aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2019-08-07quiche: flush egress in h3_stream_recv() tooDaniel Stenberg
2019-08-06sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZIDSteve Holme
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186
2019-08-06mesalink: implement client authenticationYiming Jing
Closes #4184
2019-08-06curl_multi_poll: a sister to curl_multi_wait() that waits moreDaniel Stenberg
Repeatedly we see problems where using curl_multi_wait() is difficult or just awkward because if it has no file descriptor to wait for internally, it returns immediately and leaves it to the caller to wait for a small amount of time in order to avoid occasional busy-looping. This is often missed or misunderstood, leading to underperforming applications. This change introduces curl_multi_poll() as a replacement drop-in function that accepts the exact same set of arguments. This function works identically to curl_multi_wait() - EXCEPT - for the case when there's nothing to wait for internally, as then this function will by itself wait for a "suitable" short time before it returns. This effectiely avoids all risks of busy-looping and should also make it less likely that apps "over-wait". This also changes the curl tool to use this funtion internally when doing parallel transfers and changes curl_easy_perform() to use it internally. Closes #4163
2019-08-06quiche:h3_stream_recv return 0 at end of streamDaniel Stenberg
... and remove some verbose messages we don't need. Made transfers from facebook.com work better.
2019-08-06altsvc: make quiche use h3-22 nowDaniel Stenberg
2019-08-06quiche: show the actual version numberDaniel Stenberg
2019-08-06quiche: first working HTTP/3 requestDaniel Stenberg
- enable debug log - fix use of quiche API - use download buffer - separate header/body Closes #4193
2019-08-06http09: disable HTTP/0.9 by default in both tool and libraryDaniel Stenberg
As the plan has been laid out in DEPRECATED. Update docs accordingly and verify in test 1174. Now requires the option to be set to allow HTTP/0.9 responses. Closes #4191
2019-08-05quiche: initial h3 request send/receiveDaniel Stenberg
2019-08-05lib/Makefile.am: make checksrc run in vquic tooDaniel Stenberg
2019-08-05altsvc: fix removal of expired cache entryDaniel Stenberg
Closes #4192
2019-08-04md4: Use our own MD4 implementation when no crypto libraries are availableSteve Holme
Closes #3780
2019-08-04md4: No need to include Curl_md4.h for each TLS librarySteve Holme
2019-08-04md4: No need for the NTLM code to call Curl_md4it() for each TLS librarySteve Holme
As the NTLM code no longer calls any of TLS libraries' specific MD4 functions, there is no need to call this function for each #ifdef.
2019-08-04md4: Move the mbed TLS MD4 implementation out of the NTLM codeSteve Holme
2019-08-04md4: Move the WinCrypt implementation out of the NTLM codeSteve Holme
2019-08-04md4: Move the SecureTransport implementation out of the NTLM codeSteve Holme
2019-08-04md4: Use the Curl_md4it() function for OpenSSL based NTLMSteve Holme
2019-08-04md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM codeSteve Holme
2019-08-04md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM codeSteve Holme
2019-08-04OS400: Add CURLOPT_H3 symbolsJay Satiro
Follow-up to 3af0e76 which added experimental H3 support. Closes https://github.com/curl/curl/pull/4185
2019-08-03url: make use of new HTTP version if alt-svc has oneDaniel Stenberg
2019-08-03url: set conn->transport to default TCP at init timeDaniel Stenberg
2019-08-03altsvc: with quiche, use the quiche h3 alpn stringDaniel Stenberg
Closes #4183
2019-08-03alt-svc: more liberal ALPN name parsingDaniel Stenberg
Allow pretty much anything to be part of the ALPN identifier. In particular minus, which is used for "h3-20" (in-progress HTTP/3 versions) etc. Updated test 356. Closes #4182
2019-08-02quiche: use the proper HTTP/3 ALPNDaniel Stenberg
2019-08-02quiche: add failf() calls for two error casesDaniel Stenberg
To aid debugging Closes #4181
2019-08-01http_negotiate: improve handling of gss_init_sec_context() failuresKamil Dudka
If HTTPAUTH_GSSNEGOTIATE was used for a POST request and gss_init_sec_context() failed, the POST request was sent with empty body. This commit also restores the original behavior of `curl --fail --negotiate`, which was changed by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. Add regression tests 2077 and 2078 to cover this. Fixes #3992 Closes #4171
2019-08-01timediff: make it 64 bit (if possible) even with 32 bit time_tDaniel Stenberg
... to make it hold microseconds too. Fixes #4165 Closes #4168
2019-07-31getenv: support up to 4K environment variable contents on windowsDaniel Stenberg
Reported-by: Michal Čaplygin Fixes #4174 Closes #4175
2019-07-31plan9: add support for running on Plan 9lufia
Closes #3701
2019-07-31ntlm: explicit type castinglufia
2019-07-30cleanup: remove the 'numsocks' argument used in many placesDaniel Stenberg
It was used (intended) to pass in the size of the 'socks' array that is also passed to these functions, but was rarely actually checked/used and the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries that should be used instead. Closes #4169
2019-07-30readwrite_data: repair setting the TIMER_STARTTRANSFER stampDaniel Stenberg
Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) Reported-by: Jonathan Cardoso Machado Assisted-by: Jay Satiro Fixes #4136 Closes #4162
2019-07-30asyn-thread: removed unused variableDaniel Stenberg
Follow-up to eb9a604f. Mistake caused by me when I edited the commit before push...
