1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 04:55:03 -05:00
Commit Graph

11077 Commits

Author SHA1 Message Date
Daniel Stenberg
f002c850d9
ftp: shut down the secondary connection properly when SSL is used
Reported-by: Neal Poole
Fixes #5340
Closes #5385
2020-05-15 08:28:55 +02:00
Marcel Raad
ffdddb45d9
curl_setup: support Unicode functions to open files on Windows
Use them only if `_UNICODE` is defined, in which case command-line
arguments have been converted to UTF-8.

Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:37 +02:00
Marcel Raad
9e5669f388
tool: support UTF-16 command line on Windows
- use `wmain` instead of `main` when `_UNICODE` is defined [0]
- define `argv_item_t` as `wchar_t *` in this case
- use the curl_multibyte gear to convert the command-line arguments to
  UTF-8

This makes it possible to pass parameters with characters outside of
the current locale on Windows, which is required for some tests, e.g.
the IDN tests. Out of the box, this currently only works with the
Visual Studio project files, which default to Unicode, and winbuild
with the `ENABLE_UNICODE` option.

[0] https://devblogs.microsoft.com/oldnewthing/?p=40643

Ref: https://github.com/curl/curl/issues/3747
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:36 +02:00
Marcel Raad
a55c835e6b
curl_multibyte: add to curlx
This will also be needed in the tool and tests.

Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:27 +02:00
Daniel Stenberg
600a8cded4
url: make the updated credentials URL-encoded in the URL
Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400
2020-05-14 17:59:47 +02:00
Major_Tom
8e762199b0
vauth/cleartext: fix theoretical integer overflow
Fix theoretical integer overflow in Curl_auth_create_plain_message.

The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.

Closes #5391
2020-05-14 08:36:35 +02:00
Daniel Stenberg
66b0775763
checksrc: enhance the ASTERISKSPACE and update code accordingly
Fine: "struct hello *world"

Not fine: "struct hello* world" (and variations)

Closes #5386
2020-05-14 00:02:05 +02:00
Daniel Stenberg
81a54b12c6
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
2020-05-13 16:39:36 +02:00
Daniel Stenberg
e1f3f3a14f
url: reject too long input when parsing credentials
Since input passed to libcurl with CURLOPT_USERPWD and
CURLOPT_PROXYUSERPWD circumvents the regular string length check we have
in Curl_setstropt(), the input length limit is enforced in
Curl_parse_login_details too, separately.

Reported-by: Thomas Bouzerar
Closes #5383
2020-05-13 08:02:42 +02:00
denzor
a9021716cc easy: fix dangling pointer on easy_perform fail
Closes https://github.com/curl/curl/pull/5363
2020-05-12 03:00:27 -04:00
Daniel Stenberg
db8866fad9
url: sort the protocol schemes in rough popularity order
When looking for a protocol match among supported schemes, check the
most "popular" schemes first. It has zero functionality difference and
for all practical purposes a speed difference will not be measureable
but it still think it makes sense to put the least likely matches last.

"Popularity" based on the 2019 user survey.

Closes #5377
2020-05-12 08:22:04 +02:00
Peter Wu
5d8c53d320
CMake: add ENABLE_ALT_SVC option
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting
(not tested).
2020-05-10 23:36:54 +02:00
Peter Wu
5bfc874a35
CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
Add three new CMake Find modules (using the curl license, but I grant
others the right to apply the CMake BSD license instead).

This CMake config is simpler than the autotools one because it assumes
ngtcp2 and nghttp3 to be used together. Another difference is that this
CMake config checks whether QUIC is actually supported by the TLS
library (patched OpenSSL or boringssl) since this can be a common
configuration mistake that could result in build errors later.

Unlike autotools, CMake does not warn you that the features are
experimental. The user is supposed to already know that and read the
documentation. It requires a very special build environment anyway.

Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from
current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure
out which features (libldap-2.4, libssh2) to disable due to conflicts
with boringssl.

Closes #5359
2020-05-10 23:36:41 +02:00
Daniel Stenberg
92501a12a2
checksrc: close the .checksrc file handle when done reading 2020-05-08 17:00:29 +02:00
Gilles Vollant
148534db57
CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)
Closes #4346
2020-05-08 15:55:04 +02:00
Daniel Stenberg
7f1c098728
urlapi: accept :: as a valid IPv6 address
Text 1560 is extended to verify.

Reported-by: Pavel Volgarev
Fixes #5344
Closes #5351
2020-05-08 08:47:29 +02:00
Peter Wang
1c341e2270
*_sspi: fix bad uses of CURLE_NOT_BUILT_IN
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other
instances of QuerySecurityPackageInfo failing, as in
commit 2a81439553.

