path: root/lib
Age | Commit message | Author
2018-12-14 | darwinssl: accept setting max-tls with default min-tls | Daniel Stenberg
Reported-by: Andrei Neculau Fixes #3367 Closes #3373
2018-12-13 | gopher: fix memory leak from 9026083ddb2a9 | Daniel Stenberg
2018-12-13 | gopher: always include the entire gopher-path in request | Leonardo Taccari
After the migration to URL API all octets in the selector after the first `?' were interpreted as query and accidentally discarded and not passed to the server. Add a gopherpath to always concatenate possible path and query URL pieces. Fixes #3369 Closes #3370
2018-12-13 | urlapi: distinguish possibly empty query | Leonardo Taccari
If just a `?' to indicate the query is passed, always store a zero length query instead of having a NULL query. This permits distinguishing a URL with a trailing `?'. Fixes #3369 Closes #3370
2018-12-13 | cookies: leave secure cookies alone | Daniel Gustafsson
Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins influencing the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 | urlapi: Fix port parsing of eol colon | Daniel Gustafsson
A URL with a single colon without a portnumber should use the default port, discarding the colon. Fix, add a testcase and also do a little bit of comment wordsmithing. Closes #3365 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 | Curl_follow: extract the Location: header field unvalidated | Daniel Stenberg
... when not actually following the redirect. Otherwise we return error for this and an application can't extract the value. Test 1518 added to verify. Reported-by: Pavel Pavlov Fixes #3340 Closes #3364
2018-12-11 | multi: convert two timeout variables to timediff_t | Daniel Stenberg
The time_t type is unsigned on some systems and these variables are used to hold return values from functions that return timediff_t already. timediff_t is always a signed type. Closes #3363
2018-12-11 | tests: add urlapi unittest | Daniel Gustafsson
This adds a new unittest intended to cover the internal functions in the urlapi code, starting with parse_port(). In order to avoid name collisions in debug builds, parse_port() is renamed Curl_parse_port() since it will be exported. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 | urlapi: fix portnumber parsing for ipv6 zone index | Daniel Gustafsson
An IPv6 URL which contains a zone index includes a '%%25<zone id>' string before the ending ']' bracket. The parsing logic wasn't set up to cope with the zone index however, resulting in a malformed url error being returned. Fix by breaking the parsing into two stages to correctly handle the zone index. Closes #3355 Closes #3319 Reported-by: tonystz on Github Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 | http: fix HTTP auth to include query in URI | Jay Satiro
- Include query in the path passed to generate HTTP auth. Recent changes to use the URL API internally (46e1640, 7.62.0) inadvertently broke authentication URIs by omitting the query. Fixes https://github.com/curl/curl/issues/3353 Closes #3356
2018-12-11 | http: don't set CURLINFO_CONDITION_UNMET for http status code 204 | Michael Kaufmann
The http status code 204 (No Content) should not change the "condition unmet" flag. Only the http status code 304 (Not Modified) should do this. Closes #359
2018-12-11 | ldap: fix LDAP URL parsing regressions | Samuel Surtees
- Match URL scheme with LDAP and LDAPS - Retrieve attributes, scope and filter from URL query instead Regression brought in 46e164069d1a5230 (7.62.0) Closes #3362
2018-12-10 | (lib)curl.rc: fixup for minor bugs | Stefan Kanthak
All resources defined in lib/libcurl.rc and curl.rc are language neutral. winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong. Replace the hard-coded constants in both *.rc files with #define'd values. Thumbs-uped-by: Rod Widdowson, Johannes Schindelin URL: https://curl.haxx.se/mail/lib-2018-11/0000.html Closes #3348
2018-12-09 | cookies: expire "Max-Age=0" immediately | Daniel Stenberg
Reported-by: Jeroen Ooms Fixes #3351 Closes #3352
2018-12-08 | Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1 | Johannes Schindelin
This is a companion patch to cbea2fd2c (NTLM: force the connection to HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1 preemptively. However, with other (Negotiate) authentication it is not clear to this developer whether there is a way to make it work with HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the error HTTP_1_1_REQUIRED. Note: we will still keep the NTLM workaround, as it avoids an extra round trip. Daniel Stenberg helped a lot with this patch, in particular by suggesting to introduce the Curl_h2_http_1_1_error() function. Closes #3349 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 | openssl: fix unused variable compiler warning with old openssl | Ben Greear
