aboutsummaryrefslogtreecommitdiff
path: root/lib/http.c
AgeCommit message (Collapse)Author
2019-05-08http: Ignore HTTP/2 prior knowledge setting for HTTP proxiesJay Satiro
- Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to the destination host. We already do something similar for HTTPS proxies by not sending h2. [1] Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would incorrectly use HTTP/2 to talk to the proxy, which is not something we support (yet?). Also it's debatable whether or not that setting should apply to HTTP/2 proxies. [1]: https://github.com/curl/curl/commit/17c5d05 Bug: https://github.com/curl/curl/issues/3570 Bug: https://github.com/curl/curl/issues/3832 Closes https://github.com/curl/curl/pull/3853
2019-05-01http: mark bundle as not for multiuse on < HTTP/2 responseDaniel Stenberg
Fixes #3813 Closes #3815
2019-04-06pipelining: removedDaniel Stenberg
As previously planned and documented in DEPRECATE.md, all pipelining code is removed. Closes #3651
2019-03-14Negotiate: fix for HTTP POST with NegotiateDominik Hölzl
* Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2019-03-13http: send payload when (proxy) authentication is doneMarc Schlatter
The check that prevents payload from sending in case of authentication doesn't check properly if the authentication is done or not. They're cases where the proxy respond "200 OK" before sending authentication challenge. This change takes care of that. Fixes #2431 Closes #3669
2019-03-03alt-svc: add test 355 and 356 to verify with command line curlDaniel Stenberg
2019-03-03alt-svc: the libcurl bitsDaniel Stenberg
2019-03-01urldata: simplify bytecountersDaniel Stenberg
- no need to have them protocol specific - no need to set pointers to them with the Curl_setup_transfer() call - make Curl_setup_transfer() operate on a transfer pointer, not connection - switch some counters from long to the more proper curl_off_t type Closes #3627
2019-02-28http: set state.infilesize when sending formpostsDaniel Stenberg
Without it set, we would unwillingly triger the "HTTP error before end of send, stop sending" condition even if the entire POST body had been sent (since it wouldn't know the expected size) which would unnecessarily log that message and close the connection when it didn't have to. Reported-by: Matt McClure Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html Closes #3624
2019-02-27urldata: convert bools to bitfields and move to endDaniel Stenberg
This allows the compiler to pack and align the structs better in memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. Removed an unused struct field. No functionality changes. Closes #3610
2019-02-19http: make adding a blank header thread-safeDaniel Stenberg
Previously the function would edit the provided header in-place when a semicolon is used to signify an empty header. This made it impossible to use the same set of custom headers in multiple threads simultaneously. This approach now makes a local copy when it needs to edit the string. Reported-by: d912e3 on github Fixes #3578 Closes #3579
2019-02-10cleanup: make local functions staticDaniel Stenberg
urlapi: turn three local-only functions into statics conncache: make conncache_find_first_connection static multi: make detach_connnection static connect: make getaddressinfo static curl_ntlm_core: make hmac_md5 static http2: make two functions static http: make http_setup_conn static connect: make tcpnodelay static tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds ... and mark Curl_shuffle_addr accordingly. url: make up_free static setopt: make vsetopt static curl_endian: make write32_le static rtsp: make rtsp_connisdead static warnless: remove unused functions memdebug: remove one unused function, made another static
2019-01-09cookies: skip custom cookies when redirecting cross-siteKatsuhiko YOSHIDA
Closes #3417
2019-01-07Revert "http_negotiate: do not close connection until negotiation is completed"Daniel Stenberg
This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47. This also reopens PR #3275 which brought the change now reverted. Fixes #3384 Closes #3439
2018-12-21http: added options for allowing HTTP/0.9 responsesDaniel Stenberg
Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. For now, both the tool and library allow HTTP/0.9 by default. docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 months after the 7.64.0 release. The options are added already now so that applications/scripts can start using them already now. Fixes #2873 Closes #3383
2018-12-14http: Implement trailing headers for chunked transfersAyoub Boudhar
This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION options that allow a callback based approach to sending trailing headers with chunked transfers. The test server (sws) was updated to take into account the detection of the end of transfer in the case of trailing headers presence. Test 1591 checks that trailing headers can be sent using libcurl. Closes #3350
2018-12-13cookies: leave secure cookies aloneDaniel Gustafsson
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-11http: fix HTTP auth to include query in URIJay Satiro
- Include query in the path passed to generate HTTP auth. Recent changes to use the URL API internally (46e1640, 7.62.0) inadvertently broke authentication URIs by omitting the query. Fixes https://github.com/curl/curl/issues/3353 Closes #3356
2018-12-11http: don't set CURLINFO_CONDITION_UNMET for http status code 204Michael Kaufmann
The http status code 204 (No Content) should not change the "condition unmet" flag. Only the http status code 304 (Not Modified) should do this. Closes #359
2018-12-07NTLM: force the connection to HTTP/1.1Johannes Schindelin
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces the capability. However, NTLM authentication only works with HTTP/1.1, and will likely remain in that boat (for details, see https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported). When we just found out that we want to use NTLM, and when the current connection runs in HTTP/2 mode, let's force the connection to be closed and to be re-opened using HTTP/1.1. Fixes https://github.com/curl/curl/issues/3341. Closes #3345 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-16http_negotiate: do not close connection until negotiation is completedElia Tufarolo
