1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 01:58:49 -05:00
Commit Graph

10738 Commits

Author SHA1 Message Date
Christoph M. Becker
7c596f5dea
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.

Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html

Closes #4365
2019-09-16 23:36:22 +02:00
Daniel Stenberg
9bc44ff64d
doh: clean up dangling DOH handles and memory on easy close
If you set the same URL for target as for DoH (and it isn't a DoH
server), like "https://example.com" in both, the easy handles used for
the DoH requests could be left "dangling" and end up not getting freed.

Reported-by: Paul Dreik
Closes #4366
2019-09-16 17:31:56 +02:00
Daniel Stenberg
6de1053692
smb: check for full size message before reading message details
To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
2019-09-16 14:16:06 +02:00
Daniel Stenberg
00da834156
quiche: persist connection details
... like we do for other protocols at connect time. This makes "curl -I"
and other things work.

Reported-by: George Liu
Fixes #4358
Closes #4360
2019-09-16 13:37:26 +02:00
Daniel Stenberg
a0f8fccb1e
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Follow-up to ffe34b7b59
Closes #4359
2019-09-16 08:49:51 +02:00
Paul Dreik
dda418266c
doh: fix undefined behaviour and open up for gcc and clang optimization
The undefined behaviour is annoying when running fuzzing with
sanitizers. The codegen is the same, but the meaning is now not up for
dispute. See https://cppinsights.io/s/516a2ff4

By incrementing the pointer first, both gcc and clang recognize this as
a bswap and optimizes it to a single instruction.  See
https://godbolt.org/z/994Zpx

Closes #4350
2019-09-15 23:27:45 +02:00
Paul Dreik
b766602729
doh: fix (harmless) buffer overrun
Added unit test case 1655 to verify.
Close #4352

the code correctly finds the flaws in the old code,
if one temporarily restores doh.c to the old version.
2019-09-15 23:25:24 +02:00
Daniel Stenberg
65f5b958c9
FTP: allow "rubbish" prepended to the SIZE response
This is a protocol violation but apparently there are legacy proprietary
servers doing this.

Added test 336 and 337 to verify.

Reported-by: Philippe Marguinaud
Closes #4339
2019-09-13 14:21:00 +02:00
Zenju
acf1d2acd1
FTP: skip CWD to entry dir when target is absolute
Closes #4332
2019-09-13 14:05:34 +02:00
Daniel Stenberg
83b4cfacba
parsedate: still provide the name arrays when disabled
If FILE or FTP are enabled, since they also use them!

Reported-by: Roland Hieber
Fixes #4325
Closes #4343
2019-09-13 08:25:14 +02:00
Daniel Stenberg
a56a47ac33
openssl: close_notify on the FTP data connection doesn't mean closure
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!

Regression since 3f5da4e59a (7.65.0)

Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
2019-09-13 00:10:47 +02:00
Zenju
0aef91411e
setopt: make it easier to add new enum values
... by using the *_LAST define names better.

Closes #4321
2019-09-12 09:42:54 +02:00
Daniel Stenberg
e34ec7de59
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333
2019-09-12 09:37:11 +02:00
Jay Satiro
08f96982a9 ldap: Stop using wide char version of ldapp_err2string
Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).

We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:

failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));

Closes https://github.com/curl/curl/pull/4272
2019-09-11 02:44:47 -04:00
Daniel Stenberg
9637dbfffd
urlapi: one colon is enough for the strspn() input (typo) 2019-09-10 11:51:51 +02:00
Daniel Stenberg
eab3c580f9
urlapi: verify the IPv6 numerical address
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
2019-09-10 11:32:12 +02:00
Clément Notin
ffe34b7b59
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available.  Existing code is preserved for older versions of
OpenSSL.

Closes #4304
2019-09-10 08:11:42 +02:00
Clément Notin
9136542d33
openssl: indent, re-organize and add comments 2019-09-10 08:08:44 +02:00
migueljcrum
67b30b3418
sspi: fix memory leaks
Closes #4299
2019-09-10 08:06:05 +02:00
Daniel Stenberg
c4c9e070f3
Curl_fillreadbuffer: avoid double-free trailer buf on error
Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas

Closes #4307
2019-09-09 09:36:27 +02:00
Daniel Stenberg
9069838b30
security:read_data fix bad realloc()
... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
2019-09-09 08:14:34 +02:00
Thomas Vegas
facb0e4662
tftp: Alloc maximum blksize, and use default unless OACK is received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
2019-09-09 08:14:34 +02:00
Thomas Vegas
82f3ba3806
tftp: return error when packet is too small for options 2019-09-09 08:14:34 +02:00
Daniel Stenberg
158dcb9f86
netrc: free 'home' on error
Follow-up to f9c7ba9096

Coverity CID 1453474

Closes #4291
2019-09-03 23:00:51 +02:00
Daniel Stenberg
4ac2884003
urldata: avoid 'generic', use dedicated pointers
For the 'proto' union within the connectdata struct.

