1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 09:08:49 -05:00
Commit Graph

9731 Commits

Author SHA1 Message Date
Pavol Markovic
6ce9845677
macOS: Fix missing connectx function with Xcode version older than 9.0
The previous fix https://github.com/curl/curl/pull/1788 worked just for
Xcode 9. This commit extends the fix to older Xcode versions effectively
by not using connectx function.

Fixes https://github.com/curl/curl/issues/1330
Fixes https://github.com/curl/curl/issues/2080
Closes https://github.com/curl/curl/pull/1336
Closes #2082
2017-11-15 11:10:51 +01:00
Dirk Feytons
d3ab7c5a21
openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
Fixes #2079
Closes #2081
2017-11-15 11:09:21 +01:00
Michael Kaufmann
ae7369b6d0 URL: return error on malformed URLs with junk after IPv6 bracket
Follow-up to aadb7c7. Verified by new test 1263.

Closes #2072
2017-11-14 18:20:56 +01:00
Patrick Monnerat
def2ca2628 zlib/brotli: only include header files in modules needing them
There is a conflict on symbol 'free_func' between openssl/crypto.h and
zlib.h on AIX. This is an attempt to resolve it.

Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html
Reported-By: Michael Felt
2017-11-13 14:20:41 +01:00
Daniel Stenberg
fa1512b2a0
SMB: fix uninitialized local variable
Reported-by: Brian Carpenter
2017-11-13 08:27:36 +01:00
Orgad Shaneh
9f78b05443
connect.c: remove executable bit on file
Closes #2071
2017-11-12 10:51:46 +01:00
Daniel Stenberg
aa7668b948
setopt: split out curl_easy_setopt() to its own file
... to make url.c smaller.

Closes #1944
2017-11-10 23:08:20 +01:00
Daniel Stenberg
3619ee5feb
curl_share_setopt: va_end was not called if conncache errors
CID 984459, detected by Coverity
2017-11-10 15:02:11 +01:00
Luca Boccassi
32828cc4fb
--interface: add support for Linux VRF
The --interface command (CURLOPT_INTERFACE option) already uses
SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP
address first, which fails in case the user passes a VRF.

Try to use the socket option immediately and parse it as a fallback
instead.  Update the documentation to mention this feature, and that it
requires the binary to be ran by root or with CAP_NET_RAW capabilities
for this to work.

Closes #2024
2017-11-09 13:20:11 +01:00
Daniel Stenberg
67c55a26d5
share: add support for sharing the connection cache 2017-11-09 11:07:44 +01:00
Daniel Stenberg
e871ab56ed
imap: deal with commands case insensitively
As documented in RFC 3501 section 9:
https://tools.ietf.org/html/rfc3501#section-9

Closes #2061
2017-11-09 10:36:47 +01:00
Daniel Stenberg
6b12beb25a
connect: store IPv6 connection status after valid connection
... previously it would store it already in the happy eyeballs stage
which could lead to the IPv6 bit being set for an IPv4 connection,
leading to curl not wanting to do EPSV=>PASV for FTP transfers.

Closes #2053
2017-11-09 07:59:04 +01:00
Jay Satiro
fa64b0fc4b content_encoding: fix inflate_stream for no bytes available
- Don't call zlib's inflate() when avail_in stream bytes is 0.

This is a follow up to the parent commit 19e66e5. Prior to that change
libcurl's inflate_stream could call zlib's inflate even when no bytes
were available, causing inflate to return Z_BUF_ERROR, and then
inflate_stream would treat that as a hard error and return
CURLE_BAD_CONTENT_ENCODING.

According to the zlib FAQ, Z_BUF_ERROR is not fatal.

This bug would happen randomly since packet sizes are arbitrary. A test
of 10,000 transfers had 55 fail (ie 0.55%).

Ref: https://zlib.net/zlib_faq.html#faq05

Closes https://github.com/curl/curl/pull/2060
2017-11-09 01:36:50 -05:00
Patrick Monnerat
19e66e5362 content_encoding: do not write 0 length data 2017-11-07 02:38:34 +01:00
Daniel Stenberg
6e6bf60357
fnmatch: remove dead code
There was a duplicate check for backslashes in the setcharset()
function.

Coverity CID 1420611
2017-11-06 09:01:53 +01:00
Daniel Stenberg
cbb22cb76d
url: remove unncessary NULL-check
Since 'conn' won't be NULL in there and we also access the pointer in
there without the check.

Coverity CID 1420610
2017-11-06 08:23:11 +01:00
Viktor Szakats
cc1f443609 Makefile.m32: allow to customize brotli libs
It adds the ability to link against static brotli libs.

Also fix brotli include path.
2017-11-05 23:02:05 +00:00
Viktor Szakats
609aa62f53 Makefile.m32: add brotli support 2017-11-05 15:32:43 +01:00
Patrick Monnerat
11bf1796cd HTTP: implement Brotli content encoding
This uses the brotli external library (https://github.com/google/brotli).
Brotli becomes a feature: additional curl_version_info() bit and
structure fields are provided for it and CURLVERSION_NOW bumped.

