1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 19:45:04 -05:00
Commit Graph

4518 Commits

Author SHA1 Message Date
Jay Satiro
a12a16151a url: fix CURLU and location following
Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
incorrectly used for the location follow, resulting in infinite requests
to the original location.

Reported-by: sspiri@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/5709
Closes https://github.com/curl/curl/pull/5713
2020-07-30 11:57:35 -04:00
Daniel Stenberg
2f72ad44fc
checksrc: ban gmtime/localtime
They're not thread-safe so they should not be used in libcurl code.

Explictly enabled when deemed necessary and in examples and tests

Reviewed-by: Nicolas Sterchele
Closes #5732
2020-07-28 23:51:17 +02:00
Nicolas Sterchele
0b85969226
getinfo: reset retry-after value in initinfo
- Avoid re-using retry_after value from preceding request
- Add libtest 3010 to verify

Reported-by: joey-l-us on github
Fixes #5661
Closes #5672
2020-07-27 12:15:44 +02:00
Tobias Stoeckmann
8829703b5a mprintf: Fix stack overflows
Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:43:00 -04:00
Marcel Raad
c90e48c005
util: silence conversion warnings
timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might
be a 64-bit integer. This is the case when building for recent macOS
versions, for example. Just treat tv_usec as an int, which should
hopefully always be sufficient on systems with
`HAVE_CLOCK_GETTIME_MONOTONIC`.

Closes https://github.com/curl/curl/pull/5695
2020-07-19 10:34:58 +02:00
Daniel Stenberg
c13c67e127
test1139: make it display the difference on test failures 2020-07-14 18:31:37 +02:00
Daniel Stenberg
839e9f342b
test1119: verify stdout in the test
So that failures will be displayed in the terminal, as it makes test failures
visually displayed easier and faster.

Closes #5644
2020-07-14 18:31:30 +02:00
Daniel Stenberg
f5e6907d52
curl: add %{method} to the -w variables
Gets the CURLINFO_EFFECTIVE_METHOD from libcurl.

Added test 1197 to verify.
2020-07-14 17:53:45 +02:00
Gilles Vollant
e13357b14b
content_encoding: add zstd decoding support
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu

Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
2020-07-12 18:11:37 +02:00
Daniel Stenberg
9466034561
transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
Added test case 674 to reproduce and verify the bug report.

Fixes #5665
Reported-by: NobodyXu on github
Closes #5673
2020-07-12 16:36:02 +02:00
Daniel Stenberg
1535363e72
ftpserver: don't verify SMTP MAIL FROM names
Rely on tests asking the names to get refused instead - test servers
should be as dumb as possible. Edited test 914, 955 and 959 accordingly.

Closes #5639
2020-07-03 10:10:30 +02:00
Daniel Stenberg
032e838b73
terminology: call them null-terminated strings
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).

Reported-by: coinhubs on github
Fixes #5598
Closes #5608
2020-06-28 00:31:24 +02:00
Daniel Stenberg
ff43fb6dec
http: fix proxy auth with blank password
Regression in 7.71.0

Added test case 346 to verify.

Reported-by: Kristoffer Gleditsch
Fixes #5613
Closes #5616
2020-06-28 00:29:59 +02:00
Daniel Stenberg
1529838a14
test1539: do a HTTP 1.0 POST without a set size (fails)
Attempt to reproduce #5593. Test case 1514 is very similar but uses
HTTP/1.1 and thus switches to chunked.

