1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 09:38:54 -05:00
Commit Graph

10175 Commits

Author SHA1 Message Date
Tim Rühsen
e4f2a5bc1b
mprintf: avoid unsigned integer overflow warning
The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184
2018-11-02 11:07:04 +01:00
Daniel Stenberg
2c5ec339ea
Curl_follow: accept non-supported schemes for "fake" redirects
When not actually following the redirect and the target URL is only
stored for later retrieval, curl always accepted "non-supported"
schemes. This was a regression from 46e164069d.

Reported-by: Brad King
Fixes #3210
Closes #3215
2018-11-02 09:50:44 +01:00
Daniel Stenberg
302d125b42
axtls: removed
As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson
Closes #3194
2018-11-01 10:29:53 +01:00
marcosdiazr
7f4c358541
schannel: make CURLOPT_CERTINFO support using Issuer chain
Closes #3197
2018-11-01 10:21:51 +01:00
Daniel Stenberg
832661b3a7
schannel: use Curl_ prefix for global private symbols
Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201
2018-11-01 09:39:45 +01:00
Daniel Gustafsson
1460e89e01 vtls: add MesaLink to curl_sslbackend enum
MesaLink support was added in commit 57348eb97d but the
backend was never added to the curl_sslbackend enum in curl/curl.h.
This adds the new backend to the enum and updates the relevant docs.

Closes #3195
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-30 16:56:51 +01:00
Daniel Stenberg
f3a24d7916
Curl_auth_create_plain_message: fix too-large-input-check
CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
81d135d671
Curl_close: clear data->multi_easy on free to avoid use-after-free
Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
75b94d77e8
rand: add comment to skip a clang-tidy false positive 2018-10-27 15:59:44 +02:00
Daniel Stenberg
feea1259e4
x509asn1: always check return code from getASN1Element() 2018-10-27 15:59:43 +02:00
Daniel Stenberg
be20814191
Makefile: add 'tidy' target that runs clang-tidy
Available in the root, src and lib dirs.

Closes #3163
2018-10-27 15:59:38 +02:00
Patrick Monnerat
c335b7f1f7 x509asn1: suppress left shift on signed value
Use an unsigned variable: as the signed operation behavior is undefined,
this change silents clang-tidy about it.

Ref: https://github.com/curl/curl/pull/3163
Reported-By: Daniel Stenberg
2018-10-27 15:04:50 +02:00
Michael Kaufmann
3793761a37 multi: Fix error handling in the SENDPROTOCONNECT state
If Curl_protocol_connect() returns an error code,
handle the error instead of switching to the next state.

Closes #3170
2018-10-27 13:03:50 +02:00
Daniel Stenberg
44a9e9f80f
openssl: output the correct cipher list on TLS 1.3 error
When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178
Closes #3180
2018-10-27 10:46:38 +02:00
Daniel Gustafsson
5c8c310edb ssh: free the session on init failures
Ensure to clear the session object in case the libssh2 initialization
fails.

It could be argued that the libssh2 error function should be called to
get a proper error message in this case. But since the only error path
in libssh2_knownhost_init() is memory a allocation failure it's safest
to avoid since the libssh2 error handling allocates memory.

Closes #3179
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26 15:39:15 +02:00
Daniel Gustafsson
68348461dc
openssl: make 'done' a proper boolean
Closes #3176
2018-10-26 13:51:25 +02:00
Daniel Stenberg
ebfe02f73c
gtls: Values stored to but never read
Detected by clang-tidy

Closes #3176
2018-10-26 13:51:07 +02:00
Gisle Vanem
639d052e44
rtmp: fix for compiling with lwIP
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
  curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
    setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
    ^
  curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
  #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                 ^
Closes #3155
2018-10-26 00:04:02 +02:00
Michael Kaufmann
daabc91581 urldata: Fix comment in header
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25 13:04:03 +02:00
Michael Kaufmann
d48e6b7f95 netrc: free temporary strings if memory allocation fails
- Change the inout parameters after all needed memory has been
  allocated. Do not change them if something goes wrong.
- Free the allocated temporary strings if strdup() fails.

