1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-11 03:55:03 -05:00
Commit Graph

10609 Commits

Author SHA1 Message Date
Daniel Stenberg
a55faf33d4
cleanup: remove the 'numsocks' argument used in many places
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.

Closes #4169
2019-07-30 23:16:44 +02:00
Daniel Stenberg
cb542ac4d0
readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
Regression, broken in commit 65eb65fde6 (curl 7.64.1)

Reported-by: Jonathan Cardoso Machado
Assisted-by: Jay Satiro

Fixes #4136
Closes #4162
2019-07-30 23:07:56 +02:00
Daniel Stenberg
041690aadb
asyn-thread: removed unused variable
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
before push...
2019-07-30 10:29:54 +02:00
amkatyal
eb9a604f8d
asyn-thread: create a socketpair to wait on
Closes #4157
2019-07-30 08:27:30 +02:00
Daniel Stenberg
d23e87d551
progress: reset download/uploaded counter
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.

Fixed-by: Ironbars13 on github
Fixes #4084
Closes #4161
2019-07-29 22:31:30 +02:00
Daniel Stenberg
fc6045f5d1
http2_recv: trigger another read when the last data is returned
... so that end-of-stream is detected properly.

Reported-by: Tom van der Woerdt
Fixes #4043
Closes #4160
2019-07-29 22:16:27 +02:00
Balazs Kovacsics
802aa5ae27
HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME.  Update
test 1514 according to the new behaviour.

Closes #4138
2019-07-29 13:18:53 +02:00
Jay Satiro
78ed3abe11 easy: resize receive buffer on easy handle reset
- In curl_easy_reset attempt to resize the receive buffer to its default
  size. If realloc fails then continue using the previous size.

Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.

Reported-by: Felix Hädicke

Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
2019-07-25 22:24:06 -04:00
Felix Hädicke
6261749510
ssh-libssh: do not specify O_APPEND when not in append mode
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).

Fixes #4147
Closes #4148
2019-07-25 23:29:21 +02:00
Gergely Nagy
a55edcea65
multi: call detach_connection before Curl_disconnect
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.

Fixes #4144
Closes #4151
2019-07-25 18:06:42 +02:00
Daniel Stenberg
3af0e76d1e
HTTP3: initial (experimental) support
USe configure --with-ngtcp2 or --with-quiche

Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>

Closes #3500
2019-07-21 23:49:03 +02:00
Daniel Stenberg
828392ae10
curl_version_info: provide nghttp2 details
Introducing CURLVERSION_SIXTH with nghttp2 info.

Closes #4121
2019-07-20 00:06:42 +02:00
Daniel Stenberg
ec3f6f1c36
source: remove names from source comments
Several reasons:

- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons

Assisted-by: Daniel Gustafsson
Closes #4129
2019-07-19 23:50:22 +02:00
Daniel Stenberg
27e14efe5f
progress: make the progress meter appear again
Fix regression caused by 21080e1

Reported-by: Chih-Hsuan Yen
Fixes #4122
Closes #4124
2019-07-19 11:29:27 +02:00
Daniel Gustafsson
e5b371dc51 nss: inspect returnvalue of token check
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes https://github.com/curl/curl/pull/4110
2019-07-17 00:52:24 -04:00
Jay Satiro
e8442e4ffc libcurl: Restrict redirect schemes (follow-up)
- Allow FTPS on redirect.

- Update default allowed redirect protocols in documentation.

Follow-up to 6080ea0.

Ref: https://github.com/curl/curl/pull/4094

Closes https://github.com/curl/curl/pull/4115
2019-07-17 00:48:40 -04:00
Linos Giannopoulos
6080ea098d
libcurl: Restrict redirect schemes
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.

For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.

Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>

Closes #4094
2019-07-14 16:29:55 +02:00
Zenju
7e8f1916d6
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
Closes #4100
2019-07-14 16:24:46 +02:00
Peter Simonyi
855887af79
http: allow overriding timecond with custom header
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
If-Modified-Since).  Allow this to be replaced or suppressed with
CURLOPT_HTTPHEADER.

Fixes #4103
Closes #4109
2019-07-14 16:17:15 +02:00
Juergen Hoetzel
ac3d19a26d smb: Use the correct error code for access denied on file open
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.

Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.

Closes https://github.com/curl/curl/pull/4095
2019-07-11 02:57:40 -04:00
Gisle Vanem
26da21c84a system_win32: fix clang warning
- Declare variable in header as extern.

Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
2019-07-11 02:27:04 -04:00
Daniel Gustafsson
11d7fe118d headers: Remove no longer exported functions
There were a leftover few prototypes of Curl_ functions that we used to
export but no longer do, this removes those prototypes and cleans up any
comments still referring to them.

Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free()
Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn()
were made static in 05b100aee2.
Curl_http_perhapsrewind() made static in 574aecee20.

For the remainder, I didn't trawl the Git logs hard enough to capture
their exact time of deletion, but they were all gone: Curl_splayprint(),
Curl_http2_send_request(), Curl_global_host_cache_dtor(),
Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(),
Curl_http_auth_stage() and Curl_close_connections().

Closes #4096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-07-10 19:26:40 +02:00
Daniel Gustafsson
efc55b8986 cleanup: fix typo in comment 2019-07-08 13:19:35 +02:00
Daniel Gustafsson
24e92a71d5 nss: support using libnss on macOS
The file suffix for dynamically loadable objects on macOS is .dylib,
which need to be added for the module definitions in order to get the
NSS TLS backend to work properly on macOS.

Closes https://github.com/curl/curl/pull/4046
2019-07-06 23:40:21 -04:00
Daniel Gustafsson
6717102503 nss: don't set unused parameter
The value of the maxPTDs parameter to PR_Init() has since at least
NSPR 2.1, which was released sometime in 1998, been marked ignored
as is accordingly not used in the initialization code.  Setting it
to a value when calling PR_Init() is thus benign, but indicates an
intent which may be misleading. Reset the value to zero to improve
clarity.

Closes https://github.com/curl/curl/pull/4054
2019-07-06 23:37:51 -04:00
Daniel Gustafsson
2028a1a977 nss: only cache valid CRL entries
Change the logic around such that we only keep CRLs that NSS actually
ended up caching around for later deletion.  If CERT_CacheCRL() fails
then there is little point in delaying the freeing of the CRL as it
is not used.

Closes https://github.com/curl/curl/pull/4053
2019-07-06 23:32:39 -04:00
Gergely Nagy
cf4255c847 lib: Use UTF-8 encoding in comments
Some editors and IDEs assume that source files use UTF-8 file encodings.
It also fixes the build with MSVC when /utf-8 command line option is
used (this option is mandatory for some other open-source projects, this
is useful when using the same options is desired for building all
libraries of a project).

Closes https://github.com/curl/curl/pull/4087
2019-07-06 23:25:20 -04:00
Jay Satiro
3609ab3147 docs: Fix links to OpenSSL docs
OpenSSL changed their manual locations and does not redirect to the new
locations.

Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
Reported-by: Daniel Stenberg
2019-06-30 17:16:28 -04:00
Daniel Stenberg
c40eb3220c
openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
UWP (with "VC-WIN32-UWP").

Reported-by: Vasily Lobaskin
Fixes #4073
Closes #4077
2019-06-26 07:59:46 +02:00
Daniel Stenberg
e4b5dd2987
win32: make DLL loading a no-op for UWP
Reported-by: Michael Brehm
Fixes #4060
Closes #4072
2019-06-25 20:33:07 +02:00
Daniel Gustafsson
b96282010e http: clarify header buffer size calculation
The header buffer size calculation can from static analysis seem to
overlow as it performs an addition between two size_t variables and
stores the result in a size_t variable. Overflow is however guarded
against elsewhere since the input to the addition is regulated by
the maximum read buffer size. Clarify this with a comment since the
question was asked.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-24 23:35:06 +02:00
Daniel Stenberg
265f7f42f6
http2: call done_sending on end of upload
To make sure a HTTP/2 stream registers the end of stream.

Bug #4043 made me find this problem but this fix doesn't correct the
reported issue.

Closes #4068
2019-06-24 23:11:37 +02:00
James Brown
d331227cf0
c-ares: honor port numbers in CURLOPT_DNS_SERVERS
By using ares_set_servers_ports_csv on new enough c-ares.

Fixes #4066
Closes #4067
2019-06-24 15:34:16 +02:00
Daniel Stenberg
e73b478246
multi: enable multiplexing by default (again)
It was originally made default in d7c4213bd0 (7.62.0) but mistakenly
reverted in commit 2f44e94efb (7.65.0). Now enabled again.

Closes #4051
2019-06-23 23:02:23 +02:00
Daniel Stenberg
c0c40ab075
http2: don't call stream-close on already closed streams
Closes #4055
2019-06-21 00:07:13 +02:00
Gisle Vanem
8f332e589b
system_win32: fix typo 2019-06-20 09:39:10 +02:00
Daniel Stenberg
21080e1828
configure: --disable-progress-meter
Builds libcurl without support for the built-in progress meter.

