1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 01:58:49 -05:00
Commit Graph

11314 Commits

Author SHA1 Message Date
Daniel Stenberg
f93455eb04
altsvc: clone setting in curl_easy_duphandle
The cache content is not duplicated, like other caches, but the setting
and specified file name are.

Test 1908 is extended to verify this somewhat. Since the duplicated
handle gets the same file name, the test unfortunately overwrites the
same file twice (with different contents) which makes it hard to check
automatically.

Closes #5923
2020-09-06 09:54:54 +02:00
Daniel Stenberg
bbf8cae44d
build: drop support for building with Watcom
These files are not maintained, they seem to have no users, Watcom
compilers look like not having users nor releases anymore.

Closes #5918
2020-09-05 21:51:37 +02:00
Daniel Stenberg
879007f811
easygetopt: pass a valid enum to avoid compiler warning
"integer constant not in range of enumerated type 'CURLoption'"

Reported-by: Gisle Vanem
Bug: 6ebe63fac2 (commitcomment-42042843)

Closes #5915
2020-09-05 14:44:11 +02:00
ihsinme
d1d3105317
connect.c: remove superfluous 'else' in Curl_getconnectinfo
Closes #5912
2020-09-04 13:31:51 +02:00
cbe
a27af8b510
libssh2: pass on the error from ssh_force_knownhost_key_type
Closes #5909
2020-09-03 18:02:27 +02:00
Martin Bašti
3eff1c5092
http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
... in case NO_PROXY takes an effect

Without this patch, the following command crashes:

    $ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
        git clone https://github.com/curl/curl.git

Minimal libcurl-based reproducer:

    #include <curl/curl.h>

    int main() {
      CURL *curl = curl_easy_init();
      if(curl) {
        CURLcode ret;
        curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
        curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
        /* set the proxy type */
        curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
        curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
        curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
        ret = curl_easy_perform(curl);
        curl_easy_cleanup(curl);
        return ret;
      }
      return -1;
    }

Assisted-by: Kamil Dudka
Bug: https://bugzilla.redhat.com/1873327
Closes #5902
2020-09-03 08:01:56 +02:00
Daniel Stenberg
b3fbb2fb9d
openssl: avoid error conditions when importing native CA
The code section that is OpenSSL 3+ specific now uses the same logic as
is used in the version < 3 section. It caused a compiler error without
it.

Closes #5907
2020-09-02 22:47:52 +02:00
Daniel Stenberg
dd51f04b11
setopt: avoid curl_ on local variable
Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
5507a6ae41
mqtt.c: avoid curl_ prefix on local variable
Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
c26446ff5e
wildcard: strip "curl_" prefix from private symbols
Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
3acb2abdf5
vtls: make it 'struct Curl_ssl_session'
Use uppercase C for internal symbols.

Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
221a584df9
curl_threads: make it 'struct Curl_actual_call'
Internal names should not be prefixed "curl_"

Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
add7022666
schannel: make it 'struct Curl_schannel*'
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
9e90ff0839
hash: make it 'struct Curl_hash'
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:58 +02:00
Daniel Stenberg
9b3f888a00
llist: make it "struct Curl_llist"
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:58 +02:00
Marc Hoersken
8bdc4f8aee
telnet.c: depend on static requirement of WinSock version 2
Drop dynamic loading of ws2_32.dll and instead rely on the
imported version which is now required to be at least 2.2.

Reviewed-by: Marcel Raad
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Reviewed-by: Viktor Szakats

Closes #5854
2020-09-02 16:33:03 +02:00
Marc Hoersken
3e4b32a3e1
win32: drop support for WinSock version 1, require version 2
IPv6, telnet and now also the multi API require WinSock
version 2 which is available starting with Windows 95.

Therefore we think it is time to drop support for version 1.