Closes #3122
2018-10-25 12:54:55 +02:00
Ruslan Baratov
4f2541f975
config: Remove unused SIZEOF_VOIDP
Closes #3162
2018-10-24 11:20:57 +02:00
Gisle Vanem
eda0998894
Fix for compiling with lwIP (3)
lwIP on Windows does not have a WSAIoctl() function. 
But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23 12:55:07 +02:00
Daniel Stenberg
6535b9303d
Curl_follow: return better errors on URL problems
... by making the converter function global and accessible.

Closes #3153
2018-10-23 11:43:41 +02:00
Daniel Stenberg
ca10fae6fc
Curl_follow: remove remaining free(newurl)
Follow-up to 05564e750e. This function no longer frees the passed-in
URL.

Reported-by: Michael Kaufmann
Bug: 05564e750e (commitcomm)
ent-30985666
2018-10-23 11:43:41 +02:00
Daniel Gustafsson
06d8f16b87 headers: end all headers with guard comment
Most headerfiles end with a /* <headerguard> */ comment, but it was
missing from some. The comment isn't the most important part of our
code documentation but consistency has an intrinsic value in itself.
This adds header guard comments to the files that were lacking it.

Closes #3158
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-23 10:02:24 +02:00
Daniel Stenberg
05564e750e
multi: avoid double-free
Curl_follow() no longer frees the string. Make sure it happens in the
caller function, like we normally handle allocations.

This bug was introduced with the use of the URL API internally, it has
never been in a release version

Reported-by: Dario Weißer
Closes #3149
2018-10-19 15:29:31 +02:00
Daniel Stenberg
8a49f91d32
multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
Otherwise, closing that handle can still cause surprises!

Reported-by: Martin Ankerl
Fixes #3138
Closes #3147
2018-10-19 11:03:17 +02:00
Marcel Raad
abebb2b893
config_win32: enable LDAPS
As done in the autotools and CMake builds by default.

Closes https://github.com/curl/curl/pull/3137
2018-10-19 09:23:14 +02:00
Daniel Stenberg
ad547fcf7b
travis: add build for "configure --disable-verbose"
Closes #3144
2018-10-18 14:51:49 +02:00
Matthew Whitehead
df54b14fb7 x509asn1: Fix SAN IP address verification
For IP addresses in the subject alternative name field, the length
of the IP address (and hence the number of bytes to perform a
memcmp on) is incorrectly calculated to be zero. The code previously
subtracted q from name.end. where in a successful case q = name.end
and therefore addrlen equalled 0. The change modifies the code to
subtract name.beg from name.end to calculate the length correctly.

The issue only affects libcurl with GSKit SSL, not other SSL backends.
The issue is not a security issue as IP verification would always fail.

Fixes #3102
Closes #3141
2018-10-16 03:52:47 -04:00
Marcel Raad
6c413648ec
nonblock: fix unused parameter warning
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
used.
2018-10-14 21:07:45 +02:00
Michael Kaufmann
6afe70a00b Curl_follow: Always free the passed new URL
Closes #3124
2018-10-13 13:18:51 +02:00
Daniel Gustafsson
12d833fa1e transfer: fix typo in comment 2018-10-10 23:50:13 +02:00
Viktor Szakats
e13f023777 ldap: show precise LDAP call in error message on Windows
Also add a unique but common text ('bind via') to make it
easy to grep this specific failure regardless of platform.

Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
Closes https://github.com/curl/curl/pull/3118
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09 15:05:35 +00:00
Marcel Raad
673795f814
curl_setup: define NOGDI on Windows
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
on MinGW.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:53 +02:00
Marcel Raad
940e1c1e74
Windows: fixes for MinGW targeting Windows Vista
Classic MinGW has neither InitializeCriticalSectionEx nor
GetTickCount64, independent of the target Windows version.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:45 +02:00
Viktor Szakats
ff9d7f4447 spelling fixes [ci skip]
as detected by codespell 1.14.0

Closes https://github.com/curl/curl/pull/3114
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-08 19:37:40 +00:00
Daniel Stenberg
2ece5e3001
curl_ntlm_wb: check aprintf() return codes
... when they return NULL we're out of memory and MUST return failure.

closes #3111
2018-10-08 12:06:33 +02:00
Rick Deist
3349a633b8
hostip: fix check on Curl_shuffle_addr return value
Closes #3110
2018-10-08 08:39:24 +02:00
Daniel Stenberg
e50a2002bd
FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
Now FILE transfers send headers to the header callback like HTTP and
other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
work for FILE in the callbacks.

