aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2019-03-14Negotiate: fix for HTTP POST with NegotiateDominik Hölzl
* Adjusted unit tests 2056, 2057 * do not generally close connections with CURLAUTH_NEGOTIATE after every request * moved negotiatedata from UrlState to connectdata * Added stream rewind logic for CURLAUTH_NEGOTIATE * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC * Consider authproblem state for CURLAUTH_NEGOTIATE * Consider reuse_forbid for CURLAUTH_NEGOTIATE * moved and adjusted negotiate authentication state handling from output_auth_headers into Curl_output_negotiate * Curl_output_negotiate: ensure auth done is always set * Curl_output_negotiate: Set auth done also if result code is GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may also indicate the last challenge request (only works with disabled Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) * Consider "Persistent-Auth" header, detect if not present; Reset/Cleanup negotiate after authentication if no persistent authentication * apply changes introduced with #2546 for negotiate rewind logic Fixes #1261 Closes #1975
2019-03-13http: send payload when (proxy) authentication is doneMarc Schlatter
The check that prevents payload from sending in case of authentication doesn't check properly if the authentication is done or not. They're cases where the proxy respond "200 OK" before sending authentication challenge. This change takes care of that. Fixes #2431 Closes #3669
2019-03-12file: fix "Checking if unsigned variable 'readcount' is less than zero."Daniel Stenberg
Pointed out by codacy Closes #3672
2019-03-12memdebug: log pointer before freeing its dataDaniel Stenberg
Coverity warned for two potentional "Use after free" cases. Both are false positives because the memory wasn't used, it was only the actual pointer value that was logged. The fix still changes the order of execution to avoid the warnings. Coverity CID 1443033 and 1443034 Closes #3671
2019-03-11multi: removed unused code for request retriesDaniel Stenberg
This code was once used for the non multi-interface using code path, but ever since easy_perform was turned into a wrapper around the multi interface, this code path never runs. Closes #3666
2019-03-11doh: inherit some SSL options from user's easy handleJay Satiro
- Inherit SSL options for the doh handle but not SSL client certs, SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, SSL pinned public key, SSL ciphers, SSL id cache setting, SSL kerberos or SSL gss-api settings. - Fix inheritance of verbose setting. - Inherit NOSIGNAL. There is no way for the user to set options for the doh (DNS-over-HTTPS) handles and instead we inherit some options from the user's easy handle. My thinking for the SSL options not inherited is they are most likely not intended by the user for the DOH transfer. I did inherit insecure because I think that should still be in control of the user. Prior to this change doh did not work for me because CAINFO was not inherited. Also verbose was set always which AFAICT was a bug (#3660). Fixes https://github.com/curl/curl/issues/3660 Closes https://github.com/curl/curl/pull/3661
2019-03-09Revert "cookies: extend domain checks to non psl builds"Daniel Stenberg
This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. Regression shipped in 7.64.0 Fixes #3649
2019-03-08memdebug: make debug-specific functions use curl_dbg_ prefixDaniel Stenberg
To not "collide" or use up the regular curl_ name space. Also makes them easier to detect in helper scripts. Closes #3656
2019-03-05source: fix two 'nread' may be used uninitialized warningsDaniel Stenberg
Both seem to be false positives but we don't like warnings. Closes #3646
2019-03-05gopher: remove check for path == NULLDaniel Stenberg
Since it can't be NULL and it makes Coverity believe we lack proper NULL checks. Verified by test 659, landed in commit 15401fa886b. Pointed out by Coverity CID 1442746. Assisted-by: Dan Fandrich Fixes #3617 Closes #3642
2019-03-05ssh: loop the state machine if not done and not blockingDaniel Stenberg
If the state machine isn't complete, didn't fail and it didn't return due to blocking it can just as well loop again. This addresses the problem with SFTP directory listings where we would otherwise return back to the parent and as the multi state machine doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the doing phase isn't complete, it would return out when in reality there was more data to deal with. Fixes #3506 Closes #3644
