1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-05 09:05:04 -05:00
Commit Graph

1384 Commits

Author SHA1 Message Date
Alessandro Ghedini
03de4e4b21 connect: implement TCP Fast Open for Linux
Closes #660
2016-04-18 23:21:50 +02:00
Alessandro Ghedini
dc68f2dab9 url: add CURLOPT_TCP_FASTOPEN option 2016-04-18 23:17:19 +02:00
Michael Kaufmann
cd8d236245 news: CURLOPT_CONNECT_TO and --connect-to
Makes curl connect to the given host+port instead of the host+port found
in the URL.
2016-04-17 23:50:59 +02:00
Steve Holme
ccf7a82605 CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
As these two options provide identical functionality, the former for
SOCK5 proxies and the latter for HTTP proxies, merged the two options
together.

As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
7.49.0.
2016-04-09 20:47:05 +01:00
Steve Holme
5ee484c597 url: Ternary operator code style changes 2016-04-09 17:17:37 +01:00
Steve Holme
f044cbe6fc sasl: Fixed compilation errors from commit 9d89a0387
...when GSS-API or Windows SSPI are not used.
2016-04-09 05:57:10 +01:00
Steve Holme
43116218c0 url: Corrected comments following 9d89a0387 2016-04-09 05:33:03 +01:00
Steve Holme
39d68b47e1 http_negotiate: Calculate service name and proxy service name locally
Calculate the service name and proxy service names locally, rather than
in url.c which will allow for us to support overriding the service name
for other protocols such as FTP, IMAP, POP3 and SMTP.
2016-04-08 18:41:41 +01:00
Daniel Stenberg
a71012c03e code: style updates 2016-04-03 22:38:36 +02:00
Steve Holme
9a8aef1365 url: Corrected get protocol family for FTP and LDAP
Fixed copy/paste error from commit a5aec58726.
2016-04-01 07:24:39 +01:00
Daniel Stenberg
575e885db0 multi: turn Curl_done into file local multi_done
... as it now is used by multi.c only.
2016-03-30 07:52:28 +02:00
Daniel Stenberg
6b61d8160d multi: move Curl_do and Curl_do_done to multi.c and make static
... called multi_do and multi_do_done as they're file local now.
2016-03-30 07:52:28 +02:00
Steve Holme
f0bdd72c10 http_ntlm: Renamed from curl_ntlm.[c|h]
Renamed the header and source files for this module as they are HTTP
specific and as such, they should use the naming convention as other
HTTP authentication source files do - this revert commit 260ee6b7bf.

Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
code needs separating from the HTTP protocol and migrating into the
vauth directory, thus adding support for Winbind to the SASL based
protocols such as IMAP, POP3 and SMTP.
2016-03-27 17:58:50 +01:00
Jay Satiro
3d144ab99b url: don't use bad offset in tld_check_name to show error
libidn's tld_check_lz returns an error offset of the first character
that it failed to process, however that offset is not a byte offset and
may not even be in the locale encoding therefore we can't use it to show
the user the character that failed to process.

Bug: https://github.com/curl/curl/issues/731
Reported-by: Karlson2k
2016-03-26 14:41:35 -04:00
Steve Holme
06ccaa0c68 url: Corrected indentation when calling idna_to_ascii_lz() 2016-03-11 07:46:09 +00:00
Steve Holme
58e4a06743 idn_win32: Use boolean based success codes
Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
based success code.
2016-03-11 07:24:39 +00:00
Daniel Stenberg
549b1a433a url.c: fix clang warning: no newline at end of file 2016-03-10 09:36:49 +01:00
Steve Holme
a5aec58726 imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
Regression since commit 710f14edba.

Bug: https://github.com/curl/curl/issues/422
Reported-by: Justin Ehlert
2016-03-08 19:36:46 +00:00
Anders Bakken
46bf7ff78d pipeline: Sanity check pipeline pointer before accessing it.
I got a crash with this stack:

curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
curl/lib/multi.c:561 (curl_multi_remove_handle)
curl/lib/url.c:415 (Curl_close)
curl/lib/easy.c:859 (curl_easy_cleanup)

Closes #704
2016-03-08 00:25:53 +01:00
Anders Bakken
3c2ef2a610 url: if Curl_done is premature then pipeline not in use
Prevent a crash if 2 (or more) requests are made to the same host and
pipelining is enabled and the connection does not complete.

Bug: https://github.com/curl/curl/pull/690
2016-03-01 18:55:04 -05:00
Michael Koenig
9dc3eaee29 TFTP: add option to suppress TFTP option requests (Part 1)
Some TFTP server implementations ignore the "TFTP Option extension"
(RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
problems with libcurl. Another switch for curl_easy_setopt
"CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
sending TFTP option requests to a server, avoiding many problems caused
by faulty implementations.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:00:58 -05:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Isaac Boukris
d41dcba4e9 NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26 23:42:55 +01:00
Daniel Stenberg
13b6d3b7dd ConnectionExists: only do pipelining/multiplexing when asked
When an HTTP/2 upgrade request fails (no protocol switch), it would
previously detect that as still possible to pipeline on (which is
acorrect) and do that when PIPEWAIT was enabled even if pipelining was
not explictily enabled.

It should only pipelined if explicitly asked to.

Closes #584
2016-01-11 23:55:13 +01:00
Mohammad AlSaleh
3d209b5fb0 lib: Prefix URLs with lower-case protocol names/schemes
Before this patch, if a URL does not start with the protocol
name/scheme, effective URLs would be prefixed with upper-case protocol
names/schemes. This behavior might not be expected by library users or
end users.

For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
URL is "hostname/path". The effective URL would be
"HTTPS://hostname/path" instead of "https://hostname/path".

After this patch, effective URLs would be prefixed with a lower-case
protocol name/scheme.

Closes #597

Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11 23:38:42 +01:00
Michael Kaufmann
5d7c9379ef IDN host names: Remove the port number before converting to ACE
Closes #596
2016-01-11 00:11:28 +01:00
Tatsuhiro Tsujikawa
5da7461a55 url: Fix compile error with --enable-werror 2016-01-09 02:26:23 -05:00
Daniel Stenberg
c338d8cf9c Revert "multiplex: allow only once HTTP/2 is actually used"
This reverts commit 46cb70e9fa.

Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
2016-01-08 14:39:54 +01:00
Michael Kaufmann
d9b4d1ce20 connection reuse: IDN host names fixed
Use the ACE form of IDN hostnames as key in the connection cache.  Add
new tests.

