1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 15:05:02 -05:00
Commit Graph

1764 Commits

Author SHA1 Message Date
Daniel Stenberg
7fdf01f32e
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
Closes #6942
2021-04-26 10:25:03 +02:00
Johann150
68f6c56396
curl_url_set.3: add memory management information
wording taken from man page for CURLOPT_URL.3

As far as I can see, the URL part is either malloc'ed before due to
encoding or it is strdup'ed.

Closes #6953
2021-04-25 14:13:29 +02:00
Daniel Stenberg
f014eeceb2
CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
Ref: https://curl.se/mail/lib-2021-04/0085.html
Closes #6943
2021-04-23 23:20:31 +02:00
Martin Halle
e540b32562 version: add gsasl_version to curl_version_info_data
- Add gsasl_version string and bump to CURLVERSION_TENTH.

Ref: https://curl.se/mail/lib-2021-04/0003.html

Closes https://github.com/curl/curl/pull/6843
2021-04-22 18:28:28 -04:00
Jay Satiro
54e7475016 schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change
  for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
  to automatically locate and use a client certificate for
  authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
  --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673
2021-04-22 16:53:37 -04:00
Daniel Stenberg
eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00
Daniel Stenberg
520bd5225c
cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies
Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
the cookiejar from memory.

Reported-by: Stefan Karpinski
Fixes #6889
Closes #6891
2021-04-14 23:09:36 +02:00
Daniel Stenberg
5a80a869a7
CURLOPT_AUTOREFERER.3: clarify that it sets the full URL
... some users may not want that!
2021-03-30 14:47:14 +02:00
Daniel Stenberg
85e6975643
copyright: update copyright year ranges to 2021
Reviewed-by: Emil Engler
Closes #6802
2021-03-27 23:00:14 +01:00
Daniel Stenberg
ae42f1df15
curl_easy_setopt.3: add curl_easy_option* functions to SEE ALSO 2021-03-26 07:56:22 +01:00
Daniel Stenberg
8593b15c77
docs/ABI: tighten up the language
Make the promises more firm

Closes #6786
2021-03-24 23:45:29 +01:00
Daniel Stenberg
472b537215
docs: clarify timeouts for queued transfers in multi API
Closes #6758
2021-03-19 23:28:21 +01:00
Jay Satiro
2d04286793 docs: Add SSL backend names to CURL_SSL_BACKEND
- Document the names that can be used with CURL_SSL_BACKEND:
  bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
  schannel, secure-transport, wolfssl

Ref: https://github.com/curl/curl/issues/2209#issuecomment-360623286
Ref: https://github.com/curl/curl/issues/6717#issuecomment-800745201

Closes https://github.com/curl/curl/pull/6755
2021-03-17 18:15:10 -04:00
Jay Satiro
8a4ef73c8f docs: Explain DOH transfers inherit some SSL settings
- Document in DOH that some SSL settings are inherited but DOH hostname
  and peer verification are not and are controlled separately.

- Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
  we're considering changing behavior to no longer inherit it. Request
  feedback.

Closes https://github.com/curl/curl/pull/6688
2021-03-17 18:12:45 -04:00
Daniel Gustafsson
4d28382bd3 docs: Fix typos
Random typos spotted when skimming docs.
2021-02-25 09:28:00 +01:00
Jay Satiro
c79b9de45c docs: add CURLOPT_CURLU to 'See also' in curl_url_ functions
Closes https://github.com/curl/curl/pull/6639
2021-02-23 02:31:20 -05:00
Daniel Stenberg
659b05df6a
curl_url_set.3: mention CURLU_PATH_AS_IS
... it has been supported since the URL API was added.

Bug: https://curl.se/mail/lib-2021-02/0046.html

Closes #6638
2021-02-21 23:25:22 +01:00
Viktor Szakats
f65d7889b5
http: add new files missed from referrer commit
Ref: 44872aefc2
Ref: #6591
2021-02-19 16:18:15 +00:00
Viktor Szakats
44872aefc2
http: add support to read and store the referrer header
- add CURLINFO_REFERER libcurl option
- add --write-out '%{referer}' command-line option
- extend --xattr command-line option to fill user.xdg.referrer.url extended
  attribute with the referrer (if there was any)

Closes #6591
2021-02-19 13:57:19 +00:00
Jay Satiro
53022e1893 doh: add options to disable ssl verification
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
  CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
  same as their respective counterparts.

