1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 15:05:02 -05:00
Commit Graph

10056 Commits

Author SHA1 Message Date
Daniel Stenberg
c3b297466d
http2: clear the drain counter in Curl_http2_done
Reported-by: Andrei Virtosu
Fixes #2800
Closes #2809
2018-07-30 18:30:52 +02:00
Daniel Stenberg
09e401e01b
smb: fix memory leak on early failure
... by making sure connection related data (->share) is stored in the
connection and not in the easy handle.

Detected by OSS-fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
Fixes #2769
Closes #2810
2018-07-30 17:59:36 +02:00
Daniel Stenberg
10061f475e
conn_free: updated comment to clarify
Let's call it disassociate instead of disconnect since the latter term
is used so much for (TCP) connections already.
2018-07-28 23:18:32 +02:00
Daniel Stenberg
d390541944
mime: check Curl_rand_hex's return code
Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html
Reported-by: Jeffrey Walton
Closes #2795
2018-07-28 22:36:15 +02:00
Carie Pointer
10d8f3f134
wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
RNG structure must be freed by call to FreeRng after its use in
Curl_cyassl_random. This call fixes Valgrind failures when running the
test suite with wolfSSL.

Closes #2784
2018-07-26 16:21:59 +02:00
Even Rouault
a7091ba75d
reuse_conn(): free old_conn->options
This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with
connection reuse.

I found this with oss-fuzz on GDAL and curl master:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582
I couldn't reproduce with the oss-fuzz original test case, but looking
at curl source code pointed to this well reproducable leak.

Closes #2790
2018-07-26 16:20:15 +02:00
djelinski
d0d48b4276
system_win32: fix version checking
In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false
when run on windows 10.0. This patch addresses that error.

Closes https://github.com/curl/curl/pull/2792
2018-07-25 22:15:01 +02:00
Johannes Schindelin
6f5ef24f06
auth: pick Bearer authentication whenever a token is available
So far, the code tries to pick an authentication method only if
user/password credentials are available, which is not the case for
Bearer authentictation...

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
2018-07-24 10:11:49 +02:00
Johannes Schindelin
df57b439f4
auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token
The Bearer authentication was added to cURL 7.61.0, but there is a
problem: if CURLAUTH_ANY is selected, and the server supports multiple
authentication methods including the Bearer method, we strongly prefer
that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer
authentication fails, we will never even try to attempt any other
method.

This is particularly unfortunate when we already know that we do not
have any Bearer token to work with.

Such a scenario happens e.g. when using Git to push to Visual Studio
Team Services (which supports Basic and Bearer authentication among
other methods) and specifying the Personal Access Token directly in the
URL (this aproach is frequently taken by automated builds).

Let's make sure that we have a Bearer token to work with before we
select the Bearer authentication among the available authentication
methods.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
2018-07-24 10:11:25 +02:00
Daniel Stenberg
81377cace6
vtls: set conn->data when closing TLS
Follow-up to 1b76c38904. The VTLS backends that close down the TLS
layer for a connection still needs a Curl_easy handle for the session_id
cache etc.

Fixes #2764
Closes #2771
2018-07-22 21:17:27 +02:00
Daniel Stenberg
7b9bc96c77
http2: several cleanups
- separate easy handle from connections better
- added asserts on a number of places
- added sanity check of pipelines for debug builds

Closes #2751
2018-07-20 22:58:42 +02:00
Daniel Stenberg
73af7bcd61
smb_getsock: always wait for write socket too
... the protocol is doing read/write a lot, so it needs to write often
even when downloading. A more proper fix could check for eactly when it
wants to write and only ask for it then.

Without this fix, an SMB download could easily get stuck when the event-driven
API was used.

Closes #2768
2018-07-20 22:53:06 +02:00
Ruslan Baratov
d1207c07d0
CMake: Update scripts to use consistent style
Closes #2727
Reviewed-by: Sergei Nikulov
2018-07-17 11:54:07 +02:00
Rodger Combs
092f6815c8 darwinssl: add support for ALPN negotiation 2018-07-14 18:32:47 -05:00
Patrick Monnerat
f8be737d8f content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
Some servers issue raw deflate data that may be followed by an undocumented
trailer. This commit makes curl tolerate such a trailer of up to 4 bytes
before considering the data is in error.

Reported-by: clbr on github
Fixes #2719
2018-07-12 22:46:15 +02:00
Daniel Stenberg
5b511b0958
smb: fix memory-leak in URL parse error path
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
Closes #2740
2018-07-12 14:47:11 +02:00
Marcel Raad
2c33105dbf
schannel: enable CALG_TLS1PRF for w32api >= 5.1
The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
73aedcc0f2
2018-07-12 14:38:55 +02:00
Daniel Stenberg
acefdd0cd1
multi: always do the COMPLETED procedure/state
It was previously erroneously skipped in some situations.

libtest/libntlmconnect.c wrongly depended on wrong behavior (that it
would get a zero timeout) when no handles are "running" in a multi
handle. That behavior is no longer present with this fix. Now libcurl
will always return a -1 timeout when all handles are completed.