Closes #592
2016-01-08 00:19:46 +01:00
Daniel Stenberg
a2cae9aafd ConnectionExists: add missing newline in infof() call
Mistake from commit a464f33843
2016-01-06 00:54:49 +01:00
Daniel Stenberg
46cb70e9fa multiplex: allow only once HTTP/2 is actually used
To make sure curl doesn't allow multiplexing before a connection is
upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
connection uses HTTP/2 as well and not only check what's wanted.

Closes #584

Patch-by: c0ff
2016-01-06 00:54:49 +01:00
Anders Bakken
a464f33843 ConnectionExists: with *PIPEWAIT, wait for connections
Try harder to prevent libcurl from opening up an additional socket when
CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
handshakes complete first before the decision is made.

Closes #575
2015-12-23 10:20:37 +01:00
Anders Bakken
8fbaf6749a setstropt: const-correctness
Closes #565
2015-12-14 23:14:39 +01:00
Daniel Stenberg
4bcc532de5 http: add libcurl option to allow HTTP/2 for HTTPS only
... and stick to 1.1 for HTTP. This is in line with what browsers do and
should have very little risk.
2015-12-13 09:24:51 +01:00
Daniel Stenberg
40c349ada9 done: make sure the final progress update is made
It would previously be skipped if an existing error was returned, but
would lead to a previous value being left there and later used.
CURLINFO_TOTAL_TIME for example.

Still it avoids that final progress update if we reached DONE as the
result of a callback abort to avoid another callback to be called after
an abort-by-callback.

Reported-by: Lukas Ruzicka

Closes #538
2015-11-24 20:49:04 +01:00
Daniel Stenberg
c341311a0e Revert "cleanup: general removal of TODO (and similar) comments"
This reverts commit 64e959ffe3.

Feedback-by: Dan Fandrich
URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-24 09:36:45 +01:00
Daniel Stenberg
64e959ffe3 cleanup: general removal of TODO (and similar) comments
They tend to never get updated anyway so they're frequently inaccurate
and we never go back to revisit them anyway. We document issues to work
on properly in KNOWN_BUGS and TODO instead.
2015-11-13 16:15:26 +01:00
Steve Holme
eaa98cef8d oauth2: Don't use XOAUTH2 in OAuth 2.0 variables 2015-11-09 22:25:08 +00:00
Steve Holme
4e3d396900 oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
When referring to OAuth 2.0 we should use the official name rather the
SASL mechanism name.
2015-11-09 22:25:08 +00:00
Daniel Stenberg
d31ed6ac71 http2: s/priority/weight 2015-10-23 08:22:38 +02:00
Daniel Stenberg
3042cb5043 http2: added three stream prio/deps options
CURLOPT_STREAM_DEPENDS

CURLOPT_STREAM_DEPENDS_E

CURLOPT_STREAM_PRIORITY
2015-10-23 08:22:38 +02:00
Daniel Stenberg
c6aedf680f fread_func: move callback pointer from set to state struct
... and assign it from the set.fread_func_set pointer in the
Curl_init_CONNECT function. This A) avoids that we have code that
assigns fields in the 'set' struct (which we always knew was bad) and
more importantly B) it makes it impossibly to accidentally leave the
wrong value for when the handle is re-used etc.

Introducing a state-init functionality in multi.c, so that we can set a
specific function to get called when we enter a state. The
Curl_init_CONNECT is thus called when switching to the CONNECT state.

Bug: https://github.com/bagder/curl/issues/346

Closes #346
2015-10-15 23:32:19 +02:00
Isaac Boukris
f65e07ca59 NTLM: Reset auth-done when using a fresh connection
With NTLM a new connection will always require authentication.
Fixes #435
2015-09-19 23:21:05 +02:00
Daniel Stenberg
87e533ace0 parse_proxy: reject illegal port numbers
If the port number in the proxy string ended weirdly or the number is
too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
numerical address is used without enclosing brackets.

Also mention the bracket requirement for IPv6 numerical addresses to the
man page for CURLOPT_PROXY.

Closes #415

Reported-by: Marcel Raad
2015-09-08 15:17:00 +02:00
Nathaniel Waisbrot
9756d1da76 CURLOPT_DEFAULT_PROTOCOL: added
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.
2015-08-22 21:57:14 -04:00
Jay Satiro
172b2beba6 SSL: Add an option to disable certificate revocation checks
New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-17 02:40:16 -04:00
Daniel Stenberg
e9f0dd43bc http2: init the pushed transfer properly 2015-06-24 23:44:42 +02:00
Daniel Stenberg
817323ed82 parse_proxy: switch off tunneling if non-HTTP proxy
non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL

Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html
Reported-by: Sean Boudreau
2015-05-22 16:19:53 +02:00
Daniel Stenberg
b0143a2a33 read_callback: move to SessionHandle from connectdata
With many easy handles using the same connection for multiplexing, it is
important we store and keep the transfer-oriented stuff in the
SessionHandle so that callbacks and callback data work fine even when
many easy handles share the same physical connection.
2015-05-20 23:06:45 +02:00
Daniel Stenberg
155b1f5df9 http2: fix build when NOT h2-enabled 2015-05-18 14:09:32 +02:00
Daniel Stenberg
d6f1c74330 pipeline: switch some code over to functions
... to "compartmentalize" a bit and make it easier to change behavior
when multiplexing is used instead of good old pipelining.
2015-05-18 09:33:47 +02:00
Daniel Stenberg
811443754a CURLOPT_PIPEWAIT: added
By setting this option to 1 libcurl will wait for a connection to reveal
if it is possible to pipeline/multiplex on before it continues.
2015-05-18 09:33:47 +02:00
Daniel Stenberg
193251794a IsPipeliningPossible: fixed for http2 2015-05-18 09:33:47 +02:00
Daniel Stenberg
5871affc7a http2: remove the stream from the hash in stream_close callback
... and suddenly things work much better!
2015-05-18 09:33:47 +02:00
Daniel Stenberg
72105ebf05 http2: set default concurrency, fix ConnectionExists for multiplex 2015-05-18 09:33:47 +02:00
Daniel Stenberg
38bd6bf0bb bundles: store no/default/pipeline/multiplex
to allow code to act differently on the situation.

