1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 11:35:07 -05:00
Commit Graph

10272 Commits

Author SHA1 Message Date
Frank Gevaerts
21b33b9a0b
rand: Fix a mismatch between comments in source and header.
Reported-by: Björn Stenberg <bjorn@haxx.se>
Closes #3584
2019-02-18 23:13:30 +01:00
Patrick Monnerat
fa86d32d59 x509asn1: replace single char with an array
Although safe in this context, using a single char as an array may
cause invalid accesses to adjacent memory locations.

Detected by Coverity.
2019-02-18 15:40:34 +01:00
Jay Satiro
f26bc29cfe easy: fix win32 init to work without CURL_GLOBAL_WIN32
- Change the behavior of win32_init so that the required initialization
  procedures are not affected by CURL_GLOBAL_WIN32 flag.

libcurl via curl_global_init supports initializing for win32 with an
optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
Winsock initialization. It did so internally by skipping win32_init()
when that flag was set. Since then win32_init() has been expanded to
include required initialization routines that are separate from
Winsock and therefore must be called in all cases. This commit fixes
it so that CURL_GLOBAL_WIN32 only controls the optional win32
initialization (which is Winsock initialization, according to our doc).

The only users affected by this change are those that don't pass
CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
risk of a potential crash.

Ref: https://github.com/curl/curl/pull/3573

Fixes https://github.com/curl/curl/issues/3313
Closes https://github.com/curl/curl/pull/3575
2019-02-18 02:12:12 -05:00
Daniel Gustafsson
e6522522f9 cookie: Add support for cookie prefixes
The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
and how they should affect cookie initialization, which has been
adopted by the major browsers. This adds support for the two prefixes
defined, __Host- and __Secure, and updates the testcase with the
supplied examples from the draft.

Closes #3554
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-17 00:09:30 +01:00
Daniel Gustafsson
0299b262cd mbedtls: release sessionid resources on error
If mbedtls_ssl_get_session() fails, it may still have allocated
memory that needs to be freed to avoid leaking. Call the library
API function to release session resources on this errorpath as
well as on Curl_ssl_addsessionid() errors.

Closes: #3574
Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-16 22:30:31 +01:00
Patrick Monnerat
c52620c249 version.c: silent scan-build even when librtmp is not enabled 2019-02-16 01:04:22 +01:00
Daniel Stenberg
ca597ad34a
Curl_now: figure out windows version in win32_init
... and avoid use of static variables that aren't thread safe.

Fixes regression from e9ababd4f5 (present in the 7.64.0 release)

Reported-by: Paul Groke
Fixes #3572
Closes #3573
2019-02-15 23:23:14 +01:00
Daniel Stenberg
354aa32820
strip_trailing_dot: make sure NULL is never used for strlen
scan-build warning: Null pointer passed as an argument to a 'nonnull'
parameter
2019-02-14 23:30:43 +01:00
Jay Satiro
4015fae044
connection_check: restore original conn->data after the check
- Save the original conn->data before it's changed to the specified
  data transfer for the connection check and then restore it afterwards.

This is a follow-up to 38d8e1b 2019-02-11.

History:

It was discovered a month ago that before checking whether to extract a
dead connection that that connection should be associated with a "live"
transfer for the check (ie original conn->data ignored and set to the
passed in data). A fix was landed in 54b201b which did that and also
cleared conn->data after the check. The original conn->data was not
restored, so presumably it was thought that a valid conn->data was no
longer needed.

Several days later it was discovered that a valid conn->data was needed
after the check and follow-up fix was landed in bbae24c which partially
reverted the original fix and attempted to limit the scope of when
conn->data was changed to only when pruning dead connections. In that
case conn->data was not cleared and the original conn->data not
restored.

A month later it was discovered that the original fix was somewhat
correct; a "live" transfer is needed for the check in all cases
because original conn->data could be null which could cause a bad deref
at arbitrary points in the check. A fix was landed in 38d8e1b which
expanded the scope to all cases. conn->data was not cleared and the
original conn->data not restored.

A day later it was discovered that not restoring the original conn->data
may lead to busy loops in applications that use the event interface, and
given this observation it's a pretty safe assumption that there is some
code path that still needs the original conn->data. This commit is the
follow-up fix for that, it restores the original conn->data after the
connection check.

Assisted-by: tholin@users.noreply.github.com
Reported-by: tholin@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/3542
Closes #3559
2019-02-14 17:42:43 +01:00
Daniel Stenberg
49d73d40f6
memdebug: bring back curl_mark_sclose
Used by debug builds with NSS.

Reverted from 05b100aee2
2019-02-14 17:34:55 +01:00
Patrick Monnerat
539d17b0de transfer.c: do not compute length of undefined hex buffer.
On non-ascii platforms, the chunked hex header was measured for char code
conversion length, even for chunked trailers that do not have an hex header.
In addition, the efective length is already known: use it.
Since the hex length can be zero, only convert if needed.

