1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 10:08:48 -05:00
Commit Graph

27219 Commits

Author SHA1 Message Date
Daniel Stenberg
eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00
Daniel Stenberg
cf65d4237e
curl: ignore options asking for SSLv2 or SSLv3
Instead output a warning about it and continue with the defaults.

These SSL versions are typically not supported by the TLS libraries since a
long time back already since they are inherently insecure and broken. Asking
for them to be used will just cause an error to be returned slightly later.

In the unlikely event that a user's TLS library actually still supports these
protocol versions, this change might make the request a little less insecure.

Closes #6772
2021-04-19 08:14:05 +02:00
Daniel Stenberg
6fc805d0c1
test972: verify the json output with jsonlint
Make sure one of the azure jobs has jsonlint installed so that the test
runs there.

Ref: #6905
2021-04-17 11:03:40 +02:00
Jay Satiro
2f78be51eb
tool_writeout: fix the HTTP_CODE json output
Update test 970 accordingly.

Reported-by: Michal Rus
Fixes #6905
Closes #6906
2021-04-17 11:03:30 +02:00
Daniel Stenberg
2cd2686129
openldap: protect SSL-specific code with proper #ifdef
Closes #6901
2021-04-15 23:31:41 +02:00
Daniel Stenberg
b532d35b5c
libssh2: fix Value stored to 'sshp' is never read
Pointed out by scan-build

Closes #6900
2021-04-15 22:43:35 +02:00
Victor Vieux
0d7c55bd57
tool_getparam: replace (in-place) '%20' by '+' according to RFC1866
Signed-off-by: Victor Vieux <victorvieux@gmail.com>

Closes #6895
2021-04-15 13:45:12 +02:00
Daniel Stenberg
7bdec2a08b
configure: provide --with-openssl, deprecate --with-ssl
Makes the option more explicit.

Closes #6887
2021-04-15 09:08:34 +02:00
Daniel Stenberg
ccaaa534d0
RELEASE-NOTES: synced
and bumped curlver to 7.77.0
2021-04-15 08:24:19 +02:00
Javier Blazquez
40d2d39f86
rustls: only return CURLE_AGAIN when TLS session is fully drained
The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894
2021-04-15 08:19:49 +02:00
Daniel Stenberg
520bd5225c
cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
the cookiejar from memory.

Reported-by: Stefan Karpinski
Fixes #6889
Closes #6891
2021-04-14 23:09:36 +02:00
Daniel Stenberg
566b74a0e1
RELEASE-NOTES: synced
curl 7.76.1 release
2021-04-14 07:56:23 +02:00
Daniel Stenberg
aba89ca236
THANKS: add names from 7.76.1 2021-04-13 14:32:30 +02:00
Daniel Stenberg
95d525a9e1
misc: update copyright year ranges to match latest updates 2021-04-13 14:32:30 +02:00
Tatsuhiro Tsujikawa
f141b0bbf7
ngtcp2: Use ALPN h3-29 for now
Fixes #6864
Cloes #6886
2021-04-13 14:22:32 +02:00
Jay Satiro
0409c12ae7 TODO: remove 18.22 --fail-with-body
--fail-with-body was added in 8a964cb (precedes curl-7_76_0).
2021-04-11 00:36:13 -04:00
Jürgen Gmach
c6e213e584
src/tool_vms.c: remove duplicated word in comment
Closes #6881
2021-04-10 11:43:18 +02:00
Daniel Stenberg
d0c196618e
configure: fix CURL_DARWIN_CFLAGS use
The macro name change was not completely done.

Follow-up to 5d2c384452
Bug: 5d2c384452 (commitcomment-49315187)
Reported-by: Marcel Raad
Closes #6878
2021-04-09 17:09:08 +02:00
Anthony Shaw
2908a8232c
github/workflow: add "security-extended" to codeql-analysis.yml
Extends the CodeQL code scan.

Closes #6815
2021-04-09 15:46:31 +02:00
Jochem Broekhoff
255bdfe65c
examples/hiperfifo.c: check event_initialized before delete
If event_del is called with the event struct (still) zeroed out, a
segmentation fault may occur.  event_initialized checks whether the
event struct is nonzero.

Closes #6876
2021-04-09 11:44:21 +02:00
Patrick Monnerat
9c1e1a6105
ntlm: fix negotiated flags usage
According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.

The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.

Tests involving NTLM are adjusted to this new behavior.

Fixes #6813
Closes #6849
2021-04-09 09:40:56 +02:00
Patrick Monnerat
cca455a36b
ntlm: support version 2 on 32-bit platforms
Closes #6849
2021-04-09 09:40:49 +02:00
Patrick Monnerat
10514d0076
curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION
... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
whole NTLM.

Closes #6849
2021-04-09 09:40:36 +02:00
Daniel Stenberg
c502b47f1f
lib: remove unused HAVE_INET_NTOA_R* defines
Closes #6867
2021-04-08 16:33:29 +02:00
Michael Forney
eaa1d73229
configure: include <time.h> unconditionally
In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.

In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.

The AC_HEADER_TIME macro deprecation text says

> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.

So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.

Closes #6859
2021-04-07 16:08:01 +02:00
Michael Forney
812fce9dcf
configure: remove use of RETSIGTYPE
This was previously defined by the obsolete AC_TYPE_SIGNAL macro,
which was removed in 2682e5f5. The deprecation text says

> Your code may safely assume C89 semantics that RETSIGTYPE is void.

So, remove it and just use void instead.