- New curl tool options --doh-insecure and --doh-cert-status do the same
  as their respective counterparts.

Prior to this change DOH SSL certificate verification settings for
verifyhost and verifypeer were supposed to be inherited respectively
from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
were not. As a result DOH verification remained at the default, ie
enabled, and it was not possible to disable. This commit changes
behavior so that the DOH verification settings are independent and not
inherited.

Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676

Fixes https://github.com/curl/curl/issues/4578
Closes https://github.com/curl/curl/pull/6597
2021-02-14 18:20:48 -05:00
Daniel Stenberg
8d9346f1a0
gsasl: provide CURL_VERSION_GSASL if built-in
To let applications know the feature is available.

Closes #6592
2021-02-11 16:16:34 +01:00
Jacob Hoffman-Andrews
246399a874
vtls: initial implementation of rustls backend
This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
from https://github.com/abetterinternet/crustls.

Rustls is at https://github.com/ctz/rustls/.

There is still a fair bit to be done, like sending CloseNotify on
connection shutdown, respecting CAPATH, and properly indicating features
like "supports TLS 1.3 ciphersuites." But it works well enough to make
requests and receive responses.

Blog post for context:
https://www.abetterinternet.org/post/memory-safe-curl/

Closes #6350
2021-02-09 11:06:18 +01:00
Daniel Stenberg
ff9ec4e4a0
CURLOPT_QUOTE.3: clarify that libcurl doesn't parse what's sent
... so passed in commands may confuse libcurl's knowledge of state.

Reported-by: Bodo Bergmann
Fixes #6577
Closes #6580
2021-02-08 22:35:50 +01:00
Dmitry Wagin
796ce293de
http: improve AWS HTTP v4 Signature auth
- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
by providing region and service parameters via aws-sigv4 option.
- Add [:region[:service]] suffix to aws-sigv4 option;
- Fix memory allocation errors.
- Refactor memory management.
- Use Curl_http_method instead() STRING_CUSTOMREQUEST.
- Refactor canonical headers generating.
- Remove repeated sha256_to_hex() usage.
- Add some docs fixes.
- Add some codestyle fixes.
- Add overloaded strndup() for debug - curl_dbg_strndup().
- Update tests.

Closes #6524
2021-01-30 23:48:22 +01:00
Daniel Stenberg
ec8dcd7b33
CURLINFO_PRETRANSFER_TIME.3: clarify
... the timer *does* include the instructions for getting the remote
file.

Ref: #6452
Closes #6453
2021-01-14 23:15:07 +01:00
Daniel Stenberg
f52c6981c5
curl.h: add CURLPROTO_GOPHERS as own protocol identifier
Follow-up to a1f06f32b8, to make sure it can be handled separately
from plain gopher.

Closes #6418
2021-01-06 15:23:41 +01:00
Emil Engler
725ec470e2
language: s/behaviour/behavior/g
We currently use both spellings the british "behaviour" and the american
"behavior". However "behavior" is more used in the project so I think
it's worth dropping the british name.

Closes #6395
2021-01-02 23:35:59 +01:00
Olaf Hering
f2ed79d8ee
docs/examples: adjust prototypes for CURLOPT_READFUNCTION
The type of the buffer in curl_read_callback is 'char *', not 'void *'.

Signed-off-by: Olaf Hering <olaf@aepfle.de>
Closes #6392
2020-12-30 22:20:24 +01:00
Paul Groke
8324dc8b1a
dns: extend CURLOPT_RESOLVE syntax for adding non-permanent entries
Extend the syntax of CURLOPT_RESOLVE strings: allow using a '+' prefix
(similar to the existing '-' prefix for removing entries) to add
DNS cache entries that will time out just like entries that are added
by libcurl itself.

Append " (non-permanent)" to info log message in case a non-permanent
entry is added.

Adjust relevant comments to reflect the new behavior.

Adjust documentation.

Extend unit1607 to test the new functionality.

Closes #6294
2020-12-29 17:49:36 +01:00
Daniel Stenberg
64e6e54f4b
curl_easy_pause.3: add multiplexed pause effects
and generally refresh and update. Remove details for ancient versions.

Reviewed-by: Jay Satiro
Closes #6360
2020-12-22 23:08:03 +01:00
Jay Satiro
f0ba3d5e1b curl_easy_pause.3: fix man page reference
Follow-up to ac9a724 from earlier today.

