aboutsummaryrefslogtreecommitdiff
path: root/lib/url.c
AgeCommit message (Collapse)Author
2015-05-12connection cache: avoid Curl_hash_alloc()Daniel Stenberg
... by using plain structs instead of pointers for the connection cache, we can avoid several dynamic allocations that weren't necessary.
2015-04-28CURLOPT_HEADEROPT: default to separateDaniel Stenberg
Make the HTTP headers separated by default for improved security and reduced risk for information leakage. Bug: http://curl.haxx.se/docs/adv_20150429.html Reported-by: Yehezkel Horowitz, Oren Souroujon
2015-04-28Negotiate: custom service names for SPNEGO.Linus Nielsen
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME. * Add new curl options, --proxy-service-name and --service-name.
2015-04-27ConnectionExists: call it multi-use instead of pipeliningDaniel Stenberg
So that it fits HTTP/2 as well
2015-04-22connectionexists: follow-up to fd9d3a1ef1fDaniel Stenberg
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not enabled. Mistake-caught-by: Kamil Dudka
2015-04-22connectionexists: fix build without NTLMDaniel Stenberg
Do not access NTLM-specific struct fields when built without NTLM enabled! bug: http://curl.haxx.se/?i=231 Reported-by: Patrick Rapin
2015-04-21fix_hostname: zero length host name caused -1 index offsetDaniel Stenberg
If a URL is given with a zero-length host name, like in "http://:80" or just ":80", `fix_hostname()` will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address. CVE-2015-3144 Bug: http://curl.haxx.se/docs/adv_20150422D.html Reported-by: Hanno Böck
2015-04-21ConnectionExists: for NTLM re-use, require credentials to matchDaniel Stenberg
CVE-2015-3143 Bug: http://curl.haxx.se/docs/adv_20150422A.html Reported-by: Paras Sethia
2015-03-27url: Don't accept CURLOPT_SSLVERSION unless USE_SSL is definedJay Satiro
2015-03-24CURLOPT_PATH_AS_IS: addedDaniel Stenberg
--path-as-is is the command line option Added docs in curl.1 and CURLOPT_PATH_AS_IS.3 Added test in test 1241
2015-03-20url: add CURLOPT_SSL_FALSESTART optionAlessandro Ghedini
This option can be used to enable/disable TLS False Start defined in the RFC draft-bmoeller-tls-falsestart.
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-16free: instead of Curl_safefree()Daniel Stenberg
Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
2015-03-16Bug #149: Deletion of unnecessary checks before a few calls of cURL functionsMarkus Elfring
The following functions return immediately if a null pointer was passed. * Curl_cookie_cleanup * curl_formfree It is therefore not needed that a function caller repeats a corresponding check. This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-16Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring
The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-11proxy: re-use proxy connections (regression)Daniel Stenberg
When checking for a connection to re-use, a proxy-using request must check for and use a proxy connection and not one based on the host name! Added test 1421 to verify Bug: http://curl.haxx.se/bug/view.cgi?id=1492
2015-03-03mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg
... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
2015-02-20configure: allow both --with-ca-bundle and --with-ca-pathJulian Ospald
SSL_CTX_load_verify_locations by default (and if given non-Null parameters) searches the CAfile first and falls back to CApath. This allows for CAfile to be a basis (e.g. installed by the package manager) and CApath to be a user configured directory. This wasn't reflected by the previous configure constraint which this patch fixes. Bug: https://github.com/bagder/curl/pull/139
2015-01-16url: add CURLOPT_SSL_VERIFYSTATUS optionAlessandro Ghedini
This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
2015-01-07url-parsing: reject CRLFs within URLsDaniel Stenberg
Bug: http://curl.haxx.se/docs/adv_20150108B.html Reported-by: Andrey Labunets
2014-12-26code/docs: Use Unix rather than UNIX to avoid use of the trademarkSteve Holme
Use Unix when generically writing about Unix based systems as UNIX is the trademark and should only be used in a particular product's name.
2014-12-17parseurlandfillconn(): fix improper non-numeric scope_id stripping.Kyle J. McKay
Fixes SF bug 1149: http://sourceforge.net/p/curl/bugs/1449/
2014-12-16IPV6: address scope != scope idPatrick Monnerat
There was a confusion between these: this commit tries to disambiguate them. - Scope can be computed from the address itself. - Scope id is scope dependent: it is currently defined as 1-based local interface index for link-local scoped addresses, and as a site index(?) for (obsolete) site-local addresses. Linux only supports it for link-local addresses. The URL parser properly parses a scope id as an interface index, but stores it in a field named "scope": confusion. The field has been renamed into "scope_id". Curl_if2ip() used the scope id as it was a scope. This caused failures to bind to an interface. Scope is now computed from the addresses and Curl_if2ip() matches them. If redundantly specified in the URL, scope id is check for mismatch with the interface index. This commit should fix SF bug #1451.
2014-12-12smb: Disable SMB when 64-bit integers are not supportedSteve Holme
This fixes compilation issues with compilers that don't support 64-bit integers through long long or __int64.
2014-12-10url.c: Fixed compilation warning when USE_NTLM is not definedSteve Holme
url.c:3078: warning: variable 'credentialsMatch' set but not used
2014-12-09cookies: Improved OOM handling in cookiesDan Fandrich
This fixes the test 506 torture test. The internal cookie API really ought to be improved to separate cookie parsing errors (which may be ignored) with OOM errors (which should be fatal).
2014-12-07smb: Fixed Windows autoconf builds following commit eb88d778e7Steve Holme
As Windows based autoconf builds don't yet define USE_WIN32_CRYPTO either explicitly through --enable-win32-cypto or automatically on _WIN32 based platforms, subsequent builds broke with the following error message: "Can't compile NTLM support without a crypto library."