Tests 314 and 315 check Brotli content unencoding with correct and
erroneous data.

Some tests are updated to accomodate with the now configuration dependent
parameters of the Accept-Encoding header.
2017-11-05 15:28:16 +01:00
Patrick Monnerat
dbcced8e32 HTTP: support multiple Content-Encodings
This is implemented as an output streaming stack of unencoders, the last
calling the client write procedure.

New test 230 checks this feature.

Bug: https://github.com/curl/curl/pull/2002
Reported-By: Daniel Bankhead
2017-11-05 15:09:48 +01:00
Jay Satiro
462f3cac34 url: remove arg value check from CURLOPT_SSH_AUTH_TYPES
Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value
check on this option is incorrect; we have to accept any value.

Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES
erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT.

Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120
2017-11-04 18:36:07 -04:00
Daniel Stenberg
685ef13057 ntlm: avoid malloc(0) for zero length passwords
It triggers an assert() when built with memdebug since malloc(0) may
return NULL *or* a valid pointer.

Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054

Assisted-by: Max Dymond
Closes #2054
2017-11-04 22:22:49 +01:00
Daniel Stenberg
921bf1de52 CURLOPT_INFILESIZE: accept -1
Regression since f121575

Reported-by: Petr Voytsik
Fixes #2047
2017-11-03 14:40:19 +01:00
Jay Satiro
b51e0742b9 url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1
Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT
erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT.
2017-11-02 00:30:28 -04:00
Dan Fandrich
544bfdebea http2: Fixed OOM handling in upgrade request
This caused the torture tests on test 1800 to fail.
2017-11-01 14:37:01 +01:00
Daniel Stenberg
25cb41d35d CURLOPT_MAXREDIRS: allow -1 as a value
... which is valid according to documentation. Regression since
f121575c0b.

Verified now in test 501.

Reported-by: cbartl on github
Fixes #2038
Closes #2039
2017-11-01 11:56:19 +01:00
Daniel Stenberg
cda89c8b58 include: remove conncache.h inclusion from where its not needed 2017-11-01 10:06:32 +01:00
Jay Satiro
b8bd6dc110 url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1
.. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE.

Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE
erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT.

Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html
Reported-by: Andrew Lambert
2017-11-01 02:11:30 -04:00
Daniel Stenberg
fa394c8c2e cookie: avoid NULL dereference
... when expiring old cookies.

Reported-by: Pavel Gushchin
Fixes #2032
Closes #2035
2017-10-31 09:16:03 +01:00
Marcel Raad
52d9a11c1c
memdebug: use send/recv signature for curl_dosend/curl_dorecv
This avoids build errors and warnings caused by implicit casts.

Closes https://github.com/curl/curl/pull/2031
2017-10-30 21:27:59 +01:00
Daniel Stenberg
a7b99d58a8 curlx: the timeval functions are no longer provided as curlx_*
Pointed-out-by: Dmitri Tikhonov
Bug: #2034
2017-10-30 16:41:44 +01:00
Daniel Stenberg
f2003295a0 select: update comments
s/curlx_tvnow/Curl_now
2017-10-30 16:40:28 +01:00
Dmitri Tikhonov
d531f33ba2 timeval: use mach time on MacOS
If clock_gettime() is not supported, use mach_absolute_time() on MacOS.

closes #2033
2017-10-30 15:27:46 +01:00
Daniel Stenberg
7ee59512f8
timeleft: made two more users of Curl_timeleft use timediff_t 2017-10-29 13:13:23 +01:00
Jakub Zakrzewski
1cb4f5d6e8 cmake: Export libcurl and curl targets to use by other cmake projects
The config files define curl and libcurl targets as imported targets
CURL::curl and CURL::libcurl. For backward compatibility with CMake-
provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are
also set.

Closes #1879
2017-10-28 17:22:47 +02:00
Florin
2b5b37cb91
auth: add support for RFC7616 - HTTP Digest access authentication
Signed-off-by: Florin <petriuc.florin@gmail.com>
2017-10-28 16:32:43 +02:00
Daniel Stenberg
0d85eed3df
Curl_timeleft: change return type to timediff_t
returning 'time_t' is problematic when that type is unsigned and we
return values less than zero to signal "already expired", used in
several places in the code.

Closes #2021
2017-10-28 10:40:51 +02:00
Daniel Stenberg
961c8667d2
setopt: fix CURLOPT_SSH_AUTH_TYPES option read
Regression since f121575c0b

Reported-by: Rob Cotrone
2017-10-27 22:57:51 +02:00
Marcel Raad
733190413f
resolvers: only include anything if needed
This avoids warnings about unused stuff.

