aboutsummaryrefslogtreecommitdiff
path: root/lib/url.c
AgeCommit message (Collapse)Author
2014-11-05url.c: Fixed compilation warningSteve Holme
conversion from 'curl_off_t' to 'size_t', possible loss of data
2014-11-05curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of boundsDaniel Stenberg
When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults. Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead. Bug: http://curl.haxx.se/docs/adv_20141105.html CVE: CVE-2014-3707 Reported-By: Symeon Paraschoudis
2014-10-25ntlm: Only define ntlm data structure when USE_NTLM is definedSteve Holme
2014-10-24url.c: use 'CURLcode result'Daniel Stenberg
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-07SSL: implement public key pinningmoparisthebest
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
2014-10-03parse_proxy: remove dead code.Daniel Stenberg
Coverity CID 982331.
2014-10-02detect_proxy: fix possible single-byte memory leakDaniel Stenberg
Coverity CID 1202836. If the proxy environment variable returned an empty string, it would be leaked. While an empty string is not really a proxy, other logic in this function already allows a blank string to be returned so allow that here to avoid the leak.
2014-09-25CURLOPT_COOKIELIST: Added "RELOAD" commandYousuke Kimoto
2014-09-13curlssl: make tls backend symbols use curlssl in the nameDaniel Stenberg
2014-09-13url: let the backend decide CURLOPT_SSL_CTX_ supportDaniel Stenberg
... to further remove specific TLS backend knowledge from url.c
2014-09-13vtls: have the backend tell if it supports CERTINFODaniel Stenberg
2014-09-13CURLOPT_CAPATH: return failure if set without backend supportDaniel Stenberg
2014-09-06url.c: Use CURLAUTH_NONE constant rather than 0Steve Holme
Small follow up to commit 898808fa8c to use auth constants rather than hard code value when clearing picked authentication mechanism.
2014-08-25disconnect: don't touch easy-related state on disconnectsDaniel Stenberg
This was done to make sure NTLM state that is bound to a connection doesn't survive and gets used for the subsequent request - but disconnects can also be done to for example make room in the connection cache and thus that connection is not strictly related to the easy handle's current operation. The http authentication state is still kept in the easy handle since all http auth _except_ NTLM is connection independent and thus survive over multiple connections. Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html Reported-by: Paras S
2014-08-22NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP authFrank Meier
Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed since NTLM requires multiple requests that re-use the same connection for the authentication to work Solution: Ignore the forbid reuse flag in case the NTLM authentication handshake is in progress, according to the NTLM state flag. Fixed known bug #77.
2014-08-20Curl_disconnect: don't free the URLDaniel Stenberg
The URL is not a property of the connection so it should not be freed in the connection disconnect but in the Curl_close() that frees the easy handle. Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html Reported-by: Paras S
2014-08-12create_conn: prune dead connectionsFrank Meier
Bringing back the old functionality that was mistakenly removed when the connection cache was remade. When creating a new connection, all the existing ones are checked and those that are known to be dead get disconnected for real and removed from the connection cache. It helps the cache from holding on to very many stale connections and aids in keeping down the number of system sockets in wait states. Help-by: Jonatan Vela <jonatan.vela@ergon.ch> Bug: http://curl.haxx.se/mail/lib-2014-06/0189.html
2014-07-23findprotocol: show unsupported protocol within quotesDaniel Stenberg
... to aid when for example prefixed with a space or other weird character.
2014-07-23docs: Improve inline GSS-API naming in code documentationMichael Osipov
2014-07-23curl.h/features: Deprecate GSS-Negotiate macros due to bad namingMichael Osipov
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE - CURL_VERSION_GSSNEGOTIATE is deprecated which is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and CURUL_VERSION_SPNEGO now. - Remove display of feature 'GSS-Negotiate'
2014-07-22url.c: use the preferred symbol name: *READDATAMarcel Raad
with CURL_NO_OLDIES defined, it doesn't compile because this deprecated symbol (*INFILE) is used Bug: http://curl.haxx.se/bug/view.cgi?id=1398
2014-07-15cookie: avoid mutex deadlockYousuke Kimoto
... by removing the extra mutex locks around th call to Curl_flush_cookies() which takes care of the locking itself already. Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
2014-07-09url.c: Fixed memory leak on OOMDan Fandrich
This showed itself on some systems with torture failures in tests 1060 and 1061
2014-07-05Update instances of some obsolete CURLOPTs to their new namesDan Fandrich
2014-07-05compiler warnings: potentially uninitialized variablesMarcel Raad
... pointed out by MSVC2013 Bug: http://curl.haxx.se/bug/view.cgi?id=1391
2014-07-02progress callback: skip last callback update on errorsRay Satiro
When an error has been detected, skip the final forced call to the progress callback by making sure to pass the current return code variable in the Curl_done() call in the CURLM_STATE_DONE state. This avoids the "extra" callback that could occur even if you returned error from the progress callback. Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html Reported by: Jonathan Cardoso Machado
2014-06-13conncache: move the connection counter to the cache structLindley French
The static connection counter caused a race condition. Moving the connection id counter into conncache solves it, as well as simplifying the related logic.