Reviewed-by: Marcel Raad
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Reviewed-by: Viktor Szakats

Follow up to #5634
Closes #5854
2020-09-02 16:30:39 +02:00
Marc Hoersken
20d74b7393
select: align poll emulation to return all relevant events
The poll emulation via select already consumes POLLRDNORM,
POLLWRNORM and POLLRDBAND as input events. Therefore it
should also return them as output events if signaled.

Also fix indentation in input event handling block.

Assisted-by: Jay Satiro
Reviewed-by: Daniel Stenberg

Replaces #5852
Closes #5883
2020-09-02 16:26:20 +02:00
Daniel Stenberg
64586af926
lib/Makefile.am: bump VERSIONINFO due to new functions
... we're generally bad at this, but we are adding new functions for
this release.

Closes #5899
2020-09-01 16:27:43 +02:00
Daniel Stenberg
e250b568b8
optiontable: use DEBUGBUILD
Follow-up to commit 6e18568ba3 (#5877)
2020-09-01 16:02:27 +02:00
Daniel Stenberg
e37e446868
mqtt: enable by default
No longer considered experimental.

Closes #5858
2020-08-31 09:45:09 +02:00
Michael Baentsch
ede125b7b7
tls: add CURLOPT_SSL_EC_CURVES and --curves
Closes #5892
2020-08-30 17:24:04 +02:00
Daniel Stenberg
a337355487
url: remove funny embedded comments in Curl_disonnect calls 2020-08-30 17:03:48 +02:00
Chris Paulson-Ellis
728f8d3bdc
conn: check for connection being dead before reuse
Prevents incorrect reuse of an HTTP connection that has been prematurely
shutdown() by the server.

Partial revert of 755083d00d

Fixes #5884
Closes #5893
2020-08-30 16:59:16 +02:00
Marcel Raad
f504f18641 ntlm: fix condition for curl_ntlm_core usage
`USE_WINDOWS_SSPI` without `USE_WIN32_CRYPTO` but with any other DES
backend is fine, but was excluded before.

This also fixes test 1013 as the condition for SMB support in
configure.ac didn't match the condition in the source code. Now it
does.

Fixes https://github.com/curl/curl/issues/1262
Closes https://github.com/curl/curl/pull/5771
2020-08-29 10:08:32 +02:00
Marc Hoersken
05729b66c5
select: simplify return code handling for poll and select
poll and select already return -1 on error according to POSIX,
so there is no need to perform a <0 to -1 conversion in code.

Also we can just use one check with <= 0 on the return code.

Assisted-by: Daniel Stenberg
Reviewed-by: Jay Satiro

Replaces #5852
Closes #5880
2020-08-29 09:48:59 +02:00
Daniel Stenberg
6e18568ba3
easyoptions: provide debug function when DEBUGBUILD
... not CURLDEBUG as they're not always set in conjunction.

Follow-up to 6ebe63fac2

Fixes #5877
Closes #5878
2020-08-28 23:35:12 +02:00
Marc Hoersken
003e81e2a3
multi: handle connection state winsock events
Learn from the way Cygwin handles and maps the WinSock events
to simulate correct and complete poll and select behaviour
according to Richard W. Stevens Network Programming book.

Reviewed-by: Jay Satiro
Reviewed-by: Marcel Raad

Follow up to #5634
Closes #5867
2020-08-28 17:57:52 +02:00
Daniel Stenberg
a2c85bb8e4
Curl_pgrsTime - return new time to avoid timeout integer overflow
Setting a timeout to INT_MAX could cause an immediate error to get
returned as timeout because of an overflow when different values of
'now' were used.

This is primarily fixed by having Curl_pgrsTime() return the "now" when
TIMER_STARTSINGLE is set so that the parent function will continue using
that time.

Reported-by: Ionuț-Francisc Oancea
Fixes #5583
Closes #5847
2020-08-28 14:16:41 +02:00
Daniel Stenberg
68a5132474
TLS: fix SRP detection by using the proper #ifdefs
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP

HAVE_OPENSSL_SRP is defined when OpenSSL can use it

HAVE_GNUTLS_SRP is defined when GnuTLS can use it

Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
set if at least one of the supported backends offers SRP.