Closes #4290
2019-09-03 23:00:51 +02:00
Daniel Stenberg
5050edb124
cleanup: move functions out of url.c and make them static
Closes #4289
2019-09-03 13:11:12 +02:00
Daniel Stenberg
4d0306c698
smtp: check for and bail out on too short EHLO response
Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918

Assisted-by: Max Dymond

Closes #4287
2019-09-03 08:25:23 +02:00
Daniel Stenberg
198b73d12c
smb: init *msg to NULL in smb_send_and_recv()
... it might otherwise return OK from this function leaving that pointer
uninitialized.

Bug: https://crbug.com/oss-fuzz/16907

Closes #4286
2019-09-02 23:06:48 +02:00
Daniel Stenberg
84ced9389e
Curl_addr2string: take an addrlen argument too
This allows the function to figure out if a unix domain socket has a
file name or not associated with it! When a socket is created with
socketpair(), as done in the fuzzer testing, the path struct member is
uninitialized and must not be accessed.

Bug: https://crbug.com/oss-fuzz/16699

Closes #4283
2019-08-31 11:41:56 +02:00
Daniel Stenberg
c30aff4f88
quiche: expire when poll returned data
... to make sure we continue draining the queue until empty

Closes #4281
2019-08-30 17:41:16 +02:00
Daniel Stenberg
4d9e324771
quiche: decrease available buffer size, don't assign it!
Found-by: Jeremy Lainé
2019-08-30 17:41:11 +02:00
Daniel Stenberg
7bac3135df
ngtcp2: on h3 stream close, call expire
... to trigger a new read to detect the stream close!

Closes #4275
2019-08-29 19:23:52 +02:00
Tatsuhiro Tsujikawa
484b6f345f
ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4278
2019-08-29 19:22:16 +02:00
Daniel Stenberg
0690b3330c
ngtcp2: set flow control window to stream buffer size
Closes #4274
2019-08-28 14:37:19 +02:00
Tatsuhiro Tsujikawa
5b3be0729c
ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4270
2019-08-27 16:31:19 +02:00
Daniel Stenberg
c1b6a384f9
http2: when marked for closure and wanted to close == OK
It could otherwise return an error even when closed correctly if GOAWAY
had been received previously.

Reported-by: Tom van der Woerdt
Fixes #4267
Closes #4268
2019-08-26 22:44:59 +02:00
Kamil Dudka
7e513c1048 vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure
This is a follow-up to https://github.com/curl/curl/pull/3864 .

Closes #4224
2019-08-26 13:43:21 +02:00
Daniel Stenberg
48f589893d
quiche: send the HTTP body correctly on callback uploads
Closes #4265
2019-08-26 11:31:39 +02:00
Daniel Stenberg
aae22fdbd5
ngtcp2: add support for SSLKEYLOGFILE
Closes #4260
2019-08-25 23:29:46 +02:00
Daniel Stenberg
30a606e066
ngtcp2: improve h3 response receiving
Closes #4259
2019-08-25 23:29:43 +02:00
Daniel Stenberg
b959c2f775
ngtcp2: use nghttp3_version() 2019-08-25 23:18:17 +02:00
Daniel Stenberg
ff4ef390f6
ngtcp2: sync with upstream API changes
Assisted-by: Tatsuhiro Tsujikawa
2019-08-25 23:18:14 +02:00
Kyle Abramowitz
25f9621935
scp: fix directory name length used in memcpy
Fix read off end of array due to bad pointer math in getworkingpath for
SCP home directory case.