Closes #4023
2019-06-18 22:33:26 +02:00
Steve Holme
6c2f9bea70
netrc: Return the correct error code when out of memory
Introduced in 763c5178.

Closes #4036
2019-06-18 21:00:43 +01:00
Daniel Stenberg
7fb54ef89b
config-os400: add getpeername and getsockname defines
Reported-by: jonrumsey on github
Fixes #4037
Closes #4039
2019-06-18 16:42:51 +02:00
Gergely Nagy
6c2b7d44e3
openssl: fix pubkey/signature algorithm detection in certinfo
Certinfo gives the same result for all OpenSSL versions.
Also made printing RSA pubkeys consistent with older versions.

Reported-by: Michael Wallner
Fixes #3706
Closes #4030
2019-06-18 07:57:31 +02:00
Daniel Stenberg
755083d00d
conn_maxage: move the check to prune_dead_connections()
... and avoid the locking issue.

Reported-by: Kunal Ekawde
Fixes #4029
Closes #4032
2019-06-17 23:51:26 +02:00
Daniel Gustafsson
03a22a26c6 openssl: remove outdated comment
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
which is why we switched to CONF_modules_load_file() and introduced
a comment stating why. This behavior was however changed in OpenSSL
commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
outdated and incorrect comment. The mentioned commit also declares
OPENSSL_config() deprecated so keep the current coding.

Closes #4033
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-17 13:11:02 +02:00
Patrick Monnerat
ef8d98bbba os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.
Use it in curl_easy_setopt_ccsid().

Reported-by: jonrumsey on github
Fixes #3833
Closes #4028
2019-06-16 01:05:53 +02:00
Daniel Stenberg
6cc18c59a7
multi: fix the transfer hash function
Follow-up from 8b987cc7eb

Reported-by: Tom van der Woerdt
Fixes #4018
Closes #4024
2019-06-14 00:49:35 +02:00
Marcel Raad
74f911d463
krb5: fix compiler warning
Even though the variable was used in a DEBUGASSERT, GCC 8 warned in
debug mode:
krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable]

Just suppress the warning and declare the variable unconditionally
instead of only for DEBUGBUILD (which also missed the check for
HAVE_ASSERT_H).

Closes https://github.com/curl/curl/pull/4020
2019-06-13 11:08:53 +02:00
Daniel Stenberg
8b987cc7eb
multi: fix the transfer hashes in the socket hash entries
- The transfer hashes weren't using the correct keys so removing entries
  failed.

- Simplified the iteration logic over transfers sharing the same socket and
  they now simply are set to expire and thus get handled in the "regular"
  timer loop instead.

Reported-by: Tom van der Woerdt
Fixes #4012
Closes #4014
2019-06-12 12:31:23 +02:00
Cliff Crosland
f67009dd98 url: Fix CURLOPT_MAXAGE_CONN time comparison
Old connections are meant to expire from the connection cache after
CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x
that value. This occurs because a time value measured in milliseconds is
accidentally divided by 1M instead of by 1,000.

Closes https://github.com/curl/curl/pull/4013
2019-06-12 01:10:22 -04:00
Daniel Stenberg
ee6945c088
http2: remove CURL_DISABLE_TYPECHECK define
... in http2-less builds as it served no use.
2019-06-11 07:49:24 +02:00
Daniel Stenberg
342a0c7ddf
wolfssl: fix key pinning build error
follow-up from deb9462ff2
2019-06-11 07:46:04 +02:00
Daniel Stenberg
4da5794d81
wolfssl: fixup for SNI use
follow-up from deb9462ff2

Closes #4007
2019-06-10 13:04:53 +02:00
Daniel Stenberg
deb9462ff2
wolfssl: refer to it as wolfSSL only
Remove support for, references to and use of "cyaSSL" from the source
and docs. wolfSSL is the current name and there's no point in keeping
references to ancient history.

Assisted-by: Daniel Gustafsson

Closes #3903
2019-06-10 09:18:16 +02:00
Daniel Stenberg
1667d5599d
bindlocal: detect and avoid IP version mismatches in bind()
Reported-by: Alex Grebenschikov
Fixes #3993
Closes #4002
2019-06-10 08:01:50 +02:00
Daniel Stenberg
094b5f3540
multi: make sure 'data' can present in several sockhash entries
Since more than one socket can be used by each transfer at a given time,
each sockhash entry how has its own hash table with transfers using that
socket.