Closes #5595
2020-06-26 15:11:04 +02:00
Daniel Stenberg
8acfb932ef
tests: verify newline in username and password for HTTP
test 1296 is a simply command line test

test 1910 is a libcurl test including a redirect
2020-06-25 09:57:19 +02:00
Daniel Stenberg
79d8099ff0
test543: extended to verify zero length input
As was reported in #5601
2020-06-25 00:00:35 +02:00
Daniel Stenberg
5bf653464f
test1460: verify that -Ji is not ok 2020-06-22 00:50:08 +02:00
Daniel Stenberg
c888e3f6ce
test1179: verify error message for non-existing cmdline option 2020-06-18 13:59:49 +02:00
Daniel Stenberg
185890d5d7
FILEFORMAT: describe verify/stderr 2020-06-18 09:50:43 +02:00
Daniel Stenberg
b88bdedf9c
altsvc: remove the num field from the altsvc struct
It was superfluous since we have the list.size alredy

Reported-by: Jay Satiro
Fixes #5553
Closes #5563
2020-06-12 23:24:11 +02:00
Martin V
b71628b633
test1560: avoid possibly negative association in wording
Closes #5549
2020-06-12 10:01:57 +02:00
Daniel Stenberg
eab2f95c0d
wording: avoid blacklist/whitelist stereotypes
Instead of discussing if there's value or meaning (implied or not) in
the colors, let's use words without the same possibly negative
associations.

Closes #5546
2020-06-10 08:49:17 +02:00
Daniel Stenberg
54d3769761
Curl_addrinfo: use one malloc instead of three
To reduce the amount of allocations needed for creating a Curl_addrinfo
struct, make a single larger malloc instead of three separate smaller
ones.

Closes #5533
2020-06-08 16:10:53 +02:00
Daniel Stenberg
876e66412a
tests: add two simple tests for --login-options
Test 895 and 896 - as a follow-up to a3e972313b

Closes #5539
2020-06-08 12:55:31 +02:00
Daniel Stenberg
2705830f2f
server/util: fix logmsg format using curl_off_t argument
... this caused segfaults on armv7.

Regression added in dd0365d560 (7.70.0)

Reviewed-by: Jay Satiro
Closes #5529
2020-06-06 13:25:56 +02:00
Daniel Stenberg
9c845be279
urldata: let the HTTP method be in the set.* struct
When the method is updated inside libcurl we must still not change the
method as set by the user as then repeated transfers with that same
handle might not execute the same operation anymore!

This fixes the libcurl part of #5462

Test 1633 added to verify.

Closes #5499
2020-06-02 16:30:36 +02:00
Daniel Stenberg
c06ffdb6f1
test970: make it require proxy support
This test verifies the -w %json output and the test case includes a full
generated "blob". If there's no proxy support built into libcurl, it
will return an error for proxy related info variables and they will not
be included in the json, thus causing a mismatch and this test fails.

Reported-by: Marc Hörsken
Fixes #5501
Closes #5502
2020-06-02 10:39:15 +02:00
Daniel Stenberg
f3d501dc67
build: disable more code/data when built without proxy support
Added build to travis to verify

Closes #5466
2020-05-30 23:18:16 +02:00
Daniel Stenberg
c4e6968127
url: alloc the download buffer at transfer start
... and free it as soon as the transfer is done. It removes the extra
alloc when a new size is set with setopt() and reduces memory for unused
easy handles.

In addition: the closure_handle now doesn't use an allocated buffer at
all but the smallest supported size as a stack based one.

Closes #5472
2020-05-30 23:14:33 +02:00
Marc Hoersken
62314d6b71
unit1604.c: fix implicit conv from 'SANITIZEcode' to 'CURLcode'
GCC 10 warns about this with warning: implicit conversion
  from 'SANITIZEcode' to 'CURLcode' [-Wenum-conversion]

Since 'expected_result' is not really of type 'CURLcode' and
it is not exposed in any way, we can just use 'SANITIZEcode'.