2019-03-05multi: support verbose conncache closure handleJay Satiro
- Change closure handle to receive verbose setting from the easy handle most recently added via curl_multi_add_handle. The closure handle is a special easy handle used for closing cached connections. It receives limited settings from the easy handle most recently added to the multi handle. Prior to this change that did not include verbose which was a problem because on connection shutdown verbose mode was not acknowledged. Ref: https://github.com/curl/curl/pull/3598 Co-authored-by: Daniel Stenberg Closes https://github.com/curl/curl/pull/3618
2019-03-04CURLU: fix NULL dereference when used over proxyDaniel Stenberg
Test 659 verifies Also fixed the test 658 name Closes #3641
2019-03-03altsvc_out: check the return code from Curl_gmtimeDaniel Stenberg
Pointed out by Coverity, CID 1442956. Closes #3640
2019-03-03alt-svc: add test 355 and 356 to verify with command line curlDaniel Stenberg
2019-03-03alt-svc: the libcurl bitsDaniel Stenberg
2019-03-02gnutls: remove call to deprecated gnutls_compression_get_nameDaniel Stenberg
It has been deprecated by GnuTLS since a year ago and now causes build warnings. Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html Closes #3636
2019-03-02system_win32: move win32_init here from easy.cJay Satiro
.. since system_win32 is a more appropriate location for the functions and to extern the globals. Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 Reported-by: Gisle Vanem Closes https://github.com/curl/curl/pull/3625
2019-03-01urldata: simplify bytecountersDaniel Stenberg
- no need to have them protocol specific - no need to set pointers to them with the Curl_setup_transfer() call - make Curl_setup_transfer() operate on a transfer pointer, not connection - switch some counters from long to the more proper curl_off_t type Closes #3627
2019-03-01threaded-resolver: shutdown the resolver thread without error messageDaniel Stenberg
When a transfer is done, the resolver thread will be brought down. That could accidentally generate an error message in the error buffer even though this is not an error situationand the transfer would still return OK. An application that still reads the error buffer could find a "Could not resolve host: [host name]" message there and get confused. Reported-by: Michael Schmid Fixes #3629 Closes #3630
2019-03-01ssh: fix Condition '!status' is always trueDaniel Stenberg
in the same sftp_done function in both SSH backends. Simplify them somewhat. Pointed out by Codacy. Closes #3628
2019-02-28Curl_easy: remove req.maxfd - never used!Daniel Stenberg
Introduced in 8b6314ccfb, but not used anymore in current code. Unclear since when. Closes #3626
2019-02-28http: set state.infilesize when sending formpostsDaniel Stenberg
Without it set, we would unwillingly triger the "HTTP error before end of send, stop sending" condition even if the entire POST body had been sent (since it wouldn't know the expected size) which would unnecessarily log that message and close the connection when it didn't have to. Reported-by: Matt McClure Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html Closes #3624
2019-02-28Secure Transport: no more "darwinssl"Daniel Stenberg
Everyone calls it Secure Transport, now we do too. Reviewed-by: Nick Zitzmann Closes #3619
2019-02-27cookies: only save the cookie file if the engine is enabledDaniel Stenberg
Follow-up to 8eddb8f4259. If the cookieinfo pointer is NULL there really is nothing to save. Without this fix, we got a problem when a handle was using shared object with cookies and is told to "FLUSH" it to file (which worked) and then the share object was removed and when the easy handle was closed just afterwards it has no cookieinfo and no cookies so it decided to save an empty jar (overwriting the file just flushed). Test 1905 now verifies that this works. Assisted-by: Michael Wallner Assisted-by: Marcel Raad Closes #3621
2019-02-27urldata: convert bools to bitfields and move to endDaniel Stenberg
This allows the compiler to pack and align the structs better in memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. Removed an unused struct field. No functionality changes. Closes #3610
2019-02-26strerror: make the strerror function use local buffersDaniel Stenberg