In addition, the sockhash entry can now be marked 'blocked = TRUE'"
which then makes the delete function just set 'removed = TRUE' instead
of removing it "for real", as a way to not rip out the carpet under the
feet of a parent function that iterates over the transfers of that same
sockhash entry.

Reported-by: Tom van der Woerdt
Fixes #3961
Fixes #3986
Fixes #3995
Fixes #4004
Closes #3997
2019-06-10 00:47:48 +02:00
Daniel Stenberg
680f141332
unpause: trigger a timeout for event-based transfers
... so that timeouts or other state machine actions get going again
after a changing pause state. For example, if the last delivery was
paused there's no pending socket activity.

Reported-by: sstruchtrup on github
Fixes #3994
Closes #4001
2019-06-09 18:33:59 +02:00
Marcel Raad
e23c52b329
build: fix Codacy warnings
Reduce variable scopes and remove redundant variable stores.

Closes https://github.com/curl/curl/pull/3975
2019-06-05 20:38:06 +02:00
Frank Gevaerts
660603141c
ssl: Update outdated "openssl-only" comments for supported backends
These are for features that used to be openssl-only but were expanded
over time to support other SSL backends.

Closes #3985
2019-06-04 20:25:12 +01:00
Sergey Ogryzkov
f9b60fb6f8
NTLM: reset proxy "multipass" state when CONNECT request is done
Closes #3972
2019-06-02 23:11:33 +02:00
Michael Kaufmann
2e5ceb3934
http: don't parse body-related headers bodyless responses
Responses with status codes 1xx, 204 or 304 don't have a response body. For
these, don't parse these headers:

- Content-Encoding
- Content-Length
- Content-Range
- Last-Modified
- Transfer-Encoding

This change ensures that HTTP/2 upgrades work even if a
"Content-Length: 0" or a "Transfer-Encoding: chunked" header is present.

Co-authored-by: Daniel Stenberg
Closes #3702
Fixes #3968
Closes #3977
2019-06-02 22:58:04 +02:00
Daniel Stenberg
c36f42839d
singlesocket: use separate variable for inner loop
An inner loop within the singlesocket() function wrongly re-used the
variable for the outer loop which then could cause an infinite
loop. Change to using a separate variable!

Reported-by: Eric Wu
Fixes #3970
Closes #3973
2019-06-01 10:41:15 +02:00
Josie Huddleston
1c0e9527ba
http2: Stop drain from being permanently set on
Various functions called within Curl_http2_done() can have the
side-effect of setting the Easy connection into drain mode (by calling
drain_this()).  However, the last time we unset this for a transfer (by
calling drained_transfer()) is at the beginning of Curl_http2_done().
If the Curl_easy is reused for another transfer, it is then stuck in
drain mode permanently, which in practice makes it unable to write any
data in the new transfer.

This fix moves the last call to drained_transfer() to later in
Curl_http2_done(), after the functions that could potentially call for a
drain.

Fixes #3966
Closes #3967
Reported-by: Josie-H
2019-05-30 00:26:20 +02:00
Steve Holme
bdf6d8af3e
conncache: Remove the DEBUGASSERT on length check
We trust the calling code as this is an internal function.

Closes #3962
2019-05-29 22:07:43 +01:00
Gisle Vanem
48b9ea4379 system_win32: fix function prototype
- Change if_nametoindex parameter type from char * to const char *.

Follow-up to 09eef8af from this morning.

Bug: https://github.com/curl/curl/commit/09eef8af#r33716067
2019-05-29 14:37:39 -04:00
Steve Holme
09eef8af18
url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
This fixes the static dependency on iphlpapi.lib and allows curl to
build for targets prior to Windows Vista.

This partially reverts 170bd047.

Fixes #3960
Closes #3958
2019-05-29 07:19:20 +01:00
Daniel Stenberg
5908009e31
http: fix "error: equality comparison with extraneous parentheses" 2019-05-29 08:17:08 +02:00
Daniel Stenberg
6961322f70
parse_proxy: make sure portptr is initialized
Reported-by: Benbuck Nason

fixes #3959
2019-05-28 23:50:49 +02:00
Daniel Stenberg
a6183ab23a
url: default conn->port to the same as conn->remote_port
... so that it has a sensible value when ConnectionExists() is called which
needs it set to differentiate host "bundles" correctly on port number!

Also, make conncache:hashkey() use correct port for bundles that are proxy vs
host connections.