Reported by valgrind.
2019-02-14 16:03:24 +01:00
Patrick Monnerat
489ef6b694 x509asn1: "Dereference of null pointer"
Detected by scan-build (false positive).
2019-02-14 14:54:01 +01:00
Daniel Stenberg
28177def43
gssapi: fix deprecated header warnings
Heimdal includes on FreeBSD spewed out lots of them. Less so now.

Closes #3566
2019-02-14 08:38:43 +01:00
Daniel Stenberg
bb2444b794
multi: Dereference of null pointer
Mostly a false positive, but this makes the code easier to read anyway.

Detected by scan-build.

Closes #3563
2019-02-13 08:06:35 +01:00
Jay Satiro
0648070423 schannel: restore some debug output but only for debug builds
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
debug output in DEBUGF but omitted a few lines.

Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
2019-02-12 19:54:08 -05:00
Daniel Stenberg
179927c12a
mime: put the boundary buffer into the curl_mime struct
... instead of allocating it separately and point to it. It is
fixed-size and always used for each part.

Closes #3561
2019-02-12 22:55:32 +01:00
Daniel Stenberg
84c10dc1ba
schannel: be quiet
Convert numerous infof() calls into debug-build only messages since they
are annoyingly verbose for regular applications. Removed a few.

Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
Reported-by: Volker Schmid
Closes #3552
2019-02-12 22:53:10 +01:00
Romain Geissler
aa1f1d48f3
Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
Closes #3562
2019-02-12 19:19:55 +01:00
Daniel Stenberg
61496154ce
http2: multi_connchanged() moved from multi.c, only used for h2
Closes #3557
2019-02-12 14:40:37 +01:00
Daniel Stenberg
a6d134e17a
pretransfer: don't strlen() POSTFIELDS set for GET requests
... since that data won't be used in the request anyway.

Fixes #3548
Reported-by: Renaud Allard
Close #3549
2019-02-12 14:36:54 +01:00
Daniel Stenberg
aabc7ae5ec
multi: remove verbose "Expire in" ... messages
Reported-by: James Brown
Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
Closes #3558
2019-02-12 14:13:15 +01:00
Daniel Stenberg
aabe0a7312
mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
Reported-by: MAntoniak on github
Fixes #3553
Closes #3556
2019-02-12 10:27:47 +01:00
Daniel Gustafsson
5c31aebf64 non-ascii.c: fix typos in comments
Fix two occurrences of s/convers/converts/ spotted while reading code.
2019-02-12 10:24:29 +01:00
Daniel Stenberg
fc7ab4835b
fnmatch: disable if FTP is disabled
Closes #3551
2019-02-12 07:50:39 +01:00
Daniel Stenberg
afda140ec5
curl_path: only enabled for SSH builds 2019-02-12 07:50:39 +01:00
Daniel Gustafsson
e5d574c54f dns: release sharelock as soon as possible
There is no benefit to holding the data sharelock when freeing the
addrinfo in case it fails, so ensure releaseing it as soon as we can
rather than holding on to it. This also aligns the code with other
consumers of sharelocks.

Closes #3516
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-11 13:34:11 +01:00
Daniel Stenberg
982c09b95b
multi: (void)-prefix when ignoring return values
... and added braces to two function calls which fixes warnings if they
are replace by empty macros at build-time.
2019-02-11 11:57:02 +01:00
Daniel Stenberg
38d8e1bd4e
connection_check: set ->data to the transfer doing the check
The http2 code for connection checking needs a transfer to use. Make
sure a working one is set before handler->connection_check() is called.

Reported-by: jnbr on github
Fixes #3541
Closes #3547
2019-02-11 10:34:34 +01:00
Daniel Stenberg
81a9fe4e92
hostip: make create_hostcache_id avoid alloc + free
Closes #3544
2019-02-11 08:57:54 +01:00
Daniel Stenberg
05b100aee2
cleanup: make local functions static
urlapi: turn three local-only functions into statics

conncache: make conncache_find_first_connection static

multi: make detach_connnection static

connect: make getaddressinfo static

curl_ntlm_core: make hmac_md5 static

http2: make two functions static

http: make http_setup_conn static

connect: make tcpnodelay static

tests: make UNITTEST a thing to mark functions with, so they can be static for
normal builds and non-static for unit test builds

... and mark Curl_shuffle_addr accordingly.

url: make up_free static

setopt: make vsetopt static

curl_endian: make write32_le static

rtsp: make rtsp_connisdead static

warnless: remove unused functions

memdebug: remove one unused function, made another static
2019-02-10 18:38:57 +01:00
Daniel Stenberg
9cb126792c
url/idnconvert: remove scan for <= 32 ascii values
The check was added back in fa939220df before the URL parser would catch
these problems and therefore these will never trigger now.