2019-07-30asyn-thread: create a socketpair to wait onamkatyal
Closes #4157
2019-07-29progress: reset download/uploaded counterDaniel Stenberg
... to make CURLOPT_MAX_RECV_SPEED_LARGE and CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that reuse the same handle. Fixed-by: Ironbars13 on github Fixes #4084 Closes #4161
2019-07-29http2_recv: trigger another read when the last data is returnedDaniel Stenberg
... so that end-of-stream is detected properly. Reported-by: Tom van der Woerdt Fixes #4043 Closes #4160
2019-07-29HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknownBalazs Kovacsics
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, automatically add a Transfer-Encoding: chunked header, same as it is already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update test 1514 according to the new behaviour. Closes #4138
2019-07-25easy: resize receive buffer on easy handle resetJay Satiro
- In curl_easy_reset attempt to resize the receive buffer to its default size. If realloc fails then continue using the previous size. Prior to this change curl_easy_reset did not properly handle resetting the receive buffer (data->state.buffer). It reset the variable holding its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) but then did not actually resize the buffer. If a user resized the buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the default, later called curl_easy_reset and attempted to reuse the handle then a heap overflow would very likely occur during that handle's next transfer. Reported-by: Felix Hädicke Fixes https://github.com/curl/curl/issues/4143 Closes https://github.com/curl/curl/pull/4145
2019-07-25ssh-libssh: do not specify O_APPEND when not in append modeFelix Hädicke
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not make much sense. And this combination of flags is not accepted by all SFTP servers (at least not Apache SSHD). Fixes #4147 Closes #4148
2019-07-25multi: call detach_connection before Curl_disconnectGergely Nagy
Curl_disconnect bails out if conn->easyq is not empty, detach_connection needs to be called first to remove the current easy from the queue. Fixes #4144 Closes #4151
2019-07-21HTTP3: initial (experimental) supportDaniel Stenberg
USe configure --with-ngtcp2 or --with-quiche Using either option will enable a HTTP3 build. Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> Closes #3500
2019-07-20curl_version_info: provide nghttp2 detailsDaniel Stenberg
Introducing CURLVERSION_SIXTH with nghttp2 info. Closes #4121
2019-07-19source: remove names from source commentsDaniel Stenberg
Several reasons: - we can't add everyone who's helping out so its unfair to just a few selected ones. - we already list all helpers in THANKS and in RELEASE-NOTES for each release - we don't want to give the impression that some parts of the code is "owned" or "controlled" by specific persons Assisted-by: Daniel Gustafsson Closes #4129
2019-07-19progress: make the progress meter appear againDaniel Stenberg
Fix regression caused by 21080e1 Reported-by: Chih-Hsuan Yen Fixes #4122 Closes #4124
2019-07-17nss: inspect returnvalue of token checkDaniel Gustafsson
PK11_IsPresent() checks for the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out. Closes https://github.com/curl/curl/pull/4110
2019-07-17libcurl: Restrict redirect schemes (follow-up)Jay Satiro
- Allow FTPS on redirect. - Update default allowed redirect protocols in documentation. Follow-up to 6080ea0. Ref: https://github.com/curl/curl/pull/4094 Closes https://github.com/curl/curl/pull/4115
2019-07-14libcurl: Restrict redirect schemesLinos Giannopoulos
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts. For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload. Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> Closes #4094