1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 14:35:03 -05:00
Commit Graph

27019 Commits

Author SHA1 Message Date
Daniel Stenberg
b09c8ee157
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890
2021-03-28 23:19:56 +02:00
Viktor Szakats
7214288898
transfer: strip credentials from the auto-referer header field
Added test 2081 to verify.

CVE-2021-22876

Bug: https://curl.se/docs/CVE-2021-22876.html
2021-03-28 23:19:55 +02:00
Daniel Stenberg
184ffc0bdf
curl_sasl: fix compiler error with --disable-crypto-auth
... if libgsasl was found.

Closes #6806
2021-03-28 23:03:15 +02:00
Patrick Monnerat
8cbc16b2f9
ldap: only set the callback ptr for TLS context when TLS is used
Follow-up to a5eee22e59
Fixes #6804
Closes #6805
2021-03-28 16:01:20 +02:00
Daniel Stenberg
85e6975643
copyright: update copyright year ranges to 2021
Reviewed-by: Emil Engler
Closes #6802
2021-03-27 23:00:14 +01:00
Daniel Stenberg
b5726e5549
send_speed: simplify the checks for if a speed limit is set
... as we know the value cannot be set to negative: enforced by
setopt()
2021-03-27 12:38:28 +01:00
Daniel Stenberg
24e469f6d6
http: cap body data amount during send speed limiting
By making sure never to send off more than the allowed number of bytes
per second the speed limit logic is given more room to actually work.

Reported-by: Fabian Keil
Bug: https://curl.se/mail/lib-2021-03/0042.html
Closes #6797
2021-03-27 12:38:15 +01:00
Daniel Stenberg
95cbcec8f9
urldata: merge "struct DynamicStatic" into "struct UrlState"
Both were used for the same purposes and there was no logical separation
between them. Combined, this also saves 16 bytes in less holes in my
test build.

Closes #6798
2021-03-26 23:19:20 +01:00
Daniel Stenberg
d003b0213a
tests/README.md: mentioned that en_US.UTF-8 is required
Reported-by: Oumph on github
Fixes #6768
2021-03-26 17:54:12 +01:00
Daniel Stenberg
eef3b43ae8
HISTORY: fixed the Mac OS X 10.1 release date
Based on what Wikipedia says
2021-03-26 09:08:10 +01:00
Jay Satiro
a8da0302a7 examples: Remove threaded-shared-conn.c due to bug
Known bug 11.11 is the shared object's connection cache is not thread
safe, so we should not have an example for it.

Ref: https://github.com/curl/curl/issues/4915
Ref: https://curl.se/docs/knownbugs.html#A_shared_connection_cache_is_not

Closes https://github.com/curl/curl/pull/6795
2021-03-26 03:14:50 -04:00
Jay Satiro
65aa275bbc KNOWN_BUGS: Update 11.9 - DoH option inheritance
- Add description: Explain that some options aren't inherited because
  they are not relevant for the DoH SSL connections or may result in
  unexpected behavior.

- Remove the reference to #4578 (SSL verify options not inherited) since
  that was fixed by #6597 (separate DoH-specific options for verify).

- Explain that DoH-specific options (those created by #6597) are
  available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
  CURLOPT_DOH_SSL_VERIFYSTATUS.

- Add a reference to #6605 and explain that the user's debug function is
  not inherited because it would be unexpected to pass internal handles
  (ie DoH handles) to the user's callback.

Closes https://github.com/curl/curl/issues/6605
2021-03-26 03:14:28 -04:00
Daniel Stenberg
ae42f1df15
curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO 2021-03-26 07:56:22 +01:00
Jean-Philippe Menil
5930cb1c46
openssl: ensure to check SSL_CTX_set_alpn_protos return values
SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure

Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>

Closes #6794
2021-03-25 22:57:20 +01:00
Daniel Stenberg
7b6bfd2d78
multi: close the connection when h2=>h1 downgrading
Otherwise libcurl is likely to reuse the connection again in the next
attempt since the connection reuse logic doesn't take downgrades into
account.

Reported-by: Anthony Ramine
Fixes #6788
Closes #6793
2021-03-25 16:18:13 +01:00
Daniel Stenberg
db4e0bd85f
openssl: set the transfer pointer for logging early
Otherwise, the transfer will be NULL in the trace function when the
early handshake details arrive and then curl won't show them.

