1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 01:58:49 -05:00
Commit Graph

11314 Commits

Author SHA1 Message Date
Daniel Stenberg
80d73bcca2
tls: provide the CApath verbose log on its own line
... not newline separated from the previous line. This makes it output
asterisk prefixed properly like other verbose putput!

Reported-by: jmdavitt on github
Fixes #5826
Closes #5827
2020-08-19 15:55:50 +02:00
Daniel Stenberg
3c9e021f86
Curl_easy: remember last connection by id, not by pointer
CVE-2020-8231

Bug: https://curl.haxx.se/docs/CVE-2020-8231.html

Reported-by: Marc Aldorasi
Closes #5824
2020-08-17 14:33:09 +02:00
Daniel Stenberg
d68fc02972
asyn-ares: correct some bad comments
Closes #5812
2020-08-15 00:08:00 +02:00
Daniel Stenberg
010fb9830b
copyright: update/correct the year range on a few files 2020-08-14 10:20:27 +02:00
Emil Engler
da901fefe0
multi: Remove 10-year old out-commented code
The code hasn't been touched since 2010-08-18

Closes #5805
2020-08-12 15:28:46 +02:00
Stefan Yohansson
50dd05a552
transfer: move retrycount from connect struct to easy handle
This flag was applied to the connection struct that is released on
retry.  These changes move the retry counter into Curl_easy struct that
lives across retries and retains the new connection.

Reported-by: Cherish98 on github
Fixes #5794
Closes #5800
2020-08-10 23:20:17 +02:00
Daniel Stenberg
43c68d842e
libssh2: s/ssherr/sftperr/
The debug output used ssherr instead of sftperr which not only outputs
the wrong error code but also casues a warning on Windows.

Follow-up to 7370b4e39f

Reported-by: Gisle Vanem
Bug: 7370b4e39f (r41334700)
Closes #5799
2020-08-10 14:34:01 +02:00
Daniel Stenberg
aecce3551c
ftp: don't do ssl_shutdown instead of ssl_close
The shutdown function is for downgrading a connection from TLS to plain,
and this is not requested here.

Have ssl_close reset the TLS connection state.

This partially reverts commit f002c850d9

Reported-by: Rasmus Melchior Jacobsen
Reported-by: Denis Goleshchikhin
Fixes #5797
2020-08-10 14:32:06 +02:00
Daniel Stenberg
265717d271
smtp_parse_address: handle blank input string properly
Closes #5792
2020-08-07 11:49:36 +02:00
Daniel Stenberg
2754a89362
ngtcp2: adapt to error code rename
Closes #5786
2020-08-05 23:35:31 +02:00
Daniel Stenberg
a0c461434c
gtls: survive not being able to get name/issuer
Closes #5778
2020-08-05 14:44:48 +02:00
Daniel Stenberg
7f187d897c
h2: repair trailer handling
The previous h2 trailer fix in 54a2b63 was wrong and caused a
regression: it cannot deal with trailers immediately when read since
they may be read off the connection by the wrong 'data' owner.

This change reverts the logic back to gathering all trailers into a
single buffer, like before 54a2b63.

Reported-by: Tadej Vengust
Fixes #5663
Closes #5769
2020-08-03 23:43:24 +02:00
Viktor Szakats
8297978c21
windows: disable Unix Sockets for old mingw
Classic mingw and 10y+ old versions of mingw-w64 don't ship with
Windows headers having the typedef necessary for Unix Sockets
support, so try detecting these environments to disable this
feature.

Ref: cf6afc5717/

Reviewed-by: Daniel Stenberg

Fixes #5674
Closes #5758
2020-08-03 14:31:49 +00:00
Cameron Cawley
790137b0f7
win32: Add Curl_verify_windows_version() to curlx
Closes https://github.com/curl/curl/pull/5754
2020-08-02 17:58:44 +02:00
Daniel Stenberg
ca567dc5a4
multi: Condition 'extrawait' is always true
Reported by Codacy.

Reviewed-by: Marcel Raad
Closes #5759
2020-08-01 23:21:29 +02:00
Marcel Raad
c71d8bb56d
openssl: fix build with LibreSSL < 2.9.1
`SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
introduced in LibreSSL 2.9.1 [0].

[0] 0db809ee17

Closes https://github.com/curl/curl/pull/5757
2020-08-01 17:47:32 +02:00
Marc Aldorasi
d5bb459ccf
multi_remove_handle: close unused connect-only connections
Previously any connect-only connections in a multi handle would be kept
alive until the multi handle was closed.  Since these connections cannot
be re-used, they can be marked for closure when the associated easy
handle is removed from the multi handle.

Closes #5749
2020-08-01 15:26:08 +02:00
Marc Hoersken
633c9478c9
connect: remove redundant message about connect failure
Reviewed-by: Daniel Stenberg

Closes #5708
2020-07-31 18:58:03 +02:00
Jay Satiro
a12a16151a url: fix CURLU and location following
Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
incorrectly used for the location follow, resulting in infinite requests
to the original location.