Closes #5355
2020-05-08 08:37:56 +02:00
Daniel Stenberg
14c17a2b6e
ngtcp2: introduce qlog support
If the QLOGDIR environment variable is set, enable qlogging.

... and create Curl_qlogdir() in the new generic vquic/vquic.c file for
QUIC functions that are backend independent.

Closes #5353
2020-05-07 16:27:49 +02:00
Daniel Stenberg
2a81439553
ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN
That return code is reserved for build-time conditional code not being
present while this was a regular run-time error from a Windows API.

Reported-by: wangp on github
Fixes #5349
Closes #5350
2020-05-07 12:58:57 +02:00
Daniel Stenberg
54a2b63c70
http2: simplify and clean up trailer handling
Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in
ed35d6590e. This should make the trailer handling more straight forward and
hopefully less error-prone.

Deliver the trailer header to the callback already at receive-time. No
longer caches the trailers to get delivered at end of stream.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030
Closes #5348
2020-05-07 09:49:51 +02:00
Daniel Stenberg
44645ca8b0
libssh2: convert over to use dynbuf
In my very basic test that lists sftp://127.0.0.1/tmp/, this patched
code makes 161 allocations compared to 194 in git master. A 17%
reduction.

Closes #5336
2020-05-05 14:54:07 +02:00
Daniel Stenberg
80b9db1283
quiche: enable qlog output
quiche has the potential to log qlog files. To enable this, you must
build quiche with the qlog feature enabled `cargo build --features
qlog`. curl then passes a file descriptor to quiche, which takes
ownership of the file. The FD transfer only works on UNIX.

The convention is to enable logging when the QLOGDIR environment is
set. This should be a path to a folder where files are written with the
naming template <SCID>.qlog.

Co-authored-by: Lucas Pardue
Replaces #5337
Closes #5341
2020-05-05 14:50:33 +02:00
Daniel Stenberg
e0af243b61
urldata.h: remove #define HEADERSIZE, not used anymore
Follow-up to ed35d6590e
2020-05-04 16:53:05 +02:00
Daniel Stenberg
18815aa670
ngtcp2: convert to dynbuf
Closes #5335
2020-05-04 14:57:57 +02:00
Daniel Stenberg
7a86a25f5b
connect: make happy eyeballs work for QUIC (again)
Follow-up from dbd16c3e25 (regression in 7.70.0)

Closes #5334
2020-05-04 14:56:26 +02:00
Daniel Stenberg
d2dfa3e689
connect: add two asserts to clue code analyzers in a little 2020-05-04 11:03:29 +02:00
Daniel Stenberg
dae126ff12
http_proxy: ported to use dynbuf instead of a static size buffer
Removes a 16K static buffer from the easy handle. Simplifies the code.
2020-05-04 10:41:06 +02:00
Daniel Stenberg
ed35d6590e
dynbuf: introduce internal generic dynamic buffer functions
A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to them. Existing
functionality has been ported over.

In my early basic testing, the total number of allocations seem at
roughly the same amount as before, possibly a few less.

See docs/DYNBUF.md for a description of the API.

Closes #5300
2020-05-04 10:40:39 +02:00
Daniel Stenberg
59e351a572
asyn-*: remove support for never-used NULL entry pointers
... and instead convert those to asserts to make sure they are truly
never NULL.

Closes #5324
2020-05-03 22:48:04 +02:00
Jay Satiro
153d581b7f asyn-thread: fix cppcheck warning
- Check for NULL entry parameter before attempting to deref entry in
  Curl_resolver_is_resolved, like is already done in asyn-ares.

This is to silence cppcheck which does not seem to understand that
asyn-ares and asyn-thread have separate Curl_resolver_is_resolved
and those units are mutually exclusive. Prior to this change it warned
of a scenario where asyn-thread's Curl_resolver_is_resolved is called
with a NULL entry from asyn-ares, but that couldn't happen.

Reported-by: rl1987@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/5326
2020-05-02 15:03:39 -04:00
Jay Satiro
85eda4e87a select: fix overflow protection in Curl_socket_check
Follow-up to a96c752 which changed the timeout_ms type from time_t to
timediff_t.

Ref: https://github.com/curl/curl/pull/5240

Closes https://github.com/curl/curl/pull/5286
2020-05-02 15:02:20 -04:00
Daniel Stenberg
df2093d293
libssh2: set the expected total size in SCP upload init
... as otherwise the progress callback gets called without that
information, making the progress meter have less info.

