1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 14:35:03 -05:00
Commit Graph

10856 Commits

Author SHA1 Message Date
Daniel Stenberg
1b71bc532b
file: on Windows, refuse paths that start with \\
... as that might cause an unexpected SMB connection to a given host
name.

Reported-by: Fernando Muñoz
CVE-2019-15601
Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
2020-01-06 10:05:37 +01:00
Marcel Raad
291ed52122
lib: fix compiler warnings with CURL_DISABLE_VERBOSE_STRINGS
Closes https://github.com/curl/curl/pull/4775
2020-01-03 17:02:30 +01:00
Michael Forney
9024b01387 bearssl: Improve I/O handling
Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
records until the desired engine state is reached. This is now used for
the handshake, read, write, and close.

Match OpenSSL SSL_write behavior, and don't return the number of bytes
written until the corresponding records have been completely flushed
across the socket. This involves keeping track of the length of data
buffered into the TLS engine, and assumes that when CURLE_AGAIN is
returned, the write function will be called again with the same data
and length arguments. This is the same requirement of SSL_write.

Handle TLS close notify as EOF when reading by returning 0.

Closes https://github.com/curl/curl/pull/4748
2019-12-31 02:43:47 -05:00
Xiang Xiao
060fb84a5a lib: remove erroneous +x file permission on some c files
Modified by commit eb9a604 accidentally.

Closes https://github.com/curl/curl/pull/4756
2019-12-27 22:55:52 -05:00
Xiang Xiao
4b463992e5 lib: fix warnings found when porting to NuttX
- Undefine DEBUGASSERT in curl_setup_once.h in case it was already
  defined as a system macro.

- Don't compile write32_le in curl_endian unless
  CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le.

- Include <arpa/inet.h> in socketpair.c.

Closes https://github.com/curl/curl/pull/4756
2019-12-27 22:52:31 -05:00
Jay Satiro
10121a417d ngtcp2: Support the latest update key callback type
- Remove our cb_update_key in favor of ngtcp2's new
  ngtcp2_crypto_update_key_cb which does the same thing.

Several days ago the ngtcp2_update_key callback function prototype was
changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to
fix up our cb_update_key for that change they also added
ngtcp2_crypto_update_key_cb which does the same thing so we'll use that
instead.

Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c

Closes https://github.com/curl/curl/pull/4735
2019-12-20 00:34:58 -05:00
Daniel Stenberg
8c0807aa16
create_conn: prefer multiplexing to using new connections
... as it would previously prefer new connections rather than
multiplexing in most conditions! The (now removed) code was a leftover
from the Pipelining code that was translated wrongly into a
multiplex-only world.

Reported-by: Kunal Ekawde
Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html
Closes #4732
2019-12-19 09:00:56 +01:00
Gisle Vanem
ac7b1fb10c strerror: Fix compiler warning "empty expression"
- Remove the final semi-colon in the SEC2TXT() macro definition.

Before:  #define SEC2TXT(sec) case sec: txt = #sec; break;

After:   #define SEC2TXT(sec) case sec: txt = #sec; break

Prior to this change SEC2TXT(foo); would generate break;; which caused
the empty expression warning.

Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547
2019-12-18 14:10:23 -05:00
Daniel Stenberg
0caf1423e5
define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
It is covered by USE_OPENSSL_ENGINE now.

Reported-by: Gisle Vanem
Bug: 87b9337c8f (commitcomment-36447951)

Closes #4725
2019-12-17 07:58:46 +01:00
Daniel Stenberg
bdb5b6dd5b
lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
... even for macros

Reviewed-by: Daniel Gustafsson
Reviewed-by: Jay Satiro
Reported-by: Jay Satiro
Fixes #4683
Closes #4722
2019-12-17 07:36:11 +01:00
Daniel Stenberg
31e637d224
Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION"
This reverts commit ba82673dac.

Bug: #4683
2019-12-16 22:46:35 +01:00
Santino Keupp
1d2d3feb21
libssh2: add support for ECDSA and ed25519 knownhost keys
... if a new enough libssh2 version is present.