Also added some more info message for the connection re-use function to
make it clearer when connections are not re-used.
2015-05-18 09:33:36 +02:00
Daniel Stenberg
783b3c7b42 http2: separate multiplex/pipelining + cleanup memory leaks 2015-05-18 08:57:18 +02:00
Daniel Stenberg
02ec1ced9b CURLMOPT_PIPELINE: bit 1 is for multiplexing 2015-05-18 08:57:18 +02:00
Daniel Stenberg
591a6933da pipeline: move function to pipeline.c and make static
... as it was only used from there.
2015-05-18 08:57:18 +02:00
Daniel Stenberg
e91aedd840 IsPipeliningPossible: http2 can always "pipeline" (multiplex) 2015-05-18 08:57:18 +02:00
Daniel Stenberg
01e1bdb10c http2: force "drainage" of streams
... which is necessary since the socket won't be readable but there is
data waiting in the buffer.
2015-05-18 08:57:17 +02:00
Daniel Stenberg
7bbac214f5 http2: move the mem+len pair to the stream struct 2015-05-18 08:57:17 +02:00
Daniel Stenberg
fd137786e5 bundles: merged into conncache.c
All the existing Curl_bundle* functions were only ever used from within
the conncache.c file, so I moved them over and made them static (and
removed the Curl_ prefix).
2015-05-12 23:21:33 +02:00
Daniel Stenberg
b419e7ae0c hostcache: made all host caches use structs, not pointers
This avoids unnecessary dynamic allocs and as this also removed the last
users of *hash_alloc() and *hash_destroy(), those two functions are now
removed.
2015-05-12 09:46:53 +02:00
Daniel Stenberg
640296c95d connection cache: avoid Curl_hash_alloc()
... by using plain structs instead of pointers for the connection cache,
we can avoid several dynamic allocations that weren't necessary.
2015-05-12 09:15:02 +02:00
Daniel Stenberg
6ba2e88a64 CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.

Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
2015-04-28 21:02:37 +02:00
Linus Nielsen
97c272e5d1 Negotiate: custom service names for SPNEGO.
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
2015-04-28 08:29:56 +02:00
Daniel Stenberg
09a31fabe4 ConnectionExists: call it multi-use instead of pipelining
So that it fits HTTP/2 as well
2015-04-27 22:54:34 +02:00
Daniel Stenberg
85c45d153b connectionexists: follow-up to fd9d3a1ef1
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.

Mistake-caught-by: Kamil Dudka
2015-04-22 13:59:04 +02:00
Daniel Stenberg
fd9d3a1ef1 connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!

bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
2015-04-22 13:32:45 +02:00
Daniel Stenberg
0583e87ada fix_hostname: zero length host name caused -1 index offset
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
2015-04-21 23:20:36 +02:00
Daniel Stenberg
31be461c6b ConnectionExists: for NTLM re-use, require credentials to match
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
2015-04-21 23:20:36 +02:00
Jay Satiro
488102fc17 url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is defined 2015-03-27 09:31:30 +01:00
Daniel Stenberg
5d23279299 CURLOPT_PATH_AS_IS: added
--path-as-is is the command line option

Added docs in curl.1 and CURLOPT_PATH_AS_IS.3

Added test in test 1241
2015-03-24 10:31:58 +01:00
Alessandro Ghedini
4dcd25e138 url: add CURLOPT_SSL_FALSESTART option
This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.
2015-03-20 20:14:33 +01:00
Daniel Stenberg
9395999543 checksrc: use space after comma 2015-03-17 13:57:37 +01:00
Daniel Stenberg
0f4a03cbb6 free: instead of Curl_safefree()
Since we just started make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.
2015-03-16 15:01:15 +01:00
Markus Elfring
9e661601fe Bug #149: Deletion of unnecessary checks before a few calls of cURL functions
The following functions return immediately if a null pointer was passed.
* Curl_cookie_cleanup
* curl_formfree

It is therefore not needed that a function caller repeats a corresponding check.

This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-16 12:13:56 +01:00
Markus Elfring
29c655c0a6 Bug #149: Deletion of unnecessary checks before calls of the function "free"
The function "free" is documented in the way that no action shall occur for
a passed null pointer. It is therefore not needed that a function caller
repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first

This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-16 12:13:56 +01:00
Daniel Stenberg
852d35b6ea proxy: re-use proxy connections (regression)
When checking for a connection to re-use, a proxy-using request must
check for and use a proxy connection and not one based on the host
name!

Added test 1421 to verify

Bug: http://curl.haxx.se/bug/view.cgi?id=1492
2015-03-11 11:54:22 +01:00
Daniel Stenberg
df5578a7a3 mprintf.h: remove #ifdef CURLDEBUG
... and as a consequence, introduce curl_printf.h with that re-define
magic instead and make all libcurl code use that instead.
2015-03-03 12:36:18 +01:00
Julian Ospald
90314100e0 configure: allow both --with-ca-bundle and --with-ca-path
SSL_CTX_load_verify_locations by default (and if given non-Null
parameters) searches the CAfile first and falls back to CApath.  This
allows for CAfile to be a basis (e.g. installed by the package manager)
and CApath to be a user configured directory.

This wasn't reflected by the previous configure constraint which this
patch fixes.

Bug: https://github.com/bagder/curl/pull/139
2015-02-20 16:30:04 +01:00
Alessandro Ghedini
3af90a6e19 url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
2015-01-16 23:23:29 +01:00
Daniel Stenberg
178bd7db34 url-parsing: reject CRLFs within URLs
Bug: http://curl.haxx.se/docs/adv_20150108B.html
Reported-by: Andrey Labunets
2015-01-07 22:55:56 +01:00
Steve Holme
1abe65d928 code/docs: Use Unix rather than UNIX to avoid use of the trademark
Use Unix when generically writing about Unix based systems as UNIX is
the trademark and should only be used in a particular product's name.
2014-12-26 21:42:44 +00:00
Kyle J. McKay
14c3601583 parseurlandfillconn(): fix improper non-numeric scope_id stripping.
Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
2014-12-17 15:52:07 +01:00
Patrick Monnerat
9081014c2c IPV6: address scope != scope id
There was a confusion between these: this commit tries to disambiguate them.
- Scope can be computed from the address itself.
- Scope id is scope dependent: it is currently defined as 1-based local
  interface index for link-local scoped addresses, and as a site index(?) for
  (obsolete) site-local addresses. Linux only supports it for link-local
  addresses.
The URL parser properly parses a scope id as an interface index, but stores it
in a field named "scope": confusion. The field has been renamed into "scope_id".
Curl_if2ip() used the scope id as it was a scope. This caused failures
to bind to an interface.
Scope is now computed from the addresses and Curl_if2ip() matches them.
If redundantly specified in the URL, scope id is check for mismatch with
the interface index.

