aboutsummaryrefslogtreecommitdiff
path: root/lib/formdata.c
AgeCommit message (Collapse)Author
2016-12-14checksrc: warn for assignments within if() expressionsDaniel Stenberg
... they're already frowned upon in our source code style guide, this now enforces the rule harder.
2016-12-13checksrc: stricter no-space-before-paren enforcementDaniel Stenberg
In order to make the code style more uniform everywhere
2016-11-24checksrc: move open braces to comply with function declaration styleDaniel Stenberg
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-11-14Curl_rand: fixed and moved to rand.cDaniel Stenberg
Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-10-08formpost: avoid silent snprintf() truncationDaniel Stenberg
The previous use of snprintf() could make libcurl silently truncate some input data and not report that back on overly large input, which could make data get sent over the network in a bad format. Example: $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
2016-10-04formpost: trying to attach a directory no longer crashesDaniel Stenberg
The error path would previously add a freed entry to the linked list. Reported-by: Toby Peterson Fixes #1053
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-04-29lib: include curl_printf.h as one of the last headersDaniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-04-03code: style updatesDaniel Stenberg
2016-04-03formdata: use appropriate fopen() macrosDaniel Stenberg
2016-03-18formdata.c: Fixed compilation warningSteve Holme
formdata.c:390: warning: cast from pointer to integer of different size Introduced in commit ca5f9341ef this happens because a char*, which is 32-bits wide in 32-bit land, is being cast to a curl_off_t which is 64-bits wide where 64-bit integers are supported by the compiler. This doesn't happen in 64-bit land as a pointer is the same size as a curl_off_t. This fix doesn't address the fact that a 64-bit value cannot be used for CURLFORM_CONTENTLEN when set in a form array and compiled on a 32-bit platforms, it does at least suppress the compilation warning.
2016-02-29formpost: fix memory leaks in AddFormData error branchesDaniel Stenberg
Reported-by: Dmitry-Me Fixes #688
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-07formdata: Check if length is too large for memoryJay Satiro
- If the size of the length type (curl_off_t) is greater than the size of the size_t type then check before allocating memory to make sure the value of length will fit in a size_t without overflow. If it doesn't then return CURLE_BAD_FUNCTION_ARGUMENT. Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679 Reported-by: Steve Holme
2015-11-02formadd: support >2GB files on windowsDaniel Stenberg
Closes #425
2015-10-31curl.h: s/HTTPPOST_/CURL_HTTPOST_Daniel Stenberg
Fixes a name space pollution at the cost of programs using one of these defines will no longer compile. However, the vast majority of libcurl programs that do multipart formposts use curl_formadd() to build this list. Closes #506
2015-09-26build: fix failures with -Wcast-align and -WerrorTatsuhiro Tsujikawa
Closes #457
2015-06-02checksrc: detect fopen() for text without the FOPEN_* macrosDaniel Stenberg
Follow-up to e8423f9ce150 with discussionis in https://github.com/bagder/curl/pull/258 This check scans for fopen() with a mode string without 'b' present, as it may indicate that an FOPEN_* define should rather be used.
2015-03-24curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-16free: instead of Curl_safefree()Daniel Stenberg
Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
2015-03-16Bug #149: Deletion of unnecessary checks before a few calls of cURL functionsMarkus Elfring
The following functions return immediately if a null pointer was passed. * Curl_cookie_cleanup * curl_formfree It is therefore not needed that a function caller repeats a corresponding check. This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-16Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring
The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-03mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg
... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
2014-11-05curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of boundsDaniel Stenberg
When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults. Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead. Bug: http://curl.haxx.se/docs/adv_20141105.html CVE: CVE-2014-3707 Reported-By: Symeon Paraschoudis
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-08FormAdd: precaution against memdup() of NULL pointerDaniel Stenberg
Coverity CID 252518. This function is in general far too complicated for its own good and really should be broken down into several smaller funcitons instead - but I'm adding this protection here now since it seems there's a risk the code flow can end up here and dereference a NULL pointer.