Source: https://curl.haxx.se/mail/archive-2019-12/0023.html
Co-Authored-by: Daniel Stenberg
Closes #4714
2019-12-15 23:03:39 +01:00
Daniel Stenberg
29ca9fc596
multi: free sockhash on OOM
This would otherwise leak memory in the error path.

Detected by torture test 1540.

Closes #4713
2019-12-13 22:46:46 +01:00
Marcel Raad
4457e08a7a
hostip: suppress compiler warning
With `--disable-doh --disable-threaded-resolver`, the `dns` parameter
is not used.

Closes https://github.com/curl/curl/pull/4692
2019-12-13 20:55:51 +01:00
Daniel Stenberg
68ffe6c17d
ntlm_wb: fix double-free in OOM
Detected by torture testing test 1310

Closes #4710
2019-12-13 13:01:01 +01:00
Daniel Stenberg
5dc56eb95d
altsvc: make the save function ignore NULL filenames
It might happen in OOM situations. Detected bv torture tests.

Closes #4707
2019-12-12 14:10:09 +01:00
Daniel Stenberg
4940bb8568
doh: make it behave when built without proxy support
Reported-by: Marcel Raad
Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734

Closes #4704
2019-12-12 09:26:08 +01:00
Daniel Stenberg
1d5c427d7f
conncache: CONNECT_ONLY connections assumed always in-use
This makes them never to be considered "the oldest" to be discarded when
reaching the connection cache limit. The reasoning here is that
CONNECT_ONLY is primarily used in combination with using the
connection's socket post connect and since that is used outside of
curl's knowledge we must assume that it is in use until explicitly
closed.

Reported-by: Pavel Pavlov
Reported-by: Pavel Löbl
Fixes #4426
Fixes #4369
Closes #4696
2019-12-11 09:25:56 +01:00
Gisle Vanem
2c0362ee04
vtls: make BearSSL possible to set with CURL_SSL_BACKEND
Ref: 9b879160df (commitcomment-36355622)

Closes #4698
2019-12-10 15:35:23 +01:00
Daniel Stenberg
c7bc689fc3
conn: always set bits.close with connclose()
Closes #4690
2019-12-09 17:17:42 +01:00
Daniel Stenberg
ee263de7a3
conncache: fix multi-thread use of shared connection cache
It could accidentally let the connection get used by more than one
thread, leading to double-free and more.

Reported-by: Christopher Reid
Fixes #4544
Closes #4557
2019-12-09 15:30:09 +01:00
Jay Satiro
689443bf42 lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.

Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)

Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.

Ref: https://github.com/curl/curl/pull/4655
2019-12-05 19:17:31 -05:00
Jay Satiro
0edf75865a setopt: Fix ALPN / NPN user option when built without HTTP2
- Stop treating lack of HTTP2 as an unknown option error result for
  CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN.

Prior to this change it was impossible to disable ALPN / NPN if libcurl
was built without HTTP2. Setting either option would result in
CURLE_UNKNOWN_OPTION and the respective internal option would not be
set. That was incorrect since ALPN and NPN are used independent of
HTTP2.

Reported-by: Shailesh Kapse

Fixes https://github.com/curl/curl/issues/4668
Closes https://github.com/curl/curl/pull/4672
2019-12-05 18:38:40 -05:00
Marcel Raad
bf24e0f928
curl_setup: fix CURLRES_IPV6 condition
Move the definition of `CURLRES_IPV6` to before undefining
`HAVE_GETADDRINFO`. Regression from commit 67a08dca27 which caused
some tests to fail and others to be skipped with c-ares.

Fixes https://github.com/curl/curl/issues/4673
Closes https://github.com/curl/curl/pull/4677
2019-12-05 20:17:47 +01:00
Peter Wu
87b9337c8f CMake: add support for building with the NSS vtls backend
Options are cross-checked with configure.ac and acinclude.m4.
Tested on Arch Linux, untested on other platforms like Windows or macOS.