This commit should fix SF bug #1451.
2014-12-16 13:52:06 +01:00
Steve Holme
24b30d259c smb: Disable SMB when 64-bit integers are not supported
This fixes compilation issues with compilers that don't support 64-bit
integers through long long or __int64.
2014-12-12 22:34:18 +00:00
Steve Holme
0da4524a22 url.c: Fixed compilation warning when USE_NTLM is not defined
url.c:3078: warning: variable 'credentialsMatch' set but not used
2014-12-10 11:57:11 +00:00
Dan Fandrich
41f1f6e830 cookies: Improved OOM handling in cookies
This fixes the test 506 torture test. The internal cookie API really
ought to be improved to separate cookie parsing errors (which may be
ignored) with OOM errors (which should be fatal).
2014-12-09 23:58:30 +01:00
Steve Holme
dcd484a238 smb: Fixed Windows autoconf builds following commit eb88d778e7
As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO
either explicitly through --enable-win32-cypto or automatically on
_WIN32 based platforms, subsequent builds broke with the following
error message:

"Can't compile NTLM support without a crypto library."
2014-12-07 20:47:54 +00:00
Bill Nagel
526603ff05 smb: Build with SSPI enabled
Build SMB/CIFS protocol support when SSPI is enabled.
2014-12-07 18:36:23 +00:00
Anthon Pang
1b3a398ec1 docs: Fix FAILONERROR typos
It returns error for >= 400 HTTP responses.

Bug: https://github.com/bagder/curl/pull/129
2014-12-04 12:14:59 -08:00
Peter Wu
970c22f970 libcurl: add UNIX domain sockets support
The ability to do HTTP requests over a UNIX domain socket has been
requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
discussion happened, no patch seems to get through. I decided to give it
a go since I need to test a nginx HTTP server which listens on a UNIX
domain socket.

One patch [3] seems to make it possible to use the
CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
Another person wrote a Go program which can do HTTP over a UNIX socket
for Docker[4] which uses a special URL scheme (though the name contains
cURL, it has no relation to the cURL library).

This patch considers support for UNIX domain sockets at the same level
as HTTP proxies / IPv6, it acts as an intermediate socket provider and
not as a separate protocol. Since this feature affects network
operations, a new feature flag was added ("unix-sockets") with a
corresponding CURL_VERSION_UNIX_SOCKETS macro.

A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
option enables UNIX domain sockets support for all requests on the
handle (replacing IP sockets and skipping proxies).

A new configure option (--enable-unix-sockets) and CMake option
(ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
deliberately did not mark this feature as advanced, this is a
feature/component that should easily be available.

 [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
 [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
 [2]: http://sourceforge.net/p/curl/feature-requests/53/
 [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
 [4]: https://github.com/Soulou/curl-unix-socket

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-12-04 02:52:19 +01:00
Steve Holme
ce2d84b3bb libcurl: Exclude SMB from the protocol redirect
As local files could be accessed through \\localhost\c$.
2014-11-30 20:42:05 +00:00
Bill Nagel
6f2419342f libcurl: Enable support for the SMB protocol
This patch enables SMB/CIFS support in libcurl.
2014-11-30 20:25:28 +00:00
Steve Holme
520dc64369 build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is defined
USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
cryptography weren't disabled, and either a supporting cryptography
library or Windows SSPI was being compiled against.

This means it was not possible to build libcurl without HTTP support
and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
than introduce a new SASL pre-processor definition, removed the HTTP
prerequisite just like USE_SPNEGO and USE_KRB5.

Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
as it is only available to HTTP at present.

This bug dates back to August 2011 when I started to add support for
NTLM to SMTP.
2014-11-09 12:54:34 +00:00
Steve Holme
e8cea8d70f url.c: Fixed compilation warning
conversion from 'curl_off_t' to 'size_t', possible loss of data
2014-11-05 12:42:35 +00:00
Daniel Stenberg
b387560692 curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.

Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.

Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
2014-11-05 08:05:14 +01:00
Steve Holme
3fe5b462f7 ntlm: Only define ntlm data structure when USE_NTLM is defined 2014-10-25 22:36:49 +01:00
Daniel Stenberg
fb6e8a5aa4 url.c: use 'CURLcode result' 2014-10-24 08:51:04 +02:00
Daniel Stenberg
0eb3d15ccb code cleanup: we prefer 'CURLcode result'
... for the local variable name in functions holding the return
code. Using the same name universally makes code easier to read and
follow.

Also, unify code for checking for CURLcode errors with:

 if(result) or if(!result)

instead of

 if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-24 08:23:19 +02:00
93e450793c SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
2014-10-07 14:44:19 +02:00
Daniel Stenberg
a60825fa96 parse_proxy: remove dead code.
Coverity CID 982331.
2014-10-03 23:51:19 +02:00
Daniel Stenberg
b85c625d83 detect_proxy: fix possible single-byte memory leak
Coverity CID 1202836. If the proxy environment variable returned an empty
string, it would be leaked. While an empty string is not really a proxy, other
logic in this function already allows a blank string to be returned so allow
that here to avoid the leak.
2014-10-02 23:31:01 +02:00
Yousuke Kimoto
b10a838a7a CURLOPT_COOKIELIST: Added "RELOAD" command 2014-09-25 16:28:17 +02:00
Daniel Stenberg
d57d041d67 curlssl: make tls backend symbols use curlssl in the name 2014-09-13 15:31:12 +02:00
Daniel Stenberg
4c2e40a488 url: let the backend decide CURLOPT_SSL_CTX_ support
... to further remove specific TLS backend knowledge from url.c
2014-09-13 15:28:08 +02:00
Daniel Stenberg
7494f0f498 vtls: have the backend tell if it supports CERTINFO 2014-09-13 15:11:26 +02:00
Daniel Stenberg
8250f93d41 CURLOPT_CAPATH: return failure if set without backend support 2014-09-13 14:56:27 +02:00
Steve Holme
21db158722 url.c: Use CURLAUTH_NONE constant rather than 0
Small follow up to commit 898808fa8c to use auth constants rather than
hard code value when clearing picked authentication mechanism.
2014-09-06 22:23:54 +01:00
Daniel Stenberg
898808fa8c disconnect: don't touch easy-related state on disconnects
This was done to make sure NTLM state that is bound to a connection
doesn't survive and gets used for the subsequent request - but
disconnects can also be done to for example make room in the connection
cache and thus that connection is not strictly related to the easy
handle's current operation.