Closes #2733
2018-07-11 23:41:24 +02:00
Daniel Stenberg
151d3c56dc
Curl_getoff_all_pipelines: improved for multiplexed
On multiplexed connections, transfers can be removed from anywhere not
just at the head as for pipelines.
2018-07-11 23:41:24 +02:00
Daniel Stenberg
c8373e3dfc
ares: check for NULL in completed-callback 2018-07-11 23:41:24 +02:00
Daniel Stenberg
1b76c38904
conn: remove the boolean 'inuse' field
... as the usage needs to be counted.
2018-07-11 23:41:24 +02:00
Paul Howarth
d6417f6c2d
openssl: assume engine support in 1.0.0 or later
Commit 38203f1585 changed engine detection to be version-based,
with a baseline of openssl 1.0.1. This does in fact break builds
with openssl 1.0.0, which has engine support - the configure script
detects that ENGINE_cleanup() is available - but <openssl/engine.h>
doesn't get included to declare it.

According to upstream documentation, engine support was added to
mainstream openssl builds as of version 0.9.7:
https://github.com/openssl/openssl/blob/master/README.ENGINE

This commit drops the version test down to 1.0.0 as version 1.0.0d
is the oldest version I have to test with.

Closes #2732
2018-07-11 23:40:10 +02:00
Marcel Raad
48cf45c5aa
schannel: fix MinGW compile break
Original MinGW's w32api has a sytax error in its definition of
CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
until this bug [1] is fixed.

[0] d1d4a17e51/w32api/include/wincrypt.h
[1] https://osdn.net/projects/mingw/ticket/38391

Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
Closes https://github.com/curl/curl/pull/2728
2018-07-11 13:04:15 +02:00
Jay Satiro
685dc3c082 lib/curl_setup.h: remove unicode character
Follow-up to 82ce416.

Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818
2018-07-09 16:04:50 -04:00
Daniel Stenberg
82ce416227
lib/curl_setup.h: remove unicode bom from 8272ec50f0 2018-07-09 21:26:32 +02:00
Marcel Raad
424f1cfefb
schannel: fix -Wsign-compare warning
MinGW warns:
/lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
conditional expression [-Wsign-compare]

Fix this by casting the ptrdiff_t to size_t as we know it's positive.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:09:05 +02:00
Marcel Raad
07f7c93f92
schannel: workaround for wrong function signature in w32api
Original MinGW's w32api has CryptHashData's second parameter as BYTE *
instead of const BYTE *.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:08:56 +02:00
Marcel Raad
a189ab91fe
schannel: make more cipher options conditional
They are not defined in the original MinGW's <wincrypt.h>.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:08:46 +02:00
Marcel Raad
8272ec50f0
curl_setup: include <winerror.h> before <windows.h>
Otherwise, only part of it gets pulled in through <windows.h> on
original MinGW.

Fixes https://github.com/curl/curl/issues/2361
Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:08:40 +02:00
Daniel Stenberg
ba1dbd78e5
smtp: use the upload buffer size for scratch buffer malloc
... not the read buffer size, as that can be set smaller and thus cause
a buffer overflow! CVE-2018-0500

Reported-by: Peter Wu
Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
2018-07-09 08:15:48 +02:00
Nick Zitzmann
b78d1a3d45
darwinssl: allow High Sierra users to build the code using GCC
...but GCC users lose out on TLS 1.3 support, since we can't weak-link
enumeration constants.

Fixes #2656
Closes #2703
2018-07-06 11:13:50 +02:00
Daniel Stenberg
03d884b7d8
libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE
... because otherwise not everything get closed down correctly.

Fixes #2708
Closes #2712
2018-07-06 09:11:35 +02:00
Daniel Stenberg
0d3eeaadb4
libssh: include line number in state change debug messages
Closes #2713
2018-07-06 09:11:20 +02:00
Gisle Vanem
ab4cf99694
telnet: fix clang warnings
telnet.c(1401,28): warning: cast from function call of type 'int' to
non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast]

Fixes #2696
Closes #2700
2018-07-01 12:45:27 +02:00
Gaurav Malhotra
09a72f5dd5
openssl: Remove some dead code
Closes #2698
2018-06-29 22:54:53 +02:00
Daniel Stenberg
6015cefb1b
openssl: make the requested TLS version the *minimum* wanted
The code treated the set version as the *exact* version to require in
the TLS handshake, which is not what other TLS backends do and probably
not what most people expect either.

Reported-by: Andreas Olsson
Assisted-by: Gaurav Malhotra
Fixes #2691
Closes #2694
2018-06-29 22:53:02 +02:00
Daniel Stenberg
08c845cfdb
openssl: allow TLS 1.3 by default
Reported-by: Andreas Olsson
Fixes #2692
Closes #2693
2018-06-29 09:15:34 +02:00
Daniel Stenberg
0aeca41702
getnameinfo: not used
Closes #2687
2018-06-27 13:49:18 +02:00
Daniel Stenberg
3ef67c6861
easy_perform: use *multi_timeout() to get wait times
... and trim the threaded Curl_resolver_getsock() to return zero
millisecond wait times during the first three milliseconds so that
localhost or names in the OS resolver cache gets detected and used
faster.

