aboutsummaryrefslogtreecommitdiff
path: root/lib/http.c
AgeCommit message (Collapse)Author
2018-05-22http resume: skip body if http code 416 (range error) is ignored.Patrick Monnerat
This avoids appending error data to already existing good data. Test 92 is updated to match this change. New test 1156 checks all combinations of --range/--resume, --fail, Content-Range header and http status code 200/416. Fixes #1163 Reported-By: Ithubg on github Closes #2578
2018-05-21checksrc: make sure sizeof() is used *with* parenthesesDaniel Stenberg
... and unify the source code to adhere. Closes #2563
2018-05-14lib: Fix format specifiersRikard Falkeborn
2018-05-14http: restore buffer pointer when bad response-line is parsedDaniel Stenberg
... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
2018-05-04http: don't set the "rewind" flag when not uploading anythingDaniel Stenberg
It triggers an assert. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 Closes #2546
2018-04-09lib: silence null-dereference warningsMarcel Raad
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs. Suggested-by: Daniel Stenberg Ref: https://github.com/curl/curl/pull/2463
2018-04-02cookies: when reading from a file, only remove_expired onceLauri Kasanen
This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441
2018-03-17CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocolLawrence Matthews
Add --haproxy-protocol for the command line tool Closes #2162
2018-03-11HTTP: allow "header;" to replace an internal header with a blank oneDaniel Stenberg
Reported-by: Michael Kaufmann Fixes #2357 Closes #2362
2018-02-16http: fix the max header length detection logicDaniel Stenberg
Previously, it would only check for max length if the existing alloc buffer was to small to fit it, which often would make the header still get used. Reported-by: Guido Berhoerster Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html Closes #2315
2018-02-15TODO fixed: Detect when called from within callbacksBjörn Stenberg
Closes #2302
2018-02-01time_t-fixes: remove typecasts to 'long' for info.filetimeDaniel Stenberg
They're now wrong. Reported-by: Michael Kaufmann Closes #2277
2018-01-22http: prevent custom Authorization headers in redirectsDaniel Stenberg
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
2018-01-13HTTP: bail out on negative Content-Length: valuesDaniel Stenberg
... and make the max filesize check trigger if the value is too big. Updates test 178. Reported-by: Brad Spencer Fixes #2212 Closes #2223
2017-11-05HTTP: support multiple Content-EncodingsPatrick Monnerat
This is implemented as an output streaming stack of unencoders, the last calling the client write procedure. New test 230 checks this feature. Bug: https://github.com/curl/curl/pull/2002 Reported-By: Daniel Bankhead
2017-11-01include: remove conncache.h inclusion from where its not neededDaniel Stenberg
2017-10-09RTSP: avoid integer overflow on funny RTSP responseDaniel Stenberg
... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz. Closes #1969
2017-09-28http: add custom empty headers to repeated requestsMichael Kaufmann
Closes #1920
2017-09-12code style: remove wrong uses of multiple spacesDaniel Stenberg
Closes #1878
2017-09-12code style: use space after semicolonDaniel Stenberg
2017-09-11code style: use spaces around plusesDaniel Stenberg
2017-09-11code style: use spaces around equals signsDaniel Stenberg
2017-09-11Curl_checkheaders: make it available for IMAP and SMTP tooDaniel Stenberg
... not only HTTP uses this now. Closes #1875
2017-09-02mime: new MIME API.Patrick Monnerat
Available in HTTP, SMTP and IMAP. Deprecates the FORM API. See CURLOPT_MIMEPOST. Lib code and associated documentation.
2017-09-02http: fix a memory leakage in checkrtspprefix().Patrick Monnerat
2017-08-18http: Don't wait on CONNECT when there is no proxyJan Alexander Steffens (heftig)
Since curl 7.55.0, NetworkManager almost always failed its connectivity check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP CONNECT process entirely non-blocking). This patch replaces !Curl_connect_complete with Curl_connect_ongoing, which returns false if the CONNECT state was left uninitialized and lets the connection continue. Closes #1803 Fixes #1804 Also-fixed-by: Gergely Nagy
2017-08-14strtoofft: reduce integer overflow risks globallyDaniel Stenberg
... make sure we bail out on overflows. Reported-by: Brian Carpenter Closes #1758
2017-07-31http: fix response code parser to avoid integer overflowDaniel Stenberg
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2017-07-06http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLDDaniel Stenberg
Make the name reflect its use better, and add a short comment describing what it's for.
2017-06-30handler: refactor connection checkingMax Dymond
Add a new type of callback to Curl_handler which performs checks on the connection. Alter RTSP so that it uses this callback to do its own check on connection health.
2017-06-21--request-target: instead of --strip-path-slashDaniel Stenberg
... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH. This option instead provides the full "alternative" target to use in the request, instead of extracting the path from the URL. Test 1298 and 1299 updated accordingly. Idea-by: Evert Pot Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373 Closes #1593
2017-06-19http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASHDaniel Stenberg
... to enable sending "OPTIONS *" which wasn't possible previously. This option currently only works for HTTP. Added test cases 1298 + 1299 to verify Fixes #1280 Closes #1462
2017-06-14http-proxy: do the HTTP CONNECT process entirely non-blockingDaniel Stenberg
Mentioned as a problem since 2007 (8f87c15bdac63) and of course it existed even before that. Closes #1547
2017-05-30transfer: init the infilesize from the postfields...Daniel Stenberg
... with a strlen() if no size was set, and do this in the pretransfer function so that the info is set early. Otherwise, the default strlen() done on the POSTFIELDS data never sets state.infilesize. Reported-by: Vincas Razma Bug: #1294
2017-05-10multi: use a fixed array of timers instead of mallocDaniel Stenberg
... since the total amount is low this is faster, easier and reduces memory overhead. Also, Curl_expire_done() can now mark an expire timeout as done so that it never times out. Closes #1472
2017-05-01buffer: use data->set.buffer_size instead of BUFSIZEDaniel Stenberg
... to properly use the dynamically set buffer size!