Closes https://github.com/curl/curl/pull/2023
2017-10-27 13:20:13 +02:00
Daniel Stenberg
fe03485e93
curl_setup.h: oops, shorten the too long line 2017-10-27 11:12:45 +02:00
Martin Storsjo
9e76dbe054
curl_setup: Improve detection of CURL_WINDOWS_APP
If WINAPI_FAMILY is defined, it should be safe to try to include
winapifamily.h to check what the define evaluates to.

This should fix detection of CURL_WINDOWS_APP if building with
_WIN32_WINNT set to 0x0600.

Closes #2025
2017-10-27 11:02:42 +02:00
Jay Satiro
979d2877be transfer: Fix chunked-encoding upload bug
- When uploading via chunked-encoding don't compare file size to bytes
  sent to determine whether the upload has finished.

Chunked-encoding adds its own overhead which why the bytes sent is not
equal to the file size. Prior to this change if a file was uploaded in
chunked-encoding and its size was known it was possible that the upload
could end prematurely without sending the final few chunks. That would
result in a server hang waiting for the remaining data, likely followed
by a disconnect.

The scope of this bug is limited to some arbitrary file sizes which have
not been determined. One size that triggers the bug is 475020.

Bug: https://github.com/curl/curl/issues/2001
Reported-by: moohoorama@users.noreply.github.com

Closes https://github.com/curl/curl/pull/2010
2017-10-26 14:34:46 -04:00
Daniel Stenberg
788d333573
timeval: make timediff_t also work on 32bit windows
... by using curl_off_t for the typedef if time_t is larger than 4
bytes.

Reported-by: Gisle Vanem
Bug: b9d25f9a6b (co)
mmitcomment-25205058
Closes #2019
2017-10-26 20:22:55 +02:00
Daniel Stenberg
f0364f7e31
curl_fnmatch: return error on illegal wildcard pattern
... instead of doing an infinite loop!

Added test 1162 to verify.

Reported-by: Max Dymond
Fixes #2015
Closes #2017
2017-10-26 13:37:45 +02:00
Max Dymond
7b11c5dbe6
wildcards: don't use with non-supported protocols
Fixes timeouts in the fuzzing tests for non-FTP protocols.

Closes #2016
2017-10-26 13:34:45 +02:00
Max Dymond
3340b456a5 multi: allow table handle sizes to be overridden
Allow users to specify their own hash define for
CURL_CONNECTION_HASH_SIZE so that both values can be overridden.

Closes #1982
2017-10-25 18:50:02 +02:00
Daniel Stenberg
5d543fe906 time: rename Curl_tvnow to Curl_now
... since the 'tv' stood for timeval and this function does not return a
timeval struct anymore.

Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
clean up the descriptive comments.

Closes #2011
2017-10-25 18:48:05 +02:00
Daniel Stenberg
1d72b5b891 ftplistparser: follow-up cleanup to remove PL_ERROR() 2017-10-25 18:45:14 +02:00
Max Dymond
f786d1f143 ftplistparser: free off temporary memory always
When using the FTP list parser, ensure that the memory that's
allocated is always freed.

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682
Closes #2013
2017-10-25 18:44:47 +02:00
Daniel Stenberg
b9d25f9a6b timediff: return timediff_t from the time diff functions
... to cater for systems with unsigned time_t variables.

- Renamed the functions to curlx_timediff and Curl_timediff_us.

- Added overflow protection for both of them in either direction for
  both 32 bit and 64 bit time_ts

- Reprefixed the curlx_time functions to use Curl_*

Reported-by: Peter Piekarski
Fixes #2004
Closes #2005
2017-10-25 09:54:37 +02:00
Jon DeVree
fdd879d549
mk-ca-bundle: Remove URL for aurora
Aurora is no longer used by Mozilla
https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/
2017-10-22 23:38:31 +02:00
Jon DeVree
f571651a0d
mk-ca-bundle: Fix URL for NSS
The 'tip' is the most recent branch committed to, this should be
'default' like the URLs for the browser are.

Closes #1998
2017-10-22 23:38:23 +02:00
Daniel Stenberg
13c9a9ded3
imap: if a FETCH response has no size, don't call write callback
CVE-2017-1000257

Reported-by: Brian Carpenter and 0xd34db347
Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
2017-10-22 16:02:43 +02:00
Daniel Stenberg
769647e714
ftp: reject illegal IP/port in PASV 227 response
... by using range checks. Among other things, this avoids an undefined
behavior for a left shift that could happen on negative or very large
values.

Closes #1997

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
2017-10-20 15:06:25 +02:00
Patrick Monnerat
cea27d3454 mime: do not reuse previously computed multipart size
The contents might have changed: size must be recomputed.