Closes #2685
2018-06-27 13:01:00 +02:00
Daniel Stenberg
f762fec323
url: check Curl_conncache_add_conn return code
... it was previously unchecked in two places and thus errors could
remain undetected and cause trouble.

Closes #2681
2018-06-25 16:36:10 +02:00
Daniel Stenberg
a3b7cb7e84
netrc: use a larger buffer
... to work with longer passwords etc. Grow it from a 256 to a 4096
bytes buffer.

Reported-by: Dario Nieuwenhuis
Fixes #2676
Closes #2680
2018-06-23 22:50:31 +02:00
Javier Blazquez
4c901638b4
multi: fix crash due to dangling entry in connect-pending list
Fixes #2677
Closes #2679
2018-06-23 22:31:52 +02:00
Daniel Stenberg
146178a9df
ConnectionExists: make sure conn->data is set when "taking" a connection
Follow-up to 2c15693.

Bug #2674
Closes #2675
2018-06-22 17:00:22 +02:00
Raphael Gozzo
59b284b6eb
cmake: allow multiple SSL backends
This will make possible to select the SSL backend (using
curl_global_sslset()) even when the libcurl is built using CMake

Closes #2665
2018-06-21 09:48:26 +02:00
Daniel Stenberg
2c15693a3c
url: fix dangling conn->data pointer
By masking sure to use the *current* easy handle with extracted
connections from the cache, and make sure to NULLify the ->data pointer
when the connection is put into the cache to make this mistake easier to
detect in the future.

Reported-by: Will Dietz
Fixes #2669
Closes #2672
2018-06-21 09:44:04 +02:00
Daniel Stenberg
ac9a179fe9
multi: fix memory leak when stopped during name resolve
When the application just started the transfer and then stops it while
the name resolve in the background thread hasn't completed, we need to
wait for the resolve to complete and then cleanup data accordingly.

Enabled test 1553 again and added test 1590 to also check when the host
name resolves successfully.

Detected by OSS-fuzz.
Closes #1968
2018-06-16 12:01:27 +02:00
Matteo Bignotti
47762f5583
mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
certdata.txt should be deleted also when the process is interrupted by
"same certificate downloaded, exiting"

The certdata.txt is currently kept on disk even if you give the -u
option

Closes #2655
2018-06-14 00:02:20 +02:00
Daniel Stenberg
0680ec9e2c
progress: remove a set of unused defines
Reported-by: Peter Wu
Closes #2654
2018-06-13 23:38:40 +02:00
Lyman Epp
a0f9670ec9
Curl_init_do: handle NULL connection pointer passed in
Closes #2653
2018-06-13 09:21:40 +02:00
Daniel Stenberg
5ae22272d1
Curl_debug: remove dead printhost code
The struct field is never set (since 5e0d9aea3) so remove the use of it
and remove the connectdata pointer from the prototype.

Reported-by: Tejas
Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html
Closes #2647
2018-06-12 16:00:27 +02:00
Viktor Szakats
819f44dc07 schannel: avoid incompatible pointer warning
with clang-6.0:
```
vtls/schannel_verify.c: In function 'add_certs_to_store':
vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types]
                              &cert_context)) {
                              ^
In file included from /usr/share/mingw-w64/include/schannel.h:10:0,
                 from /usr/share/mingw-w64/include/schnlsp.h:9,
                 from vtls/schannel.h:29,
                 from vtls/schannel_verify.c:40:
/usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}'
   WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags,
                          ^~~~~~~~~~~~~~~~
```
Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264

Closes https://github.com/curl/curl/pull/2648
2018-06-12 11:23:11 +00:00
Robert Prag
9aefbff30d
schannel: support selecting ciphers
Given the contstraints of SChannel, I'm exposing these as the algorithms
themselves instead; while replicating the ciphersuite as specified by
OpenSSL would have been preferable, I found no way in the SChannel API
to do so.

To use this from the commandline, you need to pass the names of contants
defining the desired algorithms. For example, curl --ciphers
"CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM"
https://github.com The specific names come from wincrypt.h

Closes #2630
2018-06-12 12:08:40 +02:00
Marian Klymov
c45360d463
cppcheck: fix warnings
- Get rid of variable that was generating false positive warning
(unitialized)

- Fix issues in tests

- Reduce scope of several variables all over

etc

Closes #2631
2018-06-11 11:14:48 +02:00
Daniel Stenberg
38203f1585
openssl: assume engine support in 1.0.1 or later
Previously it was checked for in configure/cmake, but that would then
leave other build systems built without engine support.

While engine support probably existed prior to 1.0.1, I decided to play
safe. If someone experience a problem with this, we can widen the
version check.

