Age | Commit message (Collapse) | Author |
|
So far, the code tries to pick an authentication method only if
user/password credentials are available, which is not the case for
Bearer authentictation...
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
|
|
The Bearer authentication was added to cURL 7.61.0, but there is a
problem: if CURLAUTH_ANY is selected, and the server supports multiple
authentication methods including the Bearer method, we strongly prefer
that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer
authentication fails, we will never even try to attempt any other
method.
This is particularly unfortunate when we already know that we do not
have any Bearer token to work with.
Such a scenario happens e.g. when using Git to push to Visual Studio
Team Services (which supports Basic and Bearer authentication among
other methods) and specifying the Personal Access Token directly in the
URL (this aproach is frequently taken by automated builds).
Let's make sure that we have a Bearer token to work with before we
select the Bearer authentication among the available authentication
methods.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
|
|
- separate easy handle from connections better
- added asserts on a number of places
- added sanity check of pipelines for debug builds
Closes #2751
|
|
The struct field is never set (since 5e0d9aea3) so remove the use of it
and remove the connectdata pointer from the prototype.
Reported-by: Tejas
Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html
Closes #2647
|
|
- Get rid of variable that was generating false positive warning
(unitialized)
- Fix issues in tests
- Reduce scope of several variables all over
etc
Closes #2631
|
|
Closes #2623
|
|
Closes #2102
|
|
This avoids appending error data to already existing good data.
Test 92 is updated to match this change.
New test 1156 checks all combinations of --range/--resume, --fail,
Content-Range header and http status code 200/416.
Fixes #1163
Reported-By: Ithubg on github
Closes #2578
|
|
... and unify the source code to adhere.
Closes #2563
|
|
|
|
... leaving the k->str could lead to buffer over-reads later on.
CVE: CVE-2018-1000301
Assisted-by: Max Dymond
Detected by OSS-Fuzz.
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
|
|
It triggers an assert.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
Closes #2546
|
|
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
when dereferencing pointers after DEBUGASSERT-ing that they are not
NULL.
Fix this by removing the DEBUGASSERTs.
Suggested-by: Daniel Stenberg
Ref: https://github.com/curl/curl/pull/2463
|
|
This drops the cookie load time for 8k cookies from 178ms to 15ms.
Closes #2441
|
|
Add --haproxy-protocol for the command line tool
Closes #2162
|
|
Reported-by: Michael Kaufmann
Fixes #2357
Closes #2362
|
|
Previously, it would only check for max length if the existing alloc
buffer was to small to fit it, which often would make the header still
get used.
Reported-by: Guido Berhoerster
Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
Closes #2315
|
|
Closes #2302
|
|
They're now wrong.
Reported-by: Michael Kaufmann
Closes #2277
|
|
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.
Note: this changes behavior slightly, for the sake of reducing mistakes.
Added test 317 and 318 to verify.
Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
|
|
... and make the max filesize check trigger if the value is too big.
Updates test 178.
Reported-by: Brad Spencer
Fixes #2212
Closes #2223
|
|
This is implemented as an output streaming stack of unencoders, the last
calling the client write procedure.
New test 230 checks this feature.
Bug: https://github.com/curl/curl/pull/2002
Reported-By: Daniel Bankhead
|
|
|
|
... like a very large non-existing RTSP version number.
Added test 577 to verify.
Detected by OSS-fuzz.
Closes #1969
|
|
Closes #1920
|
|
Closes #1878
|
|
|
|
|
|
|
|
... not only HTTP uses this now.
Closes #1875
|
|
Available in HTTP, SMTP and IMAP.
Deprecates the FORM API.
See CURLOPT_MIMEPOST.
Lib code and associated documentation.
|
|
|
|
Since curl 7.55.0, NetworkManager almost always failed its connectivity
check by timeout. I bisected this to 5113ad04 (http-proxy: do the HTTP
CONNECT process entirely non-blocking).