Reported-by: moteus on github
Fixes #1999
2017-10-20 13:57:12 +01:00
Patrick Monnerat
8aee8a6a2d vtls: change struct Curl_ssl close' field name to close_one'.
On OS/400, `close' is an ASCII system macro that corrupts the code if
not used in a context not targetting the close() system API.
2017-10-19 19:55:17 +01:00
Patrick Monnerat
a4fc19eb4d os400: add missing symbols in config file.
Also adjust makefile to renamed files and warn about installation dirs mix-up.
2017-10-19 18:48:21 +01:00
Patrick Monnerat
a8742efe42 mime: limit bas64-encoded lines length to 76 characters 2017-10-19 18:33:27 +01:00
Daniel Stenberg
f121575c0b
setopt: range check most long options
... filter early instead of risking "funny values" having to be dealt
with elsewhere.
2017-10-16 09:23:33 +02:00
Daniel Stenberg
172ce9cc19
setopt: avoid integer overflows when setting millsecond values
... that are multiplied by 1000 when stored.

For 32 bit long systems, the max value accepted (2147483 seconds) is >
596 hours which is unlikely to ever be set by a legitimate application -
and previously it didn't work either, it just caused undefined behavior.

Also updated the man pages for these timeout options to mention the
return code.

Closes #1938
2017-10-16 09:23:19 +02:00
Viktor Szakats
4440b6ad57 makefile.m32: allow to override gcc, ar and ranlib
Allow to ovverride certain build tools, making it possible to
use LLVM/Clang to build curl. The default behavior is unchanged.
To build with clang (as offered by MSYS2), these settings can
be used:

CURL_CC=clang
CURL_AR=llvm-ar
CURL_RANLIB=llvm-ranlib

Closes https://github.com/curl/curl/pull/1993
2017-10-15 19:42:32 +00:00
Viktor Szakats
748f5301c0 ldap: silence clang warning
Use memset() to initialize a structure to avoid LLVM/Clang warning:
ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]

Closes https://github.com/curl/curl/pull/1992
2017-10-15 15:59:43 +00:00
Daniel Stenberg
ad164eceb3
memdebug: trace send, recv and socket
... to allow them to be included in torture tests too.

closes #1980
2017-10-14 17:40:12 +02:00
Patrick Monnerat
d7e4230538 mime: do not call failf() if easy handle is NULL. 2017-10-13 17:16:57 +01:00
Daniel Stenberg
5f9e2ca09b
mime: fix the content reader to handle >16K data properly
Reported-by: Jeroen Ooms
Closes #1988
2017-10-13 07:55:10 +02:00
Patrick Monnerat
0401734dfd mime: keep "text/plain" content type if user-specified.
Include test cases in 554, 587, 650.

Fixes https://github.com/curl/curl/issues/1986
2017-10-12 19:36:16 +01:00
Artak Galoyan
5505df7d24 url: Update current connection SSL verify params in setopt
Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
connection updates the current connection's (i.e.'connectdata'
structure) appropriate ssl_config (and ssl_proxy_config) structures
variables, making these options effective for ongoing connection.

This functionality was available before and was broken by the
following change:
"proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
CommitId: cb4e2be7c6.

Bug: https://github.com/curl/curl/issues/1941

Closes https://github.com/curl/curl/pull/1951
2017-10-11 03:14:26 -04:00
David Benjamin
de7597f155
openssl: don't use old BORINGSSL_YYYYMM macros
Those were temporary things we'd add and remove for our own convenience
long ago. The last few stayed around for too long as an oversight but
have since been removed. These days we have a running
BORINGSSL_API_VERSION counter which is bumped when we find it
convenient, but 2015-11-19 was quite some time ago, so just check
OPENSSL_IS_BORINGSSL.

Closes #1979
2017-10-11 08:12:19 +02:00
Daniel Stenberg
38ab7b4ccb
smtp_done: free data before returning (on send failure)
... as otherwise it could leak that memory.

Detected by OSS-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600

Assisted-by: Max Dymond
Closes #1977
2017-10-10 22:56:50 +02:00
Daniel Stenberg
ecf21c551f
FTP: URL decode path for dir listing in nocwd mode
Reported-by: Zenju on github

Test 244 added to verify
Fixes #1974
Closes #1976
2017-10-10 15:02:38 +02:00
Daniel Stenberg
62a721ea47
openssl: enable PKCS12 support for !BoringSSL
Enable PKCS12 for all non-boringssl builds without relying on configure
or cmake checks.

Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
Reported-by: Christian Schmitz
Closes #1948
2017-10-09 11:29:53 +02:00
Patrick Monnerat
06cb8adde2 mime: properly unbind mime structure in curl_mime_free().
This allows freeing a mime structure bound to the easy handle before
curl_easy_cleanup().

