aboutsummaryrefslogtreecommitdiff
path: root/lib/http.c
AgeCommit message (Collapse)Author
2015-04-21http_done: close Negotiate connections when doneDaniel Stenberg
When doing HTTP requests Negotiate authenticated, the entire connnection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request. CVE-2015-3148 Bug: http://curl.haxx.se/docs/adv_20150422B.html Reported-by: Isaac Boukris
2015-04-17Revert "HTTP: don't abort connections with pending Negotiate authentication"Daniel Stenberg
This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6. Bug: https://github.com/bagder/curl/issues/223 Reported-by: Michael Osipov
2015-03-24curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-17HTTP: don't use Expect: headers when on HTTP/2Daniel Stenberg
Reported-by: Stefan Eissing Bug: https://github.com/bagder/curl/issues/169
2015-03-17checksrc: detect and remove space before trailing semicolonsDaniel Stenberg
2015-03-16free: instead of Curl_safefree()Daniel Stenberg
Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
2015-03-16Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring
The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-12http: always send Host: header as first headerDaniel Stenberg
...after the method line: "Since the Host field-value is critical information for handling a request, a user agent SHOULD generate Host as the first header field following the request-line." / RFC 7230 section 5.4 Additionally, this will also make libcurl ignore multiple specified custom Host: headers and only use the first one. Test 1121 has been updated accordingly Bug: http://curl.haxx.se/bug/view.cgi?id=1491 Reported-by: Rainer Canavan
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-05openssl: remove all uses of USE_SSLEAYDaniel Stenberg
SSLeay was the name of the library that was subsequently turned into OpenSSL many moons ago (1999). curl does not work with the old SSLeay library since years. This is now reflected by only using USE_OPENSSL in code that depends on OpenSSL.
2015-03-03mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg
... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
2015-01-17http_negotiate: Return CURLcode in Curl_input_negotiate() instead of intSteve Holme
2014-12-04http_perhapsrewind: don't abort CONNECT requestsStefan Bühler
...they never have a body
2014-12-04HTTP: Free (proxy)userpwd for NTLM/Negotiate after sending a requestStefan Bühler
Sending NTLM/Negotiate header again after successful authentication breaks the connection with certain Proxies and request types (POST to MS Forefront).
2014-12-04HTTP: don't abort connections with pending Negotiate authenticationStefan Bühler
... similarly to how NTLM works as Negotiate is in fact often NTLM with another name.
2014-11-27http.c: Fixed compilation warnings from features being disabledSteve Holme
warning: unused variable 'data' warning: variable 'addcookies' set but not used ...and some very minor coding style policing.
2014-11-20http.c: log if it notices HTTP 1.1 after a upgrade to http2Daniel Stenberg
2014-11-20http: Disable pipelining for HTTP/2 and upgraded connectionsTatsuhiro Tsujikawa
This commit disables pipelining for HTTP/2 or upgraded connections. For HTTP/2, we do not support multiplexing. In general, requests cannot be pipelined in an upgraded connection, since it is now different protocol.
2014-11-15http2: Don't send Upgrade headers when we already do HTTP/2Tatsuhiro Tsujikawa
2014-11-13http2: Deal with HTTP/2 data inside response header bufferTatsuhiro Tsujikawa
Previously if HTTP/2 traffic is appended to HTTP Upgrade response header (thus they are in the same buffer), the trailing HTTP/2 traffic is not processed and lost. The appended data is most likely SETTINGS frame. If it is lost, nghttp2 library complains server does not obey the HTTP/2 protocol and issues GOAWAY frame and curl eventually drops connection. This commit fixes this problem and now trailing data is processed.
2014-11-05http_digest: Use CURLcode instead of CURLdigestSteve Holme
To provide consistent behaviour between the various HTTP authentication functions use CURLcode based error codes for Curl_input_digest() especially as the calling code doesn't use the specific error code just that it failed.
2014-10-27HTTP: return larger than 3 digit response codes tooDaniel Stenberg
HTTP 1.1 is clearly specified to only allow three digit response codes, and libcurl used sscanf("%3d") for that purpose. This made libcurl support smaller numbers but not larger. It does now, but we will not make any specific promises nor document this further since it is going outside of what HTTP is. Bug: http://curl.haxx.se/bug/view.cgi?id=1441 Reported-by: Balaji
2014-10-25ntlm: Only define ntlm data structure when USE_NTLM is definedSteve Holme
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-24Curl_add_timecondition: skip superfluous varible assignmentDaniel Stenberg
Detected by cppcheck.
2014-09-07Ensure progress.size_dl/progress.size_ul are always >= 0Brandon Casey
Historically the default "unknown" value for progress.size_dl and progress.size_ul has been zero, since these values are initialized implicitly by the calloc that allocates the curl handle that these variables are a part of. Users of curl that install progress callbacks may expect these values to always be >= 0. Currently it is possible for progress.size_dl and progress.size_ul to by set to a value of -1, if Curl_pgrsSetDownloadSize() or Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few places currently do, and a following patch will add more). So lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize() so they make sure that these variables always contain a value that is >= 0. Updates test579 and test599. Signed-off-by: Brandon Casey <drafnel@gmail.com>
2014-08-15http: fix the Content-Range: parserDaniel Stenberg
... to handle "*/[total]". Also, removed the strange hack that made CURLOPT_FAILONERROR on a 416 response after a *RESUME_FROM return CURLE_OK. Reported-by: Dimitrios Siganos Bug: http://curl.haxx.se/mail/lib-2014-06/0221.html
2014-08-02HTTP2: Support expect: 100-continueTatsuhiro Tsujikawa
"Expect: 100-continue", which was once deprecated in HTTP/2, is now resurrected in HTTP/2 draft 14. This change adds its support to HTTP/2 code. This change also includes stricter header field checking.