Probably a regression from 7.62.0

Reported-by: Tom van der Woerdt
Fixes #3956
Closes #3957
2019-05-28 23:00:42 +02:00
Daniel Stenberg
2f11fbf208
conncache: make "bundles" per host name when doing proxy tunnels
Only HTTP proxy use where multiple host names can be used over the same
connection should use the proxy host name for bundles.

Reported-by: Tom van der Woerdt
Fixes #3951
Closes #3955
2019-05-28 16:23:59 +02:00
Daniel Stenberg
8581e1928e
multi: track users of a socket better
They need to be removed from the socket hash linked list with more care.

When sh_delentry() is called to remove a sockethash entry, remove all
individual transfers from the list first. To enable this, each Curl_easy struct
now stores a pointer to the sockethash entry to know how to remove itself.

Reported-by: Tom van der Woerdt and Kunal Ekawde

Fixes #3952
Fixes #3904
Closes #3953
2019-05-28 12:17:02 +02:00
Steve Holme
28526e9c80
curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
Microsoft added support for Unix Domain Sockets in Windows 10 1803
(RS4). Rather than expect the user to enable Unix Domain Sockets by
uncommenting the #define that was added in 0fd6221f we use the RS4
pre-processor variable that is present in newer versions of the
Windows SDK.

Closes #3939
2019-05-28 07:36:06 +01:00
Jonas Vautherin
5aa2347f22
cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
Closes #3945
2019-05-28 08:34:15 +02:00
Hubert Kario
319ae9075e nss: allow to specify TLS 1.3 ciphers if supported by NSS
Closes #3916
2019-05-27 09:04:09 +02:00
Jay Satiro
db8ec1fa38
Revert all SASL authzid (new feature) commits
- Revert all commits related to the SASL authzid feature since the next
  release will be a patch release, 7.65.1.

Prior to this change CURLOPT_SASL_AUTHZID  / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.

After the patch release after the reverted commits can be restored by
using cherry-pick:

git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

Details for all reverted commits:

Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

This reverts commit 0edf6907ae.

Revert "tests: Fix the line endings for the SASL alt-auth tests"

This reverts commit c2a8d52a13.

Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

This reverts commit 8c1cc369d0.

Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

This reverts commit a9499ff136.

Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

This reverts commit a14d72ca2f.
2019-05-25 23:36:11 +02:00
Daniel Stenberg
5c9b2e68a4
sectransp: handle errSSLPeerAuthCompleted from SSLRead()
Reported-by: smuellerDD on github
Fixes #3932
Closes #3933
2019-05-24 11:34:13 +02:00
Gisle Vanem
9d55e09cfe
Fix typo. 2019-05-24 09:05:28 +02:00
Daniel Stenberg
9ad313dcb8
md4: include the mbedtls config.h to get the MD4 info 2019-05-23 17:06:40 +02:00
Daniel Stenberg
0dc9a80199
md4: build correctly with openssl without MD4
Reported-by: elsamuko at github
Fixes #3921
Closes #3922
2019-05-23 17:06:29 +02:00
Zenju
170bd047f5
config-win32: add support for if_nametoindex and getsockname
Closes https://github.com/curl/curl/pull/3923
2019-05-23 11:10:28 +02:00
Daniel Stenberg
dc0a671213
url: fix bad #ifdef
Regression since e91e481612.

Reported-by: Tom Greenslade
Fixes #3924
Closes #3925
2019-05-23 09:06:48 +02:00
Daniel Stenberg
c6b5813723
Revert "progress: CURL_DISABLE_PROGRESS_METER"
This reverts commit 3b06e68b77.

Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT +
CURLOPT_LOW_SPEED_TIME

Reported-by: Dave Reisner

Fixes #3927
Closes #3928
2019-05-23 09:05:20 +02:00
Steve Holme
a14d72ca2f
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
2019-05-22 22:55:05 +01:00
Daniel Stenberg
269f7df0ae
PolarSSL: deprecate support step 1. Removed from configure.
Also removed mentions from most docs.

Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html

Closes #3888
2019-05-22 10:00:56 +02:00
Daniel Stenberg
c9c4f7b547
configure/cmake: check for if_nametoindex()
- adds the check to cmake

- fixes the configure check to work for cross-compiled windows builds

Closes #3917
2019-05-22 09:49:19 +02:00
Daniel Stenberg
12e564ca20
parse_proxy: use the IPv6 zone id if given
If the proxy string is given as an IPv6 numerical address with a zone
id, make sure to use that for the connect to the proxy.