Fixes #1970.
2017-10-09 01:26:27 +01:00
Daniel Stenberg
232dffcf24
RTSP: avoid integer overflow on funny RTSP response
... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.
Closes #1969
2017-10-09 00:41:48 +02:00
Patrick Monnerat
ebcbed3821 mime: refuse to add subparts to one of their own descendants.
Reported-by: Alexey Melnichuk
Fixes #1962
2017-10-08 18:49:52 +01:00
Patrick Monnerat
112ea5adb6 mime: avoid resetting a part's encoder when part's contents change. 2017-10-08 18:43:13 +01:00
Patrick Monnerat
b557182db1 mime: improve unbinding top multipart from easy handle.
Also avoid dangling pointers in referencing parts.
2017-10-08 18:38:34 +01:00
Patrick Monnerat
93e62adde8 mime: be tolerant about setting twice the same header list in a part. 2017-10-08 16:20:13 +01:00
Daniel Stenberg
b2df2d47e5
Revert "multi_done: wait for name resolve to finish if still ongoing"
This reverts commit f3e03f6c0a.

Caused memory leaks in the fuzzer, needs to be done differently.

Disable test 1553 for now too, as it causes memory leaks without this
commit!
2017-10-08 00:55:10 +02:00
Daniel Stenberg
1e552535e1
remove_handle: call multi_done() first, then clear dns cache pointer
Closes #1960
2017-10-07 23:54:33 +02:00
Daniel Stenberg
f3e03f6c0a
multi_done: wait for name resolve to finish if still ongoing
... as we must clean up memory.
2017-10-07 17:54:41 +02:00
Daniel Stenberg
5b54df06d2
pingpong: return error when trying to send without connection
When imap_done() got called before a connection is setup, it would try
to "finish up" and dereffed a NULL pointer.

Test case 1553 managed to reproduce. I had to actually use a host name
to try to resolve to slow it down, as using the normal local server IP
will make libcurl get a connection in the first curl_multi_perform()
loop and then the bug doesn't trigger.

Fixes #1953
Assisted-by: Max Dymond
2017-10-07 00:20:31 +02:00
Marcel Raad
202189ff2c
vtls: fix warnings with --disable-crypto-auth
When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
are not used.
2017-10-06 19:01:19 +02:00
Daniel Stenberg
7f1140c8bf
multi_cleanup: call DONE on handles that never got that
... fixes a memory leak with at least IMAP when remove_handle is never
called and the transfer is abruptly just abandoned early.

Test 1552 added to verify

Detected by OSS-fuzz
Assisted-by: Max Dymond
Closes #1954
2017-10-06 16:48:39 +02:00
Benbuck Nason
454dae0092
strtoofft: Remove extraneous null check
Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str'
argument.

Closes #1952
2017-10-06 14:49:28 +02:00
Daniel Stenberg
2dcc378381
openssl: fix build without HAVE_OPAQUE_EVP_PKEY
Reported-by: Javier Sixto
Fixes #1955
Closes #1956
2017-10-06 14:42:40 +02:00
Viktor Szakats
24bba40456 lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
The source code is now prepared to handle the case when both
Win32 Crypto and OpenSSL/NSS crypto backends are enabled
at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
whenever the targeted Windows version supports it. Since this
matches the minimum Windows version supported by curl
(Windows 2000), enable it unconditionally for the Win32 platform.

This in turn enables SMB (and SMBS) protocol support whenever
Win32 Crypto is available, regardless of what other crypto backends
are enabled.

Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052

Closes https://github.com/curl/curl/pull/1943
2017-10-06 07:37:42 +00:00
Daniel Stenberg
7bc5308db3
build: fix --disable-crypto-auth
Reported-by: Wyatt O'Day
Fixes #1945
Closes #1947
2017-10-05 14:06:23 +02:00
Nick Zitzmann
3e492e03b3 darwinssl: add support for TLSv1.3
Closes https://github.com/curl/curl/pull/1794
2017-10-05 00:51:38 -04:00
Viktor Szakats
aaa16f8025 lib/Makefile.m32: allow customizing dll suffixes
- New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
  libcurl dll name. Useful to add `-x64` to 64-bit builds so that
  it can live in the same directory as the 32-bit one. By default
  this is empty.

- New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
  generated import library (implib) for libcurl .dll. It defaults
  to `dll`, and it's useful to modify that to `.dll` to have the
  standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.

Closes https://github.com/curl/curl/pull/1942
2017-10-04 15:57:19 +00:00
Daniel Stenberg
120d963a64
failf: skip the sprintf() if there are no consumers
Closes #1936
2017-10-04 14:48:06 +02:00
Daniel Stenberg
a69a4d222d
ftp: UBsan fixup 'pointer index expression overflowed'
Closes #1939
2017-10-04 14:47:09 +02:00
Michael Kaufmann
5f1fa5827d idn: fix source code comment 2017-10-03 18:46:50 +02:00
Michael Kaufmann
9d3dde37a8 vtls: compare and clone ssl configs properly
Compare these settings in Curl_ssl_config_matches():
- verifystatus (CURLOPT_SSL_VERIFYSTATUS)
- random_file (CURLOPT_RANDOM_FILE)
- egdsocket (CURLOPT_EGDSOCKET)

Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
and copy the setting "sessionid" unconditionally.