Closes #4663
Reviewed-by: Kamil Dudka
2019-12-04 21:34:02 +00:00
Daniel Stenberg
854343fc4e
hostip4.c: bump copyright year range 2019-12-03 23:13:25 +01:00
Marcel Raad
67a08dca27
curl_setup: disable IPv6 resolver without getaddrinfo
Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6
address support. This makes it possible to connect to IPv6 literals by
setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes
the CMake build when using the synchronous resolver without
`getaddrinfo` support.

Closes https://github.com/curl/curl/pull/4662
2019-12-03 21:37:33 +01:00
Daniel Stenberg
564d88a8bd
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
2019-12-03 16:28:50 +01:00
Daniel Stenberg
94f1f77158
openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
2019-12-03 16:28:50 +01:00
Daniel Stenberg
d9118e8d71
copyright: fix the year ranges for two files
Follow-up to 9c1806ae
2019-12-02 08:02:39 +01:00
Jay Satiro
9c1806ae46 build: Disable Visual Studio warning "conditional expression is constant"
- Disable warning C4127 "conditional expression is constant" globally
  in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

    #define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658
2019-12-01 19:01:02 -05:00
Jay Satiro
0436d4438a openssl: retrieve reported LibreSSL version at runtime
- Retrieve LibreSSL runtime version when supported (>= 2.7.1).

For earlier versions we continue to use the compile-time version.

Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3

Closes https://github.com/curl/curl/pull/2425
2019-12-01 18:56:24 -05:00
Jay Satiro
5b22e1a5a9 strerror: Add Curl_winapi_strerror for Win API specific errors
- In all code call Curl_winapi_strerror instead of Curl_strerror when
  the error code is known to be from Windows GetLastError.

Curl_strerror prefers CRT error codes (errno) over Windows API error
codes (GetLastError) when the two overlap. When we know the error code
is from GetLastError it is more accurate to prefer the Windows API error
messages.

Reported-by: Richard Alcock

Fixes https://github.com/curl/curl/issues/4550
Closes https://github.com/curl/curl/pull/4581
2019-12-01 18:12:36 -05:00
Daniel Stenberg
bc5d22c3de
global_init: undo the "intialized" bump in case of failure
... so that failures in the global init function don't count as a
working init and it can then be called again.

Reported-by: Paul Groke
Fixes #4636
Closes #4653
2019-12-02 00:04:56 +01:00
Daniel Stenberg
0044443a02
parsedate: offer a getdate_capped() alternative
... and use internally. This function will return TIME_T_MAX instead of
failure if the parsed data is found to be larger than what can be
represented. TIME_T_MAX being the largest value curl can represent.

Reviewed-by: Daniel Gustafsson
Reported-by: JanB on github
Fixes #4152
Closes #4651
2019-11-29 11:01:24 +01:00
Daniel Stenberg
cc4cf93e52
sha256: bump the copyright year range
Follow-up from 66e21520f
2019-11-28 22:28:06 +01:00
Daniel Gustafsson
66e21520f3 curl_setup_once: consistently use WHILE_FALSE in macros
The WHILE_FALSE construction is used to avoid compiler warnings in
macro constructions. This fixes a few instances where it was not
used in order to keep the code consistent.

Closes #4649
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 16:02:13 +01:00
Steve Holme
bb8cf05169
http_ntlm: Remove duplicate NSS initialisation
Given that this is performed by the NTLM code there is no need to
perform the initialisation in the HTTP layer. This also keeps the
initialisation the same as the SASL based protocols and also fixes a
possible compilation issue if both NSS and SSPI were to be used as
multiple SSL backends.

Reviewed-by: Kamil Dudka
Closes #3935
2019-11-28 14:41:55 +01:00
Daniel Gustafsson
ba82673dac checksrc: fix regexp for ASSIGNWITHINCONDITION
The regexp looking for assignments within conditions was too greedy
and matched a too long string in the case of multiple conditionals
on the same line. This is basically only a problem in single line
macros, and the code which exemplified this was essentially:

  do { if((x) != NULL) { x = NULL; } } while(0)

..where the final parenthesis of while(0) matched the regexp, and
the legal assignment in the block triggered the warning. Fix by
making the regexp less greedy by matching for the tell-tale signs
of the if statement ending.

