aboutsummaryrefslogtreecommitdiff
path: root/lib/url.c
AgeCommit message (Collapse)Author
2013-09-04Curl_setopt: refuse CURL_HTTP_VERSION_2_0 if built without supportDaniel Stenberg
2013-09-01url.c: Fixed compilation warningSteve Holme
An enumerated type is mixed with another type
2013-08-25options: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth 2.0 Authorization Framework".
2013-08-25FTP: remove krb4 supportDaniel Stenberg
We've announced this pending removal for a long time and we've repeatedly asked if anyone would care or if anyone objects. Nobody has objected. It has probably not even been working for a good while since nobody has tested/used this code recently. The stuff in krb4.h that was generic enough to be used by other sources is now present in security.h
2013-08-20url: handle arbitrary-length username and password before '@'Jonathan Nieder
libcurl quietly truncates usernames, passwords, and options from before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters to fit in fixed-size buffers on the stack. Allocate a buffer large enough to fit the parsed fields on the fly instead to support longer passwords. After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH left, so stop defining that constant while at it. The hardcoded max username and password length constants, on the other hand, are still used in HTTP proxy credential handling (which this patch doesn't touch). Reported-by: Colby Ranger
2013-08-20url: handle exceptional cases first in parse_url_login()Jonathan Nieder
Instead of nesting "if(success)" blocks and leaving the reader in suspense about what happens in the !success case, deal with failure cases early, usually with a simple goto to clean up and return from the function. No functional change intended. The main effect is to decrease the indentation of this function slightly.
2013-08-20Curl_setopt: handle arbitrary-length username and passwordJonathan Nieder
libcurl truncates usernames, passwords, and options set with curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. This doesn't affect the return value from curl_easy_setopt(), so from the caller's point of view, there is no sign anything strange has happened, except that authentication fails. For example: # Prepare a long (300-char) password. s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; # Start a server. nc -l -p 8888 | tee out & pid=$! # Tell curl to pass the password to the server. curl --user me:$s http://localhost:8888 & sleep 1; kill $pid # Extract the password. userpass=$( awk '/Authorization: Basic/ {print $3}' <out | tr -d '\r' | base64 -d ) password=${userpass#me:} echo ${#password} Expected result: 300 Actual result: 255 The fix is simple: allocate appropriately sized buffers on the heap instead of trying to squeeze the provided values into fixed-size on-stack buffers. Bug: http://bugs.debian.org/719856 Reported-by: Colby Ranger
2013-08-20netrc: handle longer username and passwordJonathan Nieder
libcurl truncates usernames and passwords it reads from .netrc to LOGINSIZE and PASSWORDSIZE (64) characters without any indication to the user, to ensure the values returned from Curl_parsenetrc fit in a caller-provided buffer. Fix the interface by passing back dynamically allocated buffers allocated to fit the user's input. The parser still relies on a 256-character buffer to read each line, though. So now you can include an ~246-character password in your .netrc, instead of the previous limit of 63 characters. Reported-by: Colby Ranger
2013-08-20url: allocate username, password, and options on the heapJonathan Nieder
This makes it possible to increase the size of the buffers when needed in later patches. No functional change yet.
2013-08-20url: use goto in create_conn() for exception handlingJonathan Nieder
Instead of remembering before each "return" statement which temporary allocations, if any, need to be freed, take care to set pointers to NULL when no longer needed and use a goto to a common block to exit the function and free all temporaries. No functional change intended. Currently the only temporary buffer in this function is "proxy" which is already correctly freed when appropriate, but there will be more soon.
2013-08-12cleanup: removed one function, made one staticDaniel Stenberg
Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to easy_addmulti and made it static. Removed Curl_easy_initHandleData() and uses of it since it was emptied in commit cdda92ab67b47d74a.
2013-08-12SessionHandle: the protocol specific pointer is now a void *Daniel Stenberg
All protocol handler structs are now opaque (void *) in the SessionHandle struct and moved in the request-specific sub-struct 'SingleRequest'. The intension is to keep the protocol specific knowledge in their own dedicated source files [protocol].c etc. There's some "leakage" where this policy is violated, to be addressed at a later point in time.
2013-08-12urldata: clean up the use of the protocol specific structsDaniel Stenberg
1 - always allocate the struct in protocol->setup_connection. Some protocol handlers had to get this function added. 2 - always free at the end of a request. This is also an attempt to keep less memory in the handle after it is completed.
2013-08-06FTP: when EPSV gets a 229 but fails to connect, retry with PASVDaniel Stenberg
This is a regression as this logic used to work. It isn't clear when it broke, but I'm assuming in 7.28.0 when we went all-multi internally. This likely never worked with the multi interface. As the failed connection is detected once the multi state has reached DO_MORE, the Curl_do_more() function was now expanded somewhat so that the ftp_do_more() function can request to go "back" to the previous state when it makes another attempt - using PASV. Added test case 1233 to verify this fix. It has the little issue that it assumes no service is listening/accepting connections on port 1... Reported-by: byte_bucket in the #curl IRC channel
2013-08-03multi: remove data->state.current_conn struct fieldDaniel Stenberg
Not needed
2013-07-24string formatting: fix 15+ printf-style format stringsYang Tse
2013-07-24string formatting: fix 25+ printf-style format stringsYang Tse
2013-07-23url.c: Fix dot file path cleanup when using an HTTP proxyFabian Keil
Previously the path was cleaned, but the URL wasn't properly updated.
