1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-14 05:25:06 -05:00
Commit Graph

24202 Commits

Author SHA1 Message Date
Daniel Gustafsson
7a09b52c98 cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 09:57:58 +01:00
Daniel Stenberg
fdc5563b6e
docs: fix the --tls-max description
Reported-by: Tobias Lindgren
Pointed out in #3367

Closes #3368
2018-12-13 08:35:55 +01:00
Daniel Gustafsson
d8607da1a6 urlapi: Fix port parsing of eol colon
A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 11:48:04 +01:00
Daniel Stenberg
4258dc02d8
RELEASE-NOTES: 7.63.0 2018-12-12 08:12:27 +01:00
Daniel Stenberg
a58741aab7
THANKS: from the curl 7.62.0 cycle 2018-12-12 08:12:27 +01:00
Daniel Stenberg
1945460d48
test1519: use lib1518 and test CURLINFO_REDIRECT_URL more 2018-12-12 07:58:54 +01:00
Daniel Stenberg
435402cfe3
Curl_follow: extract the Location: header field unvalidated
... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364
2018-12-12 07:58:47 +01:00
Daniel Stenberg
ecb2e194d4
multi: convert two timeout variables to timediff_t
The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363
2018-12-11 15:43:20 +01:00
Daniel Stenberg
1568d710cd
delta: use --diff-filter on the git diff-tree invokes
Suggested-by: Dave Reisner
2018-12-11 15:32:34 +01:00
Patrick Monnerat
37093a21a6 documentation: curl_formadd field and file names are now escaped
Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition
header without special processing: this may lead to invalid RFC 822
quoted-strings.
7.56.0 introduces escaping of backslashes and double quotes in these names:
mention it in the documentation.

Reported-by: daboul on github
Closes #3361
2018-12-11 15:31:23 +01:00
Daniel Stenberg
70d8ac624f
scripts/delta: show repo delta info from last release
... where "last release" should be the git tag in the repo.
2018-12-11 15:07:26 +01:00
Daniel Gustafsson
e1be2ecba4 tests: add urlapi unittest
This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:24 +01:00
Daniel Gustafsson
63533cbde2 urlapi: fix portnumber parsing for ipv6 zone index
An IPv6 URL which contains a zone index includes a '%%25<zode id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:19 +01:00
Jay Satiro
552f0205e6
http: fix HTTP auth to include query in URI
- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356
2018-12-11 13:28:20 +01:00
Michael Kaufmann
c8bf8cc1e4
http: don't set CURLINFO_CONDITION_UNMET for http status code 204
The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359
2018-12-11 13:22:42 +01:00
Samuel Surtees
1b443a7c00
ldap: fix LDAP URL parsing regressions
- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d (7.62.0)

Closes #3362
2018-12-11 13:20:12 +01:00
Daniel Stenberg
3a9cb0d74d
RELEASE-NOTES: synced 2018-12-10 00:26:55 +01:00
Stefan Kanthak
e1360a1c91
(lib)curl.rc: fixup for minor bugs
All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348
2018-12-10 00:10:04 +01:00
Daniel Stenberg
4e326f9247
test329: verify cookie max-age=0 immediate expiry 2018-12-09 18:35:02 +01:00
Daniel Stenberg
1e9abfedfa
cookies: expire "Max-Age=0" immediately
Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352
2018-12-09 18:34:55 +01:00
Johannes Schindelin
d997aa0e96
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-08 10:59:23 +01:00
Ben Greear
07e61abdac
openssl: fix unused variable compiler warning with old openssl
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347
2018-12-07 17:03:17 +01:00
Johannes Schindelin
cbea2fd2c7
NTLM: force the connection to HTTP/1.1
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 13:03:21 +01:00
Johannes Schindelin
2456152069
curl_global_sslset(): id == -1 is not necessarily an error
It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes #3346
2018-12-07 11:38:22 +01:00
Johannes Schindelin
4db1874f88 .gitattributes: make tabs in indentation a visible error
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-06 20:21:17 +01:00
Daniel Stenberg
26cfceaa4c
RELEASE-NOTES: synced 2018-12-06 10:02:09 +01:00
Daniel Stenberg
d506df860f
doh: fix memory leak in OOM situation
Reviewed-by: Daniel Gustafsson
Closes #3342
2018-12-06 09:52:38 +01:00
Daniel Stenberg
027d66e5f1
doh: make it work for h2-disabled builds too
Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336
2018-12-05 23:44:26 +01:00
Daniel Stenberg
bae0d473f5
packages: remove old leftover files and dirs
This subdir has mostly become an attic of never-used cruft from the
past.