Ref: https://github.com/curl/curl/pull/6359
2020-12-22 16:51:19 -05:00
Daniel Stenberg
ac9a7245fc
speedcheck: exclude paused transfers
Paused transfers should not be stopped due to slow speed even when
CURLOPT_LOW_SPEED_LIMIT is set. Additionally, the slow speed timer is
now reset when the transfer is unpaused - as otherwise it would easily
just trigger immediately after unpausing.

Reported-by: Harry Sintonen
Fixes #6358
Closes #6359
2020-12-22 13:51:07 +01:00
Matthias Gatto
e2b2afbeea
docs: add AWS HTTP v4 Signature 2020-12-21 16:28:03 +01:00
Matthias Gatto
08e8455ddd
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.

It doesn't seems to be standard, but it is used by some cloud providers.

Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually

most of the code is in lib/http_v4_signature.c

Information require by the algorithm:
- The URL
- Current time
-  some prefix that are append to some of the signature parameters.

The data extracted from the URL are: the URI, the region,
the host and the API type

example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
        ~~~ ~~~~~~~~               ~~~~~~~~~~~~~~~~~~~
        ^       ^                          ^
       /         \                        URI
   API type     region

Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
  the get data, the canonical header, the signed header
  and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
  the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
  the date, and above hash

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

Closes #5703
2020-12-21 16:27:50 +01:00
Daniel Stenberg
9211cb2034
version: include hyper version 2020-12-18 09:58:03 +01:00
Daniel Stenberg
a0f0c7149f
CURLOPT_URL.3: remove scheme specific details
... that are now found in URL-SYNTAX.md

Closes #6307
2020-12-12 22:46:37 +01:00
Daniel Stenberg
ec9cc725d5
ftp: CURLOPT_FTP_SKIP_PASV_IP by default
The command line tool also independently sets --ftp-skip-pasv-ip by
default.

Ten test cases updated to adapt the modified --libcurl output.

Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284

Reported-by: Varnavas Papaioannou
2020-12-07 08:38:05 +01:00
Daniel Stenberg
03822c3a6d
CURLOPT_HSTS.3: document the file format
Closes #6205
2020-11-13 23:28:58 +01:00
Daniel Stenberg
8b151cb944
docs: document the 8MB input string limit
for curl_easy_escape and curl_easy_setopt()

The limit is there to catch mistakes and abuse. It is meant to be large
enough to allow virtually all "fine" use cases.

Reported-by: Marc Schlatter
Fixes #6190
Closes #6191
2020-11-09 17:28:45 +01:00
Daniel Stenberg
ac0a88fd25
copyright: fix year ranges
Follow-up from 4d2f800677
2020-11-05 08:22:10 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
2cfc4ed983
hsts: add read/write callbacks
- read/write callback options
- man pages for the 4 new setopts
- test 1915 verifies the callbacks

Closes #5896
2020-11-03 16:08:48 +01:00
Daniel Stenberg
7385610d0c
hsts: add support for Strict-Transport-Security
- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle

Closes #5896
2020-11-03 16:08:42 +01:00
Jay Satiro
9f4c1c0cce CURLOPT_DNS_USE_GLOBAL_CACHE.3: fix typo
Reported-by: Rui LIU

Closes https://github.com/curl/curl/issues/6131
2020-10-26 17:18:44 -04:00
Daniel Stenberg
96450a1a33
alt-svc: enable by default
Remove CURLALTSVC_IMMEDIATELY, which was never implemented/supported.

alt-svc support in curl is no longer considered experimental

Closes #5868
2020-10-25 23:08:54 +01:00
Daniel Stenberg
65fb4d16a3
curl_url_set.3: fix typo in the RETURN VALUE section
Reported-by: Basuke Suzuki
Fixes #6102
2020-10-18 23:02:57 +02:00
Daniel Stenberg
6f85968678
CURLOPT_NOBODY.3: fix typo
Reported-by: Basuke Suzuki
Fixes #6097
2020-10-16 23:02:49 +02:00
Daniel Stenberg
bfd35d5eda
CURLOPT_URL.3: clarify SCP/SFTP URLs are for uploads as well 2020-10-16 15:36:01 +02:00
Zenju
6d1a05b0bf
CURLOPT_TCP_NODELAY.3: fix comment in example code
Closes #6096
2020-10-16 15:06:51 +02:00
Samanta Navarro
2ead0ca482
docs/opts: fix typos in two manual pages
Closes #6039
2020-10-03 22:53:16 +02:00