aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2020-05-14vauth/cleartext: fix theoretical integer overflowMajor_Tom
Fix theoretical integer overflow in Curl_auth_create_plain_message. The security impact of the overflow was discussed on hackerone. We agreed this is more of a theoretical vulnerability, as the integer overflow would only be triggerable on systems using 32-bits size_t with over 4GB of available memory space for the process. Closes #5391
2020-05-14checksrc: enhance the ASTERISKSPACE and update code accordinglyDaniel Stenberg
Fine: "struct hello *world" Not fine: "struct hello* world" (and variations) Closes #5386
2020-05-13OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAINDaniel Stenberg
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376
2020-05-13url: reject too long input when parsing credentialsDaniel Stenberg
Since input passed to libcurl with CURLOPT_USERPWD and CURLOPT_PROXYUSERPWD circumvents the regular string length check we have in Curl_setstropt(), the input length limit is enforced in Curl_parse_login_details too, separately. Reported-by: Thomas Bouzerar Closes #5383
2020-05-12easy: fix dangling pointer on easy_perform faildenzor
Closes https://github.com/curl/curl/pull/5363
2020-05-12url: sort the protocol schemes in rough popularity orderDaniel Stenberg
When looking for a protocol match among supported schemes, check the most "popular" schemes first. It has zero functionality difference and for all practical purposes a speed difference will not be measureable but it still think it makes sense to put the least likely matches last. "Popularity" based on the 2019 user survey. Closes #5377
2020-05-10CMake: add ENABLE_ALT_SVC optionPeter Wu
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting (not tested).
2020-05-10CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)Peter Wu
Add three new CMake Find modules (using the curl license, but I grant others the right to apply the CMake BSD license instead). This CMake config is simpler than the autotools one because it assumes ngtcp2 and nghttp3 to be used together. Another difference is that this CMake config checks whether QUIC is actually supported by the TLS library (patched OpenSSL or boringssl) since this can be a common configuration mistake that could result in build errors later. Unlike autotools, CMake does not warn you that the features are experimental. The user is supposed to already know that and read the documentation. It requires a very special build environment anyway. Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure out which features (libldap-2.4, libssh2) to disable due to conflicts with boringssl. Closes #5359
2020-05-08checksrc: close the .checksrc file handle when done readingDaniel Stenberg
2020-05-08CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)Gilles Vollant
Closes #4346
2020-05-08urlapi: accept :: as a valid IPv6 addressDaniel Stenberg
Text 1560 is extended to verify. Reported-by: Pavel Volgarev Fixes #5344 Closes #5351
2020-05-08*_sspi: fix bad uses of CURLE_NOT_BUILT_INPeter Wang
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other instances of QuerySecurityPackageInfo failing, as in commit 2a81439553286f12cd04a4bdcdf66d8e026d8201. Closes #5355
2020-05-07ngtcp2: introduce qlog supportDaniel Stenberg
If the QLOGDIR environment variable is set, enable qlogging. ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for QUIC functions that are backend independent. Closes #5353
2020-05-07ntlm_sspi: fix bad use of CURLE_NOT_BUILT_INDaniel Stenberg
That return code is reserved for build-time conditional code not being present while this was a regular run-time error from a Windows API. Reported-by: wangp on github Fixes #5349 Closes #5350
2020-05-07http2: simplify and clean up trailer handlingDaniel Stenberg
Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in ed35d6590e72. This should make the trailer handling more straight forward and hopefully less error-prone. Deliver the trailer header to the callback already at receive-time. No longer caches the trailers to get delivered at end of stream. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030 Closes #5348
2020-05-05libssh2: convert over to use dynbufDaniel Stenberg
In my very basic test that lists sftp://127.0.0.1/tmp/, this patched code makes 161 allocations compared to 194 in git master. A 17% reduction. Closes #5336
2020-05-05quiche: enable qlog outputDaniel Stenberg
quiche has the potential to log qlog files. To enable this, you must build quiche with the qlog feature enabled `cargo build --features qlog`. curl then passes a file descriptor to quiche, which takes ownership of the file. The FD transfer only works on UNIX. The convention is to enable logging when the QLOGDIR environment is set. This should be a path to a folder where files are written with the naming template <SCID>.qlog. Co-authored-by: Lucas Pardue Replaces #5337 Closes #5341
2020-05-04urldata.h: remove #define HEADERSIZE, not used anymoreDaniel Stenberg
Follow-up to ed35d6590e72c
2020-05-04ngtcp2: convert to dynbufDaniel Stenberg
Closes #5335
2020-05-04connect: make happy eyeballs work for QUIC (again)Daniel Stenberg
Follow-up from dbd16c3e256c6c (regression in 7.70.0) Closes #5334
2020-05-04connect: add two asserts to clue code analyzers in a littleDaniel Stenberg
2020-05-04http_proxy: ported to use dynbuf instead of a static size bufferDaniel Stenberg
Removes a 16K static buffer from the easy handle. Simplifies the code.