Reported-by: sspiri@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/5709
Closes https://github.com/curl/curl/pull/5713
2020-07-30 11:57:35 -04:00
Daniel Stenberg
2f72ad44fc
checksrc: ban gmtime/localtime
They're not thread-safe so they should not be used in libcurl code.

Explictly enabled when deemed necessary and in examples and tests

Reviewed-by: Nicolas Sterchele
Closes #5732
2020-07-28 23:51:17 +02:00
Daniel Stenberg
5ae339971a
transfer: fix data_pending for builds with both h2 and h3 enabled
Closes #5734
2020-07-28 23:48:49 +02:00
Daniel Stenberg
abe59221fc
curl_multi_setopt: fix compiler warning "result is always false"
On systems with 32 bit long the expression is always false. Avoid
the warning.

Reported-by: Gisle Vanem
Bug: 61a08508f6 (commitcomment-40941232)
Closes #5736
2020-07-28 23:37:01 +02:00
Daniel Stenberg
81b4e99b1e
curl: improve the existing file check with -J
Previously a file that isn't user-readable but is user-writable would
not be properly avoided and would get overwritten.

Reported-by: BrumBrum on hackerone
Assisted-by: Jay Satiro
Bug: https://hackerone.com/reports/926638
Closes #5731
2020-07-28 23:28:40 +02:00
Jonathan Nieder
2b6b843bb1
multi: update comment to say easyp list is linear
Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1,
2013-08-02), the easy handle list is not circular but ends with
->next pointing to NULL.

Reported-by: Masaya Suzuki <masayasuzuki@google.com>
Closes #5737
2020-07-28 15:48:30 +02:00
Daniel Stenberg
d259cf1a9b
ngtcp2: store address in sockaddr_storage
Reported-by: Tatsuhiro Tsujikawa
Closes #5733
2020-07-27 19:46:58 +02:00
Daniel Stenberg
91cb16b21f
setopt: unset NOBODY switches to GET if still HEAD
Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
action but before 7.71.0 that used to switch back to GET and with this
change (assuming the method is still set to HEAD) this behavior is
brought back.

Reported-by: causal-agent on github
Fixes #5725
Closes #5728
2020-07-27 19:33:16 +02:00
Ehren Bendler
14e63c19a0
configure: cleanup wolfssl + pkg-config conflicts when cross compiling.
Also choose a different wolfSSL function to test for NTLM support.

Fixes #5605
Closes #5682
2020-07-27 15:18:13 +02:00
Daniel Stenberg
425fa864ce
quiche: handle calling disconnect twice
Reported-by: lilongyan-huawei on github
Fixes #5726
Closes #5727
2020-07-27 12:53:46 +02:00
Nicolas Sterchele
0b85969226
getinfo: reset retry-after value in initinfo
- Avoid re-using retry_after value from preceding request
- Add libtest 3010 to verify

Reported-by: joey-l-us on github
Fixes #5661
Closes #5672
2020-07-27 12:15:44 +02:00
Marcel Raad
0c6112a139
WIN32: stop forcing narrow-character API
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.

Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
2020-07-27 10:42:38 +02:00
Tobias Stoeckmann
8829703b5a mprintf: Fix stack overflows
Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:43:00 -04:00
Tobias Stoeckmann
94b03664de mprintf: Fix dollar string handling
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.

Also do not read behind boundaries of illegal format strings.

These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.

Closes https://github.com/curl/curl/pull/5722
2020-07-27 03:42:59 -04:00
Daniel Stenberg
376d5bb323
ntlm: free target_info before (re-)malloc
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379

Closes #5724
2020-07-26 23:48:36 +02:00
Marcel Raad
d746ff1107
doh: remove redundant cast
Closes https://github.com/curl/curl/pull/5704
2020-07-21 20:00:29 +02:00
Marcel Raad
2998749850
md(4|5): don't use deprecated macOS functions
They are marked as deprecated for -mmacosx-version-min >= 10.15,
which might result in warnings-as-errors.

Closes https://github.com/curl/curl/pull/5695
2020-07-19 10:34:52 +02:00
Daniel Stenberg
3c4c4ec2ee
strdup: remove the odd strlen check
It confuses code analyzers with its use of -1 for unsigned value. Also,
a check that's not normally used in strdup() code - and not necessary.

Closes #5697
2020-07-18 12:37:25 +02:00
Daniel Stenberg
da3e0f406a
ngtcp2: adjust to recent sockaddr updates
Closes #5690
2020-07-16 23:56:42 +02:00
Daniel Stenberg
954cd3eb48
CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
... by adding support for a new dedicated return code.

Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
2020-07-16 00:24:29 +02:00
Baruch Siach
2f5d0e497e
nss: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Closes #5667
2020-07-14 23:42:20 +02:00
Daniel Stenberg
d75e3ab74c
CURLINFO_EFFECTIVE_METHOD: added
Provide the HTTP method that was used on the latest request, which might
be relevant for users when there was one or more redirects involved.