2014-09-13formdata: removed unnecessary USE_SSLEAY useDaniel Stenberg
2014-02-09formdata: Must use Curl_safefree instead of freeDan Fandrich
2014-02-08formdata: Fixed memory leak on OOM conditionDan Fandrich
2014-02-07formpost: use semicolon in multipart/mixedDaniel Stenberg
Not comma, which is an inconsistency and a mistake probably inherited from the examples section of RFC1867. This bug has been present since the day curl started to support multipart formposts, back in the 90s. Reported-by: Rob Davies Bug: http://curl.haxx.se/bug/view.cgi?id=1333
2013-12-20vtls: renamed sslgen.[ch] to vtls.[ch]Daniel Stenberg
2013-12-20vtls: created subdir, moved sslgen.[ch] there, updated all include linesDaniel Stenberg
2013-08-04formadd: wrong pointer for file name when CURLFORM_BUFFERPTR usedDaniel Stenberg
The internal function that's used to detect known file extensions for the default Content-Type got the the wrong pointer passed in when CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that strlen() would be used which could lead to an out-of-bounds read (and thus segfault). In most cases it would only lead to it not finding or using the correct default content-type. It also showed that test 554 and test 587 were testing for the previous/wrong behavior and now they're updated as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1262 Reported-by: Konstantin Isakov
2013-07-29curl_formadd: fix file upload on VMSJohn E. Malmberg
For the standard VMS text file formats, VMS needs to read the file to get the actual file size. For the standard VMS binary file formats, VMS needs a special format of fopen() call so that it stops reading at the logical end of file instead of at the end of the blocks allocated to the file. I structured the patch this way as I was not sure about changing the structures or parameters to the routines, but would prefer to only call the stat() function once and pass the information to where the fopen() call is made. Bug: https://sourceforge.net/p/curl/bugs/758/
2013-07-26formadd: CURLFORM_FILECONTENT wrongly rejected some option combosDaniel Stenberg
The code for CURLFORM_FILECONTENT had its check for duplicate options wrong so that it would reject CURLFORM_PTRNAME if used in combination with it (but not CURLFORM_COPYNAME)! The flags field used for this purpose cannot be interpreted that broadly. Bug: http://curl.haxx.se/mail/lib-2013-07/0258.html Reported-by: Byrial Jensen
2013-06-25formpost: better random boundariesDaniel Stenberg
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
2013-03-04AddFormData: prevent only directories from being postedDaniel Stenberg
Commit f4cc54cb4746ae5a6d (shipped as part of the 7.29.0 release) was a bug fix that introduced a regression in that while trying to avoid allowing directory names, it also forbade "special" files like character devices and more. like "/dev/null" as was used by Oliver who reported this regression. Reported by: Oliver Gondža Bug: http://curl.haxx.se/mail/archive-2013-02/0040.html
2013-02-14Curl_FormBoundary: made staticDaniel Stenberg
As Curl_FormBoundary() is no longer used outside of this file (since commit ad7291c1a9d), it is now renamed to formboundary() and is made static.
2013-01-22formpost: support quotes, commas and semicolon in file namesUlion
- document the double-quote and backslash need be escaped if quoting. - libcurl formdata escape double-quote in filename by backslash. - curl formparse can parse filename both contains '"' and ',' or ';'. - curl now can uploading file with ',' or ';' in filename. Bug: http://curl.haxx.se/bug/view.cgi?id=1171
2013-01-19formadd: reject trying to read a directory where a file is expectedDaniel Stenberg
Bug: http://curl.haxx.se/mail/archive-2013-01/0017.html Reported by: Ulrich Doehner
2013-01-09build: fix circular header inclusion with other packagesYang Tse
This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03build: rename 93 lib/*.c filesYang Tse