Fixes #2641
Closes #2644
2018-06-11 10:20:18 +02:00
Gisle Vanem
274940d743
boringssl + schannel: undef X509_NAME in lib/schannel.h
Fixes the build problem when both boringssl and schannel are enabled.

Fixes #2634
Closes #2643
2018-06-08 23:25:17 +02:00
Vladimir Kotal
9ff67f7b00
mk-ca-bundle.pl: leave certificate name untouched in decode()
Closes #2640
2018-06-08 09:37:56 +02:00
Viktor Szakats
4bd91bc474 spelling fixes
Detected using the `codespell` tool (version 1.13.0).

Also secure and fix an URL.
2018-06-03 12:14:45 +00:00
Daniel Stenberg
71c39f2965
axtls: follow-up spell fix of comment 2018-06-02 13:40:41 +02:00
Daniel Stenberg
9f89cd5ae4
axTLS: not considered fit for use
URL: https://curl.haxx.se/mail/lib-2018-06/0000.html

This is step one. It adds #error statements that require source edits to
make curl build again if asked to use axTLS. At a later stage we might
remove the axTLS specific code completely.

Closes #2628
2018-06-02 11:27:39 +02:00
Daniel Stenberg
aca1aba0bd
build: remove the Borland specific makefiles
According to the user survey 2018, not even one out of 670 users use
them. Nobody on the mailing list spoke up for them either.

Closes #2629
2018-06-02 11:23:40 +02:00
Daniel Stenberg
5712806785
curl_addrinfo: use same #ifdef conditions in source as header
... for curl_dofreeaddrinfo
2018-06-01 14:40:35 +02:00
Daniel Stenberg
923ce4a590
multi: remove a DEBUGF()
... it might call infof() with a NULL first argument that isn't harmful
but makes it not do anything. The infof() line is not very useful
anymore, it has served it purpose. Good riddance!

Fixes #2627
2018-06-01 12:55:41 +02:00
Alibek.Jorajev
f66d97b677
CURLOPT_RESOLVE: always purge old entry first
If there's an existing entry using the selected name.

Closes #2622
2018-06-01 12:47:52 +02:00
Daniel Stenberg
a115c6bbe7
fnmatch: use the system one if available
If configure detects fnmatch to be available, use that instead of our
custom one for FTP wildcard pattern matching. For standard compliance,
to reduce our footprint and to use already well tested and well
exercised code.

A POSIX fnmatch behaves slightly different than the internal function
for a few test patterns currently and the macOS one yet slightly
different. Test case 1307 is adjusted for these differences.

Closes #2626
2018-06-01 12:29:21 +02:00
Bernhard Walle
9c33813d83
configure: check for declaration of getpwuid_r
On our x86 Android toolchain, getpwuid_r is implemented but the header
is missing:

 netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration]

Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved
the prototype to curl_setup.h.

Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
Closes #2609
2018-05-31 12:51:15 +02:00
Rikard Falkeborn
8ea5d41fe0
strictness: correct {infof, failf} format specifiers
Closes #2623
2018-05-31 11:34:32 +02:00
Björn Stenberg
946ce5b61f
option: disallow username in URL
Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes
libcurl reject URLs with a username in them.

Closes #2340
2018-05-31 11:27:16 +02:00
Daniel Stenberg
050c93c46f
setopt: add TLS 1.3 ciphersuites
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.

curl: added --tls13-ciphers and --proxy-tls13-ciphers

Fixes #2435
Reported-by: zzq1015 on github
Closes #2607
2018-05-29 16:12:52 +02:00
Daniel Stenberg
6482773d30
fnmatch: insist on escaped bracket to match
A non-escaped bracket ([) is for a character group - as documented. It
will *not* match an individual bracket anymore. Test case 1307 updated
accordingly to match.

Problem detected by OSS-Fuzz, although this fix is probably not a final
fix for the notorious timeout issues.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525
Closes #2614
2018-05-28 23:57:31 +02:00
Patrick Monnerat
8541d02c96 psl: use latest psl and refresh it periodically
The latest psl is cached in the multi or share handle. It is refreshed
before use after 72 hours.
New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing.
If the latest psl is not available, the builtin psl is used.

Reported-by: Yaakov Selkowitz
Fixes #2553
Closes #2601
2018-05-28 20:37:14 +02:00
Bernhard Walle
645948dffb
cmake: check for getpwuid_r
The autotools-based build system does it, so we do it also in CMake.

Bug: #2609
Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
2018-05-28 15:23:18 +02:00
ralcock
45eefbd0dd
schannel: add failf calls for client certificate failures
Closes #2604
2018-05-27 23:30:23 +02:00
Alejandro R. Sedeño
d0f1d6c8fa
content_encoding: handle zlib versions too old for Z_BLOCK
Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available.

Fixes #2606
Closes #2608
2018-05-25 10:04:08 +02:00
Daniel Stenberg
3e0dee065f
multi: provide a socket to wait for in Curl_protocol_getsock
... even when there's no protocol specific handler setup.

Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html
Reported-by: Sean Miller
Closes #2600
2018-05-24 20:49:32 +02:00
Linus Lewandowski
239a7061f8
httpauth: add support for Bearer tokens
Closes #2102
2018-05-24 20:39:49 +02:00
Sergei Nikulov
2c0225e042 cmake: set -d postfix for debug builds if not specified
using -DCMAKE_DEBUG_POSTFIX explicitly

       fixes #2121, obsoletes #2384
2018-05-24 17:25:41 +03:00
Patrick Monnerat
09d16af49a http resume: skip body if http code 416 (range error) is ignored.
This avoids appending error data to already existing good data.

Test 92 is updated to match this change.
New test 1156 checks all combinations of --range/--resume, --fail,
Content-Range header and http status code 200/416.

Fixes #1163
Reported-By: Ithubg on github
Closes #2578
2018-05-22 13:23:02 +02:00
Daniel Stenberg
2e65a92052
tftp: make sure error is zero terminated before printfing it 2018-05-22 10:10:39 +02:00
Johannes Schindelin
aa0f41a5fc schannel: make CAinfo parsing resilient to CR/LF
OpenSSL has supported --cacert for ages, always accepting LF-only line
endings ("Unix line endings") as well as CR/LF line endings ("Windows
line endings").

When we introduced support for --cacert also with Secure Channel (or in
cURL speak: "WinSSL"), we did not take care to support CR/LF line
endings, too, even if we are much more likely to receive input in that
form when using Windows.

Let's fix that.

Happily, CryptQueryObject(), the function we use to parse the ca-bundle,
accepts CR/LF input already, and the trailing LF before the END
CERTIFICATE marker catches naturally any CR/LF line ending, too. So all
we need to care about is the BEGIN CERTIFICATE marker. We do not
actually need to verify here that the line ending is CR/LF. Just
checking for a CR or an LF is really plenty enough.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/2592
2018-05-22 02:29:55 -04:00
Daniel Stenberg
cb529b713f
checksrc: make sure sizeof() is used *with* parentheses
... and unify the source code to adhere.

Closes #2563
2018-05-21 23:21:47 +02:00
Daniel Stenberg
404c8850da
curl_fnmatch: only allow two asterisks for matching
The previous limit of 5 can still end up in situation that takes a very
long time and consumes a lot of CPU.

If there is still a rare use case for this, a user can provide their own
fnmatch callback for a version that allows a larger set of wildcards.

This commit was triggered by yet another OSS-Fuzz timeout due to this.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369

Closes #2587
2018-05-18 23:33:44 +02:00
Aleks
e05ad5dd99
docs: mention HAproxy protocol "version 1"
...as there's also a version 2.

Closes #2579
2018-05-18 17:48:40 +02:00
Philip Prindeville
ce2140a8c1
getinfo: add microsecond precise timers for various intervals
Provide a set of new timers that return the time intervals using integer
number of microseconds instead of floats.

The new info names are as following:

CURLINFO_APPCONNECT_TIME_T
CURLINFO_CONNECT_TIME_T
CURLINFO_NAMELOOKUP_TIME_T
CURLINFO_PRETRANSFER_TIME_T
CURLINFO_REDIRECT_TIME_T
CURLINFO_STARTTRANSFER_TIME_T
CURLINFO_TOTAL_TIME_T

Closes #2495
2018-05-17 13:41:04 +02:00
Daniel Stenberg
c5fe86804c
openssl: acknowledge --tls-max for default version too
... previously it only used the max setting if a TLS version was also
explicitly asked for.

Reported-by: byte_bucket
Fixes #2571
Closes #2572
2018-05-17 13:34:47 +02:00
Daniel Stenberg
f0c466dced
schannel_verify: fix build for non-schannel 2018-05-16 10:12:57 +02:00
Jay Satiro
4f9bbd3ac7 rand: fix typo 2018-05-16 02:21:06 -04:00
Jay Satiro
4584cc4499 schannel: disable manual verify if APIs not available
.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.
2018-05-16 02:21:05 -04:00
Archangel_SDY
1592ea9792 schannel: disable client cert option if APIs not available
Original MinGW targets Windows 2000 by default, which lacks some APIs and
definitions for this feature. Disable it if these APIs are not available.

Closes https://github.com/curl/curl/pull/2522
2018-05-16 02:21:04 -04:00
steini2000
0055545705
http2: remove unused variable
Closes #2570
2018-05-14 23:14:04 +02:00
steini2000
d6dd322d7a
http2: use easy handle of stream for logging 2018-05-14 23:13:44 +02:00
Daniel Stenberg
c0f704dbae
gcc: disable picky gcc-8 function pointer warnings in two places
Reported-by: Rikard Falkeborn
Bug: #2560
Closes #2569
2018-05-14 23:09:51 +02:00
Daniel Stenberg
a5aa2bdf34
http2: use the correct function pointer typedef
Fixes gcc-8 picky compiler warnings
Reported-by: Rikard Falkeborn
Bug: #2560
Closes #2568
2018-05-14 12:44:20 +02:00
Rikard Falkeborn
b9446d18e7
ntlm: Fix format specifiers 2018-05-14 09:42:27 +02:00
Rikard Falkeborn
eb49683e55
lib: Fix format specifiers 2018-05-14 09:42:27 +02:00
Daniel Stenberg
7d6e01441a
http2: getsock fix for uploads
When there's an upload in progress, make sure to wait for the socket to
become writable.

