path: root/lib/url.c
Age | Commit message | Author
2020-04-09 | url: allow non-HTTPS altsvc-matching for debug builds | Daniel Stenberg
This is already partly supported but this part was missing. Reported-by: James Fuller Closes #5205
2020-02-27 | Curl_is_ASCII_name: handle a NULL argument | Daniel Stenberg
Make the function tolerate a NULL pointer input to avoid dereferencing that pointer. Follow-up to efce3ea5a85126d Detected by OSS-Fuzz Reviewed-By: Steve Holme Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20907 Fixes #4985 Closes #4986
2020-02-26 | url: Make the IDN conversion functions available to others | Steve Holme
2020-02-18 | altsvc: make saving the cache an atomic operation | Daniel Stenberg
... by writing the file to temp name then rename to the final when done. Assisted-by: Jay Satiro Fixes #4936 Closes #4942
2020-02-09 | url: Include the failure reason when curl_win32_idn_to_ascii() fails | Steve Holme
Provide the failure reason in the failf() info just as we do for the libidn2 version of code. Closes #4899
2020-02-02 | cleanup: fix typos and wording in docs and comments | Pedro Monreal
Closes #4869 Reviewed-by: Emil Engler and Daniel Gustafsson
2020-02-02 | ntlm: Move the winbind data into the NTLM data structure | Steve Holme
To assist with adding winbind support to the SASL NTLM authentication, move the winbind specific data out of conndata into ntlmdata.
2020-01-28 | multi_done: if multiplexed, make conn->data point to another transfer | Daniel Stenberg
... since the current transfer is being killed. Setting to NULL is wrong, leaving it pointing to 'data' is wrong since that handle might be about to get freed. Fixes #4845 Closes #4858 Reported-by: dmitrmax on github
2020-01-24 | conn: do not reuse connection if SOCKS proxy credentials differ | Peter Piekarski
Closes #4835
2020-01-21 | http: move "oauth_bearer" from connectdata to Curl_easy | nao
Fixes the bug where oauth_bearer gets deallocated when we re-use a connection. Closes #4824
2020-01-13 | ConnectionExists: respect the max_concurrent_streams limits | Daniel Stenberg
A regression made the code use 'multiplexed' as a boolean instead of the counter it is intended to be. This made curl try to "over-populate" connections with new streams. This regression came with 41fcdf71a1, shipped in curl 7.65.0. Also, respect the CURLMOPT_MAX_CONCURRENT_STREAMS value in the same check. Reported-by: Kunal Ekawde Fixes #4779 Closes #4784
2020-01-12 | wolfSSH: new SSH backend | Daniel Stenberg
Adds support for SFTP (not SCP) using WolfSSH. Closes #4231
2019-12-19 | create_conn: prefer multiplexing to using new connections | Daniel Stenberg
... as it would previously prefer new connections rather than multiplexing in most conditions! The (now removed) code was a leftover from the Pipelining code that was translated wrongly into a multiplex-only world. Reported-by: Kunal Ekawde Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html Closes #4732
2019-12-09 | conncache: fix multi-thread use of shared connection cache | Daniel Stenberg
It could accidentally let the connection get used by more than one thread, leading to double-free and more. Reported-by: Christopher Reid Fixes #4544 Closes #4557
2019-12-01 | build: Disable Visual Studio warning "conditional expression is constant" | Jay Satiro
- Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler. This mainly affects building with the Visual Studio project files found in the projects dir. Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup. Background: We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it: #define Curl_resolver_asynch() 1 Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example. Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir. Closes https://github.com/curl/curl/pull/4658
2019-11-17 | lib: Move lib/ssh.h -> lib/vssh/ssh.h | Jay Satiro
Follow-up to 5b2d703 which moved ssh source files to vssh. Closes https://github.com/curl/curl/pull/4609
2019-11-06 | build: fix for CURL_DISABLE_DOH | Wyatt O'Day
Fixes https://github.com/curl/curl/issues/4565 Closes https://github.com/curl/curl/pull/4566
2019-10-30 | url: make Curl_close() NULLify the pointer too | Daniel Stenberg
This is the common pattern used in the code and by a unified approach we avoid mistakes. Closes #4534
2019-10-29 | url: Curl_free_request_state() should also free doh handles | Daniel Stenberg
... or risk DoH memory leaks. Reported-by: Paul Dreik Fixes #4463 Closes #4527
2019-10-23 | conn-reuse: requests wanting NTLM can reuse non-NTLM connections | Daniel Stenberg
Added test case 338 to verify. Reported-by: Daniel Silverstone Fixes #4499 Closes #4514
2019-10-16 | url: normalize CURLINFO_EFFECTIVE_URL | Daniel Stenberg
The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as input in most cases, which made it not get a scheme prefixed like before if the URL was given without one, and it didn't remove dotdot sequences etc. Added test case 1907 to verify that this now works as intended and as before 7.62.0. Regression introduced in 7.62.0 Reported-by: Christophe Dervieux Fixes #4491 Closes #4493
2019-10-03 | cookies: change argument type for Curl_flush_cookies | Daniel Stenberg
The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear. Closes #4455
2019-10-03 | http2: move state-init from creation to pre-transfer | Daniel Stenberg
To make sure that the HTTP/2 state is initialized correctly for duplicated handles. It would otherwise easily generate "spurious" PRIORITY frames to get sent over HTTP/2 connections when duplicated easy handles were used. Reported-by: Daniel Silverstone Fixes #4303 Closes #4442
2019-09-26 | url: don't set appconnect time for non-ssl/non-ssh connections | Jay Satiro
Prior to this change non-ssl/non-ssh connections that were reused set TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH handshake took place. [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in libcurl and %{time_appconnect} in the curl tool. It is documented as "the time until the SSL/SSH handshake is completed". Reported-by: Marcel Hernandez Ref: https://github.com/curl/curl/issues/3760 Closes https://github.com/curl/curl/pull/3773
