aboutsummaryrefslogtreecommitdiff
path: root/lib/urlapi.c
AgeCommit message (Collapse)Author
2019-10-03urlapi: fix use-after-free bugDaniel Stenberg
Follow-up from 2c20109a9b5d04 Added test 663 to verify. Reported by OSS-Fuzz Bug: https://crbug.com/oss-fuzz/17954 Closes #4453
2019-10-02urlapi: fix URL encoding when setting a full URLDaniel Stenberg
2019-10-01urlapi: fix unused variable warningMarcel Raad
`dest` is only used with `ENABLE_IPV6`. Closes https://github.com/curl/curl/pull/4444
2019-09-24urlapi: question mark within fragment is still fragmentDaniel Stenberg
The parser would check for a query part before fragment, which caused it to do wrong when the fragment contains a question mark. Extended test 1560 to verify. Reported-by: Alex Konev Fixes #4412 Closes #4413
2019-09-21urlapi: avoid index underflow for short ipv6 hostnamesPaul Dreik
If the input hostname is "[", hlen will underflow to max of size_t when it is subtracted with 2. hostname[hlen] will then cause a warning by ubsanitizer: runtime error: addition of unsigned offset to 0x<snip> overflowed to 0x<snip> I think that in practice, the generated code will work, and the output of hostname[hlen] will be the first character "[". This can be demonstrated by the following program (tested in both clang and gcc, with -O3) int main() { char* hostname=strdup("["); size_t hlen = strlen(hostname); hlen-=2; hostname++; printf("character is %d\n",+hostname[hlen]); free(hostname-1); } I found this through fuzzing, and even if it seems harmless, the proper thing is to return early with an error. Closes #4389
2019-09-20urlapi: Expression 'storep' is always trueDaniel Stenberg
Fixes warning detected by PVS-Studio Fixes #4374
2019-09-20urlapi: 'scheme' is always trueDaniel Stenberg
Fixes warning detected by PVS-Studio Fixes #4374
2019-09-20urlapi: part of conditional expression is always true: (relurl[0] == '/')Daniel Stenberg
Fixes warning detected by PVS-Studio Fixes #4374
2019-09-19urlapi: CURLU_NO_AUTHORITY allows empty authority/host partJens Finkhaeuser
CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not "file:///") to override cURL's default demand that an authority exists. Closes #4349
2019-09-10urlapi: one colon is enough for the strspn() input (typo)Daniel Stenberg
2019-09-10urlapi: verify the IPv6 numerical addressDaniel Stenberg
It needs to parse correctly. Otherwise it could be tricked into letting through a-f using host names that libcurl would then resolve. Like '[ab.be]'. Reported-by: Thomas Vegas Closes #4315
2019-05-20urlapi: increase supported scheme length to 40 bytesOmar Ramadan
The longest currently registered URI scheme at IANA is 36 bytes long. Closes #3905 Closes #3900
2019-05-20lib: reduce variable scopesMarcel Raad
Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
2019-05-14urlapi: require a non-zero host name length when parsing URLDaniel Stenberg
Updated test 1560 to verify. Closes #3880
2019-05-05urlapi: add CURLUPART_ZONEID to set and getDaniel Stenberg
The zoneid can be used with IPv6 numerical addresses. Updated test 1560 to verify. Closes #3834
2019-05-03urlapi: strip off scope id from numerical IPv6 addressesDaniel Stenberg
... to make the host name "usable". Store the scope id and put it back when extracting a URL out of it. Also makes curl_url_set() syntax check CURLUPART_HOST. Fixes #3817 Closes #3822
2019-04-29CURL_MAX_INPUT_LENGTH: largest acceptable string input sizeDaniel Stenberg
This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set(). The 8000000 number is arbitrary picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over. NOTE: This does not apply to `CURLOPT_POSTFIELDS`. Test 1559 verifies. Closes #3805
2019-04-13urlapi: stricter CURLUPART_PORT parsingDaniel Stenberg
Only allow well formed decimal numbers in the input. Document that the number MUST be between 1 and 65535. Add tests to test 1560 to verify the above. Ref: https://github.com/curl/curl/issues/3753 Closes #3762
2019-04-07urlapi: urlencode characters above 0x7f correctlyJakub Zakrzewski
fixes #3741 Closes #3742
2019-02-10cleanup: make local functions staticDaniel Stenberg
urlapi: turn three local-only functions into statics conncache: make conncache_find_first_connection static multi: make detach_connnection static connect: make getaddressinfo static curl_ntlm_core: make hmac_md5 static http2: make two functions static http: make http_setup_conn static connect: make tcpnodelay static tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds ... and mark Curl_shuffle_addr accordingly. url: make up_free static setopt: make vsetopt static curl_endian: make write32_le static rtsp: make rtsp_connisdead static warnless: remove unused functions memdebug: remove one unused function, made another static