Closes #4258
2019-08-24 18:47:56 +02:00
Daniel Stenberg
65fda739ee
http: the 'closed' struct field is used by both ngh2 and ngh3
and remove 'header_recvbuf', not used for anything

Reported-by: Jeremy Lainé

Closes #4257
2019-08-24 17:21:41 +02:00
Daniel Stenberg
0a5d28fa2e
ngtcp2: accept upload via callback
Closes #4256
2019-08-23 22:33:29 +02:00
Daniel Stenberg
e59540139a
cleanup: remove DOT_CHAR completely
Follow-up to f9c7ba9096

The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
now.

Pointed-out-by: Gisle Vanem
Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638

Closes #4247
2019-08-20 23:07:59 +02:00
Daniel Stenberg
23803aae7b
spnego_sspi: add typecast to fix build warning
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"

Closes #4245
2019-08-20 23:06:19 +02:00
Daniel Stenberg
3e8a9bfd17
openssl: build warning free with boringssl
Closes #4244
2019-08-20 19:55:06 +02:00
Daniel Stenberg
2056175dc2
ngtcp2: make postfields-set posts work
Closes #4242
2019-08-20 16:53:40 +02:00
Daniel Stenberg
99775438d6
http: remove chunked-encoding and expect header use for HTTP/3 2019-08-20 16:53:40 +02:00
Daniel Stenberg
6a90c9e0c4
CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
For a long time (since 7.28.1) we've returned error when setting the
value to 1 to make applications notice that we stopped supported the old
behavior for 1. Starting now, we treat 1 and 2 exactly the same.

Closes #4241
2019-08-20 14:57:59 +02:00
Daniel Stenberg
f9c7ba9096
netrc: make the code try ".netrc" on Windows as well
... but fall back and try "_netrc" too if the dot version didn't work.

Co-Authored-By: Steve Holme
2019-08-20 11:48:42 +02:00
Daniel Stenberg
1a0dc6f6a3
ngtcp2: use ngtcp2_version() to get the run-time version
... which of course doesn't have to be the same used at build-time.

Function just recently merged in ngtcp2.
2019-08-20 08:52:22 +02:00
Daniel Stenberg
349c3f5a08
ngtcp2: move the h3 initing to immediately after the rx key
To fix a segfault and to better deal with 0-RTT

Assisted-by: Tatsuhiro Tsujikawa
2019-08-20 08:51:23 +02:00
Alessandro Ghedini
e54affa82c
quiche: register debug callback once and earlier
The quiche debug callback is global and can only be initialized once, so
make sure we don't do it multiple times (e.g. if multiple requests are
executed).

In addition this initializes the callback before the connection is
created, so we get logs for the handshake as well.

Closes #4236
2019-08-17 17:00:49 +02:00
Daniel Stenberg
ea28a6cb2f
ssh: add a generic Curl_ssh_version function for SSH backends
Closes #4235
2019-08-17 16:57:58 +02:00
Daniel Stenberg
1a7634e484
base64: check for SSH, not specific SSH backends 2019-08-17 16:57:56 +02:00
Daniel Stenberg
d6dea75af7
vssh: move ssh init/cleanup functions into backend code 2019-08-17 16:57:55 +02:00
Daniel Stenberg
5b2d703fe5
vssh: create directory for SSH backend code 2019-08-17 16:57:55 +02:00
Daniel Stenberg
68fab35c73
http: fix use of credentials from URL when using HTTP proxy
When a username and password are provided in the URL, they were wrongly
removed from the stored URL so that subsequent uses of the same URL
wouldn't find the crendentials. This made doing HTTP auth with multiple
connections (like Digest) mishave.

Regression from 46e164069d (7.62.0)

Test case 335 added to verify.