The http authentication state is still kept in the easy handle since all
http auth _except_ NTLM is connection independent and thus survive over
multiple connections.

Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
Reported-by: Paras S
2014-08-25 09:17:57 +02:00
Frank Meier
63a0bd4270 NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed
since NTLM requires multiple requests that re-use the same connection
for the authentication to work

Solution: Ignore the forbid reuse flag in case the NTLM authentication
handshake is in progress, according to the NTLM state flag.

Fixed known bug #77.
2014-08-22 16:05:31 +02:00
Daniel Stenberg
30f2d0c0b3 Curl_disconnect: don't free the URL
The URL is not a property of the connection so it should not be freed in
the connection disconnect but in the Curl_close() that frees the easy
handle.

Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html
Reported-by: Paras S
2014-08-20 16:37:01 +02:00
Frank Meier
01368d395c create_conn: prune dead connections
Bringing back the old functionality that was mistakenly removed when the
connection cache was remade. When creating a new connection, all the
existing ones are checked and those that are known to be dead get
disconnected for real and removed from the connection cache. It helps
the cache from holding on to very many stale connections and aids in
keeping down the number of system sockets in wait states.

Help-by: Jonatan Vela <jonatan.vela@ergon.ch>

Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html
2014-08-12 23:33:56 +02:00
Daniel Stenberg
5b22c47ca9 findprotocol: show unsupported protocol within quotes
... to aid when for example prefixed with a space or other weird
character.
2014-07-23 18:17:16 +02:00
Michael Osipov
eed1c63c70 docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
Michael Osipov
e38ba43014 curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- CURL_VERSION_GSSNEGOTIATE is deprecated which
  is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
  CURUL_VERSION_SPNEGO now.
- Remove display of feature 'GSS-Negotiate'
2014-07-23 00:01:39 +02:00
Marcel Raad
d242839af8 url.c: use the preferred symbol name: *READDATA
with CURL_NO_OLDIES defined, it doesn't compile because this deprecated
symbol (*INFILE) is used

Bug: http://curl.haxx.se/bug/view.cgi?id=1398
2014-07-22 11:27:51 +02:00
Yousuke Kimoto
aa68848451 cookie: avoid mutex deadlock
... by removing the extra mutex locks around th call to
Curl_flush_cookies() which takes care of the locking itself already.

Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
2014-07-15 23:50:56 +02:00
Dan Fandrich
1cef8f0bc3 url.c: Fixed memory leak on OOM
This showed itself on some systems with torture failures
in tests 1060 and 1061
2014-07-09 23:55:12 +02:00
Dan Fandrich
3ae2b6cd7f Update instances of some obsolete CURLOPTs to their new names 2014-07-05 22:47:13 +02:00
Marcel Raad
8ffe6f5b57 compiler warnings: potentially uninitialized variables
... pointed out by MSVC2013

Bug: http://curl.haxx.se/bug/view.cgi?id=1391
2014-07-05 01:42:10 +02:00
Ray Satiro
907520c4b9 progress callback: skip last callback update on errors
When an error has been detected, skip the final forced call to the
progress callback by making sure to pass the current return code
variable in the Curl_done() call in the CURLM_STATE_DONE state.

This avoids the "extra" callback that could occur even if you returned
error from the progress callback.

Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
Reported by: Jonathan Cardoso Machado
2014-07-02 23:53:25 +02:00
Lindley French
964e43c5e2 conncache: move the connection counter to the cache struct
The static connection counter caused a race condition. Moving the
connection id counter into conncache solves it, as well as simplifying
the related logic.
2014-06-13 15:05:24 +02:00
Daniel Stenberg
1b89456509 url-parser: only use if_nametoindex if detected by configure
The previous #ifdef detection wasn't good enough.

Bug: http://curl.haxx.se/mail/lib-2014-05/0260.html
Reported-by: Chris Young
2014-05-26 22:10:15 +02:00
Daniel Stenberg
ac6da721a3 curl_easy_reset: reset the URL
Make sure that the URL is reset and cleared.

Bug: http://curl.haxx.se/mail/lib-2014-05/0235.html
Reported-by: Jonathan Cardoso Machado
2014-05-24 19:06:11 +02:00
Daniel Stenberg
df13f8e8c2 bits.close: introduce connection close tracking
Make all code use connclose() and connkeep() when changing the "close
state" for a connection. These two macros take a string argument with an
explanation, and debug builds of curl will include that in the debug
output. Helps tracking connection re-use/close issues.
2014-05-22 00:34:10 +02:00
Steve Holme
6f8085ca77 url.c: Fixed compilation warning/error
Depending on compiler line 3505 could generate the following warning or
error:

* warning: ISO C90 forbids mixed declarations and code
* A declaration cannot appear after an executable statement in a block
* error C2275: 'size_t' : illegal use of this type as an expression
2014-05-07 10:55:19 +01:00
Daniel Stenberg
5de8d84098 fix_hostname: strip off a single trailing dot from host name
Primarily for SNI, we need the host name without a trailing dot.
"https://www.example.com." resolves fine but fails on SNI unless the dot
is removed.

Reported-by: Leon Winter
Bug: http://curl.haxx.se/mail/lib-2014-04/0161.html
2014-05-06 08:44:11 +02:00
Daniel Stenberg
d5ec44ca4c INFILESIZE: fields in UserDefined must not be changed run-time
set.infilesize in this case was modified in several places, which could
lead to repeated requests using the same handle to get unintendent/wrong
consequences based on what the previous request did!
2014-04-26 18:17:10 +02:00
Daniel Stenberg
710f14edba handler: make 'protocol' always specified as a single bit
This makes the findprotocol() function work as intended so that libcurl
can properly be restricted to not support HTTP while still supporting
HTTPS - since the HTTPS handler previously set both the HTTP and HTTPS
bits in the protocol field.

This fixes --proto and --proto-redir for most SSL protocols.

This is done by adding a few new convenience defines that groups HTTP
and HTTPS, FTP and FTPS etc that should then be used when the code wants
to check for both protocols at once. PROTO_FAMILY_[protocol] style.