Reported-by: Edmond Yu

Fixes #3482
Closes #3918
2019-05-22 09:45:43 +02:00
Daniel Stenberg
8fba2d6a6b
url: convert the zone id from a IPv6 URL to correct scope id
Reported-by: GitYuanQu on github
Fixes #3902
Closes #3914
2019-05-21 18:58:45 +02:00
Daniel Gustafsson
528b284e4b udpateconninfo: mark variable unused
When compiling without getpeername() or getsockname(), the sockfd
paramter to Curl_udpateconninfo() became unused after commit e91e481612
added ifdef guards.

Closes #3910
Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196
Reviewed-by: Marcel Raad, Daniel Stenberg
2019-05-21 09:42:22 +02:00
Daniel Gustafsson
8986d3c6f4 ftp: move ftp_ccc in under featureflag
Commit e91e481612 moved ftp_ccc in under
the FTP featureflag in the UserDefined struct, but vtls callsites were
still using it unprotected.

Closes #3912
Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-21 09:38:11 +02:00
Guy Poizat
0da8441298
mbedtls: enable use of EC keys
Closes #3892
2019-05-20 19:00:59 +02:00
Omar Ramadan
c454d7f3f4
urlapi: increase supported scheme length to 40 bytes
The longest currently registered URI scheme at IANA is 36 bytes long.

Closes #3905
Closes #3900
2019-05-20 15:27:02 +02:00
Marcel Raad
10db3ef21e
lib: reduce variable scopes
Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872
2019-05-20 08:51:11 +02:00
Marcel Raad
320cec284d
ssh: move variable declaration to where it's used
This way, we need only one call to free.

Closes https://github.com/curl/curl/pull/3873
2019-05-20 08:06:22 +02:00
Marcel Raad
c92a4debd2
ssh-libssh: remove unused variable
sock was only used to be assigned to fd_read.

Closes https://github.com/curl/curl/pull/3873
2019-05-20 08:06:05 +02:00
Daniel Stenberg
2576003415
tftp: use the current blksize for recvfrom()
bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436
2019-05-20 07:57:49 +02:00
Daniel Gustafsson
9a87fe704e version: make ssl_version buffer match for multi_ssl
When running a multi TLS backend build the version string needs more
buffer space. Make the internal ssl_buffer stack buffer match the one
in Curl_multissl_version() to allow for the longer string. For single
TLS backend builds there is no use in extended to buffer. This is a
fallout from #3863 which fixes up the multi_ssl string generation to
avoid a buffer overflow when the buffer is too small.

Closes #3875
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-05-19 22:06:26 +02:00
Steve Holme
7ca7f82ba7
http_ntlm_wb: Handle auth for only a single request
Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Missed in fe6049f0.
2019-05-18 19:01:11 +01:00
Steve Holme
2697d63363
http_ntlm_wb: Cleanup handshake after clean NTLM failure
Missed in 50b87c4e.
2019-05-18 19:01:10 +01:00
Steve Holme
bd21fc9d2f
http_ntlm_wb: Return the correct error on receiving an empty auth message
Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.

Closes #3894
2019-05-18 19:00:51 +01:00
Daniel Stenberg
e91e481612
libcurl: #ifdef away more code for disabled features/protocols 2019-05-17 23:24:34 +02:00
Daniel Stenberg
3b06e68b77
progress: CURL_DISABLE_PROGRESS_METER 2019-05-17 23:24:34 +02:00
Daniel Stenberg
3cfcdf08d8
hostip: CURL_DISABLE_SHUFFLE_DNS 2019-05-17 23:24:34 +02:00
Daniel Stenberg
1f8a584f6a
netrc: CURL_DISABLE_NETRC 2019-05-17 23:24:34 +02:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Steve Holme
fe20826b58
http_ntlm_wb: Move the type-2 message processing into a dedicated function
This brings the code inline with the other HTTP authentication mechanisms.

Closes #3890
2019-05-16 00:03:30 +01:00
Daniel Stenberg
ee68bbe29c
parse_proxy: use the URL parser API
As we treat a given proxy as a URL we should use the unified URL parser
to extract the parts out of it.

Closes #3878
2019-05-15 12:02:05 +02:00
Steve Holme
e832d1ef74
http_negotiate: Move the Negotiate state out of the negotiatedata structure
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

Closes #3882
2019-05-15 00:32:42 +01:00
Steve Holme
85bef18ca1
http_ntlm: Move the NTLM state out of the ntlmdata structure
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.
2019-05-15 00:31:45 +01:00
Steve Holme
0c73adfad3
url: Move the negotiate state type into a dedicated enum 2019-05-15 00:31:35 +01:00
Steve Holme
be9fd703e0
url: Remove duplicate clean up of the winbind variables in conn_shutdown()
Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior
to calling conn_shutdown() and it in turn performs this, there is no
need to perform the same action in conn_shutdown().