Also remove the one occurrence where the warning was disabled due
to a construction like the above, where the warning didn't apply
when fixed.

Closes #4647
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 14:18:16 +01:00
Niall
8acfad38ca
doh: use dedicated probe slots
... to easier allow additional DNS transactions.

Closes #4629
2019-11-28 12:49:44 +01:00
David Benjamin
d94aa39410
ngtcp2: fix thread-safety bug in error-handling
ERR_error_string(NULL) should never be called. It places the error in a
global buffer, which is not thread-safe. Use ERR_error_string_n with a
local buffer instead.

Closes #4645
2019-11-28 00:48:19 +01:00
John Schroeder
7cf18b05e0
XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
(also for PROGRESSFUNCTION)

By returning this value from the callback, the internal progress
function call is still called afterward.

Closes #4599
2019-11-26 09:16:01 +01:00
Michael Forney
9b879160df
TLS: add BearSSL vtls implementation
Closes #4597
2019-11-26 08:32:23 +01:00
Gergely Nagy
f3c35e371c
multi: add curl_multi_wakeup()
This commit adds curl_multi_wakeup() which was previously in the TODO
list under the curl_multi_unblock name.

On some platforms and with some configurations this feature might not be
available or can fail, in these cases a new error code
(CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup().

Fixes #4418
Closes #4608
2019-11-25 15:45:56 +01:00
Xiaoyin Liu
0a65febccf schannel: fix --tls-max for when min is --tlsv1 or default
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.

Closes https://github.com/curl/curl/pull/4633
2019-11-24 03:16:26 -05:00
Jay Satiro
78cef06847 openssl: Revert to less sensitivity for SYSCALL errors
- Disable the extra sensitivity except in debug builds (--enable-debug).

- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
  "No error" / "Success" socket error text isn't shown on SYSCALL error.

Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.

To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.

Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.

This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.

Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke

Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
2019-11-22 22:29:39 -05:00
Daniel Stenberg
1f4e7dc661 openssl: improve error message for SYSCALL during connect
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html

Closes https://github.com/curl/curl/pull/4593
2019-11-22 22:29:37 -05:00
Daniel Stenberg
f70da9c17e
include: make CURLE_HTTP3 use a new error code
To avoid potential issues with error code reuse.

Reported-by: Christoph M. Becker
Assisted-by: Dan Fandrich
Fixes #4601
Closes #4627
2019-11-21 23:16:29 +01:00
Javier Blazquez
e0363a47de
ngtcp2: use overflow buffer for extra HTTP/3 data
Fixes #4525
Closes #4603
2019-11-18 16:40:08 +01:00
Daniel Stenberg
425c572a19
altsvc: bump to h3-24
... as both ngtcp2 and quiche now support that in their master branches

Closes #4604
2019-11-18 14:49:34 +01:00
Daniel Stenberg
82e4d029c5
ngtcp2: free used resources on disconnect
Fixes #4614
Closes #4615
2019-11-18 14:46:12 +01:00
Daniel Stenberg
a72b6b9606
ngtcp2: handle key updates as ngtcp2 master branch tells us
Reviewed-by: Tatsuhiro Tsujikawa

Fixes #4612
Closes #4613
2019-11-18 14:42:51 +01:00
Gergely Nagy
d1476aa11e multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds
Prior to this change:

The check if an extra wait is necessary was based not on the
number of extra fds but on the pointer.

If a non-null pointer was given in extra_fds, but extra_nfds
was zero, then the wait was skipped even though poll was not
called.

Closes https://github.com/curl/curl/pull/4610
2019-11-17 23:35:48 -05:00
Jay Satiro
1f6a18685e lib: Move lib/ssh.h -> lib/vssh/ssh.h
Follow-up to 5b2d703 which moved ssh source files to vssh.