Reported-by: Stefan Strogin
Fixes #5865
Closes #5870
2020-08-28 14:13:05 +02:00
Emil Engler
616c30ad67
lib: make Curl_gethostname accept a const pointer
The address of that variable never gets changed, only the data in it so
why not make it a "char * const"?

Closes #5866
2020-08-27 22:52:22 +02:00
Daniel Stenberg
ad691b191a
configure: added --disable-get-easy-options
To allow disabling of the curl_easy_option APIs in a build.

Closes #5365
2020-08-27 14:17:42 +02:00
Daniel Stenberg
6ebe63fac2
options: API for meta-data about easy options
const struct curl_easyoption *curl_easy_option_by_name(const char *name);

 const struct curl_easyoption *curl_easy_option_by_id (CURLoption id);

 const struct curl_easyoption *
 curl_easy_option_next(const struct curl_easyoption *prev);

The purpose is to provide detailed enough information to allow for
example libcurl bindings to get option information at run-time about
what easy options that exist and what arguments they expect.

Assisted-by: Jeroen Ooms
Closes #5365
2020-08-27 14:17:36 +02:00
Jay Satiro
fbe07c6829 openssl: Fix wincrypt symbols conflict with BoringSSL
OpenSSL undefines the conflicting symbols but BoringSSL does not so we
must do it ourselves.

Reported-by: Samuel Tranchet
Assisted-by: Javier Blazquez

Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371
Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73

Fixes https://github.com/curl/curl/issues/5669
Closes https://github.com/curl/curl/pull/5857
2020-08-26 23:24:41 -04:00
Daniel Stenberg
d854572ccc
socketpair: allow CURL_DISABLE_SOCKETPAIR
... to completely disable the use of socketpair

Closes #5850
2020-08-26 22:58:21 +02:00
Daniel Stenberg
ce88e21c72
curl_get_line: build only if cookies or alt-svc are enabled
Closes #5851
2020-08-26 22:56:26 +02:00
fullincome
01e2679b49
schannel: fix memory leak when using get_cert_location
The get_cert_location function allocates memory only on success.
Previously get_cert_location was able to allocate memory and return
error. It wasn't obvious and in this case the memory wasn't
released.

Fixes #5855
Closes #5860
2020-08-26 22:54:11 +02:00
Emil Engler
a6a17662f2
doh: add error message for DOH_DNS_NAME_TOO_LONG
When this error code was introduced in b6a53fff6c, it was
forgotten to be added in the errors array and doh_strerror function.

Closes #5863
2020-08-26 22:51:29 +02:00
Daniel Stenberg
7691f68ba3
ngtcp2: adapt to the new pkt_info arguments
Guidance-by: Tatsuhiro Tsujikawa

Closes #5864
2020-08-26 22:40:30 +02:00
Marc Hoersken
3334ee6bcb
multi: expand pre-check for socket readiness
Check readiness of all sockets before waiting on them
to avoid locking in case the one-time event FD_WRITE
was already consumed by a previous wait operation.

More information about WinSock network events:
https://docs.microsoft.com/en-us/windows/win32/api/
   winsock2/nf-winsock2-wsaeventselect#return-value

Closes #5634
2020-08-25 12:11:45 +02:00
rcombs
d2a7d7c185
multi: implement wait using winsock events
This avoids using a pair of TCP ports to provide wakeup functionality
for every multi instance on Windows, where socketpair() is emulated
using a TCP socket on loopback which could in turn lead to socket
resource exhaustion.