This means that reusing connections that are secured with a client
certificate is now possible, and the statement "TLS session resumption
is disabled when a client certificate is used" in the old advisory at
https://curl.haxx.se/docs/adv_20170419.html is obsolete.

Reviewed-by: Daniel Stenberg

Closes #1917
2017-10-03 18:08:50 +02:00
Michael Kaufmann
c4ebd8b46d proxy: read the "no_proxy" variable only if necessary
Reviewed-by: Daniel Stenberg

Closes #1919
2017-10-03 18:04:42 +02:00
Daniel Stenberg
5ff2c5ff25
FTP: zero terminate the entry path even on bad input
... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
2017-10-02 07:50:17 +02:00
Daniel Stenberg
8392a0cf61
cookie: fix memory leak if path was set twice in header
... this will let the second occurance override the first.

Added test 1161 to verify.

Reported-by: Max Dymond
Fixes #1932
Closes #1933
2017-09-30 23:40:50 +02:00
Dan Fandrich
df7839b68c Set and use more necessary options when some protocols are disabled
When curl and libcurl are built with some protocols disabled, they stop
setting and receiving some options that don't make sense with those
protocols.  In particular, when HTTP is disabled many options aren't set
that are used only by HTTP.  However, some options that appear to be
HTTP-only are actually used by other protocols as well (some despite
having HTTP in the name) and should be set, but weren't. This change now
causes some of these options to be set and used for more (or for all)
protocols. In particular, this fixes tests 646 through 649 in an
HTTP-disabled build, which use the MIME API in the mail protocols.
2017-09-30 02:10:54 +02:00
Daniel Stenberg
20ea22ff73
cookie: fix memory leak on oversized rejection
Regression brought by 2bc230de63

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513
Assisted-by: Max Dymond

Closes #1930
2017-09-29 12:06:34 +02:00
Anders Bakken
49d75a4c15
connect: fix race condition with happy eyeballs timeout
The timer should be started after conn->connecttime is set. Otherwise
the timer could expire without this condition being true:

    /* should we try another protocol family? */
    if(i == 0 && conn->tempaddr[1] == NULL &&
      curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) {

Ref: #1928
2017-09-29 08:51:59 +02:00
Michael Kaufmann
eac324f284 http: add custom empty headers to repeated requests
Closes #1920
2017-09-28 21:25:22 +02:00
Michael Kaufmann
284d06df9e reuse_conn: don't copy flags that are known to be equal
A connection can only be reused if the flags "conn_to_host" and
"conn_to_port" match. Therefore it is not necessary to copy these flags
in reuse_conn().

Closes #1918
2017-09-28 21:18:02 +02:00
Jay Satiro
953b5c4e26 ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911
2017-09-23 13:58:14 -04:00
Daniel Stenberg
afbdc96638
file_range: avoid integer overflow when figuring out byte range
When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond
2017-09-23 18:21:15 +02:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Daniel Stenberg
3b05f79ef8
imap: quote atoms properly when escaping characters
Updates test 800 to verify

Fixes #1902
Closes #1903
2017-09-22 14:43:37 +02:00
Daniel Stenberg
b8e0fe19ec
vtls: provide curl_global_sslset() even in non-SSL builds
... it just returns error:

Bug: 1328f69d53 (commitcomment-24470367)
Reported-by: Marcel Raad

Closes #1906
2017-09-22 12:09:13 +02:00
Patrick Monnerat
ee56fdb691 form/mime: field names are not allowed to contain zero-valued bytes.
Also suppress length argument of curl_mime_name() (names are always
zero-terminated).
2017-09-22 01:08:29 +01:00
Dirk Feytons
fa9482ab09
openssl: only verify RSA private key if supported
In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c

Closes #1904
2017-09-21 20:17:06 +02:00
Patrick Monnerat
a7bcf274cc mime: rephrase the multipart output state machine (#1898) ...
... in hope coverity will like it much.
2017-09-20 14:06:47 +01:00
Patrick Monnerat
f304201868 mime: fix an explicit null dereference (#1899) 2017-09-20 12:01:11 +01:00
Daniel Stenberg
1e548f7784
smtp: fix memory leak in OOM
Regression since ce0881edee

Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
torture testing.
2017-09-20 11:33:46 +02:00
Pavel P
5fe85587cc
cookies: use lock when using CURLINFO_COOKIELIST
Closes #1896
2017-09-19 23:48:48 +02:00
Daniel Stenberg
bec50cc285
mime:escape_string minor clarification change
... as it also removes a warning with old gcc versions.

Bug: https://curl.haxx.se/mail/lib-2017-09/0049.html
Reported-by: Ben Greear
2017-09-18 23:15:41 +02:00
Daniel Stenberg
2bc230de63
cookies: reject oversized cookies
... instead of truncating them.

There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.

We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.