Closes https://github.com/curl/curl/pull/4609
2019-11-17 23:27:39 -05:00
Niall
b6a53fff6c
doh: improced both encoding and decoding
Improved estimation of expected_len and updated related comments;
increased strictness of QNAME-encoding, adding error detection for empty
labels and names longer than the overall limit; avoided treating DNAME
as unexpected;

updated unit test 1655 with more thorough set of proofs and tests

Closes #4598
2019-11-16 16:15:03 +01:00
Daniel Stenberg
7627a2dd9d
ngtcp2: increase QUIC window size when data is consumed
Assisted-by: Javier Blazquez
Ref #4525 (partial fix)
Closes #4600
2019-11-16 00:12:53 +01:00
Melissa Mears
c6b70de246
config-win32: cpu-machine-OS for Windows on ARM
Define the OS macro properly for Windows on ARM builds.  Also, we might
as well add the GCC-style IA-64 macro.

Closes #4590
2019-11-14 23:27:06 +01:00
Daniel Stenberg
4e1eee1500
multi_poll: avoid busy-loop when called without easy handles attached
Fixes #4594
Closes #4595
Reported-by: 3dyd on github
2019-11-14 23:22:22 +01:00
Daniel Stenberg
b3eb7d172a
quiche: reject headers in the wrong order
Pseudo header MUST come before regular headers or cause an error.

Reported-by: Cynthia Coan
Fixes #4571
Closes #4584
2019-11-12 09:44:24 +01:00
Daniel Stenberg
8686aab694
openssl: prevent recursive function calls from ctx callbacks
Follow the pattern of many other callbacks.

Ref: #4546
Closes #4585
2019-11-12 09:40:00 +01:00
Daniel Stenberg
13182b33f7
remove_handle: clear expire timers after multi_done()
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
Closes #4583
2019-11-11 14:49:17 +01:00
Daniel Stenberg
32747aafa0
pause: avoid updating socket if done was already called
... avoids unnecesary recursive risk when the transfer is already done.

Reported-by: Richard Bowker
Fixes #4563
Closes #4574
2019-11-10 16:48:47 +01:00
Jay Satiro
07cf042ece strerror: Fix an error looking up some Windows error strings
- Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in
  Windows error strings.

Since we are not in control of the error code we don't know what
information may be needed by the error string's format specifiers.

Prior to this change Windows API error strings which contain specifiers
(think specifiers like similar to printf specifiers) would not be shown.
The FormatMessage Windows API call which turns a Windows error code into
a string could fail and set error ERROR_INVALID_PARAMETER if that error
string contained a format specifier. FormatMessage expects a va_list for
the specifiers, unless inserts are ignored in which case no substitution
is attempted.

Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353
2019-11-09 18:07:59 -05:00
Daniel Stenberg
1f73138ce1
checksrc: repair the copyrightyear check
- Consider a modified file to be committed this year.

- Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and
  includes

- Ignore 0 parents when getting latest commit date of file.

since in the CI we're dealing with a truncated repo of last 50 commits,
the file's most recent commit may not be available. when this happens
git log and rev-list show the initial commit (ie first commit not to be
truncated) but that's incorrect so ignore it.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549

Co-authored-by: Jay Satiro
2019-11-08 14:51:42 +01:00
Daniel Stenberg
0bc60d91de
copyrights: fix copyright year range
.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549
2019-11-08 14:51:42 +01:00
Christian Schmitz
93213b2421
ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
Closes #3704
2019-11-07 23:14:02 +01:00
Wyatt O'Day
93738efe16 build: fix for CURL_DISABLE_DOH
Fixes https://github.com/curl/curl/issues/4565
Closes https://github.com/curl/curl/pull/4566
2019-11-06 23:48:10 -05:00
Vilhelm Prytz
d0319adb0c
copyrights: update all copyright notices to 2019 on files changed this year
Closes #4547
2019-11-02 23:15:56 +01:00
Bastien Bouclet
9910d6b9a4
mbedtls: add error message for cert validity starting in the future
Closes #4552
2019-11-02 22:59:13 +01:00
Jay Satiro
9c49824902 schannel_verify: Fix concurrent openings of CA file
- Open the CA file using FILE_SHARE_READ mode so that others can read
  from it as well.