Instead of using a fixed 256 byte buffer in the connectdata struct. In my build, this reduces the size of the connectdata struct by 11.8%, from 2160 to 1904 bytes with no functionality or performance loss. This also fixes a bug in schannel's Curl_verify_certificate where it called Curl_sspi_strerror when it should have called Curl_strerror for string from GetLastError. the only effect would have been no text or the wrong text being shown for the error. Co-authored-by: Jay Satiro Closes #3612
2019-02-26cookies: fix NULL dereference if flushing cookies with no CookieInfo setMichael Wallner
Regression brought by a52e46f3900fb0 (shipped in 7.63.0) Closes #3613
2019-02-25OpenSSL: add support for TLS ASYNC stateBernd Mueller
Closes #3591
2019-02-25schannel: support CALG_ECDH_EPHEM algorithmgeorgeok
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange algorithm option when selecting ciphers. This became available on the Win10 SDK. Closes https://github.com/curl/curl/pull/3608
2019-02-24multi: call multi_done on connect timeoutsDaniel Stenberg
Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get updated correctly and could end up getting reported to the application completely wrong (way too small). Reported-by: accountantM on github Fixes #3602 Closes #3605
2019-02-23wolfssl: stop custom-adding curvesDaniel Stenberg
since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in wolfSSL 3.10.2 and later) it sends these curves by default already. Pointed-out-by: David Garske Closes #3599
2019-02-22configure: remove the unused fdopen macroDaniel Stenberg
and the two remaining #ifdefs for it Closes #3600
2019-02-22url: change conn shutdown order to unlink data as last stepJay Satiro
- Split off connection shutdown procedure from Curl_disconnect into new function conn_shutdown. - Change the shutdown procedure to close the sockets before disassociating the transfer. Prior to this change the sockets were closed after disassociating the transfer so SOCKETFUNCTION wasn't called since the transfer was already disassociated. That likely came about from recent work started in Jan 2019 (#3442) to separate transfers from connections. Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html Reported-by: Pavel Löbl Closes https://github.com/curl/curl/issues/3597 Closes https://github.com/curl/curl/pull/3598
2019-02-22Fix strict-prototypes GCC warningMarcel Raad
As seen in the MinGW autobuilds. Caused by commit f26bc29cfec0be84c67cf74065cf8e5e78fd68b7.
2019-02-20http2: verify :athority in push promise requestsDaniel Stenberg
RFC 7540 says we should verify that the push is for an "authoritative" server. We make sure of this by only allowing push with an :athority header that matches the host that was asked for in the URL. Fixes #3577 Reported-by: Nicolas Grekas Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html Closes #3581
2019-02-20singlesocket: fix the 'sincebefore' placementDaniel Stenberg
The variable wasn't properly reset within the loop and thus could remain set for sockets that hadn't been set before and miss notifying the app. This is a follow-up to 4c35574 (shipped in curl 7.64.0) Reported-by: buzo-ffm on github Detected-by: Jan Alexander Steffens Fixes #3585 Closes #3589
2019-02-19connection: never reuse CONNECT_ONLY conectionsDaniel Stenberg
and make CONNECT_ONLY conections never reuse any existing ones either. Reported-by: Pavel Löbl Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html Closes #3586
2019-02-19x509asn1: cleanup and unify code layoutDaniel Stenberg
- rename 'n' to buflen in functions, and use size_t for them. Don't pass in negative buffer lengths. - move most function comments to above the function starts like we use to - remove several unnecessary typecasts (especially of NULL) Reviewed-by: Patrick Monnerat Closes #3582
2019-02-19http: make adding a blank header thread-safeDaniel Stenberg
Previously the function would edit the provided header in-place when a semicolon is used to signify an empty header. This made it impossible to use the same set of custom headers in multiple threads simultaneously. This approach now makes a local copy when it needs to edit the string. Reported-by: d912e3 on github Fixes #3578 Closes #3579
2019-02-18rand: Fix a mismatch between comments in source and header.Frank Gevaerts
Reported-by: Björn Stenberg <bjorn@haxx.se> Closes #3584
2019-02-18x509asn1: replace single char with an arrayPatrick Monnerat
Although safe in this context, using a single char as an array may cause invalid accesses to adjacent memory locations. Detected by Coverity.