Makes "curl -i file://.." and "curl -I file://.." work like before
again. Applied the bold header logic to them too.

Regression from c1c2762 (7.61.0)

Reported-by: Shaun Jackman
Fixes #3083
Closes #3101
2018-10-08 08:35:40 +02:00
Daniel Gustafsson
b55e85d4ec gskit: make sure to terminate version string
In case a very small buffer was passed to the version function, it could
result in the buffer not being NULL-terminated since strncpy() doesn't
guarantee a terminator on an overflowed buffer. Rather than adding code
to terminate (and handle zero-sized buffers), move to using snprintf()
instead like all the other vtls backends.

Closes #3105
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-07 22:36:25 +02:00
dmitrykos
0b19ef13b4
timeval: fix use of weak symbol clock_gettime() on Apple platforms
Closes #3048
2018-10-05 22:29:21 +02:00
Daniel Stenberg
7f00146d00
doh: keep the IPv4 address in (original) network byte order
Ideally this will fix the reversed order shown in SPARC tests:

  resp 8: Expected 127.0.0.1 got 1.0.0.127

Closes #3091
2018-10-05 22:15:34 +02:00
Daniel Gustafsson
4301d14b90 checksrc: handle zero scoped ignore commands
If a !checksrc! disable command specified to ignore zero errors, it was
still added to the ignore block even though nothing was ignored. While
there were no blocks ignored that shouldn't be ignored, the processing
ended with with a warning:

<filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
 /* !checksrc! disable LONGLINE 0 */
                    ^
Fix by instead treating a zero ignore as a a badcommand and throw a
warning for that one.

Closes #3096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05 13:33:21 +02:00
Daniel Gustafsson
b5d182d037 checksrc: enable strict mode and warnings
Enable strict and warnings mode for checksrc to ensure we aren't missing
anything due to bugs in the checking code. This uncovered a few things
which are all fixed in this commit:

* several variables were used uninitialized
* several variables were not defined in the correct scope
* the whitelist filehandle was read even if the file didn't exist
* the enable_warn() call when a disable counter had expired was passing
  incorrect variables, but since the checkwarn() call is unlikely to hit
  (the counter is only decremented to zero on actual ignores) it didn't
  manifest a problem.

Closes #3090
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05 13:29:37 +02:00
dmitrykos
667b5721c7 cmake: test and set missed defines during configuration
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.

Closes #3097
2018-10-05 13:10:41 +03:00
Daniel Stenberg
8f2bb0e377
doh: make sure TTL isn't re-inited by second (discarded?) response
Closes #3092
2018-10-04 23:22:28 +02:00
Daniel Gustafsson
2873971d62 memory: ensure to check allocation results
The result of a memory allocation should always be checked, as we may
run under memory pressure where even a small allocation can fail. This
adds checking and error handling to a few cases where the allocation
wasn't checked for success. In the ftp case, the freeing of the path
variable is moved ahead of the allocation since there is little point
in keeping it around across the strdup, and the separation makes for
more readable code. In nwlib, the lock is aslo freed in the error path.

Also bumps the copyright years on affected files.

Closes #3084
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 23:45:38 +02:00
Daniel Gustafsson
e182fc1613 comment: Fix multiple typos in function parameters
Ensure that the parameters in the comment match the actual names in the
prototype.

Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 10:27:27 +02:00
Jay Satiro
dd6b62acc3 nss: fix nssckbi module loading on Windows
- Use .DLL extension instead of .so to load modules on Windows.

Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Reported-by: Maxime Legros

Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442

Closes https://github.com/curl/curl/pull/3086
2018-10-03 02:28:09 -04:00
Daniel Stenberg
d9a2dc9aad
urlapi: starting with a drive letter on win32 is not an abs url
... and libcurl doesn't support any single-letter URL schemes (if there
even exist any) so it should be fairly risk-free.

Reported-by: Marcel Raad

Fixes #3070
Closes #3071
2018-10-02 11:48:01 +02:00
Marcel Raad
c1c092c0b4
doh: fix curl_easy_setopt argument type
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
MinGW.
2018-10-02 11:15:29 +02:00
Ruslan Baratov
69328490fc CMake: Improve config installation
Use 'GNUInstallDirs' standard module to set destinations of installed
files.

Use uppercase "CURL" names instead of lowercase "curl" to match standard
'FindCURL.cmake' CMake module:
* https://cmake.org/cmake/help/latest/module/FindCURL.html

Meaning:
* Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
* User should call 'find_package(CURL)' instead of 'find_package(curl)'

Use 'configure_package_config_file' function to generate
'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
file smaller and handle components better.  E.g.  current configuration
report no error if user specified unknown components (note: new
configuration expects no components, report error if user will try to
specify any).

Closes https://github.com/curl/curl/pull/2849
2018-10-01 16:16:29 -04:00
Daniel Stenberg
570008c99d
doh: only build if h2 enabled
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
of HTTP for use with DoH".

Reported-by: Marcel Raad
Closes #3066
2018-09-30 11:31:58 +02:00
Daniel Stenberg
2dfc0dd6b5
multi: fix memory leak in content encoding related error path
... a missing multi_done() call.

Credit to OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
Closes #3063
2018-09-29 15:03:57 +02:00
Daniel Stenberg
454fa3fd7b
multi: fix location URL memleak in error path
Follow-up to #3044 - fix a leak OSS-Fuzz detected
Closes #3057
2018-09-28 17:10:14 +02:00
Sergei Nikulov
f8215f80ab cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) 2018-09-28 16:54:20 +03:00
Marcel Raad
7ae78feea3
curl_threads: fix classic MinGW compile break
Classic MinGW still has _beginthreadex's return type as unsigned long
instead of uintptr_t [0]. uintptr_t is not even defined because of [1].

[0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
[1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90

Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
Closes https://github.com/curl/curl/pull/3051
2018-09-27 09:13:20 +02:00
Daniel Stenberg
304bb2f7c1
Curl_http2_done: fix memleak in error path
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
early failures.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
2018-09-25 17:03:45 +02:00
Daniel Stenberg
4058cf2a7f
http: fix memleak in rewind error path
If the rewind would fail, a strdup() would not get freed.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
2018-09-25 10:30:08 +02:00
Daniel Stenberg
ef695fc301
Curl_retry_request: fix memory leak
Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
Closes #3042
2018-09-24 16:38:11 +02:00
Daniel Stenberg
e2dd435d47
openssl: load built-in engines too
Regression since 38203f1

Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
2018-09-24 16:36:31 +02:00
Christian Heimes
b939bc47b2
OpenSSL: enable TLS 1.3 post-handshake auth
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.

Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027
2018-09-24 08:01:18 +02:00
Even Rouault
55b51b8c49
Curl_dedotdotify(): always nul terminate returned string.
This fixes potential out-of-buffer access on "file:./" URL

$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516==    at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516==    by 0x4EBB315: seturl (urlapi.c:801)
==24516==    by 0x4EBB568: parseurl (urlapi.c:861)
==24516==    by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516==    by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516==    by 0x4E67AEF: create_conn (url.c:3613)
==24516==    by 0x4E68A4F: Curl_connect (url.c:4119)
==24516==    by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516==    by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516==    by 0x4E7558C: easy_transfer (easy.c:686)
==24516==    by 0x4E75801: easy_perform (easy.c:779)
==24516==    by 0x4E75868: curl_easy_perform (easy.c:798)

Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz

Closes #3039
2018-09-24 07:48:41 +02:00
Viktor Szakats
b801b453af whitespace fixes
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
  in manual examples

Closes https://github.com/curl/curl/pull/3037
2018-09-23 22:24:02 +00:00
Daniel Stenberg
e407e79c29
http: add missing return code check
Detected by Coverity. CID 1439610.