Prior to this change our schannel code opened the CA file without
sharing which meant concurrent openings (eg an attempt from another
thread or process) would fail during the time it was open without
sharing, which in curl's case would cause error:
"schannel: failed to open CA file".

Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
2019-11-01 18:02:59 -04:00
Daniel Stenberg
c2b01cce5c
gtls: make gnutls_bye() not wait for response on shutdown
... as it can make it wait there for a long time for no good purpose.

Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Adviced-by: Nikos Mavrogiannopoulos

Fixes #4487
Closes #4541
2019-10-31 09:10:50 +01:00
Daniel Stenberg
dcd7e37c3a
url: make Curl_close() NULLify the pointer too
This is the common pattern used in the code and by a unified approach we
avoid mistakes.

Closes #4534
2019-10-30 09:36:21 +01:00
Daniel Stenberg
0cbd6f8df7
url: Curl_free_request_state() should also free doh handles
... or risk DoH memory leaks.

Reported-by: Paul Dreik
Fixes #4463
Closes #4527
2019-10-29 22:48:19 +01:00
Javier Blazquez
9f5b26d23f HTTP3: fix invalid use of sendto for connected UDP socket
On macOS/BSD, trying to call sendto on a connected UDP socket fails
with a EISCONN error. Because the singleipconnect has already called
connect on the socket when we're trying to use it for QUIC transfers
we need to use plain send instead.

Fixes #4529
Closes https://github.com/curl/curl/pull/4533
2019-10-28 15:00:33 -04:00
Javier Blazquez
e0ee3d9f9b
HTTP3: fix Windows build
The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv
in order to perform nonblocking operations. On Windows this flag does
not exist. Instead, the socket must be set to nonblocking mode via
ioctlsocket.

This change sets the nonblocking flag on UDP sockets used for QUIC on
all platforms so the use of MSG_DONTWAIT is not needed.

Fixes #4531
Closes #4532
2019-10-28 09:21:43 +01:00
Francois Rivard
8986df802d
schannel: reverse the order of certinfo insertions
Fixes #4518
Closes #4519
2019-10-24 16:30:40 +02:00
Daniel Stenberg
807c056c08
conn-reuse: requests wanting NTLM can reuse non-NTLM connections
Added test case 338 to verify.

Reported-by: Daniel Silverstone
Fixes #4499
Closes #4514
2019-10-23 10:15:39 +02:00
Daniel Stenberg
95a4cfd888
http2_recv: a closed stream trumps pause state
... and thus should return 0, not EAGAIN.

Reported-by: Tom van der Woerdt
Fixes #4496
Closes #4505
2019-10-18 23:23:48 +02:00
Daniel Stenberg
59041f052a
http2: expire a timeout at end of stream
To make sure that transfer is being dealt with. Streams without
Content-Length need a final read to notice the end-of-stream state.

Reported-by: Tom van der Woerdt
Fixes #4496
2019-10-18 23:23:43 +02:00
Daniel Stenberg
e062043433
url: normalize CURLINFO_EFFECTIVE_URL
The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as
input in most cases, which made it not get a scheme prefixed like before
if the URL was given without one, and it didn't remove dotdot sequences
etc.

Added test case 1907 to verify that this now works as intended and as
before 7.62.0.

Regression introduced in 7.62.0

Reported-by: Christophe Dervieux
Fixes #4491
Closes #4493
2019-10-16 14:10:55 +02:00
Marcel Raad
a626fa128c
security: silence conversion warning
With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer,
while `read` expects a 32 bit signed integer.
Use `sread` instead of `read` to use the correct parameter type.

Closes https://github.com/curl/curl/pull/4483
2019-10-13 22:10:12 +02:00
Marcel Raad
be16d8d994
connect: silence sign-compare warning
With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the
result of `sizeof` is unsigned.