Regresssion in 7.75.0

Reported-by: David Hu
Fixes #6783
Closes #6792
2021-03-25 16:16:55 +01:00
Daniel Stenberg
cd7aec95d6
RELEASE-NOTES: synced 2021-03-25 09:32:02 +01:00
Daniel Stenberg
8494abfb1b
TODO: Custom progress meter update interval
Ref: https://stackoverflow.com/q/66789977/93747
2021-03-25 09:22:52 +01:00
Daniel Stenberg
8593b15c77
docs/ABI: tighten up the language
Make the promises more firm

Closes #6786
2021-03-24 23:45:29 +01:00
Daniel Stenberg
a5eee22e59
openldap: disconnect better
Instead of clearing the callback argument in disconnect, set it to the
(new) transfer to make sure the correct data is passed to the callbacks.

Follow-up to e467ea3bd9
Assisted-by: Patrick Monnerat
Closes #6787
2021-03-24 23:02:33 +01:00
Daniel Stenberg
1803be5746
libssh2: kdb_callback: get the right struct pointer
After the recent conn/data refactor in this source file, this function
was mistakenly still getting the old struct pointer which would lead to
crash on servers with keyboard-interactive auth enabled.

Follow-up to a304051620 (shipped in 7.75.0)

Reported-by: Christian Schmitz
Fixes #6691
Closes #6782
2021-03-23 13:42:22 +01:00
Daniel Stenberg
2258899e97
tftp: remove unused struct fields
Follow-up to d3d90ad9c0

Closes #6781
2021-03-23 13:37:10 +01:00
Daniel Stenberg
e467ea3bd9
openldap: avoid NULL pointer dereferences
Follow-up to a59c33ceff
Reported-by: Patrick Monnerat
Fixes #6676
Closes #6780
2021-03-23 13:34:50 +01:00
Daniel Stenberg
3bbf62b5a4
http: strip default port from URL sent to proxy
To make sure the Host: header and the URL provide the same authority
portion when sent to the proxy, strip the default port number from the
URL if one was provided.

Reported-by: Michael Brown
Fixes #6769
Closes #6778
2021-03-23 13:33:49 +01:00
Daniel Stenberg
45d1e24b74
azure: disable test 433 on azure-ubuntu
Something in that environment sets XDG_CONFIG_HOME for us in a way that
breaks the test.

Reported-by: Marc Hörsken
Fixes #6739
Closes #6777
2021-03-23 10:13:20 +01:00
Daniel Stenberg
d3d90ad9c0
tftp: remove the 3600 second default timeout
... it was never meant to be there.

Reported-by: Tomas Berger
Fixes #6774
Closes #6776
2021-03-22 23:00:23 +01:00
Daniel Stenberg
d7f737dd13
docs: make gen.pl support *italic* and **bold**
Remove some nroffisms from the cmdline doc files to simplify editing,
and instead support this markdown style.

Closes #6771
2021-03-22 16:50:58 +01:00
Daniel Stenberg
c915662485
ngtcp2: sync with recent API updates
Closes #6770
2021-03-22 10:45:00 +01:00
Daniel Stenberg
03c8cef1c3
RELEASE-NOTES: synced 2021-03-21 11:27:12 +01:00
Daniel Stenberg
012c19c33a
libssh2:ssh_connect: clear session pointer after free
If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
ssh session was freed but the pointer wasn't cleared which made libcurl
later call libssh2 to cleanup using the stale pointer.

Fixes #6764
Closes #6766
2021-03-21 11:22:08 +01:00
Jacob Hoffman-Andrews
2e444a17d4
docs: document version of crustls dependency
This also pins a specific release in the Travis test so future
API-breaking changins in crustls won't break curl builds.

Add RUSTLS documentation to release tarball.

Enable running tests for rustls, minus FTP tests (require
connect_blocking, which rustls doesn't implement) and 313 (requires CRL
handling).

Closes #6763
2021-03-21 00:16:32 +01:00
Jacob Hoffman-Andrews
7488ef2960
rustls: Handle close_notify.
If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).

Closes #6763
2021-03-21 00:16:27 +01:00
Daniel Stenberg
472b537215
docs: clarify timeouts for queued transfers in multi API
Closes #6758
2021-03-19 23:28:21 +01:00
Daniel Stenberg
bd738bef12
ftpserver: only load the preprocessed test file
We always preprocess and tests are no longer sensible to load "raw"

Closes #6738
2021-03-19 15:57:27 +01:00
Daniel Stenberg
e2b4df7b5e
tests: use %TESTNUMBER instead of fixed number
This makes the tests easier to copy and relocate to other test numbers
without having to update content.