2014-05-26url-parser: only use if_nametoindex if detected by configureDaniel Stenberg
The previous #ifdef detection wasn't good enough. Bug: http://curl.haxx.se/mail/lib-2014-05/0260.html Reported-by: Chris Young
2014-05-24curl_easy_reset: reset the URLDaniel Stenberg
Make sure that the URL is reset and cleared. Bug: http://curl.haxx.se/mail/lib-2014-05/0235.html Reported-by: Jonathan Cardoso Machado
2014-05-22bits.close: introduce connection close trackingDaniel Stenberg
Make all code use connclose() and connkeep() when changing the "close state" for a connection. These two macros take a string argument with an explanation, and debug builds of curl will include that in the debug output. Helps tracking connection re-use/close issues.
2014-05-07url.c: Fixed compilation warning/errorSteve Holme
Depending on compiler line 3505 could generate the following warning or error: * warning: ISO C90 forbids mixed declarations and code * A declaration cannot appear after an executable statement in a block * error C2275: 'size_t' : illegal use of this type as an expression
2014-05-06fix_hostname: strip off a single trailing dot from host nameDaniel Stenberg
Primarily for SNI, we need the host name without a trailing dot. "https://www.example.com." resolves fine but fails on SNI unless the dot is removed. Reported-by: Leon Winter Bug: http://curl.haxx.se/mail/lib-2014-04/0161.html
2014-04-26INFILESIZE: fields in UserDefined must not be changed run-timeDaniel Stenberg
set.infilesize in this case was modified in several places, which could lead to repeated requests using the same handle to get unintendent/wrong consequences based on what the previous request did!
2014-04-23handler: make 'protocol' always specified as a single bitDaniel Stenberg
This makes the findprotocol() function work as intended so that libcurl can properly be restricted to not support HTTP while still supporting HTTPS - since the HTTPS handler previously set both the HTTP and HTTPS bits in the protocol field. This fixes --proto and --proto-redir for most SSL protocols. This is done by adding a few new convenience defines that groups HTTP and HTTPS, FTP and FTPS etc that should then be used when the code wants to check for both protocols at once. PROTO_FAMILY_[protocol] style. Bug: https://github.com/bagder/curl/pull/97 Reported-by: drizzt
2014-04-19url.c: fix possible use of non-null-terminated string with strlenMarc Hoersken
Follow up on b0e742544be22ede33206a597b22682e51e0c676
2014-04-19url.c: fix possible use of non-null-terminated string with strlenMarc Hoersken
2014-04-18url.c: Fixed typo in commentSteve Holme
2014-04-14url: only use if_nametoindex() if IFNAMSIZ is availableDan Fandrich
2014-04-04CURLOPT_HEADEROPT: addedDaniel Stenberg
Modified the logic so that CURLOPT_HEADEROPT now controls if PROXYHEADER is actually used or not.
2014-04-04CURLOPT_PROXYHEADER: set headers for proxy-onlyDaniel Stenberg
Includes docs and new test cases: 1525, 1526 and 1527 Co-written-by: Vijay Panghal
2014-03-31ipv6: strip off zone identifiers in redirects tooDaniel Stenberg
Follow up to 9317eced984 makes test 1056 work again.
2014-03-31URL parser: IPv6 zone identifiers are now supportedTill Maas
2014-03-25url: Fixed connection re-use when using different log-in credentialsSteve Holme
In addition to FTP, other connection based protocols such as IMAP, POP3, SMTP, SCP, SFTP and LDAP require a new connection when different log-in credentials are specified. Fixed the detection logic to include these other protocols. Bug: http://curl.haxx.se/docs/adv_20140326A.html
2014-03-06parse_remote_port: error out on illegal port numbers betterDaniel Stenberg
2014-03-05remote_port: allow connect to port 0Daniel Stenberg
Port number zero is perfectly allowed to connect to. I moved to storing the remote port number in an int so that -1 means undefined and 0-65535 can be used for legitimate port numbers.
2014-02-17ConnectionDone: default maxconnects to 4 x number of easy handlesShao Shuchao
... as documented!
2014-02-16ConnectionExists: re-use connections betterDaniel Stenberg
When allowing NTLM, the re-use connection logic was too focused on finding an existing NTLM connection to use and didn't properly allow re-use of other ones. This made the logic not re-use perfectly re-usable connections. Added test case 1418 and 1419 to verify. Regression brought in 8ae35102c (curl 7.35.0) Reported-by: Jeff King Bug: http://thread.gmane.org/gmane.comp.version-control.git/242213
2014-02-13ConnectionExists: reusing possible HTTP+NTLM connections betterDaniel Stenberg
Make sure that the special NTLM magic we do is for HTTP+NTLM only since that's where the authenticated connection is a weird non-standard paradigm. Regression brought in 8ae35102c (curl 7.35.0) Bug: http://curl.haxx.se/mail/lib-2014-02/0100.html Reported-by: Dan Fandrich
2014-02-13transfer: make Expect: 100-continue timeout configurable.Tiit Pikma
Replaced the #define CURL_TIMEOUT_EXPECT_100 in transfer.c with the CURLOPT_EXPECT_100_TIMEOUT_MS option to make the timeout configurable.