2014-12-07smb: Build with SSPI enabledBill Nagel
Build SMB/CIFS protocol support when SSPI is enabled.
2014-12-04docs: Fix FAILONERROR typosAnthon Pang
It returns error for >= 400 HTTP responses. Bug: https://github.com/bagder/curl/pull/129
2014-12-04libcurl: add UNIX domain sockets supportPeter Wu
The ability to do HTTP requests over a UNIX domain socket has been requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a discussion happened, no patch seems to get through. I decided to give it a go since I need to test a nginx HTTP server which listens on a UNIX domain socket. One patch [3] seems to make it possible to use the CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket. Another person wrote a Go program which can do HTTP over a UNIX socket for Docker[4] which uses a special URL scheme (though the name contains cURL, it has no relation to the cURL library). This patch considers support for UNIX domain sockets at the same level as HTTP proxies / IPv6, it acts as an intermediate socket provider and not as a separate protocol. Since this feature affects network operations, a new feature flag was added ("unix-sockets") with a corresponding CURL_VERSION_UNIX_SOCKETS macro. A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This option enables UNIX domain sockets support for all requests on the handle (replacing IP sockets and skipping proxies). A new configure option (--enable-unix-sockets) and CMake option (ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I deliberately did not mark this feature as advanced, this is a feature/component that should easily be available. [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/ [2]: http://sourceforge.net/p/curl/feature-requests/53/ [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html [4]: https://github.com/Soulou/curl-unix-socket Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-11-30libcurl: Exclude SMB from the protocol redirectSteve Holme
As local files could be accessed through \\localhost\c$.
2014-11-30libcurl: Enable support for the SMB protocolBill Nagel
This patch enables SMB/CIFS support in libcurl.
2014-11-09build: Fixed no NTLM support for email when CURL_DISABLE_HTTP is definedSteve Holme
USE_NTLM would only be defined if: HTTP support was enabled, NTLM and cryptography weren't disabled, and either a supporting cryptography library or Windows SSPI was being compiled against. This means it was not possible to build libcurl without HTTP support and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather than introduce a new SASL pre-processor definition, removed the HTTP prerequisite just like USE_SPNEGO and USE_KRB5. Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP as it is only available to HTTP at present. This bug dates back to August 2011 when I started to add support for NTLM to SMTP.
2014-11-05url.c: Fixed compilation warningSteve Holme
conversion from 'curl_off_t' to 'size_t', possible loss of data
2014-11-05curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of boundsDaniel Stenberg
When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults. Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead. Bug: http://curl.haxx.se/docs/adv_20141105.html CVE: CVE-2014-3707 Reported-By: Symeon Paraschoudis
2014-10-25ntlm: Only define ntlm data structure when USE_NTLM is definedSteve Holme
2014-10-24url.c: use 'CURLcode result'Daniel Stenberg
2014-10-24code cleanup: we prefer 'CURLcode result'Daniel Stenberg
... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-07SSL: implement public key pinningmoparisthebest
Option --pinnedpubkey takes a path to a public key in DER format and only connect if it matches (currently only implemented with OpenSSL). Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt(). Extract a public RSA key from a website like so: openssl s_client -connect google.com:443 2>&1 < /dev/null | \ sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \ | openssl rsa -pubin -outform DER > google.com.der
2014-10-03parse_proxy: remove dead code.Daniel Stenberg
Coverity CID 982331.
2014-10-02detect_proxy: fix possible single-byte memory leakDaniel Stenberg
Coverity CID 1202836. If the proxy environment variable returned an empty string, it would be leaked. While an empty string is not really a proxy, other logic in this function already allows a blank string to be returned so allow that here to avoid the leak.
2014-09-25CURLOPT_COOKIELIST: Added "RELOAD" commandYousuke Kimoto
2014-09-13curlssl: make tls backend symbols use curlssl in the nameDaniel Stenberg
2014-09-13url: let the backend decide CURLOPT_SSL_CTX_ supportDaniel Stenberg
... to further remove specific TLS backend knowledge from url.c
2014-09-13vtls: have the backend tell if it supports CERTINFODaniel Stenberg
2014-09-13CURLOPT_CAPATH: return failure if set without backend supportDaniel Stenberg
2014-09-06url.c: Use CURLAUTH_NONE constant rather than 0Steve Holme
Small follow up to commit 898808fa8c to use auth constants rather than hard code value when clearing picked authentication mechanism.
2014-08-25disconnect: don't touch easy-related state on disconnectsDaniel Stenberg
This was done to make sure NTLM state that is bound to a connection doesn't survive and gets used for the subsequent request - but disconnects can also be done to for example make room in the connection cache and thus that connection is not strictly related to the easy handle's current operation. The http authentication state is still kept in the easy handle since all http auth _except_ NTLM is connection independent and thus survive over multiple connections. Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html Reported-by: Paras S
2014-08-22NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP authFrank Meier
Problem: if CURLOPT_FORBID_REUSE is set, requests using NTLM failed since NTLM requires multiple requests that re-use the same connection for the authentication to work Solution: Ignore the forbid reuse flag in case the NTLM authentication handshake is in progress, according to the NTLM state flag. Fixed known bug #77.
2014-08-20Curl_disconnect: don't free the URLDaniel Stenberg
The URL is not a property of the connection so it should not be freed in the connection disconnect but in the Curl_close() that frees the easy handle. Bug: http://curl.haxx.se/mail/lib-2014-08/0148.html Reported-by: Paras S