Fix HTTP POST using CURLAUTH_NEGOTIATE. Closes #3275
2018-10-08spelling fixes [ci skip]Viktor Szakats
as detected by codespell 1.14.0 Closes https://github.com/curl/curl/pull/3114 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-09-25http: fix memleak in rewind error pathDaniel Stenberg
If the rewind would fail, a strdup() would not get freed. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 Closes #3044
2018-09-23http: add missing return code checkDaniel Stenberg
Detected by Coverity. CID 1439610. Follow-up from 46e164069d1a523 Closes #3034
2018-09-22url: use the URL API internally as wellDaniel Stenberg
... to make it a truly unified URL parser. Closes #3017
2018-09-16http: made Curl_add_buffer functions take a pointer-pointerDaniel Stenberg
... so that they can clear the original pointer on failure, which makes the error-paths and their cleanups easier. Closes #2992
2018-08-18upload: allocate upload buffer on-demandDaniel Stenberg
Saves 16KB on the easy handle for operations that don't need that buffer. Part 1 of #2888
2018-08-13http: fix for tiny "HTTP/0.9" responseDaniel Stenberg
Deal with tiny "HTTP/0.9" (header-less) responses by checking the status-line early, even before a full "HTTP/" is received to allow detecting 0.9 properly. Test 1266 and 1267 added to verify. Fixes #2420 Closes #2872
2018-08-11CURLINFO_SIZE_UPLOAD: fix missing counter updateDaniel Stenberg
Adds test 1522 for verification. Reported-by: cjmsoregan Fixes #2847 Closes #2864
2018-07-24auth: pick Bearer authentication whenever a token is availableJohannes Schindelin
So far, the code tries to pick an authentication method only if user/password credentials are available, which is not the case for Bearer authentictation... Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes #2754
2018-07-24auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer tokenJohannes Schindelin
The Bearer authentication was added to cURL 7.61.0, but there is a problem: if CURLAUTH_ANY is selected, and the server supports multiple authentication methods including the Bearer method, we strongly prefer that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer authentication fails, we will never even try to attempt any other method. This is particularly unfortunate when we already know that we do not have any Bearer token to work with. Such a scenario happens e.g. when using Git to push to Visual Studio Team Services (which supports Basic and Bearer authentication among other methods) and specifying the Personal Access Token directly in the URL (this aproach is frequently taken by automated builds). Let's make sure that we have a Bearer token to work with before we select the Bearer authentication among the available authentication methods. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes #2754
2018-07-20http2: several cleanupsDaniel Stenberg
- separate easy handle from connections better - added asserts on a number of places - added sanity check of pipelines for debug builds Closes #2751
2018-06-12Curl_debug: remove dead printhost codeDaniel Stenberg
The struct field is never set (since 5e0d9aea3) so remove the use of it and remove the connectdata pointer from the prototype. Reported-by: Tejas Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html Closes #2647
2018-06-11cppcheck: fix warningsMarian Klymov
- Get rid of variable that was generating false positive warning (unitialized) - Fix issues in tests - Reduce scope of several variables all over etc Closes #2631
2018-05-31strictness: correct {infof, failf} format specifiersRikard Falkeborn
Closes #2623
2018-05-24httpauth: add support for Bearer tokensLinus Lewandowski
Closes #2102
2018-05-22http resume: skip body if http code 416 (range error) is ignored.Patrick Monnerat
This avoids appending error data to already existing good data. Test 92 is updated to match this change. New test 1156 checks all combinations of --range/--resume, --fail, Content-Range header and http status code 200/416. Fixes #1163 Reported-By: Ithubg on github Closes #2578
2018-05-21checksrc: make sure sizeof() is used *with* parenthesesDaniel Stenberg
... and unify the source code to adhere. Closes #2563
2018-05-14lib: Fix format specifiersRikard Falkeborn
2018-05-14http: restore buffer pointer when bad response-line is parsedDaniel Stenberg
... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
2018-05-04http: don't set the "rewind" flag when not uploading anythingDaniel Stenberg
It triggers an assert. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 Closes #2546
2018-04-09lib: silence null-dereference warningsMarcel Raad
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs. Suggested-by: Daniel Stenberg Ref: https://github.com/curl/curl/pull/2463
2018-04-02cookies: when reading from a file, only remove_expired onceLauri Kasanen
This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441
2018-03-17CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocolLawrence Matthews
Add --haproxy-protocol for the command line tool Closes #2162
2018-03-11HTTP: allow "header;" to replace an internal header with a blank oneDaniel Stenberg
Reported-by: Michael Kaufmann Fixes #2357 Closes #2362
2018-02-16http: fix the max header length detection logicDaniel Stenberg
Previously, it would only check for max length if the existing alloc buffer was to small to fit it, which often would make the header still get used. Reported-by: Guido Berhoerster Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html Closes #2315
2018-02-15TODO fixed: Detect when called from within callbacksBjörn Stenberg
Closes #2302
2018-02-01time_t-fixes: remove typecasts to 'long' for info.filetimeDaniel Stenberg
They're now wrong. Reported-by: Michael Kaufmann Closes #2277
2018-01-22http: prevent custom Authorization headers in redirectsDaniel Stenberg
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html