Reported-by: Mike Crowe

Fixes #4228
Closes #4229
2019-08-16 10:11:22 +02:00
Daniel Stenberg
cec3ef8793
ngtcp2: provide the callbacks as a static struct
... instead of having them in quicsocket
2019-08-15 10:20:35 +02:00
Tatsuhiro Tsujikawa
408c758bb8
ngtcp2: add missing nghttp3_conn_add_write_offset call
Closes #4225
2019-08-15 08:02:52 +02:00
Tatsuhiro Tsujikawa
c47ef9115e
ngtcp2: deal with stream close 2019-08-15 08:02:23 +02:00
Tatsuhiro Tsujikawa
e42bd8a204
ngtcp2: Consume QUIC STREAM data properly 2019-08-15 08:02:20 +02:00
Tatsuhiro Tsujikawa
887ebc384c
ngtcp2: don't reinitialize SSL on Retry 2019-08-15 08:02:15 +02:00
Daniel Stenberg
437bf10cad
multi: getsock improvements for QUIC connecting 2019-08-14 23:14:12 +02:00
Daniel Stenberg
5848f27594
connect: connections are persistent by default for HTTP/3 2019-08-14 23:14:12 +02:00
Daniel Stenberg
baf7860b71
quiche: happy eyeballs
Closes #4220
2019-08-14 23:14:12 +02:00
Daniel Stenberg
f2cc26456b
ngtcp2: do QUIC connections happy-eyeballs friendly 2019-08-14 23:14:12 +02:00
Daniel Stenberg
1d85e09ccd
curl_version: bump string buffer size to 250
With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which
causes a truncated output).
2019-08-14 15:16:07 +02:00
Jay Satiro
dca6f73613 vauth: Use CURLE_AUTH_ERROR for auth function errors
- Add new error code CURLE_AUTH_ERROR.

Prior to this change auth function errors were signaled by
CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
technically correct.

Ref: https://github.com/curl/curl/pull/3848

Co-authored-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/3864
2019-08-14 03:14:01 -04:00
Peter Wu
cc5fae5dac nss: use TLSv1.3 as default if supported
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
range in NSS 3.45. It looks like the intention is to raise the minimum
version rather than lowering the maximum, so adjust accordingly. Note
that the caller (nss_setup_connect) initializes the version range to
(TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.

Closes #4187
Reviewed-by: Daniel Stenberg
Reviewed-by: Kamil Dudka
2019-08-13 21:59:30 +01:00
Daniel Stenberg
362d59edab
quic.h: remove unused proto 2019-08-13 15:09:07 +02:00
Daniel Stenberg
d6cb1bdf6c
lib/quic.c: unused - removed 2019-08-13 12:41:04 +02:00
Daniel Stenberg
49e6b3857f
altsvc: make it use h3-22 with ngtcp2 as well 2019-08-12 22:30:58 +02:00
Daniel Stenberg
368d444cc6
ngtcp2: initial h3 request work
Closes #4217
2019-08-12 22:30:52 +02:00
Daniel Stenberg
1a2df1518a
curl_version_info: offer quic (and h3) library info
Closes #4216
2019-08-12 13:37:08 +02:00
Tatsuhiro Tsujikawa
fb6d46a709
ngtcp2: send HTTP/3 request with nghttp3
This commit makes sending HTTP/3 request with nghttp3 work.  It
minimally receives HTTP response and calls nghttp3 callbacks, but no
processing is made at the moment.

Closes #4215
2019-08-12 09:20:36 +02:00
Daniel Stenberg
102ebe0459
nghttp3: initial h3 template code added 2019-08-12 00:18:59 +02:00
Daniel Stenberg
d85a1cf11d
nghttp3: required when ngtcp2 is used for QUIC
- checked for by configure
- updated docs/HTTP3.md
- shown in the version string

Closes #4210
2019-08-12 00:18:53 +02:00
Eric Wong
17d1e27d30
asyn-thread: issue CURL_POLL_REMOVE before closing socket
This avoids EBADF errors from EPOLL_CTL_DEL operations in the
ephiperfifo.c example.  EBADF is dangerous in multi-threaded
applications where I rely on epoll_ctl to operate on the same
epoll description from different threads.

Follow-up to eb9a604f8d

Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html
Closes #4211
2019-08-11 22:58:01 +02:00
Tatsuhiro Tsujikawa
86ae740482
ngtcp2: Send ALPN h3-22
Closes #4212
2019-08-11 16:47:29 +02:00
Tatsuhiro Tsujikawa
f49abd1090
ngtcp2: use ngtcp2_settings_default and specify initial_ts 2019-08-11 16:47:21 +02:00
Tatsuhiro Tsujikawa
afce0620a2
ngtcp2: make the QUIC handshake work
Closes #4209
2019-08-10 16:07:33 +02:00
Daniel Stenberg
084404b8ab
CURLOPT_H3: removed
There's no use for this anymore and it was never in a release.

Closes #4206
2019-08-09 12:26:02 +02:00
Daniel Stenberg
db061571ef
http3: make connection reuse work
Closes #4204
2019-08-09 12:26:02 +02:00
Daniel Stenberg
4570c22c57
quiche: add SSLKEYLOGFILE support 2019-08-09 12:23:18 +02:00
Daniel Stenberg
69b3ff5118
alt-svc: add protocol version selection masking
So that users can mask in/out specific HTTP versions when Alt-Svc is
used.