Closes #5511
2020-07-14 17:53:45 +02:00
Viktor Szakats
8fa3f7809a
windows: add unicode to feature list
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken

Closes #5491
2020-07-14 08:30:17 +00:00
Daniel Stenberg
61a08508f6
multi: remove two checks always true
Detected by Codacy
Closes #5676
2020-07-14 00:12:08 +02:00
ihsinme
60aa961288
socks: use size_t for size variable
Use the unsigned type (size_t) in the arithmetic of pointers. In this
context, the signed type (ssize_t) is used unnecessarily.

Authored-by: ihsinme on github
Closes #5654
2020-07-12 22:52:19 +02:00
Gilles Vollant
e13357b14b
content_encoding: add zstd decoding support
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu

Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
2020-07-12 18:11:37 +02:00
Daniel Stenberg
c4026a9897
asyn.h: remove the Curl_resolver_getsock define
- not used
 - used the wrong number of arguments
 - confused the Codeacy code analyzer

Closes #5647
2020-07-12 18:06:50 +02:00
Daniel Stenberg
0d4c3618e9
ngtcp2: update to modified qlog callback prototype
Closes #5675
2020-07-12 17:53:08 +02:00
Daniel Stenberg
9466034561
transfer: fix memory-leak with CURLOPT_CURLU in a duped handle
Added test case 674 to reproduce and verify the bug report.

Fixes #5665
Reported-by: NobodyXu on github
Closes #5673
2020-07-12 16:36:02 +02:00
Baruch Siach
81bf2713ae
bearssl: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Reviewed-by: Nicolas Sterchele
Closes #5666
2020-07-12 16:22:38 +02:00
Daniel Stenberg
69bfde4515
http2: only do the *done() cleanups for HTTP
Follow-up to ef86daf4d3

Closes #5650
Fixes #5646
2020-07-04 01:13:50 +02:00
Alex Kiernan
0fda8db95c
gnutls: repair the build with CURL_DISABLE_PROXY
`http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
if `CURL_DISABLE_PROXY` is enabled.  Repair the build with that
configuration.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Closes #5645
2020-07-04 00:18:43 +02:00
Alex Kiernan
691df98d51 gnutls: Fetch backend when using proxy
Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge")
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2020-07-03 14:11:37 +01:00
Laramie Leavitt
ef86daf4d3
http2: close the http2 connection when no more requests may be sent
Well-behaving HTTP2 servers send two GOAWAY messages. The first
message is a warning that indicates that the server is going to
stop accepting streams. The second one actually closes the stream.

nghttp2 reports this state (and the other state of no more stream
identifiers) via the call nghttp2_session_check_request_allowed().
In this state the client should not create more streams on the
session (tcp connection), and in curl this means that the server
has requested that the connection is closed.

It would be also be possible to put the connclose() call into the
on_http2_frame_recv() function that triggers on the GOAWAY message.

This fixes a bug seen when the client sees the following sequence of
frames:

// advisory GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1]
... some additional frames

// final GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ]

Before this change, curl will attempt to reuse the connection even
after the last stream, will encounter this error:

* Found bundle for host localhost: 0x5595f0a694e0 [can multiplex]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 10443 (#0)
* Using Stream ID: 9 (easy handle 0x5595f0a72e30)
> GET /index.html?5 HTTP/2
> Host: localhost:10443
> user-agent: curl/7.68.0
> accept: */*
>
* stopped the pause stream!
* Connection #0 to host localhost left intact
curl: (16) Error in the HTTP2 framing layer

This error may posion the connection cache, causing future requests
which resolve to the same curl connection to go through the same error
path.

Closes #5643
2020-07-03 11:16:48 +02:00
Jeremy Maitin-Shepard
31f0e864c7
http2: fix nghttp2_strerror -> nghttp2_http2_strerror in debug messages
Confusingly, nghttp2 has two different error code enums:

- nghttp2_error, to be used with nghttp2_strerror
- nghttp2_error_code, to be used with nghttp2_http2_strerror

Closes #5641
2020-07-02 23:37:28 +02:00
Marcel Raad
19b96ba385
url: silence MSVC warning
Since commit f3d501dc67, if proxy support is disabled, MSVC warns:
url.c : warning C4701: potentially uninitialized local variable
'hostaddr' used
url.c : error C4703: potentially uninitialized local pointer variable
'hostaddr' used

That could actually only happen if both `conn->bits.proxy` and
`CURL_DISABLE_PROXY` were enabled.
Initialize it to NULL to silence the warning.

Closes https://github.com/curl/curl/pull/5638
2020-07-02 13:31:22 +02:00
Daniel Stenberg
25222b14ef
Revert "multi: implement wait using winsock events"
This reverts commit 8bc25c590e.

That commit (from #5397) introduced a regression in 7.71.0.

Reported-by: tmkk on github
Fixes #5631
Closes #5632
2020-06-30 12:27:23 +02:00
Daniel Stenberg
c891e681bf
ngtcp2: sync with current master
ngtcp2 added two new callbacks

Reported-by: Lucien Zürcher
Fixes #5624
Closes #5627
2020-06-29 17:09:59 +02:00
Daniel Stenberg
9bfe665913
vtls: compare cert blob when finding a connection to reuse
Reported-by: Gergely Nagy
Fixes #5617
Closes #5619
2020-06-29 09:01:55 +02:00
Daniel Stenberg
032e838b73
terminology: call them null-terminated strings
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).