Reported-by: Murugan Balraj
Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html
Closes #5317
2020-05-02 16:38:48 +02:00
Emil Engler
42d8d9a7e8
GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
Closes #5287
2020-04-30 14:40:54 +02:00
Daniel Stenberg
c069027139
conncache: various concept cleanups
More connection cache accesses are protected by locks.

CONNCACHE_* is a beter prefix for the connection cache lock macros.

Curl_attach_connnection: now called as soon as there's a connection
struct available and before the connection is added to the connection
cache.

Curl_disconnect: now assumes that the connection is already removed from
the connection cache.

Ref: #4915
Closes #5009
2020-04-30 14:27:54 +02:00
Daniel Stenberg
d39b4128d5
schannel: source code reindent
White space edits only. Conform better to standard curl source code
indenting style.

Closes #5305
2020-04-29 14:43:59 +02:00
Daniel Stenberg
6370e43153
headers: copyright range fix 2020-04-28 18:10:46 +02:00
Rikard Falkeborn
fc0e29dd57
doh: Constify some input pointers
Closes #5306
2020-04-28 07:56:34 +02:00
Daniel Stenberg
cad15b9f92
nss: check for PK11_CreateDigestContext() returning NULL
... to avoid crashes!

Reported-by: Hao Wu
Fixes #5302
Closes #5303
2020-04-27 16:25:59 +02:00
Daniel Stenberg
b7135f58f5
copyright updates: adjust year ranges 2020-04-26 23:59:22 +02:00
Daniel Stenberg
446fb0518b
smtp: set auth correctly
Regression since 7.69.0 and 68fb25fa3f.

The code wrongly assigned 'from' instead of 'auth' which probably was a
copy and paste mistake from other code, leading to that auth could
remain NULL and later cause an error to be returned.

Assisted-by: Eric Sauvageau
Fixes #5294
Closes #5295
2020-04-25 14:14:43 +02:00
Marcel Raad
6ad062ae71
lib: clean up whitespace
This fixes CodeFactor warnings.
2020-04-25 11:15:49 +02:00
Anderson Toshiyuki Sasaki
7bc709f670
libssh: avoid options override by configuration files
Previously, options set explicitly through command line options could be
overridden by the configuration files parsed automatically when
ssh_connect() was called.

By calling ssh_options_parse_config() explicitly, the configuration
files are parsed before setting the options, avoiding the options
override.  Once the configuration files are parsed, the automatic
configuration parsing is not executed.

Fixes #4972
Closes #5283
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-04-25 00:53:11 +02:00
Daniel Stenberg
a96c7529eb
select: make Curl_socket_check take timediff_t timeout
Coverity found CID 1461718:

Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".

Closes #5240
2020-04-23 15:57:23 +02:00
Jay Satiro
c0e139a60d transfer: Switch PUT to GET/HEAD on 303 redirect
Prior to this change if there was a 303 reply to a PUT request then
the subsequent request to respond to that redirect would also be a PUT.
It was determined that was most likely incorrect based on the language
of the RFCs. Basically 303 means "see other" resource, which implies it
is most likely not the same resource, therefore we should not try to PUT
to that different resource.

Refer to the discussions in #5237 and #5248 for more information.

Fixes https://github.com/curl/curl/issues/5237
Closes https://github.com/curl/curl/pull/5248
2020-04-22 17:56:17 -04:00
Daniel Stenberg
bffa116535
lib/mk-ca-bundle: skip empty certs
Reviewed-by: Emil Engler
Reported-by: Ashwin Metpalli
Fixes #5278
Closes #5280
2020-04-22 22:55:08 +02:00
Daniel Stenberg
3fdc4bdb5b
version: skip idn2_check_version() check and add precaution
A gcc-10's -fanalyze complaint made me spot and do these improvements.

Closes #5281
2020-04-22 22:52:32 +02:00
Emil Engler
2d137dedb3
GnuTLS: Don't skip really long certificate fields
Closes #5271
2020-04-21 08:10:55 +02:00
Daniel Stenberg
0891fe7ade
gnutls: bump lowest supported version to 3.1.10
GnuTLS 3.1.10 added new functions we want to use. That version was
released on Mar 22, 2013. Removing support for older versions also
greatly simplifies the code.

Ref: #5271
Closes #5276
2020-04-21 08:09:41 +02:00
Daniel Stenberg
10fece336f
mqtt: make NOSTATE get within the debug name array 2020-04-20 23:27:04 +02:00
Daniel Stenberg
093a9e0014
mqtt: remove code with no purpose
Detected by Coverity. CID 1462319.

"The same code is executed when the condition result is true or false,
because the code in the if-then branch and after the if statement is
identical."

Closes #5275
2020-04-20 22:35:48 +02:00