2020-05-04dynbuf: introduce internal generic dynamic buffer functionsDaniel Stenberg
A common set of functions instead of many separate implementations for creating buffers that can grow when appending data to them. Existing functionality has been ported over. In my early basic testing, the total number of allocations seem at roughly the same amount as before, possibly a few less. See docs/DYNBUF.md for a description of the API. Closes #5300
2020-05-03asyn-*: remove support for never-used NULL entry pointersDaniel Stenberg
... and instead convert those to asserts to make sure they are truly never NULL. Closes #5324
2020-05-02asyn-thread: fix cppcheck warningJay Satiro
- Check for NULL entry parameter before attempting to deref entry in Curl_resolver_is_resolved, like is already done in asyn-ares. This is to silence cppcheck which does not seem to understand that asyn-ares and asyn-thread have separate Curl_resolver_is_resolved and those units are mutually exclusive. Prior to this change it warned of a scenario where asyn-thread's Curl_resolver_is_resolved is called with a NULL entry from asyn-ares, but that couldn't happen. Reported-by: rl1987@users.noreply.github.com Fixes https://github.com/curl/curl/issues/5326
2020-05-02select: fix overflow protection in Curl_socket_checkJay Satiro
Follow-up to a96c752 which changed the timeout_ms type from time_t to timediff_t. Ref: https://github.com/curl/curl/pull/5240 Closes https://github.com/curl/curl/pull/5286
2020-05-02libssh2: set the expected total size in SCP upload initDaniel Stenberg
... as otherwise the progress callback gets called without that information, making the progress meter have less info. Reported-by: Murugan Balraj Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html Closes #5317
2020-04-30GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULTEmil Engler
Closes #5287
2020-04-30conncache: various concept cleanupsDaniel Stenberg
More connection cache accesses are protected by locks. CONNCACHE_* is a beter prefix for the connection cache lock macros. Curl_attach_connnection: now called as soon as there's a connection struct available and before the connection is added to the connection cache. Curl_disconnect: now assumes that the connection is already removed from the connection cache. Ref: #4915 Closes #5009
2020-04-29schannel: source code reindentDaniel Stenberg
White space edits only. Conform better to standard curl source code indenting style. Closes #5305
2020-04-28headers: copyright range fixDaniel Stenberg
2020-04-28doh: Constify some input pointersRikard Falkeborn
Closes #5306
2020-04-27nss: check for PK11_CreateDigestContext() returning NULLDaniel Stenberg
... to avoid crashes! Reported-by: Hao Wu Fixes #5302 Closes #5303
2020-04-26copyright updates: adjust year rangesDaniel Stenberg
2020-04-25smtp: set auth correctlyDaniel Stenberg
Regression since 7.69.0 and 68fb25fa3fcff. The code wrongly assigned 'from' instead of 'auth' which probably was a copy and paste mistake from other code, leading to that auth could remain NULL and later cause an error to be returned. Assisted-by: Eric Sauvageau Fixes #5294 Closes #5295
2020-04-25lib: clean up whitespaceMarcel Raad
This fixes CodeFactor warnings.
2020-04-25libssh: avoid options override by configuration filesAnderson Toshiyuki Sasaki
Previously, options set explicitly through command line options could be overridden by the configuration files parsed automatically when ssh_connect() was called. By calling ssh_options_parse_config() explicitly, the configuration files are parsed before setting the options, avoiding the options override. Once the configuration files are parsed, the automatic configuration parsing is not executed. Fixes #4972 Closes #5283 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2020-04-23select: make Curl_socket_check take timediff_t timeoutDaniel Stenberg
Coverity found CID 1461718: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms > 9223372036854775807L" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". Closes #5240
2020-04-22transfer: Switch PUT to GET/HEAD on 303 redirectJay Satiro
Prior to this change if there was a 303 reply to a PUT request then the subsequent request to respond to that redirect would also be a PUT. It was determined that was most likely incorrect based on the language of the RFCs. Basically 303 means "see other" resource, which implies it is most likely not the same resource, therefore we should not try to PUT to that different resource. Refer to the discussions in #5237 and #5248 for more information. Fixes https://github.com/curl/curl/issues/5237 Closes https://github.com/curl/curl/pull/5248
2020-04-22lib/mk-ca-bundle: skip empty certsDaniel Stenberg
Reviewed-by: Emil Engler Reported-by: Ashwin Metpalli Fixes #5278 Closes #5280
2020-04-22version: skip idn2_check_version() check and add precautionDaniel Stenberg
A gcc-10's -fanalyze complaint made me spot and do these improvements. Closes #5281
2020-04-21GnuTLS: Don't skip really long certificate fieldsEmil Engler
Closes #5271
2020-04-21gnutls: bump lowest supported version to 3.1.10Daniel Stenberg
GnuTLS 3.1.10 added new functions we want to use. That version was released on Mar 22, 2013. Removing support for older versions also greatly simplifies the code. Ref: #5271 Closes #5276
2020-04-20mqtt: make NOSTATE get within the debug name arrayDaniel Stenberg
2020-04-20mqtt: remove code with no purposeDaniel Stenberg
Detected by Coverity. CID 1462319. "The same code is executed when the condition result is true or false, because the code in the if-then branch and after the if statement is identical." Closes #5275
2020-04-20mqtt: fix Curl_read() error handling while reading remaining lengthDaniel Stenberg
Detected by Coverity. CID 1462320. Closes #5274
2020-04-20http: free memory when Alt-Used header creation fails due to OOMDaniel Stenberg
Reported-by: James Fuller Fixes #5268 Closes #5269
2020-04-20lib: fix typos in comments and errormessagesDaniel Gustafsson
This fixes a few randomly spotted typos in recently merged code, most notably one in a userfacing errormessage the schannel code.
2020-04-20multi-ssl: reset the SSL backend on `Curl_global_cleanup()`Johannes Schindelin
When cURL is compiled with support for multiple SSL backends, it is possible to configure an SSL backend via `curl_global_sslset()`, but only *before* `curl_global_init()` was called. If another SSL backend should be used after that, a user might be tempted to call `curl_global_cleanup()` to start over. However, we did not foresee that use case and forgot to reset the SSL backend in that cleanup. Let's allow that use case. Fixes #5255 Closes #5257 Reported-by: davidedec on github Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2020-04-20mqtt: improve the state machineDaniel Stenberg
To handle PUBLISH before SUBACK and more. Updated the existing tests and added three new ones. Reported-by: Christoph Krey Bug: https://curl.haxx.se/mail/lib-2020-04/0021.html Closes #5246