Reviewed-by: Daniel Stenberg
Reviewed-by: Marcel Raad

Closes #5476
2020-05-30 10:07:26 +02:00
Marc Hoersken
c0d4faf8e5
tests/libtest: fix undefined reference to 'curlx_win32_fopen'
Since curl_setup.h now makes use of curlx_win32_fopen for Win32
builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined,
we need to include the relevant files for tests using fopen,
because the libtest sources are also including curl_setup.h

Reviewed-by: Marcel Raad
Reviewed-by: Daniel Stenberg

Follow up to #3784 (ffdddb45d9)
Closes #5475
2020-05-30 10:03:00 +02:00
Daniel Stenberg
6531d089e5
server/sws: fix asan warning on use of uninitialized variable 2020-05-29 13:05:09 +02:00
Daniel Stenberg
32d4d6b969
mk-lib1521: generate code for testing BLOB options as well
Follow-up to cac5374298

Closes #5478
2020-05-29 09:22:50 +02:00
Daniel Stenberg
d528d97563
FILEFORMAT: add more features that tests can depend on 2020-05-27 14:33:49 +02:00
Daniel Stenberg
ad829b21ae
url: accept "any length" credentials for proxy auth
They're only limited to the maximum string input restrictions, not to
256 bytes.

Added test 1178 to verify

Reported-by: Will Roberts
Fixes #5448
Closes #5449
2020-05-25 23:08:57 +02:00
Maksim Stsepanenka
96f52abf80
test1167: fixes in badsymbols.pl
Closes #5442
2020-05-25 23:07:46 +02:00
Daniel Stenberg
d844f2b9ff
altsvc: fix parser for lines ending with CRLF
Fixed the alt-svc parser to treat a newline as end of line.

The unit tests in test 1654 were done without CRLF and thus didn't quite
match the real world. Now they use CRLF as well.

Reported-by: Peter Wu
Assisted-by: Peter Wu
Assisted-by: Jay Satiro
Fixes #5445
Closes #5446
2020-05-25 23:05:27 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Daniel Stenberg
006d2991bd
curl: remove -J "informational" written on stdout
curl would previously show "curl: Saved to filename 'name from header'"
if -J was used and a name was picked from the Content-Disposition
header. That output could interfer with other stdout output, such as -w.

This commit removes that output line.
Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html
Reported-by: Коваленко Анатолий Викторович
Closes #5435
2020-05-23 23:12:53 +02:00
Daniel Stenberg
bb79320af7
tests/server/util.h: add extern to silence compiler warning
Follow-up from a3b0699d5c
2020-05-20 15:37:09 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Daniel Stenberg
9e95ca10b5
test1632: verify FTP through HTTPS-proxy with connection re-use 2020-05-15 08:28:56 +02:00
Daniel Stenberg
c6ce51169e
test1631: verify FTP download through HTTPS-proxy 2020-05-15 08:28:56 +02:00
Daniel Stenberg
a3b0699d5c
sws: as last resort, get test number from server cmd file
If it can't be found in the request. Also support --cmdfile to set it to
a custom file name.

runtests.pl always writes this file with the test number in it since a
while back.
2020-05-15 08:28:56 +02:00
Marcel Raad
a55c835e6b
curl_multibyte: add to curlx
This will also be needed in the tool and tests.

Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:27 +02:00
Daniel Stenberg
600a8cded4
url: make the updated credentials URL-encoded in the URL
Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400
2020-05-14 17:59:47 +02:00
Daniel Stenberg
e2a7a6bb9e
tests: add https-proxy support to the test suite
Initial test 1630 added with basic HTTPS-proxy use. HTTPS-proxy is like
HTTP proxy but with a full TLS connection to the proxy.

Closes #5399
2020-05-14 16:21:31 +02:00
Daniel Stenberg
66b0775763
checksrc: enhance the ASTERISKSPACE and update code accordingly
Fine: "struct hello *world"

Not fine: "struct hello* world" (and variations)

Closes #5386
2020-05-14 00:02:05 +02:00
Daniel Stenberg
f3f5d82e28
docs/options-in-versions: which version added each cmdline option
Added test 971 to verify that the list is in sync with the files in
cmdline-opts. The check also verifies that .d-files that uses Added:
specify the same version number as the options-in-versions file does.

Closes #5381
2020-05-13 23:58:36 +02:00
Jay Satiro
b995bb58cb tool: Add option --retry-all-errors to retry on any error
The "sledgehammer" of retrying.

Closes https://github.com/curl/curl/pull/5185
2020-05-12 03:00:15 -04:00