Reported-by: coinhubs on github
Fixes #5598
Closes #5608
2020-06-28 00:31:24 +02:00
Daniel Stenberg
ff43fb6dec
http: fix proxy auth with blank password
Regression in 7.71.0

Added test case 346 to verify.

Reported-by: Kristoffer Gleditsch
Fixes #5613
Closes #5616
2020-06-28 00:29:59 +02:00
Baruch Siach
989e6dffc5
mbedtls: fix build with disabled proxy support
Don't reference fields that do not exist. Fixes build failure:

vtls/mbedtls.c: In function 'mbed_connect_step1':
vtls/mbedtls.c:249:54: error: 'struct connectdata' has no member named 'http_proxy'

Closes #5615
2020-06-26 14:20:20 +02:00
Daniel Stenberg
d5ed571948
url: allow user + password to contain "control codes" for HTTP(S)
Reported-by: Jon Johnson Jr
Fixes #5582
Closes #5592
2020-06-25 09:57:19 +02:00
Daniel Stenberg
31e53584db
escape: make the URL decode able to reject only %00 bytes
... or all "control codes" or nothing.

Assisted-by: Nicolas Sterchele
2020-06-25 09:57:18 +02:00
Daniel Stenberg
646cc574f0
http2: set the correct URL in pushed transfers
...previously CURLINFO_EFFECTIVE_URL would report the URL of the
original "mother transfer", not the actually pushed resource.

Reported-by: Jonathan Cardoso Machado
Fixes #5589
Closes #5591
2020-06-25 09:31:21 +02:00
Javier Blazquez
ae3d1e04f6 openssl: Fix compilation on Windows when ngtcp2 is enabled
- Include wincrypt before OpenSSL includes so that the latter can
  properly handle any conflicts between the two.

Closes https://github.com/curl/curl/pull/5606
2020-06-25 03:11:46 -04:00
Daniel Stenberg
32defc3197
escape: zero length input should return a zero length output
Regression added in 7.71.0.

Fixes #5601
Reported-by: Kristoffer Gleditsch
Closes #5602
2020-06-25 00:00:28 +02:00
Daniel Stenberg
d2baa502fc
Curl_inet_ntop: always check the return code
Reported-by: Siva Sivaraman
Fixes #5412
Closes #5597
2020-06-24 16:04:54 +02:00
Daniel Stenberg
550bcdd442
sendf: improve the message on client write errors
Replace "Failed writing body (X != Y)" with
"Failure writing output to destination". Possibly slightly less cryptic.

Reported-by: coinhubs on github
Fixes #5594
Closes #5596
2020-06-24 16:03:40 +02:00
Daniel Stenberg
ff1c37cbe3
url: make sure pushed streams get an allocated download buffer
Follow-up to c4e6968127

When a new transfer is created, as a resuly of an acknowledged push,
that transfer needs a download buffer allocated.

Closes #5590
2020-06-23 15:13:27 +02:00
Jay Satiro
abbc5d6044 openssl: Don't ignore CA paths when using Windows CA store
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.

The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.

Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585
2020-06-22 15:31:38 -04:00
Jay Satiro
c9c31b9245 openssl: Fix CA fallback logic for OpenSSL 3.0 build
Prior to this change I assume a build error would occur when
CURL_CA_FALLBACK was used.

Closes https://github.com/curl/curl/pull/5587
2020-06-22 12:24:57 -04:00
Daniel Stenberg
0f55269aff
copyright: update mismatched copyright years 2020-06-22 11:55:34 +02:00
Valentyn Korniienko
e39a6e2cea
multibyte: Fixed access-> waccess to file for Windows Plarform
Reviewed-by: Marcel Raad
Closes #5580
2020-06-21 19:31:39 +02:00
Daniel Stenberg
3f84b3e39a
altsvc: bump to h3-29
Closes #5584
2020-06-19 23:29:26 +02:00
Daniel Stenberg
dc90f51065
connect: improve happy eyeballs handling
For QUIC but also for regular TCP when the second family runs out of IPs
with a failure while the first family is still trying to connect.

Separated the timeout handling for IPv4 and IPv6 connections when they
both have a number of addresses to iterate over.
2020-06-18 00:20:42 +02:00
Daniel Stenberg
325866fd6f
ngtcp2: never call fprintf() in lib code in release version 2020-06-18 00:20:42 +02:00
Daniel Stenberg
b6af4c2336
ngtcp2: fix happy eyeballs quic connect crash
Reported-by: Peter Wu
Fixes #5565
Closes #5568
2020-06-18 00:20:42 +02:00
Daniel Stenberg
3bf18cdadd
select: remove the unused ELAPSED_MS() macro
Closes #5573
2020-06-18 00:11:25 +02:00
rcombs
8bc25c590e
multi: implement wait using winsock events
This avoids using a pair of TCP ports to provide wakeup functionality
for every multi instance on Windows, where socketpair() is emulated
using a TCP socket on loopback which could in turn lead to socket
resource exhaustion.