2013-07-18CURLOPT_XFERINFOFUNCTION: introducing a new progress callbackDaniel Stenberg
CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function and CURLOPT_PROGRESSFUNCTION is considered deprecated. This new callback uses pure 'curl_off_t' arguments to pass on full resolution sizes. It otherwise retains the same characteristics: the same call rate, the same meanings for the arguments and the return code is used the same way. The progressfunc.c example is updated to show how to use the new callback for newer libcurls while supporting the older one if built with an older libcurl or even built with a newer libcurl while running with an older.
2013-07-15OS400: new SSL backend GSKitPatrick Monnerat
2013-07-15x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extractPatrick Monnerat
Use from qssl backend
2013-07-14url.c: fix parse_url_login() OOM handlingYang Tse
2013-07-12url.c: fix parse_login_details() OOM handlingYang Tse
2013-07-11url.c: fix SIGSEGVYang Tse
2013-06-30url: restore the functionality of 'curl -u :'Kamil Dudka
This commit fixes a regression introduced in fddb7b44a79d78e05043e1c97e069308b6b85f79. Reported by: Markus Moeller Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
2013-06-22dotdot: introducing dot file path cleanupDaniel Stenberg
RFC3986 details how a path part passed in as part of a URI should be "cleaned" from dot sequences before getting used. The described algorithm is now implemented in lib/dotdot.c with the accompanied test case in test 1395. Bug: http://curl.haxx.se/bug/view.cgi?id=1200 Reported-by: Alex Vinnik
2013-06-17CURLOPT_COOKIELIST: take cookie share lockDaniel Stenberg
When performing COOKIELIST operations the cookie lock needs to be taken for the cases where the cookies are shared among multiple handles! Verified by Benjamin Gilbert's updated test 506 Bug: http://curl.haxx.se/bug/view.cgi?id=1215 Reported-by: Benjamin Gilbert
2013-04-27sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial responseSteve Holme
2013-04-26url: initialize speed-check data for file:// protocolZdenek Pavlas
... in order to prevent an artificial timeout event based on stale speed-check data from a previous network transfer. This commit fixes a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. Bug: https://bugzilla.redhat.com/906031
2013-04-23url: Added smtp and pop3 hostnames to the protocol detection listSteve Holme
2013-04-21url: Fixed missing length check in parse_proxy()Steve Holme
Commit 11332577b3cb removed the length check that was performed by the old scanf() code.
2013-04-21url: Fixed crash when no username or password supplied for proxySteve Holme
Fixed an issue in parse_proxy(), introduced in commit 11332577b3cb, where an empty username or password (For example: http://:@example.com) would cause a crash.
2013-04-21url: Updated proxy URL parsing to use parse_login_details()Steve Holme
2013-04-21url: Tidy up of setstropt_userpwd() parametersSteve Holme
Updated the naming convention of the login parameters to match those of other functions.
2013-04-21url: Tidy up of code and comments following recent changesSteve Holme
Tidy up of variable names and comments in setstropt_userpwd() and parse_login_details().
2013-04-20url: Simplified setstropt_userpwd() following recent changesSteve Holme
There is no need to perform separate clearing of data if a NULL option pointer is passed in. Instead this operation can be performed by simply not calling parse_login_details() and letting the rest of the code do the work.
2013-04-20url: Correction to scope of if statements when setting dataSteve Holme
2013-04-20url: Fixed memory leak in setstropt_userpwd()Steve Holme
setstropt_userpwd() was calling setstropt() in commit fddb7b44a79d to set each of the login details which would duplicate the strings and subsequently cause a memory leak.
2013-04-20url: Added overriding of URL login options from CURLOPT_USERPWDSteve Holme
2013-04-20url: Added support for parsing login options from the CURLOPT_USERPWDSteve Holme
In addition to parsing the optional login options from the URL, added support for parsing them from CURLOPT_USERPWD, to allow the following supported command line: --user username:password;options
2013-04-19url: Added bounds checking to parse_login_details()Steve Holme
Added bounds checking when searching for the separator characters within the login string as this string may not be NULL terminated (For example it is the login part of a URL). We do this in preference to allocating a new string to copy the login details into which could then be passed to parse_login_details() for performance reasons.
2013-04-19url: Added size_t cast to pointer based length calculationsSteve Holme
2013-04-19url: Corrected minor typo in commentSteve Holme
2013-04-18url: Fix chksrc longer than 79 columns warningSteve Holme
2013-04-18url: Fix incorrect variable type for result codeSteve Holme
2013-04-18url: Fix compiler warningSteve Holme
signed and unsigned type in conditional expression
2013-04-18url: Moved parsing of login details out of parse_url_login()Steve Holme
Separated the parsing of login details from the processing of them in parse_url_login() ready for use by setstropt_userpwd().
2013-04-18url: Re-factored set_userpass() and parse_url_userpass()Steve Holme
Re-factored these functions to reflect their new behaviour following the addition of login options.
2013-04-18url: Reworked URL parsing to allow overriding by CURLOPT_USERPWDSteve Holme
2013-04-13url: Added support for parsing login options from the URLSteve Holme
As well as parsing the username and password from the URL, added support for parsing the optional options part from the login details, to allow the following supported URL format: schema://username:password;options@example.com/path?q=foobar This will only be used by IMAP, POP3 and SMTP at present but any protocol that may be given login options in the URL will be able to add support for them.