2019-02-18easy: fix win32 init to work without CURL_GLOBAL_WIN32Jay Satiro
- Change the behavior of win32_init so that the required initialization procedures are not affected by CURL_GLOBAL_WIN32 flag. libcurl via curl_global_init supports initializing for win32 with an optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop Winsock initialization. It did so internally by skipping win32_init() when that flag was set. Since then win32_init() has been expanded to include required initialization routines that are separate from Winsock and therefore must be called in all cases. This commit fixes it so that CURL_GLOBAL_WIN32 only controls the optional win32 initialization (which is Winsock initialization, according to our doc). The only users affected by this change are those that don't pass CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the risk of a potential crash. Ref: https://github.com/curl/curl/pull/3573 Fixes https://github.com/curl/curl/issues/3313 Closes https://github.com/curl/curl/pull/3575
2019-02-17cookie: Add support for cookie prefixesDaniel Gustafsson
The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes and how they should affect cookie initialization, which has been adopted by the major browsers. This adds support for the two prefixes defined, __Host- and __Secure, and updates the testcase with the supplied examples from the draft. Closes #3554 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-16mbedtls: release sessionid resources on errorDaniel Gustafsson
If mbedtls_ssl_get_session() fails, it may still have allocated memory that needs to be freed to avoid leaking. Call the library API function to release session resources on this errorpath as well as on Curl_ssl_addsessionid() errors. Closes: #3574 Reported-by: Michał Antoniak <M.Antoniak@posnet.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-16version.c: silent scan-build even when librtmp is not enabledPatrick Monnerat
2019-02-15Curl_now: figure out windows version in win32_initDaniel Stenberg
... and avoid use of static variables that aren't thread safe. Fixes regression from e9ababd4f5a (present in the 7.64.0 release) Reported-by: Paul Groke Fixes #3572 Closes #3573
2019-02-14strip_trailing_dot: make sure NULL is never used for strlenDaniel Stenberg
scan-build warning: Null pointer passed as an argument to a 'nonnull' parameter
2019-02-14connection_check: restore original conn->data after the checkJay Satiro
- Save the original conn->data before it's changed to the specified data transfer for the connection check and then restore it afterwards. This is a follow-up to 38d8e1b 2019-02-11. History: It was discovered a month ago that before checking whether to extract a dead connection that that connection should be associated with a "live" transfer for the check (ie original conn->data ignored and set to the passed in data). A fix was landed in 54b201b which did that and also cleared conn->data after the check. The original conn->data was not restored, so presumably it was thought that a valid conn->data was no longer needed. Several days later it was discovered that a valid conn->data was needed after the check and follow-up fix was landed in bbae24c which partially reverted the original fix and attempted to limit the scope of when conn->data was changed to only when pruning dead connections. In that case conn->data was not cleared and the original conn->data not restored. A month later it was discovered that the original fix was somewhat correct; a "live" transfer is needed for the check in all cases because original conn->data could be null which could cause a bad deref at arbitrary points in the check. A fix was landed in 38d8e1b which expanded the scope to all cases. conn->data was not cleared and the original conn->data not restored. A day later it was discovered that not restoring the original conn->data may lead to busy loops in applications that use the event interface, and given this observation it's a pretty safe assumption that there is some code path that still needs the original conn->data. This commit is the follow-up fix for that, it restores the original conn->data after the connection check. Assisted-by: tholin@users.noreply.github.com Reported-by: tholin@users.noreply.github.com Fixes https://github.com/curl/curl/issues/3542 Closes #3559
2019-02-14memdebug: bring back curl_mark_scloseDaniel Stenberg
Used by debug builds with NSS. Reverted from 05b100aee247bb