A previous version of this patch failed to account for how in WinSock,
FD_WRITE is set only once when writing becomes possible and not again
until after a send has failed due to the buffer filling. This contrasts
to how FD_READ and FD_OOB continue to be set until the conditions they
refer to no longer apply. This meant that if a user wrote some data to
a socket, but not enough data to completely fill its send buffer, then
waited on that socket to become writable, we'd erroneously stall until
their configured timeout rather than returning immediately.

This version of the patch addresses that issue by checking each socket
we're waiting on to become writable with select() before the wait, and
zeroing the timeout if it's already writable.

Assisted-by: Marc Hörsken
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Stenberg
Tested-by: Gergely Nagy
Tested-by: Rasmus Melchior Jacobsen
Tested-by: Tomas Berger

Replaces #5397
Reverts #5632
Closes #5634
2020-08-25 12:11:24 +02:00
Marc Hoersken
17f58c8d98
select: reduce duplication of Curl_poll in Curl_socket_check
Change Curl_socket_check to use select-fallback in Curl_poll
instead of implementing it in Curl_socket_check and Curl_poll.

Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro

Replaces #5262 and #5492
Closes #5707
2020-08-25 11:21:44 +02:00
Marc Hoersken
e21bd22f84
select: fix poll-based check not detecting connect failure
This commit changes Curl_socket_check to use POLLPRI to
check for connect failure on the write socket, because
POLLPRI maps to fds_err. This is in line with select(2).

The select-based socket check correctly checks for connect
failures by adding the write socket also to fds_err.

The poll-based implementation (which internally can itself
fallback to select again) did not previously check for
connect failure by using POLLPRI with the write socket.

See the follow up commit to this for more information.

This commit makes sure connect failures can be detected
and handled if HAVE_POLL_FINE is defined, eg. on msys2-devel.

Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro

Replaces #5509
Prepares #5707
2020-08-25 11:20:58 +02:00
Marc Hoersken
0f7c332f9f
select.h: make socket validation macros test for INVALID_SOCKET
With Winsock the valid range is [0..INVALID_SOCKET-1] according to
https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2

Reviewed-by: Jay Satiro
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Stenberg

Closes #5760
2020-08-25 11:17:06 +02:00
Michael Musset
ebc6c54c74
sftp: add the option CURLKHSTAT_FINE_REPLACE
Replace the old fingerprint of the host with a new.

Closes #5685
2020-08-24 17:26:08 +02:00
Daniel Stenberg
4ebac06106
checksrc: verify do-while and spaces between the braces
Updated mprintf.c to comply

Closes #5845
2020-08-24 16:38:17 +02:00
Daniel Stenberg
bc3b5bcf87
setopt: if the buffer exists, refuse the new BUFFERSIZE
The buffer only exists during transfer and then we shouldn't change the
size (the setopt is not documented to work then).

Reported-by: Harry Sintonen
Closes #5842
2020-08-24 09:08:56 +02:00
COFFEETALES
fab5185275
sftp: add new quote commands 'atime' and 'mtime'
Closes #5810
2020-08-24 09:01:56 +02:00
Daniel Stenberg
88b1ca7cba
CURLE_PROXY: new error code
Failures clearly returned from a (SOCKS) proxy now causes this return
code. Previously the situation was not very clear as what would be
returned and when.

In addition: when this error code is returned, an application can use
CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then
returns a value from the new 'CURLproxycode' enum.

Closes #5770
2020-08-24 08:41:48 +02:00
Viktor Szakats
38039da764
Makefile.m32: add ability to override zstd libs [ci skip]
Similarly to brotli, where this was already possible.
E.g. it allows to link zstd statically to libcurl.dll.

Ref: https://github.com/curl/curl-for-win/issues/12
Ref: d9b266afd2

Closes https://github.com/curl/curl/pull/5840
2020-08-22 21:08:28 +00:00
Daniel Stenberg
80d73bcca2
tls: provide the CApath verbose log on its own line
... not newline separated from the previous line. This makes it output
asterisk prefixed properly like other verbose putput!