Closes #3331
2018-12-05 15:29:24 +01:00
Gergely Nagy
08efa19e6a
openssl: do not use file BIOs if not requested
Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339
2018-12-05 15:26:18 +01:00
Paul Howarth
8ad9e5915a
nss: Fix compatibility with nss versions 3.14 to 3.15 2018-12-05 15:24:32 +01:00
Paul Howarth
71a1442eb2
nss: Improve info message when falling back SSL protocol
Use descriptive text strings rather than decimal numbers.
2018-12-05 15:24:32 +01:00
Paul Howarth
6848ea585b
nss: Fall back to latest supported SSL version
NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261
2018-12-05 15:24:32 +01:00
Daniel Gustafsson
f7bdf4b2e1 travis: enable COPYRIGHTYEAR extended warning
The extended warning for checking incorrect COPYRIGHTYEAR is quite
expensive to run, so rather than expecting every developer to do it
we ensure it's turned on locally for Travis.
2018-12-03 23:18:59 +01:00
Daniel Gustafsson
6381708970 checksrc: add COPYRIGHTYEAR check
Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-03 23:13:40 +01:00
Daniel Stenberg
847b130244
CHECKSRC.md: document more warnings
Closes #3335
[ci skip]
2018-12-03 09:47:13 +01:00
Daniel Stenberg
a79714b49a
RELEASE-NOTES: synced 2018-11-30 23:54:37 +01:00
Daniel Stenberg
4a01a20bdb
SECURITY-PROCESS: bountygraph shuts down
This backpedals back the documents to the state before bountygraph.

Closes #3311
2018-11-30 22:50:36 +01:00
Daniel Stenberg
650281ed5b
curl: fix memory leak reading --writeout from file
If another string had been set first, the writout function for reading
the syntax from file would leak the previously allocated memory.

Reported-by: Brian Carpenter
Fixes #3322
Closes #3330
2018-11-30 22:48:09 +01:00
Daniel Stenberg
8e2549b86c
tool_main: rename function to make it unique and better
... there's already another function in the curl tool named
free_config_fields!
2018-11-30 12:02:27 +01:00
Daniel Gustafsson
436b50f2f7 TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry
Commit 7c5837e792 deprecated the option
making it a manual code-edit operation to turn it back on. The removal
process has thus started and is now documented in docs/DEPRECATE.md so
remove from the TODO to avoid anyone looking for something to pick up
spend cycles on an already in-progress entry.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-29 12:15:04 +01:00
Sevan Janiyan
b466560124 connect: fix building for recent versions of Minix
EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323
2018-11-29 02:05:23 -05:00
Konstantin Kushnir
a39d8f7056 CMake: fix MIT/Heimdal Kerberos detection
- fix syntax error in FindGSS.cmake
- correct krb5 include directory. FindGSS exports
  "GSS_INCLUDE_DIR" variable.

Closes https://github.com/curl/curl/pull/3316
2018-11-29 02:05:21 -05:00
Daniel Stenberg
40ac6f1e50
test328: verify Content-Encoding: none
Because of issue #3315

Closes #3317
2018-11-28 14:13:14 +01:00
James Knight
0fac7a10fd
configure: include all libraries in ssl-libs fetch
When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` can produce
only a subset of found in a `--libs` call (e.x. pthread may be excluded).
Adding `--libs-only-other` ensures other libraries are also included in
the list. This corrects select build environments compiling against a
static version of OpenSSL. Before the change, the following could be
observed:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... no
    checking for HMAC_Init_ex in -lcrypto... no
    checking OpenSSL linking with -ldl... no
    checking OpenSSL linking with -ldl and -lpthread... no
    configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
    configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
    ...
    SSL support:      no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
    ...

And include the other libraries when compiling SSL_LIBS succeeds with:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... yes
    checking for SSL_connect in -lssl... yes
    ...
    SSL support:      enabled (OpenSSL)
    ...

Signed-off-by: James Knight <james.d.knight@live.com>
Closes #3193
2018-11-26 13:10:38 +01:00
Daniel Gustafsson
fd1049554f doh: fix typo in infof call
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-26 11:40:26 +01:00
Daniel Gustafsson
8802ad965d cmdline-opts/gen.pl: define the correct varname
The variable definition had a small typo making it declare another
variable then the intended.

Closes #3304
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-26 09:56:49 +01:00
Daniel Stenberg
27a5e1f111
RELEASE-NOTES: synced 2018-11-25 23:50:39 +01:00
Daniel Stenberg
34fe0e1622
curl_easy_perform: fix timeout handling
curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308
2018-11-25 11:25:43 +01:00
Daniel Stenberg
ae7a09db20
CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times 2018-11-23 16:55:33 +01:00