Closes #6738
2021-03-19 15:57:21 +01:00
Daniel Stenberg
453ad35d15
KNOWN_BUGS: CURLOPT_OPENSOCKETPAIRFUNCTION is missing
Closes #5747
2021-03-18 12:53:28 +01:00
Daniel Stenberg
74ec0e5ec0
TODO: provide timing info for each redirect
Closes #6743
2021-03-18 08:39:59 +01:00
Jay Satiro
2d04286793 docs: Add SSL backend names to CURL_SSL_BACKEND
- Document the names that can be used with CURL_SSL_BACKEND:
  bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
  schannel, secure-transport, wolfssl

Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201

Closes https://github.com/curl/curl/pull/6755
2021-03-17 18:15:10 -04:00
Jay Satiro
8a4ef73c8f docs: Explain DOH transfers inherit some SSL settings
- Document in DOH that some SSL settings are inherited but DOH hostname
  and peer verification are not and are controlled separately.

- Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
  we're considering changing behavior to no longer inherit it. Request
  feedback.

Closes https://github.com/curl/curl/pull/6688
2021-03-17 18:12:45 -04:00
Daniel Stenberg
6d176bee59
http: make 416 not fail with resume + CURLOPT_FAILONERRROR
When asked to resume a download, libcurl will convert that to HTTP logic
and if then the entire file is already transferred it will result in a
416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
scenario, it should *not* lead to an error return.

Updated test 1156, added test 1273

Reported-by: Jonathan Watt
Fixes #6740
Closes #6753
2021-03-17 08:26:46 +01:00
Daniel Stenberg
e8e7ef3612
Curl_timeleft: check both timeouts during connect
The duration of a connect and the total transfer are calculated from two
different time-stamps. It can end up with the total timeout triggering
before the connect timeout expires and we should make sure to
acknowledge whichever timeout that is reached first.

This is especially notable when a transfer first sits in PENDING, as
that time is counted in the total time but the connect timeout is based
on the time since the handle changed to the CONNECT state.

The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
operation.

Fixes #6744
Closes #6745
Reported-by: Andrei Bica
Assisted-by: Jay Satiro
2021-03-17 00:28:44 +01:00
Daniel Stenberg
2682e5f502
configure: remove use of deprecated macros
AC_HEADER_TIME, AC_HEADER_STDC and AC_TYPE_SIGNAL
2021-03-16 23:02:02 +01:00
Daniel Stenberg
d2ea5d166e
configure: make AC_TRY_* into AC_*_IFELSE
... as the former versions are deprecated.
2021-03-16 23:02:02 +01:00
Daniel Stenberg
a59f046116
configure: s/AC_HELP_STRING/AS_HELP_STRING
AC_HELP_STRING is deprecated in 2.70+ and I believe AS_HELP_STRING works
already since 2.59 so bump the minimum required version to that.

Reported-by: Emil Engler
Fixes #6647
Closes #6748
2021-03-16 23:01:53 +01:00
Daniel Stenberg
55ae13dcc1
RELEASE-NOTES: synced 2021-03-16 17:27:22 +01:00
Daniel Stenberg
c44cf858f2
travis: use ubuntu nghttp2 package instead of build our own
Closes #6751
2021-03-16 11:00:29 +01:00
Daniel Stenberg
0785a77767
travis: bump wolfssl to 4.7.0 2021-03-16 11:00:29 +01:00
Daniel Stenberg
e4a41c1042
travis: only build wolfssl when needed
Closes #6751
2021-03-16 11:00:19 +01:00
Jacob Hoffman-Andrews
3780717db0
rustls: allocate a buffer for TLS data.
Previously, rustls was using an on-stack array for TLS data. However,
crustls has an (unusual) requirement that buffers it deals with are
initialized before writing to them. By using calloc, we can ensure the
buffer is initialized once and then reuse it across calls.

Closes #6742
2021-03-16 10:11:04 +01:00
Daniel Stenberg
7dbb0a87e6
travis: add a rustls build
... that doesn't run any tests (yet)

Closes #6750
2021-03-16 10:08:15 +01:00