To make it easier to find. Also a minor polish of libcurl-url.3

Closes #7009
2021-05-06 16:54:05 +02:00
Gilles Vollant
77fc3859b2 SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
Daniel Stenberg
7d7a0a8b09
KNOWN_BUGS: add two HTTP/2 bugs 2021-05-03 17:27:35 +02:00
Daniel Stenberg
e41f2e5225
KNOWN_BUGS: add three HTTP/3 issues
... and moved the HTTP/2 issues to its own section

Closes #6606
Closes #6510
Closes #6494
2021-05-03 17:22:52 +02:00
ejanchivdorj
94241a9e78
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
2021-05-03 17:11:01 +02:00
Jacob Hoffman-Andrews
8228002cd1
rustls: use ALPN
Update required rustls to 0.5.0

Closes #6960
2021-04-30 08:27:37 +02:00
Ayushman Singh Chauhan
6aae7b1761
docs: camelcase it like GitHub everywhere
Closes #6979
2021-04-28 08:16:20 +02:00
Lucas Servén Marín
b08863822c docs: fix typo in fail-with-body doc
This commit fixes a small typo in the documentation for the
--fail-with-body flag.

Closes https://github.com/curl/curl/pull/6977
2021-04-27 15:11:08 -04:00
Daniel Stenberg
2e23f3b8d5
libcurl-security.3: be careful of setuid
Reported-by: Harry Sintonen
Closes #6970
2021-04-27 07:51:42 +02:00
Daniel Stenberg
7fdf01f32e
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
Closes #6942
2021-04-26 10:25:03 +02:00
Yusuke Nakamura
c1311dba6e
docs/HTTP3.md: fix nghttp2's HTTP/3 server port
Port 8443 does not work now.
Correct origin is in the quicwg's wiki.
https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2

Closes #6964
2021-04-26 08:07:37 +02:00
Johann150
68f6c56396
curl_url_set.3: add memory management information
wording taken from man page for CURLOPT_URL.3

As far as I can see, the URL part is either malloc'ed before due to
encoding or it is strdup'ed.

Closes #6953
2021-04-25 14:13:29 +02:00
Daniel Stenberg
f014eeceb2
CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
Ref: https://curl.se/mail/lib-2021-04/0085.html
Closes #6943
2021-04-23 23:20:31 +02:00
Martin Halle
e540b32562 version: add gsasl_version to curl_version_info_data
- Add gsasl_version string and bump to CURLVERSION_TENTH.

Ref: https://curl.se/mail/lib-2021-04/0003.html

Closes https://github.com/curl/curl/pull/6843
2021-04-22 18:28:28 -04:00
Morten Minde Neergaard
67d3afa73f schannel: Support strong crypto option
- Support enabling strong crypto via optional user cipher list when
  USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.

MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
versions that may be otherwise enabled for better interoperability."

Ref: https://curl.se/mail/lib-2021-02/0066.html
Ref: https://curl.se/docs/manpage.html#--ciphers
Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred

Closes https://github.com/curl/curl/pull/6734
2021-04-22 17:40:19 -04:00
Daniel Stenberg
68d89f242c
configure: make the TLS library choice(s) explicit
configure no longer tries to find a TLS library by default, but all
libraries are now equal: the user needs to explicitly ask what TLS
library or libraries to use.

If no TLS library is selected, configure will error out unless
--without-ssl is explicitly used to request a built without TLS (as that
is very rare these days).

Removes: --with-winssl, --with-darwinssl and all --without-* options for
TLS libraries.

Closes #6897
2021-04-22 23:19:47 +02:00
Jay Satiro
54e7475016 schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change
  for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
  to automatically locate and use a client certificate for
  authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
  --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673
2021-04-22 16:53:37 -04:00
Daniel Stenberg
52fab72397
checksrc: complain on == NULL or != 0 checks in conditions
... to make them all consistenly use if(!var) and if(var)

Also added a few missing warnings to the documentation.

Closes #6912
2021-04-22 09:10:17 +02:00
Daniel Stenberg
063d3f3b96
tidy-up: make conditional checks more consistent
... remove '== NULL' and '!= 0'

Closes #6912
2021-04-22 09:10:17 +02:00