2014-07-23http2: more and better error checkingDaniel Stenberg
1 - fixes the warnings when built without http2 support 2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2 basically when they are about http2 specific things.
2014-07-23docs: Improve inline GSS-API naming in code documentationMichael Osipov
2014-07-23curl.h/features: Deprecate GSS-Negotiate macros due to bad namingMichael Osipov
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE - CURL_VERSION_GSSNEGOTIATE is deprecated which is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and CURUL_VERSION_SPNEGO now. - Remove display of feature 'GSS-Negotiate'
2014-07-23HTTP: Remove checkprefix("GSS-Negotiate")Michael Osipov
That auth mech has never existed neither on MS nor on Unix side. There is only Negotiate over SPNEGO.
2014-07-16Fix negotiate auth to proxies to track correct stateDavid Woodhouse
2014-07-16Don't abort Negotiate auth when the server has a response for usDavid Woodhouse
It's wrong to assume that we can send a single SPNEGO packet which will complete the authentication. It's a *negotiation* — the clue is in the name. So make sure we handle responses from the server. Curl_input_negotiate() will already handle bailing out if it thinks the state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps talking to us, so we should avoid endless loops that way.
2014-07-16Don't clear GSSAPI state between each exchange in the negotiationDavid Woodhouse
GSSAPI doesn't work very well if we forget everything ever time. XX: Is Curl_http_done() the right place to do the final cleanup?
2014-06-15https: Fix build when http2 is disabledDan Fandrich
2014-06-14http2: better return code error checkingDaniel Stenberg
2014-05-22http: Fix a compiler warning when http2 support is disabledDan Fandrich
2014-05-22bits.close: introduce connection close trackingDaniel Stenberg
Make all code use connclose() and connkeep() when changing the "close state" for a connection. These two macros take a string argument with an explanation, and debug builds of curl will include that in the debug output. Helps tracking connection re-use/close issues.
2014-05-20http2: make connection re-use workDaniel Stenberg
Http2 connections would wrongly get closed after each individual request. Co-authored-by: Tatsuhiro Tsujikawa Bug: http://curl.haxx.se/bug/view.cgi?id=1374
2014-05-15HTTP: CREDSPERREQUEST is for HTTP tooDaniel Stenberg
Commit 517b06d657ace (in 7.36.0) that brought the CREDSPERREQUEST flag only set it for HTTPS, making HTTP less good at doing connection re-use than it should be. Now set it for HTTP as well. Simple test case "curl -v -u foo:bar localhost --next -u bar:foo localhos" Bug: http://curl.haxx.se/mail/lib-2014-05/0127.html Reported-by: Kamil Dudka
2014-05-09http: avoid auth failure on a duplicated headerKamil Dudka
... 'WWW-Authenticate: Negotiate' received from server Reported by: David Woodhouse Bug: https://bugzilla.redhat.com/1093348
2014-04-26INFILESIZE: fields in UserDefined must not be changed run-timeDaniel Stenberg
set.infilesize in this case was modified in several places, which could lead to repeated requests using the same handle to get unintendent/wrong consequences based on what the previous request did!
2014-04-25nss: propagate blocking direction from NSPR I/OKamil Dudka
... during the non-blocking SSL handshake
2014-04-23handler: make 'protocol' always specified as a single bitDaniel Stenberg
This makes the findprotocol() function work as intended so that libcurl can properly be restricted to not support HTTP while still supporting HTTPS - since the HTTPS handler previously set both the HTTP and HTTPS bits in the protocol field. This fixes --proto and --proto-redir for most SSL protocols. This is done by adding a few new convenience defines that groups HTTP and HTTPS, FTP and FTPS etc that should then be used when the code wants to check for both protocols at once. PROTO_FAMILY_[protocol] style. Bug: https://github.com/bagder/curl/pull/97 Reported-by: drizzt
2014-04-04PROXYHEADER: send these headers in "normal" proxy requests tooDaniel Stenberg
Updated the docs to clarify and the code accordingly, with test 1528 to verify: When CURLHEADER_SEPARATE is set and libcurl is asked to send a request to a proxy but it isn't CONNECT, then _both_ header lists (CURLOPT_HTTPHEADER and CURLOPT_PROXYHEADER) will be used since the single request is then made for both the proxy and the server.
2014-04-04CURLOPT_HEADEROPT: addedDaniel Stenberg
Modified the logic so that CURLOPT_HEADEROPT now controls if PROXYHEADER is actually used or not.
2014-04-04CURLOPT_PROXYHEADER: set headers for proxy-onlyDaniel Stenberg
Includes docs and new test cases: 1525, 1526 and 1527 Co-written-by: Vijay Panghal
2014-04-04HTTP: don't send Content-Length: 0 _and_ Expect: 100-continueDaniel Stenberg
Without request body there's no point in asking for 100-continue. Bug: http://curl.haxx.se/bug/view.cgi?id=1349 Reported-by: JimS
2014-03-31http2: let openssl mention the exact protocol negotiatedDaniel Stenberg
Remove a superfluous "negotiated http2" info line