2019-02-09urlapi: reduce variable scope, remove unreachable 'break'Daniel Stenberg
Both nits pointed out by codacy.com Closes #3540
2018-12-30urlapi: fix parsing ipv6 with zone indexDaniel Gustafsson
The previous fix for parsing IPv6 URLs with a zone index was a paddle short for URLs without an explicit port. This patch fixes that case and adds a unit test case. This bug was highlighted by issue #3408, and while it's not the full fix for the problem there it is an isolated bug that should be fixed regardless. Closes #3411 Reported-by: GitYuanQu on github Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13urlapi: distinguish possibly empty queryLeonardo Taccari
If just a `?' to indicate the query is passed always store a zero length query instead of having a NULL query. This permits to distinguish URL with trailing `?'. Fixes #3369 Closes #3370
2018-12-12urlapi: Fix port parsing of eol colonDaniel Gustafsson
A URL with a single colon without a portnumber should use the default port, discarding the colon. Fix, add a testcase and also do little bit of comment wordsmithing. Closes #3365 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-11tests: add urlapi unittestDaniel Gustafsson
This adds a new unittest intended to cover the internal functions in the urlapi code, starting with parse_port(). In order to avoid name collisions in debug builds, parse_port() is renamed Curl_parse_port() since it will be exported. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11urlapi: fix portnumber parsing for ipv6 zone indexDaniel Gustafsson
An IPv6 URL which contains a zone index includes a '%%25<zode id>' string before the ending ']' bracket. The parsing logic wasn't set up to cope with the zone index however, resulting in a malformed url error being returned. Fix by breaking the parsing into two stages to correctly handle the zone index. Closes #3355 Closes #3319 Reported-by: tonystz on Github Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-07urlapi: only skip encoding the first '=' with APPENDQUERY setDaniel Stenberg
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip encoding the first to better allow "name=content" for any content. Reported-by: Alexey Melnichuk Fixes #3231 Closes #3231
2018-11-06url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203. Assisted-by: Marcel Raad Reported-by: Hagai Auro Fixes #3220 Fixes #3233 Closes #3223 Closes #3235
2018-11-05Revert "url: a short host name + port is not a scheme"Daniel Stenberg
This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
2018-11-03url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
2018-11-03URL: fix IPv6 numeral address parserDaniel Stenberg
Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
2018-10-02urlapi: starting with a drive letter on win32 is not an abs urlDaniel Stenberg
... and libcurl doesn't support any single-letter URL schemes (if there even exist any) so it should be fairly risk-free. Reported-by: Marcel Raad Fixes #3070 Closes #3071
2018-09-21urlapi: fix support for address scope in IPv6 numerical addressesDaniel Stenberg
Closes #3024
2018-09-19urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptanceDaniel Stenberg
In order for this API to fully work for libcurl itself, it now offers a CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host name prefix just like libcurl always did. If there's no known prefix, it will guess "http://". Separately, it relaxes the check of the host name so that IDN host names can be passed in as well. Both these changes are necessary for libcurl itself to use this API. Assisted-by: Daniel Gustafsson Closes #3018
2018-09-19urlapi: don't set value which is never readDaniel Gustafsson
In the CURLUPART_URL case, there is no codepath which invokes url decoding so remove the assignment of the urldecode variable. This fixes the deadstore bug-report from clang static analysis. Closes #3015 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-10misc: fix typos in commentsDaniel Gustafsson
Closes #2963
2018-09-08urlapi: avoid derefencing a possible NULL pointerDaniel Stenberg
Coverity CID 1439134
2018-09-08URL-APIDaniel Stenberg
See header file and man pages for API. All documented API details work and are tested in the 1560 test case. Closes #2842