1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 06:55:02 -05:00
Commit Graph

10087 Commits

Author SHA1 Message Date
Rick Deist
3349a633b8
hostip: fix check on Curl_shuffle_addr return value
Closes #3110
2018-10-08 08:39:24 +02:00
Daniel Stenberg
e50a2002bd
FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
Now FILE transfers send headers to the header callback like HTTP and
other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
work for FILE in the callbacks.

Makes "curl -i file://.." and "curl -I file://.." work like before
again. Applied the bold header logic to them too.

Regression from c1c2762 (7.61.0)

Reported-by: Shaun Jackman
Fixes #3083
Closes #3101
2018-10-08 08:35:40 +02:00
Daniel Gustafsson
b55e85d4ec gskit: make sure to terminate version string
In case a very small buffer was passed to the version function, it could
result in the buffer not being NULL-terminated since strncpy() doesn't
guarantee a terminator on an overflowed buffer. Rather than adding code
to terminate (and handle zero-sized buffers), move to using snprintf()
instead like all the other vtls backends.

Closes #3105
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-07 22:36:25 +02:00
dmitrykos
0b19ef13b4
timeval: fix use of weak symbol clock_gettime() on Apple platforms
Closes #3048
2018-10-05 22:29:21 +02:00
Daniel Stenberg
7f00146d00
doh: keep the IPv4 address in (original) network byte order
Ideally this will fix the reversed order shown in SPARC tests:

  resp 8: Expected 127.0.0.1 got 1.0.0.127

Closes #3091
2018-10-05 22:15:34 +02:00
Daniel Gustafsson
4301d14b90 checksrc: handle zero scoped ignore commands
If a !checksrc! disable command specified to ignore zero errors, it was
still added to the ignore block even though nothing was ignored. While
there were no blocks ignored that shouldn't be ignored, the processing
ended with with a warning:

<filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
 /* !checksrc! disable LONGLINE 0 */
                    ^
Fix by instead treating a zero ignore as a a badcommand and throw a
warning for that one.

Closes #3096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05 13:33:21 +02:00
Daniel Gustafsson
b5d182d037 checksrc: enable strict mode and warnings
Enable strict and warnings mode for checksrc to ensure we aren't missing
anything due to bugs in the checking code. This uncovered a few things
which are all fixed in this commit:

* several variables were used uninitialized
* several variables were not defined in the correct scope
* the whitelist filehandle was read even if the file didn't exist
* the enable_warn() call when a disable counter had expired was passing
  incorrect variables, but since the checkwarn() call is unlikely to hit
  (the counter is only decremented to zero on actual ignores) it didn't
  manifest a problem.

Closes #3090
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05 13:29:37 +02:00
dmitrykos
667b5721c7 cmake: test and set missed defines during configuration
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.

Closes #3097
2018-10-05 13:10:41 +03:00
Daniel Stenberg
8f2bb0e377
doh: make sure TTL isn't re-inited by second (discarded?) response
Closes #3092
2018-10-04 23:22:28 +02:00
Daniel Gustafsson
2873971d62 memory: ensure to check allocation results
The result of a memory allocation should always be checked, as we may
run under memory pressure where even a small allocation can fail. This
adds checking and error handling to a few cases where the allocation
wasn't checked for success. In the ftp case, the freeing of the path
variable is moved ahead of the allocation since there is little point
in keeping it around across the strdup, and the separation makes for
more readable code. In nwlib, the lock is aslo freed in the error path.

Also bumps the copyright years on affected files.

Closes #3084
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 23:45:38 +02:00
Daniel Gustafsson
e182fc1613 comment: Fix multiple typos in function parameters
Ensure that the parameters in the comment match the actual names in the
prototype.

Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 10:27:27 +02:00
Jay Satiro
dd6b62acc3 nss: fix nssckbi module loading on Windows
- Use .DLL extension instead of .so to load modules on Windows.

Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Reported-by: Maxime Legros

Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442

Closes https://github.com/curl/curl/pull/3086
2018-10-03 02:28:09 -04:00
Daniel Stenberg
d9a2dc9aad
urlapi: starting with a drive letter on win32 is not an abs url
... and libcurl doesn't support any single-letter URL schemes (if there
even exist any) so it should be fairly risk-free.

Reported-by: Marcel Raad

Fixes #3070
Closes #3071
2018-10-02 11:48:01 +02:00
Marcel Raad
c1c092c0b4
doh: fix curl_easy_setopt argument type
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
MinGW.
2018-10-02 11:15:29 +02:00
Ruslan Baratov
69328490fc CMake: Improve config installation
Use 'GNUInstallDirs' standard module to set destinations of installed
files.

