mirror of https://github.com/moparisthebest/curl synced 2024-11-15 05:55:04 -05:00
Commit Graph

5072 Commits

Author SHA1 Message Date
Daniel Stenberg
42db4ccee2
examples: length-limit two sscanf() uses of %s
Reported-by: Jishan Shaikh
Fixes #7293
Closes #7294
2021-06-24 15:57:09 +02:00
Daniel Stenberg
7020be7d85
--socks4[a]: clarify where the host name is resolved
Closes #7273
2021-06-17 23:07:39 +02:00
Daniel Stenberg
933c61e4fc
libcurl-security.3: mention file descriptors and forks
... and move the security report section last.

Reported-by: Harry Sintonen
Closes #7270
2021-06-17 17:11:40 +02:00
Daniel Stenberg
52aa18411c
KNOWN_BUGS: Negotiate on Windows fails
Closes #5881
2021-06-16 14:29:11 +02:00
Daniel Stenberg
1782acd392
KNOWN_BUGS: renames instead of locking for atomic operations
Closes #6882
Closes #6884
2021-06-16 10:59:39 +02:00
Viktor Szakats
2026124691
idn: fix libidn2 with windows unicode builds
Unicode Windows builds use UTF-8 strings internally in libcurl,
so make sure to call the UTF-8 flavour of the libidn2 API. Also
document that Windows builds with libidn2 and UNICODE do expect
CURLOPT_URL as a UTF-8 string.

Reported-by: dEajL3kA on github
Assisted-by: Jay Satiro
Reviewed-by: Marcel Raad
Closes #7246
Fixes #7228
2021-06-15 12:10:48 +00:00
Daniel Stenberg
b67d3ba73e
curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.

The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.

Updated test 1560 to verify.

Closes #7073
2021-06-15 10:49:49 +02:00
Jay Satiro
22aa098113
docs: Remove outdated curl tool limitation
- Document that HTTP/2 multiplexing is supported by the curl tool when
  parallel transfers are used.

Supported since 7.66.0 via --parallel, but the doc wasn't updated.

Closes https://github.com/curl/curl/pull/7259
2021-06-15 03:19:32 -04:00
Fawad Mirza
92c588f04b
CURLOPT_WRITEFUNCTION.3: minor update of the example
Safely avoid chunk.size garbage value if declared non globally.

Closes #7219
2021-06-09 14:29:40 +02:00
Daniel Stenberg
265b14d6b3
metalink: remove
Warning: this will make existing curl command lines that use metalink
stop working.

Reasons for removal:

1. We've found several security problems and issues involving the
   metalink support in curl. The issues are not detailed here. When
   working on those, it became apparent to the team that several of the
   problems are due to the system design, metalink library API and what
   the metalink RFC says. They are very hard to fix on the curl side
   only.

2. The metalink usage with curl was only very briefly documented and was
   not following the "normal" curl usage pattern in several ways, making
   it surprising and non-intuitive which could lead to further security
   issues.

3. The metalink library was last updated 6 years ago and wasn't so
   active the years before that either. An unmaintained library means
   there's a security problem waiting to happen. This is probably reason
   enough.

4. Metalink requires an XML parsing library, which is complex code (even
   the smaller alternatives) and to this day often gets security
   updates.

5. Metalink is not a widely used curl feature. In the 2020 curl user
   survey, only 1.4% of the responders said that they are using it. In
   2021 that number was 1.2%. Searching the web also shows very few
   traces of it being used, even with other tools.

6. The torrent format and associated technology clearly won for
   downloading large files from multiple sources in parallel.

Closes #7176
2021-06-07 08:14:25 +02:00
Daniel Stenberg
9cf516adc6
docs/INSTALL: remove mentions of configure --with-darwin-ssl
... as it isn't supported since a while back.

Make configure fail with a warning if used.

Reported-by: Vadim Grinshpun
Bug: https://curl.se/mail/lib-2021-06/0008.html
Closes #7200
2021-06-06 23:55:32 +02:00
Daniel Stenberg
60e4267705
TODO: Support rate-limiting for MQTT
2021-06-04 15:57:02 +02:00
Daniel Stenberg
628ebd82b9
test269: disable for hyper
--ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work
with hyper.

