aboutsummaryrefslogtreecommitdiff
path: root/lib/http.c
AgeCommit message (Collapse)Author
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-10-31cookies: getlist() now holds deep copies of all cookiesDaniel Stenberg
Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53
2016-09-22New libcurl option to keep sending on errorMichael Kaufmann
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether sending the request body shall be completed when the server responds early with an error status code. This is suitable for manual NTLM authentication. Reviewed-by: Jay Satiro Closes https://github.com/curl/curl/pull/904
2016-09-16http: accept "Transfer-Encoding: chunked" for HTTP/2 as wellDaniel Stenberg
... but don't send the actual header over the wire as it isn't accepted. Chunked uploading is still triggered using this method. Fixes #1013 Fixes #662
2016-08-28http2: make sure stream errors don't needlessly close the connectionDaniel Stenberg
With HTTP/2 each transfer is made in an indivial logical stream over the connection, making most previous errors that caused the connection to get forced-closed now instead just kill the stream and not the connection. Fixes #941
2016-08-25HTTP: stop parsing headers when switching to unknown protocolsMichael Kaufmann
- unknown protocols probably won't send more headers (e.g. WebSocket) - improved comments and moved them to the correct case statements Closes #899
2016-08-21http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) checkSteve Holme
From commit 2708d4259b.
2016-08-20http.c: Corrected indentation change from commit 2708d4259bSteve Holme
Made by Visual Studio's auto-correct feature and missed by me in my own code reviews!
2016-08-20http: Added calls to Curl_auth_is_<mechansism>_supported()Steve Holme
Hooked up the HTTP authentication layer to query the new 'is mechanism supported' functions when deciding what mechanism to use. As per commit 00417fd66c existing functionality is maintained for now.
2016-08-16Revert "Proxy-Connection: stop sending this header by default"Daniel Stenberg
This reverts commit 113f04e664b16b944e64498a73a4dab990fe9a68.
2016-06-28cleanup: minor code cleanup in Curl_http_readwrite_headers()Michael Kaufmann
- the expression of an 'if' was always true - a 'while' contained a condition that was always true - use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)' - fixed a typo Closes #889
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-21cleanup: fix method names in code commentsMichael Kaufmann
Closes #887
2016-06-05http: Fix HTTP/2 connection reuseJay Satiro
- Change the parser to not require a minor version for HTTP/2. HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2 in 8243a95 because the parser still expected a minor version. Bug: https://github.com/curl/curl/issues/855 Reported-by: Andrew Robbins, Frank Gevaerts
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-02http: make sure a blank header overrides accept_decodingDaniel Stenberg
Reported-by: rcanavan Assisted-by: Isaac Boukris Closes #785
2016-04-29lib: include curl_printf.h as one of the last headersDaniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-04-26CONNECT_ONLY: don't close connection on GSS 401/407 reponsesMarcel Raad
Previously, connections were closed immediately before the user had a chance to extract the socket when the proxy required Negotiate authentication. This regression was brought in with the security fix in commit 79b9d5f1a42578f Closes #655
2016-04-17news: CURLOPT_CONNECT_TO and --connect-toMichael Kaufmann
Makes curl connect to the given host+port instead of the host+port found in the URL.
2016-04-03code: style updatesDaniel Stenberg
2016-03-31http2: support "prior knowledge", no upgrade from HTTP/1.1Diego Bes
Supports HTTP/2 over clear TCP - Optimize switching to HTTP/2 by removing calls to init and setup before switching. Switching will eventually call setup and setup calls init. - Supports new version to “force” the use of HTTP/2 over clean TCP - Add common line parameter “--http2-prior-knowledge” to the Curl command line tool.
2016-03-31http: remove ((expression)) double parenthesesDaniel Stenberg
2016-03-31Curl_add_buffer_send: avoid possible NULL dereferenceDaniel Stenberg
... as we check for a NULL pointer below, we move the derefence to after the check. Detected by PVS Studio. Reported-by: Alexis La Goutte
2016-03-30multi: turn Curl_done into file local multi_doneDaniel Stenberg
... as it now is used by multi.c only.
2016-03-27http_ntlm: Renamed from curl_ntlm.[c|h]Steve Holme
Renamed the header and source files for this module as they are HTTP specific and as such, they should use the naming convention as other HTTP authentication source files do - this revert commit 260ee6b7bf. Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind code needs separating from the HTTP protocol and migrating into the vauth directory, thus adding support for Winbind to the SASL based protocols such as IMAP, POP3 and SMTP.