 - Removed "h2c" and updated test case accordingly
 - Changed how the altsvc struct is laid out
 - Added ifdefs to make the unittest run even in a quiche-tree

Closes #4201
2019-08-08 09:10:29 +02:00
Daniel Stenberg
a93b43cde8
http3: fix the HTTP/3 in the request, make alt-svc set right versions
Closes #4200
2019-08-08 08:28:43 +02:00
Daniel Stenberg
98c3f14871
alt-svc: send Alt-Used: in redirected requests
RFC 7838 section 5:

   When using an alternative service, clients SHOULD include an Alt-Used
   header field in all requests.

Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus
this is deemed ok).

You can disable sending this header just like you disable any other HTTP
header in libcurl.

Closes #4199
2019-08-08 08:24:37 +02:00
Daniel Stenberg
026840e35c
CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
Even though it cannot fall-back to a lower HTTP version automatically. The
safer way to upgrade remains via CURLOPT_ALTSVC.

CURLOPT_H3 no longer has any bits that do anything and might be removed
before we remove the experimental label.

Updated the curl tool accordingly to use "--http3".

Closes #4197
2019-08-08 08:17:24 +02:00
Daniel Stenberg
f933449d3b
CURLINFO_RETRY_AFTER: parse the Retry-After header value
This is only the libcurl part that provides the information. There's no
user of the parsed value. This change includes three new tests for the
parser.

Ref: #3794
2019-08-07 14:45:39 +02:00
Daniel Stenberg
fd00e14adb
curl.h: add CURL_HTTP_VERSION_3 to the version enum
It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with
CURLINFO_HTTP_VERSION.
2019-08-07 12:51:52 +02:00
Daniel Stenberg
1f145b02d9
quiche: make use of the connection timeout API properly 2019-08-07 12:51:52 +02:00
Daniel Stenberg
7a83e1d1d4
quiche: make POSTFIELDS posts work 2019-08-07 11:05:05 +02:00
Daniel Stenberg
07828b1c9d
quiche: improved error handling and memory cleanups 2019-08-07 08:39:39 +02:00
Daniel Stenberg
470551b7fc
quiche: flush egress in h3_stream_recv() too 2019-08-07 07:48:37 +02:00
Steve Holme
7c469fa537 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixes #3653
Closes #3790

NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.

Closes https://github.com/curl/curl/pull/4186
2019-08-06 11:38:20 -04:00
Yiming Jing
9b5f2ad329
mesalink: implement client authentication
Closes #4184
2019-08-06 10:19:17 +02:00
Daniel Stenberg
02346abc32
curl_multi_poll: a sister to curl_multi_wait() that waits more
Repeatedly we see problems where using curl_multi_wait() is difficult or
just awkward because if it has no file descriptor to wait for
internally, it returns immediately and leaves it to the caller to wait
for a small amount of time in order to avoid occasional busy-looping.

This is often missed or misunderstood, leading to underperforming
applications.

This change introduces curl_multi_poll() as a replacement drop-in
function that accepts the exact same set of arguments. This function
works identically to curl_multi_wait() - EXCEPT - for the case when
there's nothing to wait for internally, as then this function will by
itself wait for a "suitable" short time before it returns. This
effectiely avoids all risks of busy-looping and should also make it less
likely that apps "over-wait".

This also changes the curl tool to use this funtion internally when
doing parallel transfers and changes curl_easy_perform() to use it
internally.

Closes #4163
2019-08-06 09:33:29 +02:00
Daniel Stenberg
cee7639b79
quiche:h3_stream_recv return 0 at end of stream
... and remove some verbose messages we don't need. Made transfers from
facebook.com work better.
2019-08-06 08:06:58 +02:00
Daniel Stenberg
92dc514c5b
altsvc: make quiche use h3-22 now 2019-08-06 07:39:27 +02:00
Daniel Stenberg
e9bbc81299
quiche: show the actual version number 2019-08-06 07:39:27 +02:00
Daniel Stenberg
dc35631ef7
quiche: first working HTTP/3 request
- enable debug log
 - fix use of quiche API
 - use download buffer
 - separate header/body

Closes #4193
2019-08-06 07:39:21 +02:00
Daniel Stenberg
a42b0957ab
http09: disable HTTP/0.9 by default in both tool and library
As the plan has been laid out in DEPRECATED. Update docs accordingly and
verify in test 1174. Now requires the option to be set to allow HTTP/0.9
responses.