Detected-by: steini2000 on github
Bug: #2520
Closes #2567
2018-05-14 08:22:46 +02:00
Daniel Stenberg
583b42cb3b
pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.

Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
2018-05-14 07:40:31 +02:00
Daniel Stenberg
8c7b3737d2
http: restore buffer pointer when bad response-line is parsed
... leaving the k->str could lead to buffer over-reads later on.

CVE: CVE-2018-1000301
Assisted-by: Max Dymond

Detected by OSS-Fuzz.
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
2018-05-14 07:40:31 +02:00
Patrick Monnerat
1b55d270ad cookies: do not take cookie name as a parameter
RFC 6265 section 4.2.1 does not set restrictions on cookie names.
This is a follow-up to commit 7f7fcd0.
Also explicitly check proper syntax of cookie name/value pair.

New test 1155 checks that cookie names are not reserved words.

Reported-By: anshnd at github
Fixes #2564
Closes #2566
2018-05-13 01:23:10 +02:00
Daniel Stenberg
9cacc24630 smb: reject negative file sizes
Assisted-by: Max Dymond

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
2018-05-12 22:24:25 +02:00
Daniel Stenberg
fe6b78b42d
setup_transfer: deal with both sockets being -1
Detected by Coverity; CID 1435559.  Follow-up to f8d608f38d. It would
index the array with -1 if neither index was a socket.
2018-05-11 23:56:37 +02:00
Sunny Purushe
18cbbb702c openssl: change FILE ops to BIO ops
To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
handling is causing problems. This fix changes the OpenSSL backend code
to use BIO functions instead of FILE I/O functions to circumvent those
problems.

Closes #2512
2018-05-10 16:30:32 +02:00
Daniel Stenberg
babd55e25f
vtls: fix missing commas
follow-up to e66cca046c
2018-05-04 23:02:57 +02:00
Daniel Stenberg
e66cca046c
vtls: use unified "supports" bitfield member in backends
... instead of previous separate struct fields, to make it easier to
extend and change individual backends without having to modify them all.

closes #2547
2018-05-04 22:31:19 +02:00
Daniel Stenberg
f8d608f38d
transfer: don't unset writesockfd on setup of multiplexed conns
Curl_setup_transfer() can be called to setup a new individual transfer
over a multiplexed connection so it shouldn't unset writesockfd.

Bug: #2520
Closes #2549
2018-05-04 22:30:32 +02:00
Daniel Stenberg
e9d9d1af8a
http: don't set the "rewind" flag when not uploading anything
It triggers an assert.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
Closes #2546
2018-05-04 13:51:25 +02:00
Daniel Stenberg
1156fdd01d
ssh-libssh.c: fix left shift compiler warning
ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
represent, but 'int' only has 32 bits [-Wshift-overflow=]

'len' will never be that big anyway so I converted the run-time check to
a regular assert.
2018-05-03 22:16:57 +02:00
Stephan Mühlstrasser
7f41432c19
URL: fix ASCII dependency in strcpy_url and strlen_url
Commit 3c630f9b0a partially reverted the
changes from commit dd7521bcc1 because of
the problem that strcpy_url() was modified unilaterally without also
modifying strlen_url(). As a consequence strcpy_url() was again
depending on ASCII encoding.

This change fixes strlen_url() and strcpy_url() in parallel to use a
common host-encoding independent criterion for deciding whether an URL
character must be %-escaped.

Closes #2535
2018-05-03 15:19:20 +02:00
Daniel Stenberg
1621aed9be
vtls: don't define MD5_DIGEST_LENGTH for wolfssl
... as it defines it (too)
2018-05-02 11:21:48 +02:00
David Garske
b2e59a886b wolfssl: Fix non-blocking connect
Closes https://github.com/curl/curl/pull/2542
2018-05-02 03:01:54 -04:00
Daniel Gustafsson
85437697da cookies: remove unused macro
Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
so remove as it's not part of the published API.

Closes https://github.com/curl/curl/pull/2537
2018-04-27 02:54:15 -04:00
Daniel Gustafsson
2f13e3d23d
checksrc: force indentation of lines after an else
This extends the INDENTATION case to also handle 'else' statements
and require proper indentation on the following line. Also fixes the
offending cases found in the codebase.

Closes #2532
2018-04-27 00:51:35 +02:00
Daniel Stenberg
1d71ce845a
http2: fix null pointer dereference in http2_connisdead
This function can get called on a connection that isn't setup enough to
have the 'recv_underlying' function pointer initialized so it would try
to call the NULL pointer.