Reviewed-by: Gergely Nagy
Reviewed-by: Marc Hörsken

Closes #5397
2020-06-17 07:18:08 +02:00
Ruurd Beerstra
d80d419d3e
ntlm: enable NTLM support with wolfSSL
When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
functions that OpenSSL has. This change take advantage of that.

Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
2020-06-16 09:06:19 +02:00
Daniel Stenberg
e15e51384a
http: move header storage to Curl_easy from connectdata
Since the connection can be used by many independent requests (using
HTTP/2 or HTTP/3), things like user-agent and other transfer-specific
data MUST NOT be kept connection oriented as it could lead to requests
getting the wrong string for their requests. This struct data was
lingering like this due to old HTTP1 legacy thinking where it didn't
mattered..

Fixes #5566
Closes #5567
2020-06-15 22:56:25 +02:00
Daniel Stenberg
b88bdedf9c
altsvc: remove the num field from the altsvc struct
It was superfluous since we have the list.size alredy

Reported-by: Jay Satiro
Fixes #5553
Closes #5563
2020-06-12 23:24:11 +02:00
Daniel Stenberg
8b4e796775
share: don't set the share flag it something fails
When asking for a specific feature to be shared in the share object,
that bit was previously set unconditionally even if the shared feature
failed or otherwise wouldn't work.

Closes #5554
2020-06-12 09:42:52 +02:00
Daniel Stenberg
eab2f95c0d
wording: avoid blacklist/whitelist stereotypes
Instead of discussing if there's value or meaning (implied or not) in
the colors, let's use words without the same possibly negative
associations.

Closes #5546
2020-06-10 08:49:17 +02:00
Daniel Stenberg
2a41e23671
socks: detect connection close during handshake
The SOCKS4/5 state machines weren't properly terminated when the proxy
connection got closed, leading to a busy-loop.

Reported-By: zloi-user on github
Fixes #5532
Closes #5542
2020-06-08 23:19:36 +02:00
xquery
0a35580e21
multi: add defensive check on data->multi->num_alive
Closes #5540
2020-06-08 16:14:07 +02:00
Daniel Stenberg
54d3769761
Curl_addrinfo: use one malloc instead of three
To reduce the amount of allocations needed for creating a Curl_addrinfo
struct, make a single larger malloc instead of three separate smaller
ones.

Closes #5533
2020-06-08 16:10:53 +02:00
Alessandro Ghedini
5277775462
quiche: update SSLKEYLOGFILE support
quiche now requires the application to explicitly set the keylog path
for each connection, rather than reading the environment variable
itself.

Closes #5541
2020-06-08 16:09:49 +02:00
Daniel Stenberg
99e09d9046
ngtcp2: update with recent API changes
Syncs with ngtcp2 commit 7e9a917d386d98 merged June 7 2020.

Assisted-by: Tatsuhiro Tsujikawa
Closes #5538
2020-06-08 11:11:00 +02:00
xquery
b950120b2d
socks: remove unreachable breaks in socks.c and mime.c
Closes #5537
2020-06-08 11:04:44 +02:00
Daniel Stenberg
7370b4e39f
libssh2: keep sftp errors as 'unsigned long'
Remove weird work-around for storing the SFTP errors as int instead of
the "unsigned long" that libssh2 actually returns for SFTP errors.

Closes #5534
2020-06-08 08:38:48 +02:00
Marc Hoersken
3186f50054
timeouts: move ms timeouts to timediff_t from int and long
Now that all functions in select.[ch] take timediff_t instead
of the limited int or long, we can remove type conversions
and related preprocessor checks to silence compiler warnings.

Avoiding conversions from time_t was already done in 842f73de.

Based upon #5262
Supersedes #5214, #5220 and #5221
Follow up to #5343 and #5479
Closes #5490
2020-06-06 20:05:58 +02:00
François Rigault
e2de2d5397
openssl: set FLAG_TRUSTED_FIRST unconditionally
On some systems, openssl 1.0.x is still the default, but it has been
patched to contain all the recent security fixes. As a result of this
patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
defined, while the previous behavior of openssl to not look at trusted
chains first, remains.

Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
probe for the behavior of openssl based on the existence ofmacros.

Closes #5530
2020-06-06 18:01:24 +02:00
Cherish98
e980cbb8e7
socks: fix expected length of SOCKS5 reply
Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the
reply ATYP is X'01'. This resulted in erroneously expecting more bytes
when the request length is greater than the reply length (e.g., when
remotely resolving the hostname).

Closes #5527
2020-06-05 23:20:10 +02:00
Daniel Stenberg
d957ed4941
trailers: switch h1-trailer logic to use dynbuf
In the continued effort to remove "manual" realloc schemes.

Closes #5524
2020-06-05 17:57:24 +02:00
Peter Wu
ceab0febd0 quiche: advertise draft 28 support
Fix the verbose message while at it, quiche currently supports draft
27 and draft 28 simultaneously.