Added test 1151 to verify

Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html
Reported-by: Kevin Smith

Closes #1894
2017-09-18 22:55:50 +02:00
Jay Satiro
6d436642dd socks: fix incorrect port number in SOCKS4 error message
Prior to this change it appears the SOCKS5 port parsing was erroneously
used for the SOCKS4 error message, and as a result an incorrect port
would be shown in the error message.

Bug: https://github.com/curl/curl/issues/1892
Reported-by: Jackarain@users.noreply.github.com
2017-09-18 03:07:57 -04:00
Marc Aldorasi
c8666089c8 schannel: Support partial send for when data is too large
Schannel can only encrypt a certain amount of data at once.  Instead of
failing when too much data is to be sent at once, send as much data as
we can and let the caller send the remaining data by calling send again.

Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html

Closes https://github.com/curl/curl/pull/1890
2017-09-16 03:19:35 -04:00
David Benjamin
843200c5b9 openssl: add missing includes
lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
their headers directly rather than relying on other OpenSSL headers
including things.

Closes https://github.com/curl/curl/pull/1891
2017-09-16 03:11:18 -04:00
Daniel Stenberg
93843c372f
conversions: fix several compiler warnings 2017-09-15 16:58:35 +02:00
Daniel Stenberg
46e14b6942
non-ascii: use iconv() with 'char **' argument
Bug: https://curl.haxx.se/mail/lib-2017-09/0031.html
2017-09-15 16:56:23 +02:00
Daniel Stenberg
2fc1db56cd
escape.c: error: pointer targets differ in signedness 2017-09-15 16:56:23 +02:00
Max Dymond
08dbed31d5
rtsp: Segfault in rtsp.c when using WRITEDATA
If the INTERLEAVEFUNCTION is defined, then use that plus the
INTERLEAVEDATA information when writing RTP. Otherwise, use
WRITEFUNCTION and WRITEDATA.

Fixes #1880
Closes #1884
2017-09-15 15:43:48 +02:00
Daniel Stenberg
22708eae40
URL: on connection re-use, still pick the new remote port
... as when a proxy connection is being re-used, it can still get a
different remote port.

Fixes #1887
Reported-by: Oli Kingshott
2017-09-14 16:49:40 +02:00
Daniel Stenberg
87501e57f1
code style: remove wrong uses of multiple spaces
Closes #1878
2017-09-12 13:54:54 +02:00
Daniel Stenberg
59813726d1
checksrc: detect and warn for multiple spaces 2017-09-12 09:50:24 +02:00
Daniel Stenberg
20acb58a38
code style: use space after semicolon 2017-09-12 09:50:24 +02:00
Daniel Stenberg
67ade28571
checksrc: verify space after semicolons 2017-09-12 09:50:24 +02:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Daniel Stenberg
ca86006deb
checksrc: detect and warn for lack of spaces next to plus signs 2017-09-11 09:29:50 +02:00
Daniel Stenberg
6b84438d9a
code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
Daniel Stenberg
e155f38d1e
checksrc: verify spaces around equals signs
... as the code style mandates.
2017-09-11 09:27:28 +02:00
Daniel Stenberg
02eb6184ad
Curl_checkheaders: make it available for IMAP and SMTP too
... not only HTTP uses this now.

Closes #1875
2017-09-11 00:26:17 +02:00
Jay Satiro
64bb7ae6ae mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: https://github.com/curl/curl/issues/1877
Reported-by: SBKarr@users.noreply.github.com
2017-09-10 03:22:05 -04:00
Daniel Stenberg
a14f7152ce
rtsp: do not call fwrite() with NULL pointer FILE *
If the default write callback is used and no destination has been set, a
NULL pointer would be passed to fwrite()'s 4th argument.

OSS-fuzz bug https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3327
(not publicly open yet)

Detected by OSS-fuzz
Closes #1874
2017-09-08 23:56:02 +02:00
Daniel Stenberg
9ef50ee0a4
http-proxy: when not doing CONNECT, that phase is done immediately
`conn->connect_state` is NULL when doing a regular non-CONNECT request
over the proxy and should therefor be considered complete at once.

Fixes #1853
Closes #1862
Reported-by: Lawrence Wagerfield
2017-09-07 16:11:38 +02:00
Johannes Schindelin
f4a623825b
OpenSSL: fix yet another mistake while encapsulating SSL backend data
Another mistake in my manual fixups of the largely mechanical
search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
commit concerning HTTPS proxies (and hence not caught during my
earlier testing).

Fixes #1855
Closes #1871

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:08:24 +02:00
Johannes Schindelin
dde4f5c81a
OpenSSL: fix erroneous SSL backend encapsulation
In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
data, 2017-06-21), this developer prepared for a separation of the
private data of the SSL backends from the general connection data.

This conversion was partially automated (search-and-replace) and
partially manual (e.g. proxy_ssl's backend data).