Closes #3539
2019-02-09 23:39:58 +01:00
Daniel Stenberg
f260b9e932
urlapi: reduce variable scope, remove unreachable 'break'
Both nits pointed out by codacy.com

Closes #3540
2019-02-09 23:33:36 +01:00
Chris Araman
927a5bd1b4 url: close TLS before removing conn from cache
- Fix potential crashes in schannel shutdown.

Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.

Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531
2019-02-06 13:33:21 -05:00
Daniel Gustafsson
39df4073e5
smtp: avoid risk of buffer overflow in strtol
If the incoming len 5, but the buffer does not have a termination
after 5 bytes, the strtol() call may keep reading through the line
buffer until is exceeds its boundary. Fix by ensuring that we are
using a bounded read with a temporary buffer on the stack.

Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
Reported-by: Brian Carpenter (Geeknik Labs)
CVE-2019-3823
2019-02-04 08:22:32 +01:00
Daniel Stenberg
50c9484278
ntlm: fix *_type3_message size check to avoid buffer overflow
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
2019-02-04 08:22:32 +01:00
Daniel Stenberg
b780b30d13
NTLM: fix size check condition for type2 received data
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
2019-02-04 08:22:31 +01:00
georgeok
a730432e59
spnego_sspi: add support for channel binding
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
2019-02-01 09:56:27 +01:00
Daniel Stenberg
180501cb02
schannel: stop calling it "winssl"
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504
2019-02-01 08:20:38 +01:00
Daniel Stenberg
6f61933adf
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
To make sure Curl_timeleft() also thinks the timeout has been reached
when one of the EXPIRE_*TIMEOUTs expires.

Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
Reported-by: Zhao Yisha
Closes #3501
2019-02-01 08:19:40 +01:00
Jeremie Rapin
a9d9a3abbe
sigpipe: if mbedTLS is used, ignore SIGPIPE
mbedTLS doesn't have a sigpipe management. If a write/read occurs when
the remote closes the socket, the signal is raised and kills the
application.  Use the curl mecanisms fix this behavior.

Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com>

Closes #3502
2019-01-28 12:03:33 +01:00
Michael Kujawa
b0a43aade1 timeval: Disable MSVC Analyzer GetTickCount warning
Compiling with msvc /analyze and a recent Windows SDK warns against
using GetTickCount (Suggests to use GetTickCount64 instead.)

Since GetTickCount is only being used when GetTickCount64 isn't
available, I am disabling that warning.

Fixes https://github.com/curl/curl/issues/3437
Closes https://github.com/curl/curl/pull/3440
2019-01-28 01:16:00 -05:00
Daniel Stenberg
179311ec37
configure: rewrite --enable-code-coverage
The previously used ax_code_coverage.m4 is not license compatible and
must not be used.

Reported-by: William A. Rowe Jr
Fixes #3497
Closes #3499
2019-01-26 00:29:50 +01:00
Felix Hädicke
3cbf731d9e
setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
libssh as well. So accepting these options only when compiling with
libssh2 is wrong here.

Fixes #3493
Closes #3494
2019-01-24 09:09:45 +01:00
Felix Hädicke
15c94b310b
libssh: do not let libssh create socket
By default, libssh creates a new socket, instead of using the socket
created by curl for SSH connections.

Pass the socket created by curl to libssh using ssh_options_set() with
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
instead of creating a new one.

This approach is very similar to what is done in the libssh2 code, where
the socket created by curl is passed to libssh2 when
libssh2_session_startup() is called.

Fixes #3491
Closes #3495
2019-01-24 09:03:11 +01:00
Archangel_SDY
ce6f73b912
schannel: preserve original certificate path parameter
Fixes #3480
Closes #3487
2019-01-21 23:21:45 +01:00
Daniel Gustafsson
f0b2c13a9e memcmp: avoid doing single char memcmp
There is no real gain in performing memcmp() comparisons on single
characters, so change these to array subscript inspections which
saves a call and makes the code clearer.

Closes #3486
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2019-01-20 21:59:04 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Stenberg
6ee6729709
schannel: on connection close there might not be a transfer
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
2019-01-18 16:43:21 +01:00
JDepooter
b095a1ca63
ssh: log the libssh2 error message when ssh session startup fails
When a ssh session startup fails, it is useful to know why it has
failed. This commit changes the message from:
   "Failure establishing ssh session"
to something like this, for example:
   "Failure establishing ssh session: -5, Unable to exchange encryption keys"

Closes #3481
2019-01-17 15:03:16 +01:00
Daniel Stenberg
16a3307e81
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
2019-01-16 08:20:57 +01:00