Reported-by: Dario Weisser

Follow-up to db1b2c7fe9 (never shipped in a release)
Closes #2536
2018-04-26 23:23:02 +02:00
Daniel Stenberg
2ef1662e4b
http2: get rid of another strstr()
Follow-up to 1514c44655: replace another strstr() call done on a
buffer that might not be zero terminated - with a memchr() call, even if
we know the substring will be found.

Assisted-by: Max Dymond

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021

Closes #2534
2018-04-26 14:55:26 +02:00
Daniel Stenberg
3b41839e2e
cyassl: adapt to libraries without TLS 1.0 support built-in
WolfSSL doesn't enable it by default anymore
2018-04-26 07:57:19 +02:00
Daniel Gustafsson
732d093835
cookies: ensure that we have cookies before writing jar
The jar should be written iff there are cookies, so ensure that we still
have cookies after expiration to avoid creating an empty file.

Closes #2529
2018-04-25 08:20:24 +02:00
Daniel Stenberg
3c630f9b0a
strcpy_url: only %-encode values >= 0x80
OSS-Fuzz detected

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000

Broke in dd7521bcc1
2018-04-25 07:56:01 +02:00
Daniel Stenberg
ba67f7d65a
mime: avoid NULL pointer dereference risk
Coverity detected, CID 1435120

Closes #2527
2018-04-24 17:11:01 +02:00
Stephan Mühlstrasser
dd7521bcc1
ctype: restore character classification for non-ASCII platforms
With commit 4272a0b0fc curl-speficic
character classification macros and functions were introduced in
curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
of character classification macros when CURL_DOES_CONVERSIONS is
defined.

Closes #2494
2018-04-24 14:36:06 +02:00
Daniel Stenberg
e6c22368c6
ftplistparser: keep state between invokes
Fixes FTP wildcard parsing when done over a number of read buffers.

Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2526
2018-04-24 14:23:20 +02:00
Daniel Stenberg
5c39ccd83f
Revert "ftplistparser: keep state between invokes"
This reverts commit abbc8457d8.

Caused fuzzer problems on travis not seen when this was a PR!
2018-04-24 08:19:54 +02:00
Daniel Stenberg
a7df35ce21
Curl_memchr: zero length input can't match
Avoids undefined behavior.

Reported-by: Geeknik Labs
2018-04-24 08:03:23 +02:00
Daniel Stenberg
abbc8457d8
ftplistparser: keep state between invokes
Fixes FTP wildcard parsing when doing over a number of read buffers.

Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2519
2018-04-23 22:52:52 +02:00
Daniel Stenberg
98a768f0a6
ftplistparser: renamed some members and variables
... to make them better spell out what they're for.
2018-04-23 22:52:48 +02:00
Christian Schmitz
d0394de152
curl_global_sslset: always provide available backends
Closes #2499
2018-04-23 14:18:55 +02:00
Daniel Stenberg
0a3589ccd0
http2: convert an assert to run-time check
Fuzzing has proven we can reach code in on_frame_recv with status_code
not having been set, so let's detect that in run-time (instead of with
assert) and error error accordingly.

(This should no longer happen with the latest nghttp2)

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
Closes #2514
2018-04-23 13:51:32 +02:00
Archangel_SDY
ab988caef6 schannel: fix build error on targets <= XP
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
  support the latter.

Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668

Closes https://github.com/curl/curl/pull/2504
2018-04-23 03:16:49 -04:00
Daniel Stenberg
10b195d3b0
Revert "ftplistparser: keep state between invokes"
This reverts commit 8fb78f9ddc.

Unfortunately this fix introduces memory leaks I've not been able to fix
in several days. Reverting this for now to get the leaks fixed.
2018-04-23 07:51:11 +02:00
Daniel Stenberg
d122df5972
http2: handle GOAWAY properly
When receiving REFUSED_STREAM, mark the connection for close and retry
streams accordingly on another/fresh connection.

Reported-by: Terry Wu
Fixes #2416
Fixes #1618
Closes #2510
2018-04-20 22:19:23 +02:00
Daniel Stenberg
7645c6bd5e
http2: clear the "drain counter" when a stream is closed
This fixes the notorious "httpc->drain_total >= data->state.drain"
assert.

Reported-by: Anders Bakken

Fixes #1680
Closes #2509
2018-04-20 22:18:19 +02:00
Daniel Stenberg
1514c44655
http2: avoid strstr() on data not zero terminated
It's not strictly clear if the API contract allows us to call strstr()
on a string that isn't zero terminated even when we know it will find
the substring, and clang's ASAN check dislikes us for it.

Also added a check of the return code in case it fails, even if I can't
think of a situation how that can trigger.

Detected by OSS-Fuzz
Closes #2513
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
2018-04-20 22:16:50 +02:00
Stephan Mühlstrasser
b0a50227c0
openssl: fix subjectAltName check on non-ASCII platforms
Curl_cert_hostcheck operates with the host character set, therefore the
ASCII subjectAltName string retrieved with OpenSSL must be converted to
the host encoding before comparison.

