aboutsummaryrefslogtreecommitdiff
path: root/lib/http.c
AgeCommit message (Collapse)Author
2018-07-24auth: pick Bearer authentication whenever a token is availableJohannes Schindelin
So far, the code tries to pick an authentication method only if user/password credentials are available, which is not the case for Bearer authentictation... Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes #2754
2018-07-24auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer tokenJohannes Schindelin
The Bearer authentication was added to cURL 7.61.0, but there is a problem: if CURLAUTH_ANY is selected, and the server supports multiple authentication methods including the Bearer method, we strongly prefer that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer authentication fails, we will never even try to attempt any other method. This is particularly unfortunate when we already know that we do not have any Bearer token to work with. Such a scenario happens e.g. when using Git to push to Visual Studio Team Services (which supports Basic and Bearer authentication among other methods) and specifying the Personal Access Token directly in the URL (this aproach is frequently taken by automated builds). Let's make sure that we have a Bearer token to work with before we select the Bearer authentication among the available authentication methods. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes #2754
2018-07-20http2: several cleanupsDaniel Stenberg
- separate easy handle from connections better - added asserts on a number of places - added sanity check of pipelines for debug builds Closes #2751
2018-06-12Curl_debug: remove dead printhost codeDaniel Stenberg
The struct field is never set (since 5e0d9aea3) so remove the use of it and remove the connectdata pointer from the prototype. Reported-by: Tejas Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html Closes #2647
2018-06-11cppcheck: fix warningsMarian Klymov
- Get rid of variable that was generating false positive warning (unitialized) - Fix issues in tests - Reduce scope of several variables all over etc Closes #2631
2018-05-31strictness: correct {infof, failf} format specifiersRikard Falkeborn
Closes #2623
2018-05-24httpauth: add support for Bearer tokensLinus Lewandowski
Closes #2102
2018-05-22http resume: skip body if http code 416 (range error) is ignored.Patrick Monnerat
This avoids appending error data to already existing good data. Test 92 is updated to match this change. New test 1156 checks all combinations of --range/--resume, --fail, Content-Range header and http status code 200/416. Fixes #1163 Reported-By: Ithubg on github Closes #2578
2018-05-21checksrc: make sure sizeof() is used *with* parenthesesDaniel Stenberg
... and unify the source code to adhere. Closes #2563
2018-05-14lib: Fix format specifiersRikard Falkeborn
2018-05-14http: restore buffer pointer when bad response-line is parsedDaniel Stenberg
... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
2018-05-04http: don't set the "rewind" flag when not uploading anythingDaniel Stenberg
It triggers an assert. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 Closes #2546
2018-04-09lib: silence null-dereference warningsMarcel Raad
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs. Suggested-by: Daniel Stenberg Ref: https://github.com/curl/curl/pull/2463
2018-04-02cookies: when reading from a file, only remove_expired onceLauri Kasanen
This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441
2018-03-17CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocolLawrence Matthews
Add --haproxy-protocol for the command line tool Closes #2162
2018-03-11HTTP: allow "header;" to replace an internal header with a blank oneDaniel Stenberg
Reported-by: Michael Kaufmann Fixes #2357 Closes #2362
2018-02-16http: fix the max header length detection logicDaniel Stenberg
Previously, it would only check for max length if the existing alloc buffer was to small to fit it, which often would make the header still get used. Reported-by: Guido Berhoerster Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html Closes #2315
2018-02-15TODO fixed: Detect when called from within callbacksBjörn Stenberg
Closes #2302
2018-02-01time_t-fixes: remove typecasts to 'long' for info.filetimeDaniel Stenberg
They're now wrong. Reported-by: Michael Kaufmann Closes #2277
2018-01-22http: prevent custom Authorization headers in redirectsDaniel Stenberg
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
2018-01-13HTTP: bail out on negative Content-Length: valuesDaniel Stenberg
... and make the max filesize check trigger if the value is too big. Updates test 178. Reported-by: Brad Spencer Fixes #2212 Closes #2223
2017-11-05HTTP: support multiple Content-EncodingsPatrick Monnerat
This is implemented as an output streaming stack of unencoders, the last calling the client write procedure. New test 230 checks this feature. Bug: https://github.com/curl/curl/pull/2002 Reported-By: Daniel Bankhead
2017-11-01include: remove conncache.h inclusion from where its not neededDaniel Stenberg
2017-10-09RTSP: avoid integer overflow on funny RTSP responseDaniel Stenberg
... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz. Closes #1969
2017-09-28http: add custom empty headers to repeated requestsMichael Kaufmann
Closes #1920
2017-09-12code style: remove wrong uses of multiple spacesDaniel Stenberg
Closes #1878
2017-09-12code style: use space after semicolonDaniel Stenberg
2017-09-11code style: use spaces around plusesDaniel Stenberg
2017-09-11code style: use spaces around equals signsDaniel Stenberg
2017-09-11Curl_checkheaders: make it available for IMAP and SMTP tooDaniel Stenberg
... not only HTTP uses this now. Closes #1875
2017-09-02mime: new MIME API.Patrick Monnerat
Available in HTTP, SMTP and IMAP. Deprecates the FORM API. See CURLOPT_MIMEPOST. Lib code and associated documentation.