Follow-up from 46e164069d

Closes #3034
2018-09-23 23:08:39 +02:00
Daniel Stenberg
30b2d07b03
ftp: don't access pointer before NULL check
Detected by Coverity. CID 1439611.

Follow-up from 46e164069d
2018-09-23 23:08:36 +02:00
Daniel Stenberg
46e164069d
url: use the URL API internally as well
... to make it a truly unified URL parser.

Closes #3017
2018-09-22 11:58:10 +02:00
Viktor Szakats
f078361c0e URL and mailmap updates, remove an obsolete directory [ci skip]
Closes https://github.com/curl/curl/pull/3031
2018-09-22 07:58:32 +00:00
Erik Minekus
39c9140cce
Curl_saferealloc: Fixed typo in docblock
Closes #3029
2018-09-21 14:24:55 +02:00
Daniel Stenberg
2097cd5152
urlapi: fix support for address scope in IPv6 numerical addresses
Closes #3024
2018-09-21 11:19:14 +02:00
Loganaden Velvindron
9bdadbbdee
GnutTLS: TLS 1.3 support
Closes #2971
2018-09-21 09:13:33 +02:00
Jay Satiro
2e5651a5ce vtls: fix ssl version "or later" behavior change for many backends
- Treat CURL_SSLVERSION_MAX_NONE the same as
  CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
  the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
2018-09-20 14:12:25 -04:00
Daniel Stenberg
9307c219ad
urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance
In order for this API to fully work for libcurl itself, it now offers a
CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
name prefix just like libcurl always did. If there's no known prefix, it
will guess "http://".

Separately, it relaxes the check of the host name so that IDN host names
can be passed in as well.

Both these changes are necessary for libcurl itself to use this API.

Assisted-by: Daniel Gustafsson
Closes #3018
2018-09-19 23:21:52 +02:00
Kamil Dudka
eb0b3acbc1 nss: try to connect even if libnssckbi.so fails to load
One can still use CA certificates stored in NSS database.

Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html

Closes #3016
2018-09-19 16:58:33 +02:00
Daniel Gustafsson
522e647cc5 urlapi: don't set value which is never read
In the CURLUPART_URL case, there is no codepath which invokes url
decoding so remove the assignment of the urldecode variable. This
fixes the deadstore bug-report from clang static analysis.

Closes #3015
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-19 13:44:10 +02:00
Daniel Stenberg
ec5d0991cc
curl_multi_wait: call getsock before figuring out timeout
.... since getsock may update the expiry timer.

Fixes #2996
Closes #3000
2018-09-18 15:39:28 +02:00
Daniel Gustafsson
ed7830061e darwinssl: Fix realloc memleak
The reallocation was using the input pointer for the return value, which
leads to a memory leak on reallication failure. Fix by instead use the
safe internal API call Curl_saferealloc().

Closes #3005
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
2018-09-18 09:08:06 +02:00
Daniel Gustafsson
927cb3708e memory: add missing curl_printf header
ftp_send_command() was using vsnprintf() without including the libcurl
*rintf() replacement header. Fix by including curl_printf.h and also
add curl_memory.h while at it since memdebug.h depends on it.

Closes #2999
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-17 09:28:10 +02:00
Daniel Stenberg
55dbcb061d
http: made Curl_add_buffer functions take a pointer-pointer
... so that they can clear the original pointer on failure, which makes
the error-paths and their cleanups easier.