Reported-by: jmdavitt on github
Fixes #5826
Closes #5827
2020-08-19 15:55:50 +02:00
Daniel Stenberg
3c9e021f86
Curl_easy: remember last connection by id, not by pointer
CVE-2020-8231

Bug: https://curl.haxx.se/docs/CVE-2020-8231.html

Reported-by: Marc Aldorasi
Closes #5824
2020-08-17 14:33:09 +02:00
Daniel Stenberg
d68fc02972
asyn-ares: correct some bad comments
Closes #5812
2020-08-15 00:08:00 +02:00
Daniel Stenberg
010fb9830b
copyright: update/correct the year range on a few files 2020-08-14 10:20:27 +02:00
Emil Engler
da901fefe0
multi: Remove 10-year old out-commented code
The code hasn't been touched since 2010-08-18

Closes #5805
2020-08-12 15:28:46 +02:00
Stefan Yohansson
50dd05a552
transfer: move retrycount from connect struct to easy handle
This flag was applied to the connection struct that is released on
retry.  These changes move the retry counter into Curl_easy struct that
lives across retries and retains the new connection.

Reported-by: Cherish98 on github
Fixes #5794
Closes #5800
2020-08-10 23:20:17 +02:00
Daniel Stenberg
43c68d842e
libssh2: s/ssherr/sftperr/
The debug output used ssherr instead of sftperr which not only outputs
the wrong error code but also casues a warning on Windows.

Follow-up to 7370b4e39f

Reported-by: Gisle Vanem
Bug: 7370b4e39f (r41334700)
Closes #5799
2020-08-10 14:34:01 +02:00
Daniel Stenberg
aecce3551c
ftp: don't do ssl_shutdown instead of ssl_close
The shutdown function is for downgrading a connection from TLS to plain,
and this is not requested here.

Have ssl_close reset the TLS connection state.

This partially reverts commit f002c850d9

Reported-by: Rasmus Melchior Jacobsen
Reported-by: Denis Goleshchikhin
Fixes #5797
2020-08-10 14:32:06 +02:00
Daniel Stenberg
265717d271
smtp_parse_address: handle blank input string properly
Closes #5792
2020-08-07 11:49:36 +02:00
Daniel Stenberg
2754a89362
ngtcp2: adapt to error code rename
Closes #5786
2020-08-05 23:35:31 +02:00
Daniel Stenberg
a0c461434c
gtls: survive not being able to get name/issuer
Closes #5778
2020-08-05 14:44:48 +02:00
Daniel Stenberg
7f187d897c
h2: repair trailer handling
The previous h2 trailer fix in 54a2b63 was wrong and caused a
regression: it cannot deal with trailers immediately when read since
they may be read off the connection by the wrong 'data' owner.

This change reverts the logic back to gathering all trailers into a
single buffer, like before 54a2b63.

Reported-by: Tadej Vengust
Fixes #5663
Closes #5769
2020-08-03 23:43:24 +02:00
Viktor Szakats
8297978c21
windows: disable Unix Sockets for old mingw
Classic mingw and 10y+ old versions of mingw-w64 don't ship with
Windows headers having the typedef necessary for Unix Sockets
support, so try detecting these environments to disable this
feature.

Ref: cf6afc5717/

Reviewed-by: Daniel Stenberg

Fixes #5674
Closes #5758
2020-08-03 14:31:49 +00:00
Cameron Cawley
790137b0f7
win32: Add Curl_verify_windows_version() to curlx
Closes https://github.com/curl/curl/pull/5754
2020-08-02 17:58:44 +02:00
Daniel Stenberg
ca567dc5a4
multi: Condition 'extrawait' is always true
Reported by Codacy.

Reviewed-by: Marcel Raad
Closes #5759
2020-08-01 23:21:29 +02:00
Marcel Raad
c71d8bb56d
openssl: fix build with LibreSSL < 2.9.1
`SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
introduced in LibreSSL 2.9.1 [0].