This patch replaces !Curl_connect_complete with Curl_connect_ongoing,
which returns false if the CONNECT state was left uninitialized and lets
the connection continue.
Closes #1803
Fixes #1804
Also-fixed-by: Gergely Nagy
|
|
... make sure we bail out on overflows.
Reported-by: Brian Carpenter
Closes #1758
|
|
test 1429 and 1433 were updated to work with the stricter HTTP status line
parser.
Closes #1714
Reported-by: Brian Carpenter
|
|
Make the name reflect its use better, and add a short comment describing
what it's for.
|
|
Add a new type of callback to Curl_handler which performs checks on
the connection. Alter RTSP so that it uses this callback to do its
own check on connection health.
|
|
... and CURLOPT_REQUEST_TARGET instead of CURLOPT_STRIP_PATH_SLASH.
This option instead provides the full "alternative" target to use in the
request, instead of extracting the path from the URL.
Test 1298 and 1299 updated accordingly.
Idea-by: Evert Pot
Suggestion: https://daniel.haxx.se/blog/2017/06/19/options-with-curl/comment-page-1/#comment-18373
Closes #1593
|
|
... to enable sending "OPTIONS *" which wasn't possible previously.
This option currently only works for HTTP.
Added test cases 1298 + 1299 to verify
Fixes #1280
Closes #1462
|
|
Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
existed even before that.
Closes #1547
|
|
... with a strlen() if no size was set, and do this in the pretransfer
function so that the info is set early. Otherwise, the default strlen()
done on the POSTFIELDS data never sets state.infilesize.
Reported-by: Vincas Razma
Bug: #1294
|
|
... since the total amount is low this is faster, easier and reduces
memory overhead.
Also, Curl_expire_done() can now mark an expire timeout as done so that
it never times out.
Closes #1472
|
|
... to properly use the dynamically set buffer size!
|
|
|
|
Don't clobber the receive buffer.
|
|
If we use FTPS over CONNECT, the TLS handshake for the FTPS control
connection needs to be initiated in the SENDPROTOCONNECT state, not
the WAITPROXYCONNECT state. Otherwise, if the TLS handshake completed
without blocking, the information about the completed TLS handshake
would be saved to a wrong flag. Consequently, the TLS handshake would
be initiated in the SENDPROTOCONNECT state once again on the same
connection, resulting in a failure of the TLS handshake. I was able to
observe the failure with the NSS backend if curl ran through valgrind.
Note that this commit partially reverts curl-7_21_6-52-ge34131d.
|
|
When using basic-auth, connections and proxy connections
can be re-used with different Authorization headers since
it does not authenticate the connection (like NTLM does).
For instance, the below command should re-use the proxy
connection, but it currently doesn't:
curl -v -U alice:a -x http://localhost:8181 http://localhost/
--next -U bob:b -x http://localhost:8181 http://localhost/
This is a regression since refactoring of ConnectionExists()
as part of: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151
Fix the above by removing the username and password compare
when re-using proxy connection at proxy_info_matches().
However, this fix brings back another bug would make curl
to re-print the old proxy-authorization header of previous
proxy basic-auth connection because it wasn't cleared.
For instance, in the below command the second request should
fail if the proxy requires authentication, but would succeed
after the above fix (and before aforementioned commit):
curl -v -U alice:a -x http://localhost:8181 http://localhost/
--next -x http://localhost:8181 http://localhost/
Fix this by clearing conn->allocptr.proxyuserpwd after use
unconditionally, same as we do for conn->allocptr.userpwd.
Also fix test 540 to not expect digest auth header to be
resent when connection is reused.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Closes https://github.com/curl/curl/pull/1350
|
|
Closes #1356
|
|
... by removing the else branch after a return, break or continue.
Closes #1310
|
|
This prevents a "Descriptor is not a socket" error for WinSSL.
Reported-by: Antony74@users.noreply.github.com
Reviewed-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1239
|