2019-09-25 | url: fix the NULL hostname compiler warning case | Jay Satiro
Closes #4403
2019-09-20 | url: remove dead code | Daniel Stenberg
Fixes warning detected by PVS-Studio Fixes #4374
2019-09-20 | url: part of expression is always true: (bundle->multiuse == 0) | Daniel Stenberg
Fixes warning detected by PVS-Studio Fixes #4374
2019-09-19 | url: only reuse TLS connections with matching pinning | Daniel Stenberg
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the connection should not be reused. Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html Reported-by: Sebastian Haglund Closes #4347
2019-09-18 | url: cleanup dangling DOH request headers too | Daniel Stenberg
Follow-up to 9bc44ff64d9081 Credit to OSS-Fuzz Bug: https://crbug.com/oss-fuzz/17269 Closes #4372
2019-09-16 | doh: clean up dangling DOH handles and memory on easy close | Daniel Stenberg
If you set the same URL for target as for DoH (and it isn't a DoH server), like "https://example.com" in both, the easy handles used for the DoH requests could be left "dangling" and end up not getting freed. Reported-by: Paul Dreik Closes #4366
2019-09-03 | cleanup: move functions out of url.c and make them static | Daniel Stenberg
Closes #4289
2019-08-20 | cleanup: remove DOT_CHAR completely | Daniel Stenberg
Follow-up to f9c7ba9096ec The use of DOT_CHAR for ".ssh" was probably a mistake and is removed now. Pointed-out-by: Gisle Vanem Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 Closes #4247
2019-08-08 | alt-svc: add protocol version selection masking | Daniel Stenberg
So that users can mask in/out specific HTTP versions when Alt-Svc is used. - Removed "h2c" and updated test case accordingly - Changed how the altsvc struct is laid out - Added ifdefs to make the unittest run even in a quiche-tree Closes #4201
2019-08-08 | http3: fix the HTTP/3 in the request, make alt-svc set right versions | Daniel Stenberg
Closes #4200
2019-08-08 | alt-svc: send Alt-Used: in redirected requests | Daniel Stenberg
RFC 7838 section 5: When using an alternative service, clients SHOULD include an Alt-Used header field in all requests. Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus this is deemed ok). You can disable sending this header just like you disable any other HTTP header in libcurl. Closes #4199
2019-08-07 | curl.h: add CURL_HTTP_VERSION_3 to the version enum | Daniel Stenberg
It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with CURLINFO_HTTP_VERSION.
2019-08-06 | sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID | Steve Holme
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186
2019-08-06 | http09: disable HTTP/0.9 by default in both tool and library | Daniel Stenberg
As the plan has been laid out in DEPRECATED. Update docs accordingly and verify in test 1174. Now requires the option to be set to allow HTTP/0.9 responses. Closes #4191
2019-08-03 | url: make use of new HTTP version if alt-svc has one | Daniel Stenberg
2019-08-03 | url: set conn->transport to default TCP at init time | Daniel Stenberg
2019-08-01 | timediff: make it 64 bit (if possible) even with 32 bit time_t | Daniel Stenberg
... to make it hold microseconds too. Fixes #4165 Closes #4168
2019-07-30 | cleanup: remove the 'numsocks' argument used in many places | Daniel Stenberg
It was used (intended) to pass in the size of the 'socks' array that is also passed to these functions, but was rarely actually checked/used and the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries that should be used instead. Closes #4169
2019-07-21 | HTTP3: initial (experimental) support | Daniel Stenberg
Use configure --with-ngtcp2 or --with-quiche. Using either option will enable a HTTP3 build. Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> Closes #3500
2019-07-17 | libcurl: Restrict redirect schemes (follow-up) | Jay Satiro
- Allow FTPS on redirect. - Update default allowed redirect protocols in documentation. Follow-up to 6080ea0. Ref: https://github.com/curl/curl/pull/4094 Closes https://github.com/curl/curl/pull/4115
2019-07-14 | libcurl: Restrict redirect schemes | Linos Giannopoulos
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts. For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload. Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> Closes #4094
2019-06-17 | conn_maxage: move the check to prune_dead_connections() | Daniel Stenberg
... and avoid the locking issue. Reported-by: Kunal Ekawde Fixes #4029 Closes #4032
2019-06-12 | url: Fix CURLOPT_MAXAGE_CONN time comparison | Cliff Crosland
Old connections are meant to expire from the connection cache after CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x that value. This occurs because a time value measured in milliseconds is accidentally divided by 1M instead of by 1,000. Closes https://github.com/curl/curl/pull/4013
2019-06-10 | multi: make sure 'data' can be present in several sockhash entries | Daniel Stenberg
Since more than one socket can be used by each transfer at a given time, each sockhash entry now has its own hash table with transfers using that socket. In addition, the sockhash entry can now be marked 'blocked = TRUE' which then makes the delete function just set 'removed = TRUE' instead of removing it "for real", as a way to not rip out the carpet under the feet of a parent function that iterates over the transfers of that same sockhash entry. Reported-by: Tom van der Woerdt Fixes #3961 Fixes #3986 Fixes #3995 Fixes #4004 Closes #3997
2019-05-29 | url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows | Steve Holme
This fixes the static dependency on iphlpapi.lib and allows curl to build for targets prior to Windows Vista. This partially reverts 170bd047. Fixes #3960 Closes #3958
2019-05-28 | parse_proxy: make sure portptr is initialized | Daniel Stenberg
Reported-by: Benbuck Nason fixes #3959