2016-03-26vauth: Moved the Negotiate authentication code to the new vauth directorySteve Holme
Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
2016-03-24http: Minor update based on CODE_STYLE guidelinesSteve Holme
2016-03-20connect/ntlm/http: Fixed compilation warnings when verbose strings disabledSteve Holme
warning C4189: 'data': local variable is initialized but not referenced
2016-02-17http2: don't decompress gzip decoding automaticallyDaniel Stenberg
At one point during the development of HTTP/2, the commit 133cdd29ea0 introduced automatic decompression of Content-Encoding as that was what the spec said then. Now however, HTTP/2 should work the same way as HTTP/1 in this regard. Reported-by: Kazuho Oku Closes #661
2016-02-16http: Don't break the header into chunks if HTTP/2Tatsuhiro Tsujikawa
nghttp2 callback deals with TLS layer and therefore the header does not need to be broken into chunks. Bug: https://github.com/curl/curl/issues/659 Reported-by: Kazuho Oku
2016-02-08Proxy-Connection: stop sending this header by defaultDaniel Stenberg
RFC 7230 says we should stop. Firefox already stopped. Bug: https://github.com/curl/curl/issues/633 Reported-By: Brad Fitzpatrick Closes #633
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-15http2: Support trailer fieldsTatsuhiro Tsujikawa
This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked encoding must be used to send trialer fields. HTTP/2 deprecated any trandfer-encoding, including chunked. But trailer fields are now always available. Since trailer fields are relatively rare these days (gRPC uses them extensively though), allocating buffer for trailer fields is done when we detect that HEADERS frame containing trailer fields is started. We use Curl_add_buffer_* functions to buffer all trailers, just like we do for regular header fields. And then deliver them when stream is closed. We have to be careful here so that all data are delivered to upper layer before sending trailers to the application. We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE mechanism, but current method is far more simple. Another possibility is use chunked encoding internally for HTTP/2 traffic. I have not tested it, but it could add another overhead. Closes #564
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-12-09fix b6d5cb40d7038feDaniel Stenberg
2015-12-08build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGSChristian Stewart
With curl disable verbose strings in http.c the compilation fails due to the data variable being undefined later on in the function. Closes #558
2015-11-25timecond: do not add if-modified-since without timeconditionDaniel Stenberg
The RTSP code path didn't skip adding the if-modified-since for certain RTSP code paths, even if CURLOPT_TIMECONDITION was set to CURL_TIMECOND_NONE. Also, an unknown non-zero CURLOPT_TIMECONDITION value no longer equals CURL_TIMECOND_IFMODSINCE. Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-17http2: http_done: don't free already-freed push headersDaniel Stenberg
The push headers are freed after the push callback has been invoked, meaning this code should only free the headers if the callback was never invoked and thus the headers weren't freed at that time. Reported-by: Davey Shafik
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-10-20vtls: added support for mbedTLSJonas Minnberg
closes #496
2015-10-15fread_func: move callback pointer from set to state structDaniel Stenberg
... and assign it from the set.fread_func_set pointer in the Curl_init_CONNECT function. This A) avoids that we have code that assigns fields in the 'set' struct (which we always knew was bad) and more importantly B) it makes it impossibly to accidentally leave the wrong value for when the handle is re-used etc. Introducing a state-init functionality in multi.c, so that we can set a specific function to get called when we enter a state. The Curl_init_CONNECT is thus called when switching to the CONNECT state. Bug: https://github.com/bagder/curl/issues/346 Closes #346
2015-08-20rtsp: stop reading empty DESCRIBE responsesErik Janssen
Based-on-patch-by: Jim Hollinger
2015-08-11http2: discard frames with no SessionHandleAnders Bakken
Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the SessionHandle. Apparently mod_h2 will sometimes send a frame for a stream_id we're finished with. Use nghttp2_session_get_stream_user_data and nghttp2_session_set_stream_user_data to identify SessionHandles instead of a hash. Closes #372
2015-07-30http: move HTTP/2 cleanup code off http_disconnect()Kamil Dudka
Otherwise it would never be called for an HTTP/2 connection, which has its own disconnect handler. I spotted this while debugging <https://bugzilla.redhat.com/1248389> where the http_disconnect() handler was called on an FTP session handle causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *) was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in Curl_add_buffer_free() after printing the "Connection cache is full, closing the oldest one." message. A previously working version of libcurl started to crash after it was recompiled with the HTTP/2 support despite the HTTP/2 protocol was not actually used. This commit makes it work again although I suspect the root cause (reinterpreting session handle data of incompatible protocol) still has to be fixed. Otherwise the same will happen when mixing FTP and HTTP/2 connections and exceeding the connection cache limit. Reported-by: Tomas Tomecek Bug: https://bugzilla.redhat.com/1248389
2015-07-25HTTP: ignore "Content-Encoding: compress"Michael Kaufmann
Currently, libcurl rejects responses with "Content-Encoding: compress" when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should treat the Content-Encoding "compress" the same as other Content-Encodings that it does not support, e.g. "bzip2". That means just ignoring it.
2015-07-07http2: Fix memory leak in push header arrayTatsuhiro Tsujikawa
2015-06-24http2: fixed the header accessor functions for the push callbackDaniel Stenberg
2015-06-24http2: setup the new pushed stream properlyDaniel Stenberg
2015-06-17http: do not leak basic auth credentials on re-used connectionsKamil Dudka
CVE-2015-3236 This partially reverts commit curl-7_39_0-237-g87c4abb Reported-by: Tomas Tomecek, Kamil Dudka Bug: http://curl.haxx.se/docs/adv_20150617A.html