aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2019-07-25easy: resize receive buffer on easy handle resetJay Satiro
- In curl_easy_reset attempt to resize the receive buffer to its default size. If realloc fails then continue using the previous size. Prior to this change curl_easy_reset did not properly handle resetting the receive buffer (data->state.buffer). It reset the variable holding its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) but then did not actually resize the buffer. If a user resized the buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the default, later called curl_easy_reset and attempted to reuse the handle then a heap overflow would very likely occur during that handle's next transfer. Reported-by: Felix Hädicke Fixes https://github.com/curl/curl/issues/4143 Closes https://github.com/curl/curl/pull/4145
2019-07-25ssh-libssh: do not specify O_APPEND when not in append modeFelix Hädicke
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not make much sense. And this combination of flags is not accepted by all SFTP servers (at least not Apache SSHD). Fixes #4147 Closes #4148
2019-07-25multi: call detach_connection before Curl_disconnectGergely Nagy
Curl_disconnect bails out if conn->easyq is not empty, detach_connection needs to be called first to remove the current easy from the queue. Fixes #4144 Closes #4151
2019-07-21HTTP3: initial (experimental) supportDaniel Stenberg
USe configure --with-ngtcp2 or --with-quiche Using either option will enable a HTTP3 build. Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> Closes #3500
2019-07-20curl_version_info: provide nghttp2 detailsDaniel Stenberg
Introducing CURLVERSION_SIXTH with nghttp2 info. Closes #4121
2019-07-19source: remove names from source commentsDaniel Stenberg
Several reasons: - we can't add everyone who's helping out so its unfair to just a few selected ones. - we already list all helpers in THANKS and in RELEASE-NOTES for each release - we don't want to give the impression that some parts of the code is "owned" or "controlled" by specific persons Assisted-by: Daniel Gustafsson Closes #4129
2019-07-19progress: make the progress meter appear againDaniel Stenberg
Fix regression caused by 21080e1 Reported-by: Chih-Hsuan Yen Fixes #4122 Closes #4124
2019-07-17nss: inspect returnvalue of token checkDaniel Gustafsson
PK11_IsPresent() checks for the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out. Closes https://github.com/curl/curl/pull/4110
2019-07-17libcurl: Restrict redirect schemes (follow-up)Jay Satiro
- Allow FTPS on redirect. - Update default allowed redirect protocols in documentation. Follow-up to 6080ea0. Ref: https://github.com/curl/curl/pull/4094 Closes https://github.com/curl/curl/pull/4115
2019-07-14libcurl: Restrict redirect schemesLinos Giannopoulos
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts. For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload. Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> Closes #4094
2019-07-14openssl: define HAVE_SSL_GET_SHUTDOWN based on version numberZenju
Closes #4100
2019-07-14http: allow overriding timecond with custom headerPeter Simonyi
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. If-Modified-Since). Allow this to be replaced or suppressed with CURLOPT_HTTPHEADER. Fixes #4103 Closes #4109
2019-07-11smb: Use the correct error code for access denied on file openJuergen Hoetzel
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. Closes https://github.com/curl/curl/pull/4095
2019-07-11system_win32: fix clang warningGisle Vanem
- Declare variable in header as extern. Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
2019-07-10headers: Remove no longer exported functionsDaniel Gustafsson
There were a leftover few prototypes of Curl_ functions that we used to export but no longer do, this removes those prototypes and cleans up any comments still referring to them. Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. For the remainder, I didn't trawl the Git logs hard enough to capture their exact time of deletion, but they were all gone: Curl_splayprint(), Curl_http2_send_request(), Curl_global_host_cache_dtor(), Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), Curl_http_auth_stage() and Curl_close_connections(). Closes #4096 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-07-08cleanup: fix typo in commentDaniel Gustafsson
2019-07-06nss: support using libnss on macOSDaniel Gustafsson
The file suffix for dynamically loadable objects on macOS is .dylib, which need to be added for the module definitions in order to get the NSS TLS backend to work properly on macOS. Closes https://github.com/curl/curl/pull/4046
2019-07-06nss: don't set unused parameterDaniel Gustafsson
The value of the maxPTDs parameter to PR_Init() has since at least NSPR 2.1, which was released sometime in 1998, been marked ignored as is accordingly not used in the initialization code. Setting it to a value when calling PR_Init() is thus benign, but indicates an intent which may be misleading. Reset the value to zero to improve clarity. Closes https://github.com/curl/curl/pull/4054
2019-07-06nss: only cache valid CRL entriesDaniel Gustafsson
Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053
2019-07-06lib: Use UTF-8 encoding in commentsGergely Nagy
Some editors and IDEs assume that source files use UTF-8 file encodings. It also fixes the build with MSVC when /utf-8 command line option is used (this option is mandatory for some other open-source projects, this is useful when using the same options is desired for building all libraries of a project). Closes https://github.com/curl/curl/pull/4087
2019-06-30docs: Fix links to OpenSSL docsJay Satiro
OpenSSL changed their manual locations and does not redirect to the new locations. Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html Reported-by: Daniel Stenberg
2019-06-26openssl: disable engine if OPENSSL_NO_UI_CONSOLE is definedDaniel Stenberg
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP"). Reported-by: Vasily Lobaskin Fixes #4073 Closes #4077
2019-06-25win32: make DLL loading a no-op for UWPDaniel Stenberg