2017-05-01http: don't clobber the receive buffer for timecondDaniel Stenberg
2017-05-01http: use private user:password output bufferDaniel Stenberg
Don't clobber the receive buffer.
2017-03-28http: do not treat FTPS over CONNECT as HTTPSKamil Dudka
If we use FTPS over CONNECT, the TLS handshake for the FTPS control connection needs to be initiated in the SENDPROTOCONNECT state, not the WAITPROXYCONNECT state. Otherwise, if the TLS handshake completed without blocking, the information about the completed TLS handshake would be saved to a wrong flag. Consequently, the TLS handshake would be initiated in the SENDPROTOCONNECT state once again on the same connection, resulting in a failure of the TLS handshake. I was able to observe the failure with the NSS backend if curl ran through valgrind. Note that this commit partially reverts curl-7_21_6-52-ge34131d.
2017-03-28http: Fix proxy connection reuse with basic-authIsaac Boukris
When using basic-auth, connections and proxy connections can be re-used with different Authorization headers since it does not authenticate the connection (like NTLM does). For instance, the below command should re-use the proxy connection, but it currently doesn't: curl -v -U alice:a -x http://localhost:8181 http://localhost/ --next -U bob:b -x http://localhost:8181 http://localhost/ This is a regression since refactoring of ConnectionExists() as part of: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151 Fix the above by removing the username and password compare when re-using proxy connection at proxy_info_matches(). However, this fix brings back another bug would make curl to re-print the old proxy-authorization header of previous proxy basic-auth connection because it wasn't cleared. For instance, in the below command the second request should fail if the proxy requires authentication, but would succeed after the above fix (and before aforementioned commit): curl -v -U alice:a -x http://localhost:8181 http://localhost/ --next -x http://localhost:8181 http://localhost/ Fix this by clearing conn->allocptr.proxyuserpwd after use unconditionally, same as we do for conn->allocptr.userpwd. Also fix test 540 to not expect digest auth header to be resent when connection is reused. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Closes https://github.com/curl/curl/pull/1350
2017-03-26spelling fixesklemens
Closes #1356
2017-03-13Improve code readbilitySylvestre Ledru
... by removing the else branch after a return, break or continue. Closes #1310
2017-03-11proxy: skip SSL initialization for closed connectionsMichael Kaufmann
This prevents a "Descriptor is not a socket" error for WinSSL. Reported-by: Antony74@users.noreply.github.com Reviewed-by: Jay Satiro Fixes https://github.com/curl/curl/issues/1239
2017-03-11authneg: clear auth.multi flag at http_doneIsaac Boukris
This flag is meant for the current request based on authentication state, once the request is done we can clear the flag. Also change auth.multi to auth.multipass for better readability. Fixes https://github.com/curl/curl/issues/1095 Closes https://github.com/curl/curl/pull/1326 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reported-by: Michael Kaufmann
2017-03-07http2: Fix assertion error on redirect with CL=0Tatsuhiro Tsujikawa
This fixes assertion error which occurs when redirect is done with 0 length body via HTTP/2, and the easy handle is reused, but new connection is established due to hostname change: curl: http2.c:1572: ssize_t http2_recv(struct connectdata *, int, char *, size_t, CURLcode *): Assertion `httpc->drain_total >= data->state.drain' failed. To fix this bug, ensure that http2_handle_stream is called. Fixes #1286 Closes #1302
2017-02-17http: fix missing 'Content-Length: 0' while negotiating authIsaac Boukris
- While negotiating auth during PUT/POST if a user-specified Content-Length header is set send 'Content-Length: 0'. This is what we do already in HTTPREQ_POST_FORM and what we did in the HTTPREQ_POST case (regression since afd288b). Prior to this change no Content-Length header would be sent in such a case. Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html Reported-by: Dominik Hölzl Closes https://github.com/curl/curl/pull/1242
2017-01-19CURLOPT_BUFFERSIZE: support enlarging receive bufferRichy Kim
Replace use of fixed macro BUFSIZE to define the size of the receive buffer. Reappropriate CURLOPT_BUFFERSIZE to include enlarging receive buffer size. Upon setting, resize buffer if larger than the current default size up to a MAX_BUFSIZE (512KB). This can benefit protocols like SFTP. Closes #1222
2017-01-14http: print correct HTTP string in verbose output when using HTTP/2Alessandro Ghedini
Before: ``` % src/curl https://sigsegv.ninja/ -v --http2 ... > GET / HTTP/1.1 > Host: sigsegv.ninja > User-Agent: curl/7.52.2-DEV > Accept: */* > ... ``` After: ``` % src/curl https://sigsegv.ninja/ -v --http2 ... > GET / HTTP/2 > Host: sigsegv.ninja > User-Agent: curl/7.52.2-DEV > Accept: */* > ```
2016-12-23http: remove "Curl_http_done: called premature" messageDaniel Stenberg
... it only confuses people.
2016-12-14checksrc: warn for assignments within if() expressionsDaniel Stenberg
... they're already frowned upon in our source code style guide, this now enforces the rule harder.