Sadly, there was a crucial error in the manual part, where the wrong
handle was used: rather than connecting ssl[sockindex]' BIO to the
proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
was an incorrect location to paste "BACKEND->"... d'oh.

Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Jay Satiro
955c21939e
vtls: fix memory corruption
Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
2017-07-28), the code handling HTTPS proxies was broken because the
pointer to the SSL backend data was not swapped between
conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
instead set to NULL (causing segmentation faults).

[jes: provided the commit message, tested and verified the patch]

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Daniel Stenberg
4bb80d532e
vtls: switch to CURL_SHA256_DIGEST_LENGTH define
... instead of the prefix-less version since WolfSSL 3.12 now uses an
enum with that name that causes build failures for us.

Fixes #1865
Closes #1867
Reported-by: Gisle Vanem
2017-09-07 15:59:42 +02:00
Jay Satiro
70a69f3718 SSL: fix unused parameter warnings 2017-09-06 15:11:55 -04:00
Patrick Monnerat
c96d96bc5f mime: drop internal FILE * support.
- The part kind MIMEKIND_FILE and associated code are suppressed.
- Seek data origin offset not used anymore: suppressed.
- MIMEKIND_NAMEDFILE renamed MIMEKIND_FILE; associated fields/functions
  renamed accordingly.
- Curl_getformdata() processes stdin via a callback.
2017-09-06 13:42:03 +01:00
Daniel Stenberg
d1da545a68
configure: remove --enable-soname-bump and SONAME_BUMP
Back in 2008, (and commit 3f3d6ebe66) we changed the logic in how we
determine the native type for `curl_off_t`. To really make sure we
didn't break ABI without bumping SONAME, we introduced logic that
attempted to detect that it would use a different size and thus not be
compatible. We also provided a manual switch that allowed users to tell
configure to bump SONAME by force.

Today, we know of no one who ever got a SONAME bump auto-detected and we
don't know of anyone who's using the manual bump feature. The auto-
detection is also no longer working since we introduced defining
curl_off_t in system.h (7.55.0).

Finally, this bumping logic is not present in the cmake build.

Closes #1861
2017-09-06 08:43:36 +02:00
Gisle Vanem
61825be02b vtls: select ssl backend case-insensitive (follow-up)
- Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.

- Change Curl_strcasecompare calls to strcasecompare
  (maps to the former but shorter).

Follow-up to c290b8f.

Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313

Co-authored-by: Jay Satiro
2017-09-06 02:27:33 -04:00
Jay Satiro
6cdba64e13 openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.

The first one, written for old OpenSSL versions:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c

The second one, written for BoringSSL and new OpenSSL versions:
https://github.com/curl/curl/pull/1346

Note the first one is GPL licensed but the author gave permission to
waive that license for libcurl.

As of right now this feature is disabled by default, and does not have
a configure option to enable it. To enable this feature define
ENABLE_SSLKEYLOGFILE when building libcurl and set environment
variable SSLKEYLOGFILE to a pathname that will receive the keys.

And in Wireshark change your preferences to point to that key file:
Edit > Preferences > Protocols > SSL > Master-Secret

Co-authored-by: Peter Wu

Ref: https://github.com/curl/curl/pull/1030
Ref: https://github.com/curl/curl/pull/1346

Closes https://github.com/curl/curl/pull/1866
2017-09-05 23:56:54 -04:00
Patrick Monnerat
ee5725fb5e mime: fix a trivial warning. 2017-09-05 18:38:31 +01:00
Patrick Monnerat
c1d0b6f98e mime: replace 'struct Curl_mimepart' by 'curl_mimepart' in encoder code.
mime_state is now a typedef.
2017-09-05 18:20:06 +01:00
Patrick Monnerat
63ef436ea1 mime: implement encoders.
curl_mime_encoder() is operational and documented.
curl tool -F option is extended with ";encoder=".
curl tool --libcurl option generates calls to curl_mime_encoder().
New encoder tests 648 & 649.
Test 1404 extended with an encoder specification.
2017-09-05 17:55:51 +01:00
Daniel Stenberg
9926357b42 mime: unified to use the typedef'd mime structs everywhere
... and slightly edited to follow our code style better.
2017-09-05 17:33:16 +01:00
Kamil Dudka
ea142a837e openssl: use OpenSSL's default ciphers by default
Up2date versions of OpenSSL maintain the default reasonably secure
without breaking compatibility, so it is better not to override the
default by curl.  Suggested at https://bugzilla.redhat.com/1483972

Closes #1846
2017-09-05 12:13:38 +02:00
Daniel Stenberg
3130414ce7
http-proxy: treat all 2xx as CONNECT success
Added test 1904 to verify.

Reported-by: Lawrence Wagerfield
Fixes #1859
Closes #1860
2017-09-05 09:47:46 +02:00
Viktor Szakats
841a09ea19 mime: use CURL_ZERO_TERMINATED in examples
and some minor whitespace fixes
2017-09-04 13:58:10 +00:00