Bug: https://github.com/bagder/curl/pull/97
Reported-by: drizzt
2014-04-23 22:36:01 +02:00
Marc Hoersken
c48b996cf2 url.c: fix possible use of non-null-terminated string with strlen
Follow up on b0e742544b
2014-04-19 14:25:32 +02:00
Marc Hoersken
b0e742544b url.c: fix possible use of non-null-terminated string with strlen 2014-04-19 00:17:21 +02:00
Steve Holme
e2c14bde22 url.c: Fixed typo in comment 2014-04-18 17:51:26 +01:00
Dan Fandrich
263ed02da6 url: only use if_nametoindex() if IFNAMSIZ is available 2014-04-14 08:02:06 +02:00
Daniel Stenberg
ef6be35bae CURLOPT_HEADEROPT: added
Modified the logic so that CURLOPT_HEADEROPT now controls if PROXYHEADER
is actually used or not.
2014-04-04 17:03:43 +02:00
Daniel Stenberg
ac887eedbc CURLOPT_PROXYHEADER: set headers for proxy-only
Includes docs and new test cases: 1525, 1526 and 1527

Co-written-by: Vijay Panghal
2014-04-04 17:03:43 +02:00
Daniel Stenberg
13682d1a24 ipv6: strip off zone identifiers in redirects too
Follow up to 9317eced98 makes test 1056 work again.
2014-03-31 09:35:32 +02:00
Till Maas
9317eced98 URL parser: IPv6 zone identifiers are now supported 2014-03-31 07:58:25 +02:00
Steve Holme
517b06d657 url: Fixed connection re-use when using different log-in credentials
In addition to FTP, other connection based protocols such as IMAP, POP3,
SMTP, SCP, SFTP and LDAP require a new connection when different log-in
credentials are specified. Fixed the detection logic to include these
other protocols.

Bug: http://curl.haxx.se/docs/adv_20140326A.html
2014-03-25 23:01:37 +01:00
Daniel Stenberg
539412851c parse_remote_port: error out on illegal port numbers better 2014-03-06 00:06:45 +00:00
Daniel Stenberg
219a0fbe76 remote_port: allow connect to port 0
Port number zero is perfectly allowed to connect to. I moved to storing
the remote port number in an int so that -1 means undefined and 0-65535
can be used for legitimate port numbers.
2014-03-05 17:38:05 +00:00
Shao Shuchao
2111c2ed07 ConnectionDone: default maxconnects to 4 x number of easy handles
... as documented!
2014-02-17 09:29:25 +01:00
Daniel Stenberg
d765099813 ConnectionExists: re-use connections better
When allowing NTLM, the re-use connection logic was too focused on
finding an existing NTLM connection to use and didn't properly allow
re-use of other ones. This made the logic not re-use perfectly re-usable
connections.

Added test case 1418 and 1419 to verify.

Regression brought in 8ae35102c (curl 7.35.0)

Reported-by: Jeff King
Bug: http://thread.gmane.org/gmane.comp.version-control.git/242213
2014-02-16 14:30:02 +01:00
Daniel Stenberg
378af08c99 ConnectionExists: reusing possible HTTP+NTLM connections better
Make sure that the special NTLM magic we do is for HTTP+NTLM only since
that's where the authenticated connection is a weird non-standard
paradigm.

Regression brought in 8ae35102c (curl 7.35.0)

Bug: http://curl.haxx.se/mail/lib-2014-02/0100.html
Reported-by: Dan Fandrich
2014-02-13 23:25:38 +01:00
Tiit Pikma
c021a60bcc transfer: make Expect: 100-continue timeout configurable.
Replaced the #define CURL_TIMEOUT_EXPECT_100 in transfer.c with the
CURLOPT_EXPECT_100_TIMEOUT_MS option to make the timeout configurable.
2014-02-13 16:05:17 +01:00
Fabian Frank
909a68c121 NPN/ALPN: allow disabling via command line
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Dan Fandrich
768151449b netrc: Fixed a memory leak in an OOM condition 2014-01-30 22:15:03 +01:00
Dan Fandrich
1a20f59237 oauth2: Fixed a memory leak in an OOM condition 2014-01-28 23:55:04 +01:00
Daniel Stenberg
5b2342d377 info: remove debug output
Removed some of the infof() calls that were added with the recent
pipeline improvements but they're not useful to the vast majority of
readers and the pipelining seems to fundamentaly work - the debugging
outputs can easily be added there if debugging these functions is needed
again.
2014-01-08 23:19:57 +01:00
Daniel Stenberg
8ae35102c4 ConnectionExists: fix NTLM check for new connection
When the requested authentication bitmask includes NTLM, we cannot
re-use a connection for another username/password as we then risk
re-using NTLM (connection-based auth).

This has the unfortunate downside that if you include NTLM as a possible
auth, you cannot re-use connections for other usernames/passwords even
if NTLM doesn't end up the auth type used.

Reported-by: Paras S
Patched-by: Paras S
Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html
2014-01-07 09:48:40 +01:00
Steve Holme
60bd22620a mprintf: Replaced internal usage of FORMAT_OFF_T and FORMAT_OFF_TU
Following commit 0aafd77fa4, replaced the internal usage of
FORMAT_OFF_T and FORMAT_OFF_TU with the external versions that we
expect API programmers to use.

This negates the need for separate definitions which were subtly
different under different platforms/compilers.
2013-12-31 11:10:42 +00:00
Daniel Stenberg
11e8066ef9 vtls: renamed sslgen.[ch] to vtls.[ch] 2013-12-20 17:12:42 +01:00
Daniel Stenberg
eccf4fb7ee vtls: created subdir, moved sslgen.[ch] there, updated all include lines 2013-12-20 17:12:42 +01:00
Daniel Stenberg
169fedbdce login options: remove the ;[options] support from CURLOPT_USERPWD
To avoid the regression when users pass in passwords containing semi-
colons, we now drop the ability to set the login options with the same
options. Support for login options in CURLOPT_USERPWD was added in
7.31.0.

Test case 83 was modified to verify that colons and semi-colons can be
used as part of the password when using -u (CURLOPT_USERPWD).