[0] 0db809ee17

Closes https://github.com/curl/curl/pull/5757
2020-08-01 17:47:32 +02:00
Marc Aldorasi
d5bb459ccf
multi_remove_handle: close unused connect-only connections
Previously any connect-only connections in a multi handle would be kept
alive until the multi handle was closed.  Since these connections cannot
be re-used, they can be marked for closure when the associated easy
handle is removed from the multi handle.

Closes #5749
2020-08-01 15:26:08 +02:00
Marc Hoersken
633c9478c9
connect: remove redundant message about connect failure
Reviewed-by: Daniel Stenberg

Closes #5708
2020-07-31 18:58:03 +02:00
Jay Satiro
a12a16151a url: fix CURLU and location following
Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
incorrectly used for the location follow, resulting in infinite requests
to the original location.

Reported-by: sspiri@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/5709
Closes https://github.com/curl/curl/pull/5713
2020-07-30 11:57:35 -04:00
Daniel Stenberg
2f72ad44fc
checksrc: ban gmtime/localtime
They're not thread-safe so they should not be used in libcurl code.

Explictly enabled when deemed necessary and in examples and tests

Reviewed-by: Nicolas Sterchele
Closes #5732
2020-07-28 23:51:17 +02:00
Daniel Stenberg
5ae339971a
transfer: fix data_pending for builds with both h2 and h3 enabled
Closes #5734
2020-07-28 23:48:49 +02:00
Daniel Stenberg
abe59221fc
curl_multi_setopt: fix compiler warning "result is always false"
On systems with 32 bit long the expression is always false. Avoid
the warning.

Reported-by: Gisle Vanem
Bug: 61a08508f6 (commitcomment-40941232)
Closes #5736
2020-07-28 23:37:01 +02:00
Daniel Stenberg
81b4e99b1e
curl: improve the existing file check with -J
Previously a file that isn't user-readable but is user-writable would
not be properly avoided and would get overwritten.

Reported-by: BrumBrum on hackerone
Assisted-by: Jay Satiro
Bug: https://hackerone.com/reports/926638
Closes #5731
2020-07-28 23:28:40 +02:00
Jonathan Nieder
2b6b843bb1
multi: update comment to say easyp list is linear
Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1,
2013-08-02), the easy handle list is not circular but ends with
->next pointing to NULL.

Reported-by: Masaya Suzuki <masayasuzuki@google.com>
Closes #5737
2020-07-28 15:48:30 +02:00
Daniel Stenberg
d259cf1a9b
ngtcp2: store address in sockaddr_storage
Reported-by: Tatsuhiro Tsujikawa
Closes #5733
2020-07-27 19:46:58 +02:00
Daniel Stenberg
91cb16b21f
setopt: unset NOBODY switches to GET if still HEAD
Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
action but before 7.71.0 that used to switch back to GET and with this
change (assuming the method is still set to HEAD) this behavior is
brought back.

Reported-by: causal-agent on github
Fixes #5725
Closes #5728
2020-07-27 19:33:16 +02:00
Ehren Bendler
14e63c19a0
configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
Also choose a different wolfSSL function to test for NTLM support.

Fixes #5605
Closes #5682
2020-07-27 15:18:13 +02:00
Daniel Stenberg
425fa864ce
quiche: handle calling disconnect twice
Reported-by: lilongyan-huawei on github
Fixes #5726
Closes #5727
2020-07-27 12:53:46 +02:00
Nicolas Sterchele
0b85969226
getinfo: reset retry-after value in initinfo
- Avoid re-using retry_after value from preceding request
- Add libtest 3010 to verify

Reported-by: joey-l-us on github
Fixes #5661
Closes #5672
2020-07-27 12:15:44 +02:00
Marcel Raad
0c6112a139
WIN32: stop forcing narrow-character API
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.

Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
2020-07-27 10:42:38 +02:00
Tobias Stoeckmann
8829703b5a mprintf: Fix stack overflows
Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:43:00 -04:00
Tobias Stoeckmann
94b03664de mprintf: Fix dollar string handling
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.

Also do not read behind boundaries of illegal format strings.

These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:42:59 -04:00
Daniel Stenberg
376d5bb323
ntlm: free target_info before (re-)malloc
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379

Closes #5724
2020-07-26 23:48:36 +02:00
Marcel Raad
d746ff1107
doh: remove redundant cast
Closes https://github.com/curl/curl/pull/5704
2020-07-21 20:00:29 +02:00
Marcel Raad
2998749850
md(4|5): don't use deprecated macOS functions
They are marked as deprecated for -mmacosx-version-min >= 10.15,
which might result in warnings-as-errors.

Closes https://github.com/curl/curl/pull/5695
2020-07-19 10:34:52 +02:00
Daniel Stenberg
3c4c4ec2ee
strdup: remove the odd strlen check
It confuses code analyzers with its use of -1 for unsigned value. Also,
a check that's not normally used in strdup() code - and not necessary.

Closes #5697
2020-07-18 12:37:25 +02:00
Daniel Stenberg
da3e0f406a
ngtcp2: adjust to recent sockaddr updates
Closes #5690
2020-07-16 23:56:42 +02:00
Daniel Stenberg
954cd3eb48
CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
... by adding support for a new dedicated return code.

Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
2020-07-16 00:24:29 +02:00
Baruch Siach
2f5d0e497e
nss: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Closes #5667
2020-07-14 23:42:20 +02:00
Daniel Stenberg
d75e3ab74c
CURLINFO_EFFECTIVE_METHOD: added
Provide the HTTP method that was used on the latest request, which might
be relevant for users when there was one or more redirects involved.

Closes #5511
2020-07-14 17:53:45 +02:00
Viktor Szakats
8fa3f7809a
windows: add unicode to feature list
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken

Closes #5491
2020-07-14 08:30:17 +00:00
Daniel Stenberg
61a08508f6
multi: remove two checks always true
Detected by Codacy
Closes #5676
2020-07-14 00:12:08 +02:00
ihsinme
60aa961288
socks: use size_t for size variable
Use the unsigned type (size_t) in the arithmetic of pointers. In this
context, the signed type (ssize_t) is used unnecessarily.

Authored-by: ihsinme on github
Closes #5654
2020-07-12 22:52:19 +02:00
Gilles Vollant
e13357b14b
content_encoding: add zstd decoding support
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu

Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
2020-07-12 18:11:37 +02:00
Daniel Stenberg
c4026a9897
asyn.h: remove the Curl_resolver_getsock define
- not used
 - used the wrong number of arguments
 - confused the Codeacy code analyzer

Closes #5647
2020-07-12 18:06:50 +02:00
Daniel Stenberg
0d4c3618e9
ngtcp2: update to modified qlog callback prototype
Closes #5675
2020-07-12 17:53:08 +02:00
Daniel Stenberg
9466034561
transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
Added test case 674 to reproduce and verify the bug report.

Fixes #5665
Reported-by: NobodyXu on github
Closes #5673
2020-07-12 16:36:02 +02:00
Baruch Siach
81bf2713ae
bearssl: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Reviewed-by: Nicolas Sterchele
Closes #5666
2020-07-12 16:22:38 +02:00
Daniel Stenberg
69bfde4515
http2: only do the *done() cleanups for HTTP
Follow-up to ef86daf4d3

Closes #5650
Fixes #5646
2020-07-04 01:13:50 +02:00
Alex Kiernan
0fda8db95c
gnutls: repair the build with CURL_DISABLE_PROXY
`http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
if `CURL_DISABLE_PROXY` is enabled.  Repair the build with that
configuration.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Closes #5645
2020-07-04 00:18:43 +02:00