Closes #3881
2019-05-14 14:35:11 +01:00
Daniel Stenberg
9f9ec7da57
urlapi: require a non-zero host name length when parsing URL
Updated test 1560 to verify.

Closes #3880
2019-05-14 13:39:10 +02:00
Daniel Gustafsson
bd91e7f340 imap: Fix typo in comment 2019-05-14 12:38:23 +02:00
Steve Holme
b5d1de8e21
url: Remove unnecessary initialisation from allocate_conn()
No need to set variables to zero as calloc() does this for us.

Closes #3879
2019-05-14 09:48:16 +01:00
Daniel Gustafsson
b4bb920405 vtls: fix potential ssl_buffer stack overflow
In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
2019-05-13 20:27:50 +02:00
Daniel Stenberg
93c4de6974
pingpong: disable more when no pingpong enabled 2019-05-13 08:17:10 +02:00
Daniel Stenberg
6d32b72822
proxy: acknowledge DISABLE_PROXY more 2019-05-13 08:17:10 +02:00
Daniel Stenberg
b084616210
parsedate: CURL_DISABLE_PARSEDATE 2019-05-13 08:17:10 +02:00
Daniel Stenberg
e5b546b339
sasl: only enable if there's a protocol enabled using it 2019-05-13 08:17:10 +02:00
Daniel Stenberg
b95456f4e2
mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
Daniel Stenberg
0e2208ada6
wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
Daniel Stenberg
7c70a3b1ad
http: CURL_DISABLE_HTTP_AUTH 2019-05-13 08:17:09 +02:00
Daniel Stenberg
bf7303966e
base64: build conditionally if there are users 2019-05-13 08:17:09 +02:00
Daniel Stenberg
ae4adae954
doh: CURL_DISABLE_DOH 2019-05-13 08:17:09 +02:00
Steve Holme
52dfab65d6
auth: Rename the various authentication clean up functions
For consistency and to a avoid confusion.

Closes #3869
2019-05-12 18:37:00 +01:00
Marcel Raad
15fd9abfea
easy: fix another "clarify calculation precedence" warning
I missed this one in commit 6b3dde7fe6.
2019-05-12 13:36:45 +02:00
Marcel Raad
6b3dde7fe6
build: fix "clarify calculation precedence" warnings
Codacy/CppCheck warns about this. Consistently use parentheses as we
already do in some places to silence the warning.

Closes https://github.com/curl/curl/pull/3866
2019-05-12 09:31:09 +02:00
Steve Holme
407408f376
http_ntlm: Corrected the name of the include guard
Missed in f0bdd72c.

Closes #3867
2019-05-11 22:25:55 +01:00
Steve Holme
5c2aebe308
http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
Closes #3861
2019-05-11 17:23:32 +01:00
Steve Holme
fb243b0475
http_negotiate: Don't expose functions when HTTP is disabled 2019-05-11 17:23:27 +01:00
Daniel Stenberg
12d655d456
doh: disable DOH for the cases it doesn't work
Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Limitation added to KNOWN_BUGS.

Fixes #3850
Closes #3857
2019-05-11 11:38:58 +02:00
Steve Holme
0424605fc7 vauth: Fix incorrect function description for Curl_auth_user_contains_domain()
...and misalignment of these comments. From a78c61a4.

Closes #3860
2019-05-10 22:12:03 +01:00
Jay Satiro
d934059afd Revert "multi: support verbose conncache closure handle"
This reverts commit b0972bc.

- No longer show verbose output for the conncache closure handle.

The offending commit was added so that the conncache closure handle
would inherit verbose mode from the user's easy handle. (Note there is
no way for the user to set options for the closure handle which is why
that was necessary.) Other debug settings such as the debug function
were not also inherited since we determined that could lead to crashes
if the user's per-handle private data was used on an unexpected handle.

The reporter here says he has a debug function to capture the verbose
output, and does not expect or want any output to stderr; however
because the conncache closure handle does not inherit the debug function
the verbose output for that handle does go to stderr.

There are other plausible scenarios as well such as the user redirects
stderr on their handle, which is also not inherited since it could lead
to crashes when used on an unexpected handle.

Short of allowing the user to set options for the conncache closure
handle I don't think there's much we can safely do except no longer
inherit the verbose setting.

Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html
Reported-by: Kristoffer Gleditsch

Ref: https://github.com/curl/curl/pull/3598
Ref: https://github.com/curl/curl/pull/3618

Closes https://github.com/curl/curl/pull/3856
2019-05-10 15:01:57 -04:00
Steve Holme
e7a1bc8ee4 ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()
From 6012fa5a.

Closes #3858
2019-05-10 00:07:44 +01:00
Kamil Dudka
f4603708af http_negotiate: do not treat failure of gss_init_sec_context() as fatal
Fixes #3726
Closes #3849
2019-05-09 09:41:33 +02:00
Kamil Dudka
f65845c1ec spnego_gssapi: fix return code on gss_init_sec_context() failure
Fixes #3726
Closes #3849
2019-05-09 09:41:14 +02:00
Jay Satiro
b5901cab57 http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
- Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to
  the destination host.

We already do something similar for HTTPS proxies by not sending h2. [1]

Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would
incorrectly use HTTP/2 to talk to the proxy, which is not something we
support (yet?). Also it's debatable whether or not that setting should
apply to HTTP/2 proxies.

[1]: https://github.com/curl/curl/commit/17c5d05

Bug: https://github.com/curl/curl/issues/3570
Bug: https://github.com/curl/curl/issues/3832

Closes https://github.com/curl/curl/pull/3853
2019-05-08 22:50:41 -04:00
Ricky Leverence
3a03e59048
OpenSSL: Report -fips in version if OpenSSL is built with FIPS
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1

Closes #3771
2019-05-08 09:30:15 +02:00
Frank Gevaerts
191ffd0708 nss: allow fifos and character devices for certificates.
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.

I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.

Closes #3807
2019-05-07 17:23:02 +02:00
Daniel Stenberg
d37b0936d1
ssh: define USE_SSH if SSH is enabled (any backend)
Closes #3846
2019-05-06 10:14:17 +02:00
Daniel Stenberg
2d0e9b40d3
urlapi: add CURLUPART_ZONEID to set and get
The zoneid can be used with IPv6 numerical addresses.

Updated test 1560 to verify.

Closes #3834
2019-05-05 15:52:46 +02:00
Taiyu Len
0eec832603
WRITEFUNCTION: add missing set_in_callback around callback
Closes #3837
2019-05-05 11:09:30 +02:00
Daniel Stenberg
bdb2dbc103
urlapi: strip off scope id from numerical IPv6 addresses
... to make the host name "usable". Store the scope id and put it back
when extracting a URL out of it.

Also makes curl_url_set() syntax check CURLUPART_HOST.

Fixes #3817
Closes #3822
2019-05-03 12:17:22 +02:00
Daniel Stenberg
5c9487a30e
multiif.h: remove unused protos
... for functions related to pipelining. Those functions were removed in
2f44e94efb.

Closes #3828
2019-05-02 09:56:19 +02:00
Yiming Jing
6ab569ce0b
travis: upgrade the MesaLink TLS backend to v1.0.0
Closes #3823
Closes #3776
2019-05-01 23:25:05 +02:00
Daniel Stenberg
41fcdf71a1
ConnectionExists: improve non-multiplexing use case
- better log output

- make sure multiplex is enabled for it to be used
2019-05-01 22:51:23 +02:00
Daniel Stenberg
be6e281cf2
multi: provide Curl_multiuse_state to update information
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
5c8783d77f
process_pending_handles: mark queued transfers as previously pending
With transfers being queued up, we only move one at a a time back to the
CONNECT state but now we mark moved transfers so that when a moved
transfer is confirmed "successful" (it connected) it will trigger the
move of another pending transfer. Previously, it would otherwise wait
until the transfer was done before doing this. This makes queued up
pending transfers get processed (much) faster.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
c32248f17d
http: mark bundle as not for multiuse on < HTTP/2 response
Fixes #3813
Closes #3815
2019-05-01 22:51:23 +02:00
Daniel Gustafsson
b45fd8938e cookie: Guard against possible NULL ptr deref
In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-05-01 13:14:15 +02:00
Kamil Dudka
9e8f28a8f1 nss: provide more specific error messages on failed init
Closes #3808
2019-04-29 10:29:53 +02:00
Daniel Stenberg
5fc28510a4
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

Closes #3805
2019-04-29 08:02:44 +02:00
Simon Warta
dc5ac786d9
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
Closes https://github.com/curl/curl/pull/3769
2019-04-27 11:51:23 +02:00
Steve Holme
e7d3f65ab9 ntlm: Missed pre-processor || (or) during rebase for cd15acd0 2019-04-23 20:26:02 +01:00