Closes #6861
2021-04-07 16:01:05 +02:00
Muhammed Yavuz Nuzumlalı
694eab18bc
install: add instructions for Apple Darwin platforms
Closes #6860
2021-04-07 15:54:32 +02:00
Muhammed Yavuz Nuzumlalı
5d2c384452
configure: disable min version set for Darwin
Fixes #6838
Closes #6860
2021-04-07 15:54:02 +02:00
David Hu
3be5ebf303
docs/HTTP3.md: update the build instruction using gnutls
In ngtcp2 the `with-gnutls` option is disabled by default, which will
cause `curl` unable to be `make` because of lacking the libraries
needed.

Closes #6857
2021-04-07 09:02:33 +02:00
Daniel Stenberg
719baefc77
RELEASE-NOTES: synced 2021-04-07 08:32:50 +02:00
Daniel Stenberg
77db2a0c6d
typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
... and not values.

Reported-by: locpyl-tidnyd on github
Fixes #6818
Closes #6819
2021-04-07 00:16:40 +02:00
Daniel Stenberg
33ddef3617
ngtcp2+gnutls: clear credentials when freed
... to avoid double-free.

Reported-by: Kenneth Davidson
Fixes #6824
Closes #6856
2021-04-07 00:07:10 +02:00
Cherish98
4b4401e26a tool_progress: Fix progress meter in parallel mode
Make sure the total amount of DL/UL bytes are counted before the
transfer finalizes. Otherwise if a transfer finishes too quick, its
total numbers are not added, and results in a DL%/UL% that goes above
100%.

Detail:

progress_meter() is called periodically, and it may not catch a
transfer's total bytes if the value was unknown during the last call,
and the transfer is finished and deleted (i.e., lost) during the next
call.

Closes https://github.com/curl/curl/pull/6840
2021-04-05 23:43:26 -04:00
Emil Engler
c1abc6624d libssh: get rid of PATH_MAX
This removes the last occurrence of PATH_MAX inside our libssh
implementation by calculating the path length from the string length of
the two components.

Closes #6829
2021-04-05 23:21:19 -04:00
Daniel Stenberg
605aa03ac1
http_proxy: only loop on 407 + close if we have credentials
... to fix the retry-loop.

Add test 718 to verify.

Reported-by: Daniel Kurečka
Fixes #6828
Closes #6850
2021-04-05 22:49:07 +02:00
Daniel Stenberg
00b89ec641
h2: allow 100 streams by default
instead of 13, before the server has told how many streams it
accepts. The server can always reject new streams anyway if we go above
what it accepts.

Ref: #6826
Closes #6852
2021-04-05 22:47:34 +02:00
Luke Granger-Brown
6d930d7306
file: support GETing directories again
After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an
expected_size for directories. This has the upshot that when we compare
even an empty Range with the available size, we fail.

This brings back the previous behaviour, which was to succeed, but with
empty content. This also removes the "Accept-ranges: bytes" header,
which is nonsensical on directories.

Adds test 3016
Fixes #6845
Closes #6846
2021-04-05 12:22:07 +02:00
Daniel Stenberg
f6bbc3407a
RELEASE-NOTES: synced
and bumped to 7.76.1
2021-04-04 23:53:33 +02:00
Daniel Stenberg
f573998c22
TLS: fix HTTP/2 selection
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes #6825
Closes #6827
2021-04-02 22:53:17 +02:00
Jay Satiro
3085ccfae9 hostip: Fix for builds that disable all asynchronous DNS
- Define Curl_resolver_error function only when USE_CURL_ASYNC.

Prior to this change building curl without an asynchronous resolver
backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is
also asynchronous but independent of resolver backend) would cause a
build error since Curl_resolver_error is called by and evaluates
variables only available in asynchronous builds.

Reported-by: Benbuck Nason

Fixes https://github.com/curl/curl/issues/6831
Closes https://github.com/curl/curl/pull/6832
2021-04-02 02:38:43 -04:00
Gilles Vollant
06a7f2745e
openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
Reported-by: Christian Schmitz
Fixes #6816
Closes #6820
2021-03-31 23:35:59 +02:00
Daniel Stenberg
3266b35bbe
RELEASE-NOTES: synced
curl 7.76.0 release
2021-03-31 00:08:25 +02:00
Daniel Stenberg
e1c51916e2
THANKS: added names from 7.76.0 2021-03-31 00:08:24 +02:00
Daniel Stenberg
5a80a869a7
CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
... some users may not want that!
2021-03-30 14:47:14 +02:00
Daniel Stenberg
33ba0ecf48
define: remove CURL_DISABLE_NTLM ifdefs
It was never defined anywhere. Fixed disable-scan (test 1165) to also
scan headers, which found this issue.

Closes #6809
2021-03-29 14:43:54 +02:00
Daniel Stenberg
2c26eeef12
vtls: fix addsessionid for non-proxy builds
Follow-up to b09c8ee157
Fixes #6812
Closes #6811
2021-03-29 14:20:13 +02:00
Li Xinwei
9d4f21b190
cmake: support WinIDN
Closes #6807
2021-03-29 09:50:55 +02:00
Daniel Stenberg
6bb028dbda
transfer: clear 'referer' in declaration
To silence (false positive) compiler warnings about it.

Follow-up to 7214288898

Reviewed-by: Marcel Raad
Closes #6810
2021-03-29 09:45:53 +02:00
Marc Hoersken
d6fba0ca06
config: fix SSPI enabling NTLM if crypto auth is disabled
Avoid enabling NTLM feature based upon Windows SSPI
being enabled in case that crypto auth is disabled.

Reported-by: Marcel Raad

Follow-up to #6277
Fixes #6803
Closes #6808
2021-03-29 09:08:48 +02:00
Daniel Stenberg
ce2d5fb7fa
HISTORY: add two 2021 events 2021-03-29 09:05:12 +02:00