Closes #4191
2019-08-06 00:08:14 +02:00
Daniel Stenberg
4173868f66
quiche: initial h3 request send/receive 2019-08-05 14:20:56 +02:00
Daniel Stenberg
47645f45da
lib/Makefile.am: make checksrc run in vquic too 2019-08-05 14:20:51 +02:00
Daniel Stenberg
182c272133
altsvc: fix removal of expired cache entry
Closes #4192
2019-08-05 14:18:46 +02:00
Steve Holme
850a295b41
md4: Use our own MD4 implementation when no crypto libraries are available
Closes #3780
2019-08-04 18:01:29 +01:00
Steve Holme
72e5fd83b2
md4: No need to include Curl_md4.h for each TLS library 2019-08-04 18:01:29 +01:00
Steve Holme
3d9685ee55
md4: No need for the NTLM code to call Curl_md4it() for each TLS library
As the NTLM code no longer calls any of TLS libraries' specific MD4
functions, there is no need to call this function for each #ifdef.
2019-08-04 18:01:28 +01:00
Steve Holme
2ff216f1b0
md4: Move the mbed TLS MD4 implementation out of the NTLM code 2019-08-04 18:01:28 +01:00
Steve Holme
c5eb2fd618
md4: Move the WinCrypt implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
11c50f7655
md4: Move the SecureTransport implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
24c298fb4d
md4: Use the Curl_md4it() function for OpenSSL based NTLM 2019-08-04 18:01:26 +01:00
Steve Holme
c89365929b
md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code 2019-08-04 18:01:26 +01:00
Steve Holme
78e263676b
md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code 2019-08-04 18:01:25 +01:00
Jay Satiro
9a24f97711 OS400: Add CURLOPT_H3 symbols
Follow-up to 3af0e76 which added experimental H3 support.

Closes https://github.com/curl/curl/pull/4185
2019-08-04 11:04:51 -04:00
Daniel Stenberg
cc28a502bc
url: make use of new HTTP version if alt-svc has one 2019-08-03 21:55:51 +02:00
Daniel Stenberg
a9a2b26830
url: set conn->transport to default TCP at init time 2019-08-03 21:55:51 +02:00
Daniel Stenberg
0711153b46
altsvc: with quiche, use the quiche h3 alpn string
Closes #4183
2019-08-03 21:55:41 +02:00
Daniel Stenberg
1132f43012
alt-svc: more liberal ALPN name parsing
Allow pretty much anything to be part of the ALPN identifier. In
particular minus, which is used for "h3-20" (in-progress HTTP/3
versions) etc.

Updated test 356.
Closes #4182
2019-08-03 21:54:00 +02:00
Daniel Stenberg
decefd5778
quiche: use the proper HTTP/3 ALPN 2019-08-02 13:52:14 +02:00
Daniel Stenberg
fc5b61baf0
quiche: add failf() calls for two error cases
To aid debugging

Closes #4181
2019-08-02 13:52:07 +02:00
Kamil Dudka
4c187043c5 http_negotiate: improve handling of gss_init_sec_context() failures
If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
gss_init_sec_context() failed, the POST request was sent
with empty body.  This commit also restores the original
behavior of `curl --fail --negotiate`, which was changed
by commit 6c60355323.

Add regression tests 2077 and 2078 to cover this.

Fixes #3992
Closes #4171
2019-08-01 16:21:41 +02:00
Daniel Stenberg
b1616dad8f
timediff: make it 64 bit (if possible) even with 32 bit time_t
... to make it hold microseconds too.

Fixes #4165
Closes #4168
2019-08-01 07:43:24 +02:00
Daniel Stenberg
b7d1264647
getenv: support up to 4K environment variable contents on windows
Reported-by: Michal Čaplygin
Fixes #4174
Closes #4175
2019-07-31 08:20:59 +02:00
lufia
84aba180e2
plan9: add support for running on Plan 9
Closes #3701
2019-07-31 00:23:25 +02:00
lufia
6cd5c35509
ntlm: explicit type casting 2019-07-31 00:22:16 +02:00
Daniel Stenberg
a55faf33d4
cleanup: remove the 'numsocks' argument used in many places
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.