Use uppercase "CURL" names instead of lowercase "curl" to match standard
'FindCURL.cmake' CMake module:
* https://cmake.org/cmake/help/latest/module/FindCURL.html

Meaning:
* Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
* User should call 'find_package(CURL)' instead of 'find_package(curl)'

Use 'configure_package_config_file' function to generate
'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
file smaller and handle components better.  E.g.  current configuration
report no error if user specified unknown components (note: new
configuration expects no components, report error if user will try to
specify any).

Closes https://github.com/curl/curl/pull/2849
2018-10-01 16:16:29 -04:00
Daniel Stenberg
570008c99d
doh: only build if h2 enabled
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
of HTTP for use with DoH".

Reported-by: Marcel Raad
Closes #3066
2018-09-30 11:31:58 +02:00
Daniel Stenberg
2dfc0dd6b5
multi: fix memory leak in content encoding related error path
... a missing multi_done() call.

Credit to OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
Closes #3063
2018-09-29 15:03:57 +02:00
Daniel Stenberg
454fa3fd7b
multi: fix location URL memleak in error path
Follow-up to #3044 - fix a leak OSS-Fuzz detected
Closes #3057
2018-09-28 17:10:14 +02:00
Sergei Nikulov
f8215f80ab cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) 2018-09-28 16:54:20 +03:00
Marcel Raad
7ae78feea3
curl_threads: fix classic MinGW compile break
Classic MinGW still has _beginthreadex's return type as unsigned long
instead of uintptr_t [0]. uintptr_t is not even defined because of [1].

[0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
[1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90

Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
Closes https://github.com/curl/curl/pull/3051
2018-09-27 09:13:20 +02:00
Daniel Stenberg
304bb2f7c1
Curl_http2_done: fix memleak in error path
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
early failures.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
2018-09-25 17:03:45 +02:00
Daniel Stenberg
4058cf2a7f
http: fix memleak in rewind error path
If the rewind would fail, a strdup() would not get freed.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
2018-09-25 10:30:08 +02:00
Daniel Stenberg
ef695fc301
Curl_retry_request: fix memory leak
Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
Closes #3042
2018-09-24 16:38:11 +02:00
Daniel Stenberg
e2dd435d47
openssl: load built-in engines too
Regression since 38203f1

Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
2018-09-24 16:36:31 +02:00
Christian Heimes
b939bc47b2
OpenSSL: enable TLS 1.3 post-handshake auth
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.

Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027
2018-09-24 08:01:18 +02:00
Even Rouault
55b51b8c49
Curl_dedotdotify(): always nul terminate returned string.
This fixes potential out-of-buffer access on "file:./" URL

$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516==    at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516==    by 0x4EBB315: seturl (urlapi.c:801)
==24516==    by 0x4EBB568: parseurl (urlapi.c:861)
==24516==    by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516==    by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516==    by 0x4E67AEF: create_conn (url.c:3613)
==24516==    by 0x4E68A4F: Curl_connect (url.c:4119)
==24516==    by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516==    by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516==    by 0x4E7558C: easy_transfer (easy.c:686)
==24516==    by 0x4E75801: easy_perform (easy.c:779)
==24516==    by 0x4E75868: curl_easy_perform (easy.c:798)

Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz

Closes #3039
2018-09-24 07:48:41 +02:00
Viktor Szakats
b801b453af whitespace fixes
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
  in manual examples

Closes https://github.com/curl/curl/pull/3037
2018-09-23 22:24:02 +00:00
Daniel Stenberg
e407e79c29
http: add missing return code check
Detected by Coverity. CID 1439610.

Follow-up from 46e164069d

Closes #3034
2018-09-23 23:08:39 +02:00
Daniel Stenberg
30b2d07b03
ftp: don't access pointer before NULL check
Detected by Coverity. CID 1439611.

Follow-up from 46e164069d
2018-09-23 23:08:36 +02:00
Daniel Stenberg
46e164069d
url: use the URL API internally as well
... to make it a truly unified URL parser.