Reported-by: Michael Brehm Fixes #4060 Closes #4072
2019-06-24http: clarify header buffer size calculationDaniel Gustafsson
The header buffer size calculation can from static analysis seem to overlow as it performs an addition between two size_t variables and stores the result in a size_t variable. Overflow is however guarded against elsewhere since the input to the addition is regulated by the maximum read buffer size. Clarify this with a comment since the question was asked. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-24http2: call done_sending on end of uploadDaniel Stenberg
To make sure a HTTP/2 stream registers the end of stream. Bug #4043 made me find this problem but this fix doesn't correct the reported issue. Closes #4068
2019-06-24c-ares: honor port numbers in CURLOPT_DNS_SERVERSJames Brown
By using ares_set_servers_ports_csv on new enough c-ares. Fixes #4066 Closes #4067
2019-06-23multi: enable multiplexing by default (again)Daniel Stenberg
It was originally made default in d7c4213bd0c (7.62.0) but mistakenly reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. Closes #4051
2019-06-21http2: don't call stream-close on already closed streamsDaniel Stenberg
Closes #4055
2019-06-20system_win32: fix typoGisle Vanem
2019-06-18configure: --disable-progress-meterDaniel Stenberg
Builds libcurl without support for the built-in progress meter. Closes #4023
2019-06-18netrc: Return the correct error code when out of memorySteve Holme
Introduced in 763c5178. Closes #4036
2019-06-18config-os400: add getpeername and getsockname definesDaniel Stenberg
Reported-by: jonrumsey on github Fixes #4037 Closes #4039
2019-06-18openssl: fix pubkey/signature algorithm detection in certinfoGergely Nagy
Certinfo gives the same result for all OpenSSL versions. Also made printing RSA pubkeys consistent with older versions. Reported-by: Michael Wallner Fixes #3706 Closes #4030
2019-06-17conn_maxage: move the check to prune_dead_connections()Daniel Stenberg
... and avoid the locking issue. Reported-by: Kunal Ekawde Fixes #4029 Closes #4032
2019-06-17openssl: remove outdated commentDaniel Gustafsson
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), which is why we switched to CONF_modules_load_file() and introduced a comment stating why. This behavior was however changed in OpenSSL commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now outdated and incorrect comment. The mentioned commit also declares OPENSSL_config() deprecated so keep the current coding. Closes #4033 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-16os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.Patrick Monnerat
Use it in curl_easy_setopt_ccsid(). Reported-by: jonrumsey on github Fixes #3833 Closes #4028
2019-06-14multi: fix the transfer hash functionDaniel Stenberg
Follow-up from 8b987cc7eb Reported-by: Tom van der Woerdt Fixes #4018 Closes #4024
2019-06-13krb5: fix compiler warningMarcel Raad
Even though the variable was used in a DEBUGASSERT, GCC 8 warned in debug mode: krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] Just suppress the warning and declare the variable unconditionally instead of only for DEBUGBUILD (which also missed the check for HAVE_ASSERT_H). Closes https://github.com/curl/curl/pull/4020
2019-06-12multi: fix the transfer hashes in the socket hash entriesDaniel Stenberg
- The transfer hashes weren't using the correct keys so removing entries failed. - Simplified the iteration logic over transfers sharing the same socket and they now simply are set to expire and thus get handled in the "regular" timer loop instead. Reported-by: Tom van der Woerdt Fixes #4012 Closes #4014
2019-06-12url: Fix CURLOPT_MAXAGE_CONN time comparisonCliff Crosland
Old connections are meant to expire from the connection cache after CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x that value. This occurs because a time value measured in milliseconds is accidentally divided by 1M instead of by 1,000. Closes https://github.com/curl/curl/pull/4013
2019-06-11http2: remove CURL_DISABLE_TYPECHECK defineDaniel Stenberg
... in http2-less builds as it served no use.
2019-06-11wolfssl: fix key pinning build errorDaniel Stenberg
follow-up from deb9462ff2de8
2019-06-10wolfssl: fixup for SNI useDaniel Stenberg
follow-up from deb9462ff2de8 Closes #4007
2019-06-10wolfssl: refer to it as wolfSSL onlyDaniel Stenberg
Remove support for, references to and use of "cyaSSL" from the source and docs. wolfSSL is the current name and there's no point in keeping references to ancient history. Assisted-by: Daniel Gustafsson Closes #3903
2019-06-10bindlocal: detect and avoid IP version mismatches in bind()Daniel Stenberg
Reported-by: Alex Grebenschikov Fixes #3993 Closes #4002
2019-06-10multi: make sure 'data' can present in several sockhash entriesDaniel Stenberg
Since more than one socket can be used by each transfer at a given time, each sockhash entry how has its own hash table with transfers using that socket. In addition, the sockhash entry can now be marked 'blocked = TRUE'" which then makes the delete function just set 'removed = TRUE' instead of removing it "for real", as a way to not rip out the carpet under the feet of a parent function that iterates over the transfers of that same sockhash entry. Reported-by: Tom van der Woerdt Fixes #3961 Fixes #3986 Fixes #3995 Fixes #4004 Closes #3997
2019-06-09unpause: trigger a timeout for event-based transfersDaniel Stenberg
... so that timeouts or other state machine actions get going again after a changing pause state. For example, if the last delivery was paused there's no pending socket activity. Reported-by: sstruchtrup on github Fixes #3994 Closes #4001
2019-06-05build: fix Codacy warningsMarcel Raad
Reduce variable scopes and remove redundant variable stores. Closes https://github.com/curl/curl/pull/3975
2019-06-04ssl: Update outdated "openssl-only" comments for supported backendsFrank Gevaerts
These are for features that used to be openssl-only but were expanded over time to support other SSL backends. Closes #3985
2019-06-02NTLM: reset proxy "multipass" state when CONNECT request is doneSergey Ogryzkov
Closes #3972