Closes #2493
2018-04-20 16:55:31 +02:00
Jay Satiro
a3f385393a openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
- Support handling verbose-mode trace messages of type
  SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
  SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
  SSL3_MT_MESSAGE_HASH

Reported-by: iz8mbw@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/2403
2018-04-20 01:28:32 -04:00
Daniel Stenberg
8fb78f9ddc
ftplistparser: keep state between invokes
Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2508
2018-04-19 20:10:52 +02:00
Daniel Stenberg
5c8521851f
detect_proxy: only show proxy use if it had contents 2018-04-19 14:59:06 +02:00
Daniel Stenberg
6d3c9c8ab4
http2: handle on_begin_headers() called more than once
This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
2018-04-19 08:06:40 +02:00
Dan McNulty
8996300211 schannel: add support for CURLOPT_CAINFO
- Move verify_certificate functionality in schannel.c into a new
  file called schannel_verify.c. Additionally, some structure defintions
  from schannel.c have been moved to schannel.h to allow them to be
  used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
  all versions of Windows instead of just Windows CE. verify_certificate
  will be invoked on Windows CE or when the user specifies
  CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
  exclusively trusts the certificate store backed by the CURLOPT_CAINFO
  file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
  when available. This implements a TODO in schannel.c to improve
  handling of multiple SANs in a certificate. In particular, all SANs
  will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
  when using Schannel to maintain backward compatibility. Previously,
  any curl-ca-bundle.crt file found in that search would have been
  ignored by Schannel. But, with CAINFO support, the file found by
  that search would have been used as the certificate store and
  could cause issues for any users that have curl-ca-bundle.crt in
  the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
  SSL backend is Schannel. We allow setting CA location for schannel
  only when explicitly specified by the user via CURLOPT_CAINFO /
  --cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
  and last SAN, respectively, matches the connection hostname. New test
  certificates have been added for these cases. For 3000, the certificate
  prefix is Server-localhost-firstSAN and for 3001, the certificate
  prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
  validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325
2018-04-18 03:59:47 -04:00
Jay Satiro
4d660fdcb0 schannel: fix warning
- Fix warning 'integer from pointer without a cast' on 3rd arg in
  CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
  type of the same size.

Follow-up to e35b025.

Caught by Marc's CI builds.
2018-04-17 15:43:30 -04:00
Archangel_SDY
e35b0256eb
schannel: add client certificate authentication
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`

Closes #2376
2018-04-17 00:23:01 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Marcel Raad
627bd7da76
urldata: make service names unconditional
The ifdefs have become quite long. Also, the condition for the
definition of CURLOPT_SERVICE_NAME and for setting it from
CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
options for NTLM, at least when using SSPI, for
https://github.com/curl/curl/pull/1660.
Just make the definitions unconditional to make that easier.

Closes https://github.com/curl/curl/pull/2479
2018-04-16 20:11:41 +02:00
Christian Schmitz
78611c745c
ssh: show libSSH2 error code when closing fails
Closes #2500
2018-04-16 16:46:08 +02:00
Daniel Gustafsson
36f0f47887 vauth: Fix typo
Address various spellings of "credentials".

Closes https://github.com/curl/curl/pull/2496
2018-04-15 03:25:48 -04:00
Daniel Gustafsson
9b96e0bb44 checksrc: Fix typo
Fix typo in "semicolon" spelling and remove stray tab character.

Closes https://github.com/curl/curl/pull/2498
2018-04-15 03:05:45 -04:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Daniel Stenberg
2b126cd708
duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
Verified in test 1502 now

Fixes #2485
Closes #2486
Reported-by: Ernst Sjöstrand
2018-04-12 16:21:24 +02:00
Daniel Stenberg
85eea2fb38
proxy: show getenv proxy use in verbose output
... to aid debugging etc as it sometimes isn't immediately obvious why
curl uses or doesn't use a proxy.

Inspired by #2477

Closes #2480
2018-04-11 10:56:03 +02:00
Marcel Raad
0f31647cf7
lib: silence null-dereference warnings
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
when dereferencing pointers after DEBUGASSERT-ing that they are not
NULL.
Fix this by removing the DEBUGASSERTs.

Suggested-by: Daniel Stenberg
Ref: https://github.com/curl/curl/pull/2463
2018-04-09 15:54:52 +02:00
Daniel Stenberg
dc1b6c5a00
build: cleanup to fix clang warnings/errors
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
cast from integer to pointer is a GNU extension

Reported-by: Rikard Falkeborn

Fixes #2466
Closes #2468
2018-04-08 13:59:30 +02:00
Daniel Stenberg
8020a0c62f
curl_setup: provide a CURL_SA_FAMILY_T type if none exists
... and use this type instead of 'sa_family_t' in the code since several
platforms don't have it.

Closes #2463
2018-04-07 11:19:46 +02:00
Eric Gallager
a19fefb070
build: add picky compiler warning flags for gcc 6 and 7 2018-04-07 11:18:58 +02:00