Bug: http://curl.haxx.se/bug/view.cgi?id=1311
Reported-by: Petr Bahula
Assisted-by: Steve Holme
Signed-off-by: Daniel Stenberg <daniel@haxx.se>
2013-12-14 22:40:37 +01:00
Steve Holme
f2584627c8 curl_easy_setopt: Added the ability to set the login options separately
Rather than set the authentication options as part of the login details
specified in the URL, or via the older CURLOPT_USERPWD option, added a
new libcurl option to allow the login options to be set separately.
2013-11-12 19:08:55 +00:00
Björn Stenberg
e7d77fb3ef connect: Close temporary sockets in conn_free()
The temporary sockets used for Happy Eyeballs were not closed properly,
if curl exited prematurely, which this patch fixes.
2013-11-10 22:49:56 +00:00
Steve Holme
98a5fdaf29 url.c: Very small amount of policing 2013-11-05 23:30:12 +00:00
Björn Stenberg
1ea05be46d url.c: Remove superfluous for loop
The reason for this loop's existence was removed in commit
02fbc26d59.
2013-11-05 23:15:33 +00:00
Björn Stenberg
02fbc26d59 connect: Add connection delay to Happy Eyeballs.
This patch adds a 200ms delay between the first and second address
family socket connection attempts.

It also iterates over IP addresses in the order returned by the
system, meaning most dual-stack systems will try IPv6 first.

Additionally, it refactors the connect code, removing most code that
handled synchronous connects. Since all sockets are now non-blocking,
the logic can be made simpler.
2013-11-04 22:38:19 +01:00
Patrick Monnerat
f6c335d63f NSS: support for CERTINFO feature 2013-10-30 11:12:06 +01:00
Björn Stenberg
7d7df83198 Add "Happy Eyeballs" for IPv4/IPv6.
This patch invokes two socket connect()s nearly simultaneously, and
the socket that is first connected "wins" and is subsequently used for
the connection. The other is terminated.

There is a very slight IPv4 preference, in that if both sockets connect
simultaneously IPv4 is checked first and thus will win.
2013-10-27 11:19:53 +01:00
Daniel Stenberg
d44b014271 FTP: make the data connection work when going through proxy
This is a regression since the switch to always-multi internally
c43127414d.

Test 1316 was modified since we now clearly call the Curl_client_write()
function when doing the LIST transfer part and then the
handler->protocol says FTP and ftpc.transfertype is 'A' which implies
text converting even though that the response is initially a HTTP
CONNECT response in this case.
2013-10-26 23:33:06 +02:00
Kim Vandry
df69440d05 libcurl: New options to bind DNS to local interfaces or IP addresses 2013-09-12 21:11:47 +02:00
Kamil Dudka
c639d725a3 url: handle abortion by read/write callbacks, too
Otherwise, the FTP protocol would unnecessarily hang 60 seconds if
aborted in the CURLOPT_HEADERFUNCTION callback.

Reported by: Tomas Mlcoch
Bug: https://bugzilla.redhat.com/1005686
2013-09-09 13:23:04 +02:00
Daniel Stenberg
d707a975f6 Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without support 2013-09-04 22:29:38 +02:00
Steve Holme
322f0bc2f1 url.c: Fixed compilation warning
An enumerated type is mixed with another type
2013-09-01 13:30:12 +01:00
Kyle L. Huff
06c1bea72f options: added basic SASL XOAUTH2 support
Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the
option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth
2.0 Authorization Framework".
2013-08-25 22:03:57 +01:00
Daniel Stenberg
bb55293313 FTP: remove krb4 support
We've announced this pending removal for a long time and we've
repeatedly asked if anyone would care or if anyone objects. Nobody has
objected. It has probably not even been working for a good while since
nobody has tested/used this code recently.

The stuff in krb4.h that was generic enough to be used by other sources
is now present in security.h
2013-08-25 19:16:36 +02:00
Jonathan Nieder
2f1a0bc0bf url: handle arbitrary-length username and password before '@'
libcurl quietly truncates usernames, passwords, and options from
before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1)
characters to fit in fixed-size buffers on the stack.  Allocate a
buffer large enough to fit the parsed fields on the fly instead to
support longer passwords.

After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH
left, so stop defining that constant while at it.  The hardcoded max
username and password length constants, on the other hand, are still
used in HTTP proxy credential handling (which this patch doesn't
touch).

Reported-by: Colby Ranger
2013-08-20 11:16:38 +02:00
Jonathan Nieder
09ddb1d61c url: handle exceptional cases first in parse_url_login()
Instead of nesting "if(success)" blocks and leaving the reader in
suspense about what happens in the !success case, deal with failure
cases early, usually with a simple goto to clean up and return from
the function.

No functional change intended.  The main effect is to decrease the
indentation of this function slightly.
2013-08-20 11:16:38 +02:00
Jonathan Nieder
15f76bf7bb Curl_setopt: handle arbitrary-length username and password
libcurl truncates usernames, passwords, and options set with
curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
This doesn't affect the return value from curl_easy_setopt(), so from
the caller's point of view, there is no sign anything strange has
happened, except that authentication fails.

For example:

  # Prepare a long (300-char) password.
  s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
  # Start a server.
  nc -l -p 8888 | tee out & pid=$!
  # Tell curl to pass the password to the server.
  curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
  # Extract the password.
  userpass=$(
	awk '/Authorization: Basic/ {print $3}' <out |
	tr -d '\r' |
	base64 -d
  )
  password=${userpass#me:}
  echo ${#password}

Expected result: 300
Actual result: 255

The fix is simple: allocate appropriately sized buffers on the heap
instead of trying to squeeze the provided values into fixed-size
on-stack buffers.

Bug: http://bugs.debian.org/719856
Reported-by: Colby Ranger
2013-08-20 11:16:38 +02:00
Jonathan Nieder
36585b5395 netrc: handle longer username and password
libcurl truncates usernames and passwords it reads from .netrc to
LOGINSIZE and PASSWORDSIZE (64) characters without any indication to
the user, to ensure the values returned from Curl_parsenetrc fit in a
caller-provided buffer.

Fix the interface by passing back dynamically allocated buffers
allocated to fit the user's input.  The parser still relies on a
256-character buffer to read each line, though.

So now you can include an ~246-character password in your .netrc,
instead of the previous limit of 63 characters.

Reported-by: Colby Ranger
2013-08-20 11:16:38 +02:00
Jonathan Nieder
11baffbff6 url: allocate username, password, and options on the heap
This makes it possible to increase the size of the buffers when needed
in later patches.  No functional change yet.
2013-08-20 11:16:38 +02:00
Jonathan Nieder
53333a43a1 url: use goto in create_conn() for exception handling
Instead of remembering before each "return" statement which temporary
allocations, if any, need to be freed, take care to set pointers to
NULL when no longer needed and use a goto to a common block to exit
the function and free all temporaries.

