... to avoid integer overflows later when multiplying with 1000 to
convert seconds to milliseconds.
Added test 1269 to verify.
Reported-by: Jason Lee
Closes#4166
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.
Fixed-by: Ironbars13 on github
Fixes#4084Closes#4161
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update
test 1514 according to the new behaviour.
Closes#4138
This fixes the winbuild build method which broke several days ago
when experimental quic support was added in 3af0e76.
Reported-by: Michael Lee
Fixes https://github.com/curl/curl/issues/4158
- In curl_easy_reset attempt to resize the receive buffer to its default
size. If realloc fails then continue using the previous size.
Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.
Reported-by: Felix Hädicke
Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).
Fixes#4147Closes#4148
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.
Fixes#4144Closes#4151
USe configure --with-ngtcp2 or --with-quiche
Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
Closes#3500
This is done by making sure each individual transfer is first added to a
linked list as then they can be performed serially, or at will, in
parallel.
Closes#3804
Several reasons:
- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons
Assisted-by: Daniel Gustafsson
Closes#4129
- Find package "Brotli" instead of "BROTLI" since the former is the
casing used for CMake/FindBrotli.cmake, and otherwise find_package
may fail on a case-sensitive file system.
Fixes https://github.com/curl/curl/issues/4117
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call. Should it
return false, we should however treat it as an error and bail out.
Closes https://github.com/curl/curl/pull/4110
Since 7.54 --tlsv1. options use the specified version or later, however
older versions of curl documented it as using just the specified version
which may or may not have happened depending on the TLS library.
Document this discrepancy to allay confusion for users familiar with the
old documentation that expect just the specified version.
Fixes https://github.com/curl/curl/issues/4097
Closes https://github.com/curl/curl/pull/4119
... as larger values would rather indicate something silly (and could
potentially cause buffer problems).
Reported-by: pendrek at hackerone
Closes#4114
- Escape apostrophes at line start.
Some lines begin with a "'" (apostrophe, single quote), which is then
interpreted as a control character in *roff.
Such lines are interpreted as being a call to a macro, and if
undefined, the lines are removed from the output.
Bug: https://bugs.debian.org/926352
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
Submitted-by: Alessandro Ghedini
Closes https://github.com/curl/curl/pull/4111
The testcase ensures that redirects to CURLPROTO_GOPHER won't be
allowed, by default, in the future. Also, curl is being used
for convenience while keeping the testcases DRY.
The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is
redirected to CURLPROTO_GOPHER
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.
For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.
Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
Closes#4094