Closes #7184
2021-06-03 23:11:11 +02:00
Daniel Stenberg
6793332eba
CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax
For options that pass in lists or strings that are subsequently parsed
and must be correct. This broadens the scope for the option previously
known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
provided as a #define for existing applications.

Closes #7175
2021-06-02 23:03:55 +02:00
theawless
ee8c4f766c
define: re-add CURL_DISABLE_NTLM and corresponding ifdefs
This flag will be further exposed by adding build options.

Reverts #6809
Closes #7028
2021-06-02 08:55:00 +02:00
Daniel Stenberg
5e1e4dbf1e
GOVERNANCE: add 'user', 'committer' and 'contributor'
As those are commonly used terms in the project.

Closes #7151
2021-05-31 15:42:39 +02:00
Daniel Stenberg
c61ca43340
URL-SYNTAX.md: document the new 'localhost' treatment
2021-05-31 15:37:37 +02:00
Daniel Gustafsson
772eacb2e3
docs: fix typos
2021-05-31 12:47:15 +02:00
Daniel Stenberg
a43e1da1e2
HYPER: remove mentions of deprecated development branch
2021-05-28 23:06:19 +02:00
Daniel Stenberg
68975fba02
HSTS: not experimental anymore
2021-05-28 12:34:07 +02:00
Douglas R. Reno
ed38ac86ea
INSTALL: use correct extension for CURL-DISABLE.md
In INSTALL.MD, it's currently set to CURL-DISABLE-md instead of
CURL-DISABLE.md. This generates a 404 on the cURL website as well as
when viewing the docs through Github.

Closes #7142
2021-05-27 22:59:48 +02:00
Viktor Szakats
3976dd67a2
docs: use --max-redirs instead of --max-redir
For consistency.

Closes #7130
2021-05-26 14:49:52 +02:00
Daniel Stenberg
83a31635a4
THANKS: added contributors from 7.77.0 cycle
2021-05-26 08:18:11 +02:00
Daniel Stenberg
82d334001f
copyright: update copyright year ranges to 2021
2021-05-26 08:18:11 +02:00
Daniel Stenberg
54e5c24565
TODO: netrc caching and sharing
URL: https://curl.se/mail/archive-2021-05/0018.html
2021-05-25 17:45:26 +02:00
Jacob Hoffman-Andrews
a62e6435f4
rustls: switch read_tls and write_tls to callbacks
And update to 0.6.0, including a rename from session to connection for
many fields.

Closes #7071
2021-05-24 16:40:59 +02:00
Daniel Stenberg
b03b82a85f
docs/tests: remove freenode references
2021-05-24 00:21:00 +02:00
Lucas Clemente Vella
84d2839740
CURLOPT_IPRESOLVE: preventing wrong IP version from being used
In some situations, it was possible that a transfer was set up to
use a specific IP version, but due to DNS caching or connection
reuse, it ended up using a different IP version from requested.

This commit changes the effect of CURLOPT_IPRESOLVE from simply
restricting address resolution to preventing the wrong connection
type being used, when choosing a connection from the pool, and
to restricting what addresses could be used when establishing
a new connection.

It is important that all address versions are resolved, even if
not used in that transfer in particular, because the result is
cached, and could be useful for a different transfer with a
different CURLOPT_IPRESOLVE setting.

Closes #6853
2021-05-20 16:58:31 +02:00
Ryan Beck-Buysse
d845d392b5
docs/TheArtOfHttpScripting: fix markdown links
extra parens cause the links to be incorrectly formatted
and inconsistent with the rest of the document.

Signed-off-by: Ryan Beck-Buysse <rbuysse@gmail.com>
Closes #7097
2021-05-19 09:10:11 +02:00
Emil Engler
3d3f4efbc8
docs: replace dots with dashes in markdown enums
We use dashes instead of dots nearly everywhere except for those few
cases. This commit addresses this issue and brings more coherency into
it.

Closes #7093
2021-05-19 00:40:12 +02:00
Emil Engler
d79f8492c5
docs: improve INTERNALS.md regarding getsock cb
This adds the I/O prefix to indicate that those "actions" are kind-of
related to those found in select(2) or poll(2) (reading/writing).

It also adds a note where the prototypes of those functions can be found
in the source code.