Closes #2992
2018-09-16 23:22:37 +02:00
Daniel Stenberg
130c53b632
http2: fix memory leaks on error-path 2018-09-16 23:22:15 +02:00
Viktor Szakats
420087bb30 secure Openwall URLs 2018-09-14 18:48:35 +00:00
Daniel Stenberg
4ff5f9405a
openssl: show "proper" version number for libressl builds
Closes #2989
2018-09-14 11:57:20 +02:00
Rainer Jung
1599dfcba6
openssl: assume engine support in 0.9.8 or later
Fixes #2983
Closes #2988
2018-09-14 11:56:28 +02:00
Daniel Gustafsson
daa12c6eb3 sendf: use failf() rather than Curl_failf()
The failf() macro is the name used for invoking Curl_failf(). While
there isn't a way to turn off failf like there is for infof, but it's
still a good idea to use the macro.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:48:21 +02:00
Daniel Gustafsson
e7ee2f2923 sendf: Fix whitespace in infof/failf concatenation
Strings broken on multiple rows in the .c file need to have appropriate
whitespace padding on either side of the concatenation point to render
a correct amalgamated string. Fix by adding a space at the occurrences
found.

Closes #2986
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:47:45 +02:00
Daniel Gustafsson
3c5ee47fc2 krb5: fix memory leak in krb_auth
The FTP command allocated by aprintf() must be freed after usage.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:10:55 +02:00
Daniel Gustafsson
a9882b90f8 ftp: include command in Curl_ftpsend sendbuffer
Commit 8238ba9c5f inadvertently removed
the actual command to be sent from the send buffer in a refactoring.
Add back copying the command into the buffer. Also add more guards
against malformed input while at it.

Closes #2985
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:10:18 +02:00
Daniel Gustafsson
60ed8d7276 ntlm_wb: Fix memory leaks in ntlm_wb_response
When erroring out on a request being too large, the existing buffer was
leaked. Fix by explicitly freeing on the way out.

Closes #2966
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:06:05 +02:00
Yiming Jing
57348eb97d
vtls: add a MesaLink vtls backend
Closes #2984
2018-09-13 08:26:37 +02:00
Yiming Jing
31ba404a9c
configure.ac: add a MesaLink vtls backend 2018-09-13 08:26:23 +02:00
Viktor Szakats
539a8059ef lib: fix gcc8 warning on Windows
Closes https://github.com/curl/curl/pull/2979
2018-09-12 08:52:40 +00:00
Jay Satiro
357161accd openssl: fix gcc8 warning
- Use memcpy instead of strncpy to copy a string without termination,
  since gcc8 warns about using strncpy to copy as many bytes from a
  string as its length.

Suggested-by: Viktor Szakats

Closes https://github.com/curl/curl/issues/2980
2018-09-12 03:14:20 -04:00
Daniel Gustafsson
2099dde2c8
cookies: Move failure case label to end of function
Rather than jumping backwards to where failure cleanup happens
to be performed, move the failure case to end of the function
where it is expected per existing coding convention.

Closes #2965
2018-09-10 08:33:08 +02:00
Daniel Gustafsson
1870fd2832
misc: fix typos in comments
Closes #2963
2018-09-10 08:32:07 +02:00
Daniel Gustafsson
6e054623b4
cookies: fix leak when writing cookies to file
If the formatting fails, we error out on a fatal error and
clean up on the way out. The array was however freed within
the wrong scope and was thus never freed in case the cookies
were written to a file instead of STDOUT.

Closes #2957
2018-09-10 08:31:11 +02:00
Daniel Gustafsson
c3654df166
cookies: Remove redundant expired check
Expired cookies have already been purged at a later expiration time
before this check, so remove the redundant check.

closes #2962
2018-09-10 08:30:24 +02:00
Daniel Stenberg
37da149670
ntlm_wb: bail out if the response gets overly large
Exit the realloc() loop if the response turns out ridiculously large to
avoid worse problems.

Reported-by: Harry Sintonen
Closes #2959
2018-09-09 10:44:02 +02:00
Daniel Gustafsson
6e4b8c5073
url.c: fix comment typo and indentation
Closes #2960
2018-09-08 23:28:04 +02:00
Daniel Stenberg
01dedc99fc
urlapi: avoid derefencing a possible NULL pointer
Coverity CID 1439134
2018-09-08 22:57:36 +02:00