Closes https://github.com/curl/curl/pull/4483
2019-10-13 22:09:59 +02:00
Harry Sintonen
0dc14b8381
socketpair: fix include and define for older TCP header systems
fixed build for systems that need netinet/in.h for IPPROTO_TCP and are
missing INADDR_LOOPBACK

Closes #4480
2019-10-10 23:20:15 +02:00
Daniel Stenberg
622cf7db6b
socketpair: fix double-close in error case
Follow-up to bc2dbef0af
2019-10-10 11:18:21 +02:00
Daniel Stenberg
1b843bb5ed
gskit: use the generic Curl_socketpair 2019-10-10 11:04:38 +02:00
Daniel Stenberg
9c76f694de
asyn-thread: make use of Curl_socketpair() where available 2019-10-10 11:04:38 +02:00
Daniel Stenberg
bc2dbef0af
socketpair: an implemention for Windows and more
Curl_socketpair() is designed to be used and work everywhere if there's
no native version or the native version isn't good enough.

Closes #4466
2019-10-10 11:04:38 +02:00
Daniel Stenberg
490effc193
connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no
matter what errno said.

This makes for example --retry work on these transfer failures.

Reported-by: Nathaniel J. Smith
Fixes #4461
Clsoes #4462
2019-10-09 14:16:28 +02:00
Nicolas
8bb3a95ce1 ldap: fix OOM error on missing query string
- Allow missing queries, don't return NO_MEMORY error in such a case.

It is acceptable for there to be no specified query string, for example:

curl ldap://ldap.forumsys.com

A regression bug in 1b443a7 caused this issue.

This is a partial fix for #4261.

Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077
Reported-by: Jojojov@users.noreply.github.com
Analyzed-by: Samuel Surtees

Closes https://github.com/curl/curl/pull/4467
2019-10-05 19:47:31 -04:00
Paul B. Omta
df85b86a92 build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
Closes https://github.com/curl/curl/pull/4460
2019-10-05 19:18:30 -04:00
Daniel Stenberg
b902b0632d
ngtcp2: adapt to API change
Closes #4457
2019-10-04 10:31:36 +02:00
Daniel Stenberg
249541f12f
cookies: change argument type for Curl_flush_cookies
The second argument is really a 'bool' so use that and pass in TRUE/FALSE
to make it clear.

Closes #4455
2019-10-03 22:56:28 +02:00
Daniel Stenberg
8a00560de2
http2: move state-init from creation to pre-transfer
To make sure that the HTTP/2 state is initialized correctly for
duplicated handles. It would otherwise easily generate "spurious"
PRIORITY frames to get sent over HTTP/2 connections when duplicated easy
handles were used.

Reported-by: Daniel Silverstone
Fixes #4303
Closes #4442
2019-10-03 22:55:42 +02:00
Daniel Stenberg
02c6b984cb
urlapi: fix use-after-free bug
Follow-up from 2c20109a9b

Added test 663 to verify.

Reported by OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17954

Closes #4453
2019-10-03 22:54:26 +02:00
Paul Dreik
13ecc0725f
cookie: avoid harmless use after free
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.

Closes #4454
2019-10-03 15:43:50 +02:00
Niall
0f48055c40
ESNI: initial build/setup
Closes #4011
2019-10-02 12:33:08 +02:00
Daniel Stenberg
c6f250c4d6
redirect: when following redirects to an absolute URL, URL encode it
... to make it handle for example (RFC violating) embeded spaces.

Reported-by: momala454 on github
Fixes #4445
Closes #4447
2019-10-02 07:53:32 +02:00
Daniel Stenberg
2c20109a9b
urlapi: fix URL encoding when setting a full URL 2019-10-02 07:53:17 +02:00
Kunal Ekawde
c124e6b3c0
CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt
Closes #4410
2019-10-02 07:47:48 +02:00
Daniel Stenberg
f0f053fed0
chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the
response is chunked-encoded.

Reported-by: Ilya Kosarev
Fixes #4310
Closes #4449
2019-10-02 07:46:05 +02:00