Closes #7092
2021-05-19 00:39:06 +02:00
Emil Engler
158d26e4fc
docs: document attach in INTERNALS.md
The new field in the Curl_handler struct still lacks documentation. This
adds it from the information extracted from lib/urldata.h:797

Closes #7091
2021-05-19 00:38:10 +02:00
Daniel Stenberg
5dfa4c08bb
docs: cookies from HTTP headers need domain set
... or the cookies won't get sent. Push users to using the "Netscape"
format instead, which curl uses when saving a cookie "jar".

Reported-by: Martin Dorey
Reviewed-by: Daniel Gustafsson
Fixes #6723
Closes #7077
2021-05-17 10:57:03 +02:00
Daniel Stenberg
fe5a61c007
CURLOPT_CAPATH.3: defaults to a path, not NULL
Reported-by: Andrew Barnert

Closes #7062
2021-05-16 00:50:27 +02:00
Daniel Stenberg
f71d3e01ec
travis: disable the libssh build
It can't run on focal and causes warnings on bionic. Since the focal
failure started rather suddenly a while ago, we can suspect it might be
temporary.

Added "bring back the build" to the TODO document.

Fixes #7011
Closes #7012
2021-05-09 00:13:37 +02:00
Daniel Stenberg
63813a0325
HTTP3: make the ngtcp2 build use the quictls fork
... as ngtcp2 itself documents the build this way.

Closes #7031
2021-05-07 22:43:54 +02:00
Daniel Stenberg
1763aceb0c
http: limit the initial send amount to used upload buffer size
Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer has been set, this
function can benefit from sending more bytes. With default size used,
this does the same as before.

Also changed the storage of the size to an 'unsigned int' as it is not
allowed to be set larger than 2M.

Also added cautions to the man pages about changing buffer sizes in
run-time.

Closes #7022
2021-05-07 08:51:39 +02:00
Daniel Stenberg
e2497c73f9
curl_mprintf.3: add description
These functions have existed in the API since the dawn of time. It is
about time we describe how they work, even if we discourage users from
using them.

Closes #7010
2021-05-06 23:21:12 +02:00
Timothy Gu
51e3388f7d
URL-SYNTAX: update IDNA section for WHATWG spec changes
WHATWG URL has dictated the use of Nontransitional Processing (IDNA
2008) for several years now. Chrome (and derivatives) still use
Transitional Processing, but Firefox and Safari have both switched.

Also document the fact that winidn functions differently from libidn2
here.

Closes #7026
2021-05-06 23:15:46 +02:00
Calvin Buckley
69bf70d7dc
INSTALL: add IBM i specific quirks
Fixes #6830
Closes #7013
2021-05-06 16:59:43 +02:00
Daniel Stenberg
a42b8f08d8
libcurl.3: mention the URL API
To make it easier to find. Also a minor polish of libcurl-url.3

Closes #7009
2021-05-06 16:54:05 +02:00
Gilles Vollant
77fc3859b2
SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
Daniel Stenberg
7d7a0a8b09
KNOWN_BUGS: add two HTTP/2 bugs
2021-05-03 17:27:35 +02:00
Daniel Stenberg
e41f2e5225
KNOWN_BUGS: add three HTTP/3 issues
... and moved the HTTP/2 issues to its own section

Closes #6606
Closes #6510
Closes #6494
2021-05-03 17:22:52 +02:00
ejanchivdorj
94241a9e78
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
2021-05-03 17:11:01 +02:00
Jacob Hoffman-Andrews
8228002cd1
rustls: use ALPN
Update required rustls to 0.5.0

Closes #6960
2021-04-30 08:27:37 +02:00
Ayushman Singh Chauhan
6aae7b1761
docs: camelcase it like GitHub everywhere
Closes #6979
2021-04-28 08:16:20 +02:00
Lucas Servén Marín
b08863822c
docs: fix typo in fail-with-body doc
This commit fixes a small typo in the documentation for the
--fail-with-body flag.

Closes https://github.com/curl/curl/pull/6977
2021-04-27 15:11:08 -04:00
Daniel Stenberg
2e23f3b8d5
libcurl-security.3: be careful of setuid
Reported-by: Harry Sintonen
Closes #6970
2021-04-27 07:51:42 +02:00
Daniel Stenberg
7fdf01f32e
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
Closes #6942
2021-04-26 10:25:03 +02:00