Closes #5518
2020-06-04 22:07:56 +02:00
Daniel Stenberg
74368dc6ae
altsvc: fix 'dsthost' may be used uninitialized in this function 2020-06-03 16:28:56 +02:00
Daniel Stenberg
9c845be279
urldata: let the HTTP method be in the set.* struct
When the method is updated inside libcurl we must still not change the
method as set by the user as then repeated transfers with that same
handle might not execute the same operation anymore!

This fixes the libcurl part of #5462

Test 1633 added to verify.

Closes #5499
2020-06-02 16:30:36 +02:00
Daniel Stenberg
cba70628ae
hostip: fix the memory-leak introduced in 67d2802
Fixes #5503
Closes #5504
2020-06-02 12:43:50 +02:00
Saleem Abdulrasool
21ed48e8d9
vtls: repair the build with CURL_DISABLE_PROXY
`http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
is enabled.  Repair the build with that configuration.

Follow-up to f3d501dc67

Closes #5498
2020-06-01 23:03:31 +02:00
Daniel Stenberg
b77a2528f8
transfer: remove k->str NULL check
"Null-checking k->str suggests that it may be null, but it has already
been dereferenced on all paths leading to the check" - and it can't
legally be NULL at this point. Remove check.

Detected by Coverity CID 1463884

Closes #5495
2020-06-01 15:22:36 +02:00
Marc Hoersken
5325b92a0a
select: always use Sleep in Curl_wait_ms on Win32
Since Win32 almost always will also have USE_WINSOCK,
we can reduce complexity and always use Sleep there.

Assisted-by: Jay Satiro
Reviewed-by: Daniel Stenberg

Follow up to #5343
Closes #5489
2020-06-01 08:32:21 +02:00
Daniel Stenberg
8346c90b78
conncache: download buffer needs +1 size for trailing zero
Follow-up to c4e6968127
Detected by OSS-Fuzz: https://oss-fuzz.com/testcase-detail/5727799779524608
2020-05-31 17:45:57 +02:00
Daniel Stenberg
f3d501dc67
build: disable more code/data when built without proxy support
Added build to travis to verify

Closes #5466
2020-05-30 23:18:16 +02:00
Daniel Stenberg
c4e6968127
url: alloc the download buffer at transfer start
... and free it as soon as the transfer is done. It removes the extra
alloc when a new size is set with setopt() and reduces memory for unused
easy handles.

In addition: the closure_handle now doesn't use an allocated buffer at
all but the smallest supported size as a stack based one.

Closes #5472
2020-05-30 23:14:33 +02:00
Daniel Stenberg
842f73de58
timeouts: change millisecond timeouts to timediff_t from time_t
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.

Closes #5479
2020-05-30 23:10:57 +02:00
Marc Hoersken
fc55c723c4
select: add overflow checks for timeval conversions
Using time_t and suseconds_t if suseconds_t is available,
long on Windows (maybe others in the future) and int elsewhere.

Also handle case of ULONG_MAX being greater or equal to INFINITE.

Assisted-by: Jay Satiro
Reviewed-by: Daniel Stenberg

Part of #5343
2020-05-30 10:21:23 +02:00
Marc Hoersken
4a8f459837
select: use timediff_t instead of time_t and int for timeout_ms
Make all functions in select.[ch] take timeout_ms as timediff_t
which should always be large enough and signed on all platforms
to take all possible timeout values and avoid type conversions.

Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg

Replaces #5107 and partially #5262
Related to #5240 and #5286
Closes #5343
2020-05-30 10:20:40 +02:00
Daniel Stenberg
733a39a907
libssh2: improved error output for wrong quote syntax
Reported-by: Werner Stolz

Closes #5474
2020-05-29 09:35:52 +02:00
Daniel Stenberg
155551c446
urldata: fix comments: Curl_done() is called multi_done() now
... since 575e885db
2020-05-28 10:13:39 +02:00
Peter Wu
697f984ec9 ngtcp2: use common key log routine for better thread-safety
Tested with ngtcp2 built against the OpenSSL library. Additionally
tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC).

The TLS backend (independent of QUIC) may or may not already have opened
the keylog file before. Therefore Curl_tls_keylog_open is always called
to ensure the file is open.
2020-05-27 21:19:51 +02:00
Peter Wu
7be7c56be9 wolfssl: add SSLKEYLOGFILE support
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.

Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.

Closes #5327
2020-05-27 21:19:51 +02:00
Peter Wu
6011a986ca vtls: Extract and simplify key log file handling from OpenSSL
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:

 - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
 - Do not perform dynamic memory allocation when preparing a log entry.
   Unless the TLS specifications change we can suffice with a reasonable
   fixed-size buffer.
 - Simplify state tracking when SSL_CTX_set_keylog_callback is
   unavailable. My original sslkeylog.c code included this tracking in
   order to handle multiple calls to SSL_connect and detect new keys
   after renegotiation (via SSL_read/SSL_write). For curl however we can
   be sure that a single master secret eventually becomes available
   after SSL_connect, so a simple flag is sufficient. An alternative to
   the flag is examining SSL_state(), but this seems more complex and is
   not pursued. Capturing keys after server renegotiation was already
   unsupported in curl and remains unsupported.

Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:

    # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
    openssl s_server -www -tls1
    # Likewise, but fail the server handshake.
    openssl s_server -www -tls1 -Verify 2
    # TLS 1.3 test. No need to test the failing server handshake.
    openssl s_server -www -tls1_3

Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.

    tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
        -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
        -dtls.port==4433,http -ohttp.desegment_body:FALSE \
        -Y 'tls.handshake.verify_data or http'

A single connection can easily be identified via the `tcp.stream` field.
2020-05-27 21:19:51 +02:00
Michael Kaufmann
3d44bfb08d
transfer: close connection after excess data has been read
For HTTP 1.x, it's a protocol error when the server sends more bytes
than announced. If this happens, don't reuse the connection, because the
start position of the next response is undefined.

Closes #5440
2020-05-27 08:16:35 +02:00
Estanislau Augé-Pujadas
18e63b1679
Revert "ssh: ignore timeouts during disconnect"
This reverts commit f31760e63b. Shipped in
curl 7.54.1.

Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html
Closes #5465
2020-05-27 08:13:13 +02:00
Daniel Stenberg
7414fb25a2
urldata: connect related booleans live in struct ConnectBits
And remove a few unused booleans!

Closes #5461
2020-05-27 08:02:47 +02:00
Daniel Stenberg
67d2802dea
hostip: on macOS avoid DoH when given a numerical IP address
When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that
numerical IP addresses still need to get "resolved" - but not with DoH.

Reported-by: Viktor Szakats
Fixes #5454
Closes #5459
2020-05-26 17:37:39 +02:00
Daniel Stenberg
96a822f6e2
ngtcp2: cleanup memory when failing to connect
Reported-by: Peter Wu
Fixes #5447 (the ngtcp2 side of it)
Closes #5451
2020-05-26 10:16:32 +02:00
Daniel Stenberg
3ff207f7e3
quiche: clean up memory properly when failing to connect
Addresses the quiche side of #5447
Reported-by: Peter Wu
Closes #5450
2020-05-26 10:15:18 +02:00
Daniel Stenberg
d23cc224e6
cleanup: use a single space after equals sign in assignments 2020-05-26 08:28:38 +02:00
Daniel Stenberg
ad829b21ae
url: accept "any length" credentials for proxy auth
They're only limited to the maximum string input restrictions, not to
256 bytes.

Added test 1178 to verify

Reported-by: Will Roberts
Fixes #5448
Closes #5449
2020-05-25 23:08:57 +02:00
Daniel Stenberg
d844f2b9ff
altsvc: fix parser for lines ending with CRLF
Fixed the alt-svc parser to treat a newline as end of line.

The unit tests in test 1654 were done without CRLF and thus didn't quite
match the real world. Now they use CRLF as well.

Reported-by: Peter Wu
Assisted-by: Peter Wu
Assisted-by: Jay Satiro
Fixes #5445
Closes #5446
2020-05-25 23:05:27 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Peter Wu
54d122287c ngtcp2: fix build with current ngtcp2 master implementing draft 28
Based on client.cc changes from ngtcp2. Tested with current git master,
ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380.

Fixes #5444
Closes #5443
2020-05-25 17:34:00 +02:00
Daniel Stenberg
d75e6ce85a
copyright: updated year ranges out of sync
... and whitelisted a few more files in the the copyright.pl script.
2020-05-24 00:02:33 +02:00
Gilles Vollant
7f40633422
setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
Closes #5431
2020-05-23 23:19:13 +02:00
Daniel Stenberg
f6c6a159f5
Revert "sendf: make failf() use the mvsnprintf() return code"
This reverts commit 74623551f3.

Instead mark the function call with (void). Getting the return code and
using it instead triggered Coverity warning CID 1463596 because
snprintf() can return a negative value...

Closes #5441
2020-05-22 12:34:51 +02:00
Daniel Stenberg
557dde201c
sha256: move assign to the declaration line
Follow-up to fae30656. Should've been squashed with that commit...
2020-05-19 08:52:38 +02:00
Siva Sivaraman
fae3065676
sha256: fixed potentially uninitialized variable
Closes #5414
2020-05-19 08:47:12 +02:00
Daniel Stenberg
74623551f3
sendf: make failf() use the mvsnprintf() return code
... and avoid a strlen() call. Fixes a MonocleAI warning.

Reported-by: MonocleAI
Fixes #5413
Closes #5420
2020-05-19 08:13:31 +02:00
Daniel Stenberg
67521b5ecf
hostip: make Curl_printable_address not return anything
It was not used much anyway and instead we let it store a blank buffer
in case of failure.

Reported-by: MonocleAI
Fixes #5411
Closes #5418
2020-05-19 08:11:46 +02:00
Daniel Stenberg
dbc5c17738
ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
They're done on purpose, make that visible in the code.
Reported-by: MonocleAI
Fixes #5412
Closes #549
2020-05-19 08:06:41 +02:00
Daniel Stenberg
3df42ca949
dynbuf: return NULL when there's no buffer length
... as returning a "" is not a good idea as the string is supposed to be
allocated and returning a const string will cause issues.