2017-09-02http: fix a memory leakage in checkrtspprefix().Patrick Monnerat
2017-08-18http: Don't wait on CONNECT when there is no proxyJan Alexander Steffens (heftig)
Since curl 7.55.0, NetworkManager almost always failed its connectivity check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP CONNECT process entirely non-blocking). This patch replaces !Curl_connect_complete with Curl_connect_ongoing, which returns false if the CONNECT state was left uninitialized and lets the connection continue. Closes #1803 Fixes #1804 Also-fixed-by: Gergely Nagy
2017-08-14strtoofft: reduce integer overflow risks globallyDaniel Stenberg
... make sure we bail out on overflows. Reported-by: Brian Carpenter Closes #1758
2017-07-31http: fix response code parser to avoid integer overflowDaniel Stenberg
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2017-07-06http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLDDaniel Stenberg
Make the name reflect its use better, and add a short comment describing what it's for.
2017-06-30handler: refactor connection checkingMax Dymond
Add a new type of callback to Curl_handler which performs checks on the connection. Alter RTSP so that it uses this callback to do its own check on connection health.
2017-06-21--request-target: instead of --strip-path-slashDaniel Stenberg
... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH. This option instead provides the full "alternative" target to use in the request, instead of extracting the path from the URL. Test 1298 and 1299 updated accordingly. Idea-by: Evert Pot Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373 Closes #1593
2017-06-19http: add --strip-path-slash and CURLOPT_STRIP_PATH_SLASHDaniel Stenberg
... to enable sending "OPTIONS *" which wasn't possible previously. This option currently only works for HTTP. Added test cases 1298 + 1299 to verify Fixes #1280 Closes #1462
2017-06-14http-proxy: do the HTTP CONNECT process entirely non-blockingDaniel Stenberg
Mentioned as a problem since 2007 (8f87c15bdac63) and of course it existed even before that. Closes #1547
2017-05-30transfer: init the infilesize from the postfields...Daniel Stenberg
... with a strlen() if no size was set, and do this in the pretransfer function so that the info is set early. Otherwise, the default strlen() done on the POSTFIELDS data never sets state.infilesize. Reported-by: Vincas Razma Bug: #1294
2017-05-10multi: use a fixed array of timers instead of mallocDaniel Stenberg
... since the total amount is low this is faster, easier and reduces memory overhead. Also, Curl_expire_done() can now mark an expire timeout as done so that it never times out. Closes #1472
2017-05-01buffer: use data->set.buffer_size instead of BUFSIZEDaniel Stenberg
... to properly use the dynamically set buffer size!
2017-05-01http: don't clobber the receive buffer for timecondDaniel Stenberg
2017-05-01http: use private user:password output bufferDaniel Stenberg
Don't clobber the receive buffer.
2017-03-28http: do not treat FTPS over CONNECT as HTTPSKamil Dudka
If we use FTPS over CONNECT, the TLS handshake for the FTPS control connection needs to be initiated in the SENDPROTOCONNECT state, not the WAITPROXYCONNECT state. Otherwise, if the TLS handshake completed without blocking, the information about the completed TLS handshake would be saved to a wrong flag. Consequently, the TLS handshake would be initiated in the SENDPROTOCONNECT state once again on the same connection, resulting in a failure of the TLS handshake. I was able to observe the failure with the NSS backend if curl ran through valgrind. Note that this commit partially reverts curl-7_21_6-52-ge34131d.
2017-03-28http: Fix proxy connection reuse with basic-authIsaac Boukris
When using basic-auth, connections and proxy connections can be re-used with different Authorization headers since it does not authenticate the connection (like NTLM does). For instance, the below command should re-use the proxy connection, but it currently doesn't: curl -v -U alice:a -x http://localhost:8181 http://localhost/ --next -U bob:b -x http://localhost:8181 http://localhost/ This is a regression since refactoring of ConnectionExists() as part of: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151 Fix the above by removing the username and password compare when re-using proxy connection at proxy_info_matches(). However, this fix brings back another bug would make curl to re-print the old proxy-authorization header of previous proxy basic-auth connection because it wasn't cleared. For instance, in the below command the second request should fail if the proxy requires authentication, but would succeed after the above fix (and before aforementioned commit): curl -v -U alice:a -x http://localhost:8181 http://localhost/ --next -x http://localhost:8181 http://localhost/ Fix this by clearing conn->allocptr.proxyuserpwd after use unconditionally, same as we do for conn->allocptr.userpwd. Also fix test 540 to not expect digest auth header to be resent when connection is reused. Signed-off-by: Isaac Boukris <iboukris@gmail.com> Closes https://github.com/curl/curl/pull/1350
2017-03-26spelling fixesklemens
Closes #1356
2017-03-13Improve code readbilitySylvestre Ledru
... by removing the else branch after a return, break or continue. Closes #1310
2017-03-11proxy: skip SSL initialization for closed connectionsMichael Kaufmann
This prevents a "Descriptor is not a socket" error for WinSSL. Reported-by: Antony74@users.noreply.github.com Reviewed-by: Jay Satiro Fixes https://github.com/curl/curl/issues/1239