No functional change intended.  Currently the only temporary buffer in
this function is "proxy" which is already correctly freed when
appropriate, but there will be more soon.
2013-08-20 11:16:38 +02:00
Daniel Stenberg
8a42c2ef8d cleanup: removed one function, made one static
Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to
easy_addmulti and made it static.

Removed Curl_easy_initHandleData() and uses of it since it was emptied
in commit cdda92ab67b47d74a.
2013-08-12 13:17:57 +02:00
Daniel Stenberg
e79535bc5e SessionHandle: the protocol specific pointer is now a void *
All protocol handler structs are now opaque (void *) in the
SessionHandle struct and moved in the request-specific sub-struct
'SingleRequest'. The intension is to keep the protocol specific
knowledge in their own dedicated source files [protocol].c etc.

There's some "leakage" where this policy is violated, to be addressed at
a later point in time.
2013-08-12 13:17:57 +02:00
Daniel Stenberg
4ad8e142da urldata: clean up the use of the protocol specific structs
1 - always allocate the struct in protocol->setup_connection. Some
protocol handlers had to get this function added.

2 - always free at the end of a request. This is also an attempt to keep
less memory in the handle after it is completed.
2013-08-12 13:17:57 +02:00
Daniel Stenberg
7cc00d9a83 FTP: when EPSV gets a 229 but fails to connect, retry with PASV
This is a regression as this logic used to work. It isn't clear when it
broke, but I'm assuming in 7.28.0 when we went all-multi internally.

This likely never worked with the multi interface. As the failed
connection is detected once the multi state has reached DO_MORE, the
Curl_do_more() function was now expanded somewhat so that the
ftp_do_more() function can request to go "back" to the previous state
when it makes another attempt - using PASV.

Added test case 1233 to verify this fix. It has the little issue that it
assumes no service is listening/accepting connections on port 1...

Reported-by: byte_bucket in the #curl IRC channel
2013-08-06 09:57:59 +02:00
Daniel Stenberg
784336deec multi: remove data->state.current_conn struct field
Not needed
2013-08-03 22:51:35 +02:00
Yang Tse
4fad1943a2 string formatting: fix 15+ printf-style format strings 2013-07-24 16:46:24 +02:00
Yang Tse
de052ca6fc string formatting: fix 25+ printf-style format strings 2013-07-24 01:21:26 +02:00
Fabian Keil
2c4ef997b9 url.c: Fix dot file path cleanup when using an HTTP proxy
Previously the path was cleaned, but the URL wasn't properly updated.
2013-07-23 20:51:15 +02:00
Daniel Stenberg
12d01cb6fa CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function
and CURLOPT_PROGRESSFUNCTION is considered deprecated.

This new callback uses pure 'curl_off_t' arguments to pass on full
resolution sizes. It otherwise retains the same characteristics: the
same call rate, the same meanings for the arguments and the return code
is used the same way.

The progressfunc.c example is updated to show how to use the new
callback for newer libcurls while supporting the older one if built with
an older libcurl or even built with a newer libcurl while running with
an older.
2013-07-18 23:44:06 +02:00
Patrick Monnerat
0eba02fd41 OS400: new SSL backend GSKit 2013-07-15 19:00:36 +02:00
Patrick Monnerat
3a24cb7bc4 x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract
Use from qssl backend
2013-07-15 18:16:13 +02:00
Yang Tse
cfc907e43d url.c: fix parse_url_login() OOM handling 2013-07-14 12:19:57 +02:00
Yang Tse
83f0dae129 url.c: fix parse_login_details() OOM handling 2013-07-12 12:17:31 +02:00
Yang Tse
b16b7f9d3a url.c: fix SIGSEGV 2013-07-11 13:31:08 +02:00
Kamil Dudka
abca89aaa0 url: restore the functionality of 'curl -u :'
This commit fixes a regression introduced in
fddb7b44a7.

Reported by: Markus Moeller
Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
2013-06-30 20:13:14 +02:00
Daniel Stenberg
7877619f85 dotdot: introducing dot file path cleanup
RFC3986 details how a path part passed in as part of a URI should be
"cleaned" from dot sequences before getting used. The described
algorithm is now implemented in lib/dotdot.c with the accompanied test
case in test 1395.

Bug: http://curl.haxx.se/bug/view.cgi?id=1200
Reported-by: Alex Vinnik
2013-06-22 14:15:07 +02:00
Daniel Stenberg
7ac3e9f1ba CURLOPT_COOKIELIST: take cookie share lock
When performing COOKIELIST operations the cookie lock needs to be taken
for the cases where the cookies are shared among multiple handles!

Verified by Benjamin Gilbert's updated test 506

Bug: http://curl.haxx.se/bug/view.cgi?id=1215
Reported-by: Benjamin Gilbert
2013-06-17 23:29:05 +02:00
Steve Holme
a846fbbe2a sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response 2013-04-27 09:58:20 +01:00
Zdenek Pavlas
b37b5233ca url: initialize speed-check data for file:// protocol
... in order to prevent an artificial timeout event based on stale
speed-check data from a previous network transfer.  This commit fixes
a regression caused by 9dd85bced5.

Bug: https://bugzilla.redhat.com/906031
2013-04-26 15:38:22 +02:00
Steve Holme
2af9fd4960 url: Added smtp and pop3 hostnames to the protocol detection list 2013-04-23 19:44:14 +01:00
Steve Holme
ddac43b38e url: Fixed missing length check in parse_proxy()
Commit 11332577b3 removed the length check that was performed by the
old scanf() code.
2013-04-21 18:29:33 +01:00
Steve Holme
416ecc1584 url: Fixed crash when no username or password supplied for proxy
Fixed an issue in parse_proxy(), introduced in commit 11332577b3,
where an empty username or password (For example: http://:@example.com)
would cause a crash.
2013-04-21 16:55:19 +01:00
Steve Holme
11332577b3 url: Updated proxy URL parsing to use parse_login_details() 2013-04-21 12:12:29 +01:00
Steve Holme
702b0dd408 url: Tidy up of setstropt_userpwd() parameters
Updated the naming convention of the login parameters to match those of
other functions.
2013-04-21 10:27:42 +01:00