Reported-by: Brian Carpenter
Follow-up to ed35d6590e
Closes #5405
2020-05-17 23:20:56 +02:00
Peter Wu
a158a09166 CMake: add libssh build support
Closes #5372
2020-05-15 21:58:12 +02:00
Vyron Tsingaras
34a5400de1
http2: keep trying to send pending frames after req.upload_done
Fixes #1410
Closes #5401
2020-05-15 15:49:18 +02:00
Gilles Vollant
cac5374298
setopt: support certificate options in memory with struct curl_blob
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357
2020-05-15 13:03:59 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Daniel Stenberg
449e54b483
ftp: make domore_getsock() return the secondary socket properly
Previously, after PASV and immediately after the data connection has
connected, the function would only return the control socket to wait for
which then made the data connection simply timeout and not get polled
correctly. This become obvious when running test 1631 and 1632 event-
based.
2020-05-15 08:28:56 +02:00
Daniel Stenberg
f002c850d9
ftp: shut down the secondary connection properly when SSL is used
Reported-by: Neal Poole
Fixes #5340
Closes #5385
2020-05-15 08:28:55 +02:00
Marcel Raad
ffdddb45d9
curl_setup: support Unicode functions to open files on Windows
Use them only if `_UNICODE` is defined, in which case command-line
arguments have been converted to UTF-8.

Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:37 +02:00
Marcel Raad
9e5669f388
tool: support UTF-16 command line on Windows
- use `wmain` instead of `main` when `_UNICODE` is defined [0]
- define `argv_item_t` as `wchar_t *` in this case
- use the curl_multibyte gear to convert the command-line arguments to
  UTF-8

This makes it possible to pass parameters with characters outside of
the current locale on Windows, which is required for some tests, e.g.
the IDN tests. Out of the box, this currently only works with the
Visual Studio project files, which default to Unicode, and winbuild
with the `ENABLE_UNICODE` option.

[0] https://devblogs.microsoft.com/oldnewthing/?p=40643

Ref: https://github.com/curl/curl/issues/3747
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:36 +02:00
Marcel Raad
a55c835e6b
curl_multibyte: add to curlx
This will also be needed in the tool and tests.

Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:27 +02:00
Daniel Stenberg
600a8cded4
url: make the updated credentials URL-encoded in the URL
Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400
2020-05-14 17:59:47 +02:00
Major_Tom
8e762199b0
vauth/cleartext: fix theoretical integer overflow
Fix theoretical integer overflow in Curl_auth_create_plain_message.

The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.

Closes #5391
2020-05-14 08:36:35 +02:00
Daniel Stenberg
66b0775763
checksrc: enhance the ASTERISKSPACE and update code accordingly
Fine: "struct hello *world"

Not fine: "struct hello* world" (and variations)

Closes #5386
2020-05-14 00:02:05 +02:00
Daniel Stenberg
81a54b12c6
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
2020-05-13 16:39:36 +02:00
Daniel Stenberg
e1f3f3a14f
url: reject too long input when parsing credentials
Since input passed to libcurl with CURLOPT_USERPWD and
CURLOPT_PROXYUSERPWD circumvents the regular string length check we have
in Curl_setstropt(), the input length limit is enforced in
Curl_parse_login_details too, separately.

Reported-by: Thomas Bouzerar
Closes #5383
2020-05-13 08:02:42 +02:00
denzor
a9021716cc easy: fix dangling pointer on easy_perform fail
Closes https://github.com/curl/curl/pull/5363
2020-05-12 03:00:27 -04:00
Daniel Stenberg
db8866fad9
url: sort the protocol schemes in rough popularity order
When looking for a protocol match among supported schemes, check the
most "popular" schemes first. It has zero functionality difference and
for all practical purposes a speed difference will not be measureable
but it still think it makes sense to put the least likely matches last.

"Popularity" based on the 2019 user survey.

Closes #5377
2020-05-12 08:22:04 +02:00
Peter Wu
5d8c53d320
CMake: add ENABLE_ALT_SVC option
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting
(not tested).
2020-05-10 23:36:54 +02:00
Peter Wu
5bfc874a35
CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)
Add three new CMake Find modules (using the curl license, but I grant
others the right to apply the CMake BSD license instead).

This CMake config is simpler than the autotools one because it assumes
ngtcp2 and nghttp3 to be used together. Another difference is that this
CMake config checks whether QUIC is actually supported by the TLS
library (patched OpenSSL or boringssl) since this can be a common
configuration mistake that could result in build errors later.

Unlike autotools, CMake does not warn you that the features are
experimental. The user is supposed to already know that and read the
documentation. It requires a very special build environment anyway.

Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from
current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure
out which features (libldap-2.4, libssh2) to disable due to conflicts
with boringssl.

Closes #5359
2020-05-10 23:36:41 +02:00