Closes #3017
2018-09-22 11:58:10 +02:00
Viktor Szakats
f078361c0e URL and mailmap updates, remove an obsolete directory [ci skip]
Closes https://github.com/curl/curl/pull/3031
2018-09-22 07:58:32 +00:00
Erik Minekus
39c9140cce
Curl_saferealloc: Fixed typo in docblock
Closes #3029
2018-09-21 14:24:55 +02:00
Daniel Stenberg
2097cd5152
urlapi: fix support for address scope in IPv6 numerical addresses
Closes #3024
2018-09-21 11:19:14 +02:00
Loganaden Velvindron
9bdadbbdee
GnutTLS: TLS 1.3 support
Closes #2971
2018-09-21 09:13:33 +02:00
Jay Satiro
2e5651a5ce vtls: fix ssl version "or later" behavior change for many backends
- Treat CURL_SSLVERSION_MAX_NONE the same as
  CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
  the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
2018-09-20 14:12:25 -04:00
Daniel Stenberg
9307c219ad
urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance
In order for this API to fully work for libcurl itself, it now offers a
CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
name prefix just like libcurl always did. If there's no known prefix, it
will guess "http://".

Separately, it relaxes the check of the host name so that IDN host names
can be passed in as well.

Both these changes are necessary for libcurl itself to use this API.

Assisted-by: Daniel Gustafsson
Closes #3018
2018-09-19 23:21:52 +02:00
Kamil Dudka
eb0b3acbc1 nss: try to connect even if libnssckbi.so fails to load
One can still use CA certificates stored in NSS database.

Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html

Closes #3016
2018-09-19 16:58:33 +02:00
Daniel Gustafsson
522e647cc5 urlapi: don't set value which is never read
In the CURLUPART_URL case, there is no codepath which invokes url
decoding so remove the assignment of the urldecode variable. This
fixes the deadstore bug-report from clang static analysis.

Closes #3015
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-19 13:44:10 +02:00
Daniel Stenberg
ec5d0991cc
curl_multi_wait: call getsock before figuring out timeout
.... since getsock may update the expiry timer.

Fixes #2996
Closes #3000
2018-09-18 15:39:28 +02:00
Daniel Gustafsson
ed7830061e darwinssl: Fix realloc memleak
The reallocation was using the input pointer for the return value, which
leads to a memory leak on reallication failure. Fix by instead use the
safe internal API call Curl_saferealloc().

Closes #3005
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
2018-09-18 09:08:06 +02:00
Daniel Gustafsson
927cb3708e memory: add missing curl_printf header
ftp_send_command() was using vsnprintf() without including the libcurl
*rintf() replacement header. Fix by including curl_printf.h and also
add curl_memory.h while at it since memdebug.h depends on it.

Closes #2999
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-17 09:28:10 +02:00
Daniel Stenberg
55dbcb061d
http: made Curl_add_buffer functions take a pointer-pointer
... so that they can clear the original pointer on failure, which makes
the error-paths and their cleanups easier.

Closes #2992
2018-09-16 23:22:37 +02:00
Daniel Stenberg
130c53b632
http2: fix memory leaks on error-path 2018-09-16 23:22:15 +02:00
Viktor Szakats
420087bb30 secure Openwall URLs 2018-09-14 18:48:35 +00:00
Daniel Stenberg
4ff5f9405a
openssl: show "proper" version number for libressl builds
Closes #2989
2018-09-14 11:57:20 +02:00
Rainer Jung
1599dfcba6
openssl: assume engine support in 0.9.8 or later
Fixes #2983
Closes #2988
2018-09-14 11:56:28 +02:00
Daniel Gustafsson
daa12c6eb3 sendf: use failf() rather than Curl_failf()
The failf() macro is the name used for invoking Curl_failf(). While
there isn't a way to turn off failf like there is for infof, but it's
still a good idea to use the macro.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:48:21 +02:00
Daniel Gustafsson
e7ee2f2923 sendf: Fix whitespace in infof/failf concatenation
Strings broken on multiple rows in the .c file need to have appropriate
whitespace padding on either side of the concatenation point to render
a correct amalgamated string. Fix by adding a space at the occurrences
found.

Closes #2986
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:47:45 +02:00
Daniel Gustafsson
3c5ee47fc2 krb5: fix memory leak in krb_auth
The FTP command allocated by aprintf() must be freed after usage.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:10:55 +02:00
Daniel Gustafsson
a9882b90f8 ftp: include command in Curl_ftpsend sendbuffer
Commit 8238ba9c5f inadvertently removed
the actual command to be sent from the send buffer in a refactoring.
Add back copying the command into the buffer. Also add more guards
against malformed input while at it.

Closes #2985
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:10:18 +02:00