Closes #4169
2019-07-30 23:16:44 +02:00
Daniel Stenberg
cb542ac4d0
readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
Regression, broken in commit 65eb65fde6 (curl 7.64.1)

Reported-by: Jonathan Cardoso Machado
Assisted-by: Jay Satiro

Fixes #4136
Closes #4162
2019-07-30 23:07:56 +02:00
Daniel Stenberg
041690aadb
asyn-thread: removed unused variable
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
before push...
2019-07-30 10:29:54 +02:00
amkatyal
eb9a604f8d
asyn-thread: create a socketpair to wait on
Closes #4157
2019-07-30 08:27:30 +02:00
Daniel Stenberg
d23e87d551
progress: reset download/uploaded counter
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.

Fixed-by: Ironbars13 on github
Fixes #4084
Closes #4161
2019-07-29 22:31:30 +02:00
Daniel Stenberg
fc6045f5d1
http2_recv: trigger another read when the last data is returned
... so that end-of-stream is detected properly.

Reported-by: Tom van der Woerdt
Fixes #4043
Closes #4160
2019-07-29 22:16:27 +02:00
Balazs Kovacsics
802aa5ae27
HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME.  Update
test 1514 according to the new behaviour.

Closes #4138
2019-07-29 13:18:53 +02:00
Jay Satiro
78ed3abe11 easy: resize receive buffer on easy handle reset
- In curl_easy_reset attempt to resize the receive buffer to its default
  size. If realloc fails then continue using the previous size.

Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.

Reported-by: Felix Hädicke

Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
2019-07-25 22:24:06 -04:00
Felix Hädicke
6261749510
ssh-libssh: do not specify O_APPEND when not in append mode
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).

Fixes #4147
Closes #4148
2019-07-25 23:29:21 +02:00
Gergely Nagy
a55edcea65
multi: call detach_connection before Curl_disconnect
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.

Fixes #4144
Closes #4151
2019-07-25 18:06:42 +02:00
Daniel Stenberg
3af0e76d1e
HTTP3: initial (experimental) support
USe configure --with-ngtcp2 or --with-quiche

Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>

Closes #3500
2019-07-21 23:49:03 +02:00
Daniel Stenberg
828392ae10
curl_version_info: provide nghttp2 details
Introducing CURLVERSION_SIXTH with nghttp2 info.

Closes #4121
2019-07-20 00:06:42 +02:00
Daniel Stenberg
ec3f6f1c36
source: remove names from source comments
Several reasons:

- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons

Assisted-by: Daniel Gustafsson
Closes #4129
2019-07-19 23:50:22 +02:00
Daniel Stenberg
27e14efe5f
progress: make the progress meter appear again
Fix regression caused by 21080e1

Reported-by: Chih-Hsuan Yen
Fixes #4122
Closes #4124
2019-07-19 11:29:27 +02:00
Daniel Gustafsson
e5b371dc51 nss: inspect returnvalue of token check
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes https://github.com/curl/curl/pull/4110
2019-07-17 00:52:24 -04:00
Jay Satiro
e8442e4ffc libcurl: Restrict redirect schemes (follow-up)
- Allow FTPS on redirect.

- Update default allowed redirect protocols in documentation.

Follow-up to 6080ea0.

Ref: https://github.com/curl/curl/pull/4094

Closes https://github.com/curl/curl/pull/4115
2019-07-17 00:48:40 -04:00
Linos Giannopoulos
6080ea098d
libcurl: Restrict redirect schemes
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.

For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.

Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>

Closes #4094
2019-07-14 16:29:55 +02:00
Zenju
7e8f1916d6
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
Closes #4100
2019-07-14 16:24:46 +02:00
Peter Simonyi
855887af79
http: allow overriding timecond with custom header
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
If-Modified-Since).  Allow this to be replaced or suppressed with
CURLOPT_HTTPHEADER.

Fixes #4103
Closes #4109
2019-07-14 16:17:15 +02:00
Juergen Hoetzel
ac3d19a26d smb: Use the correct error code for access denied on file open
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.

Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.

Closes https://github.com/curl/curl/pull/4095
2019-07-11 02:57:40 -04:00
Gisle Vanem
26da21c84a system_win32: fix clang warning
- Declare variable in header as extern.

Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
2019-07-11 02:27:04 -04:00