93 lib/*.c source files renamed to use our standard naming scheme. This commit only does the file renaming. ---------------------------------------- renamed: lib/amigaos.c -> lib/curl_amigaos.c renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c renamed: lib/axtls.c -> lib/curl_axtls.c renamed: lib/base64.c -> lib/curl_base64.c renamed: lib/bundles.c -> lib/curl_bundles.c renamed: lib/conncache.c -> lib/curl_conncache.c renamed: lib/connect.c -> lib/curl_connect.c renamed: lib/content_encoding.c -> lib/curl_content_encoding.c renamed: lib/cookie.c -> lib/curl_cookie.c renamed: lib/cyassl.c -> lib/curl_cyassl.c renamed: lib/dict.c -> lib/curl_dict.c renamed: lib/easy.c -> lib/curl_easy.c renamed: lib/escape.c -> lib/curl_escape.c renamed: lib/file.c -> lib/curl_file.c renamed: lib/fileinfo.c -> lib/curl_fileinfo.c renamed: lib/formdata.c -> lib/curl_formdata.c renamed: lib/ftp.c -> lib/curl_ftp.c renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c renamed: lib/getenv.c -> lib/curl_getenv.c renamed: lib/getinfo.c -> lib/curl_getinfo.c renamed: lib/gopher.c -> lib/curl_gopher.c renamed: lib/gtls.c -> lib/curl_gtls.c renamed: lib/hash.c -> lib/curl_hash.c renamed: lib/hmac.c -> lib/curl_hmac.c renamed: lib/hostasyn.c -> lib/curl_hostasyn.c renamed: lib/hostcheck.c -> lib/curl_hostcheck.c renamed: lib/hostip.c -> lib/curl_hostip.c renamed: lib/hostip4.c -> lib/curl_hostip4.c renamed: lib/hostip6.c -> lib/curl_hostip6.c renamed: lib/hostsyn.c -> lib/curl_hostsyn.c renamed: lib/http.c -> lib/curl_http.c renamed: lib/http_chunks.c -> lib/curl_http_chunks.c renamed: lib/http_digest.c -> lib/curl_http_digest.c renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c renamed: lib/http_proxy.c -> lib/curl_http_proxy.c renamed: lib/idn_win32.c -> lib/curl_idn_win32.c renamed: lib/if2ip.c -> lib/curl_if2ip.c renamed: lib/imap.c -> lib/curl_imap.c renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c renamed: lib/inet_pton.c -> lib/curl_inet_pton.c renamed: lib/krb4.c -> lib/curl_krb4.c renamed: lib/krb5.c -> lib/curl_krb5.c renamed: lib/ldap.c -> lib/curl_ldap.c renamed: lib/llist.c -> lib/curl_llist.c renamed: lib/md4.c -> lib/curl_md4.c renamed: lib/md5.c -> lib/curl_md5.c renamed: lib/memdebug.c -> lib/curl_memdebug.c renamed: lib/mprintf.c -> lib/curl_mprintf.c renamed: lib/multi.c -> lib/curl_multi.c renamed: lib/netrc.c -> lib/curl_netrc.c renamed: lib/non-ascii.c -> lib/curl_non_ascii.c renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h renamed: lib/nonblock.c -> lib/curl_nonblock.c renamed: lib/nss.c -> lib/curl_nss.c renamed: lib/nwlib.c -> lib/curl_nwlib.c renamed: lib/nwos.c -> lib/curl_nwos.c renamed: lib/openldap.c -> lib/curl_openldap.c renamed: lib/parsedate.c -> lib/curl_parsedate.c renamed: lib/pingpong.c -> lib/curl_pingpong.c renamed: lib/polarssl.c -> lib/curl_polarssl.c renamed: lib/pop3.c -> lib/curl_pop3.c renamed: lib/progress.c -> lib/curl_progress.c renamed: lib/qssl.c -> lib/curl_qssl.c renamed: lib/rawstr.c -> lib/curl_rawstr.c renamed: lib/rtsp.c -> lib/curl_rtsp.c renamed: lib/security.c -> lib/curl_security.c renamed: lib/select.c -> lib/curl_select.c renamed: lib/sendf.c -> lib/curl_sendf.c renamed: lib/share.c -> lib/curl_share.c renamed: lib/slist.c -> lib/curl_slist.c renamed: lib/smtp.c -> lib/curl_smtp.c renamed: lib/socks.c -> lib/curl_socks.c renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c renamed: lib/speedcheck.c -> lib/curl_speedcheck.c renamed: lib/splay.c -> lib/curl_splay.c renamed: lib/ssh.c -> lib/curl_ssh.c renamed: lib/sslgen.c -> lib/curl_sslgen.c renamed: lib/ssluse.c -> lib/curl_ssluse.c renamed: lib/strdup.c -> lib/curl_strdup.c renamed: lib/strequal.c -> lib/curl_strequal.c renamed: lib/strerror.c -> lib/curl_strerror.c renamed: lib/strtok.c -> lib/curl_strtok.c renamed: lib/strtoofft.c -> lib/curl_strtoofft.c renamed: lib/telnet.c -> lib/curl_telnet.c renamed: lib/tftp.c -> lib/curl_tftp.c renamed: lib/timeval.c -> lib/curl_timeval.c renamed: lib/transfer.c -> lib/curl_transfer.c renamed: lib/url.c -> lib/curl_url.c renamed: lib/version.c -> lib/curl_version.c renamed: lib/warnless.c -> lib/curl_warnless.c renamed: lib/wildcard.c -> lib/curl_wildcard.c ----------------------------------------
2013-01-03build: make use of 93 lib/*.c renamed filesYang Tse
93 *.c source files renamed to use our standard naming scheme. This change affects 77 files in libcurl's source tree.
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-06-14Fix bad failf() and info() usageYang Tse
Calls to failf() are not supposed to provide trailing newline. Calls to infof() must provide trailing newline. Fixed 30 or so strings.
2011-12-21formdata.c: OOM handling fixesYang Tse
2011-10-16formdata: ack read callback abortDaniel Stenberg
When doing a multipart formpost with a read callback, and that callback returns CURL_READFUNC_ABORT, that return code must be properly propagated back and handled accordingly. Previously it would be handled as a zero byte read which would cause a hang! Added test case 587 to verify. It uses the lib554.c source code with a small ifdef. Reported by: Anton Bychkov Bug: http://curl.haxx.se/mail/lib-2011-10/0097.html