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html Closes #3347
2018-12-07 | NTLM: force the connection to HTTP/1.1 | Johannes Schindelin
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces the capability. However, NTLM authentication only works with HTTP/1.1, and will likely remain in that boat (for details, see https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported). When we just found out that we want to use NTLM, and when the current connection runs in HTTP/2 mode, let's force the connection to be closed and to be re-opened using HTTP/1.1. Fixes https://github.com/curl/curl/issues/3341. Closes #3345 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 | curl_global_sslset(): id == -1 is not necessarily an error | Johannes Schindelin
It is allowed to call that function with id set to -1, specifying the backend by the name instead. We should imitate what is done further down in that function to allow for that. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes #3346
2018-12-06 | doh: fix memory leak in OOM situation | Daniel Stenberg
Reviewed-by: Daniel Gustafsson Closes #3342
2018-12-05 | doh: make it work for h2-disabled builds too | Daniel Stenberg
Reported-by: dtmsecurity at github Fixes #3325 Closes #3336
2018-12-05 | openssl: do not use file BIOs if not requested | Gergely Nagy
Moves the file handling BIO calls to the branch of the code where they are actually used. Closes #3339
2018-12-05 | nss: Fix compatibility with nss versions 3.14 to 3.15 | Paul Howarth
2018-12-05 | nss: Improve info message when falling back SSL protocol | Paul Howarth
Use descriptive text strings rather than decimal numbers.
2018-12-05 | nss: Fall back to latest supported SSL version | Paul Howarth
NSS may be built without support for the latest SSL/TLS versions, leading to "SSL version range is not valid" errors when the library code supports a recent version (e.g. TLS v1.3) but it has explicitly been disabled. This change adjusts the maximum SSL version requested by libcurl to be the maximum supported version at runtime, as long as that version is at least as high as the minimum version required by libcurl. Fixes #3261
2018-12-03 | checksrc: add COPYRIGHTYEAR check | Daniel Gustafsson
Forgetting to bump the year in the copyright clause when hacking has been quite common among curl developers, but a traditional checksrc check isn't a good fit as it would penalize anyone hacking on January 1st (among other things). This adds a more selective COPYRIGHTYEAR check which intends to only cover the currently hacked on changeset. The check for updated copyright year is currently not enforced on all files but only on files edited and/or committed locally. This is due to the amount of files which aren't updated with their correct copyright year at the time of their respective commit. To further avoid running this expensive check for every developer, it adds a new local override mode for checksrc where a .checksrc file can be used to turn on extended warnings locally. Closes #3303 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-29 | connect: fix building for recent versions of Minix | Sevan Janiyan
EBADIOCTL doesn't exist on more recent Minix. There have also been substantial changes to the network stack. Fixes build on Minix 3.4rc Closes https://github.com/curl/curl/pull/3323
2018-11-26 | doh: fix typo in infof call | Daniel Gustafsson
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-25 | curl_easy_perform: fix timeout handling | Daniel Stenberg
curl_multi_wait() was erroneously used from within curl_easy_perform(). It could lead to it believing there was no socket to wait for and then instead sleep for a while instead of monitoring the socket and then miss acting on that activity as swiftly as it should (causing an up to 1000 ms delay). Reported-by: Antoni Villalonga Fixes #3305 Closes #3306 Closes #3308
2018-11-23 | cookies: create the cookiejar even if no cookies to save | Daniel Stenberg
Important for when the file is going to be read again and thus must not contain old contents! Adds test 327 to verify. Reported-by: daboul on github Fixes #3299 Closes #3300
2018-11-23 | checksrc: ban snprintf use, add command line flag to override warns | Daniel Stenberg
2018-11-23 | snprintf: renamed and we now only use msnprintf() | Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be misled into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-22 | host names: allow trailing dot in name resolve, then strip it | Tobias Hintze
Delays stripping of trailing dots to after resolving the hostname. Fixes #3022 Closes #3222
2018-11-21 | openssl: support session resume with TLS 1.3 | Michael Kaufmann
Session resumption information is not available immediately after a TLS 1.3 handshake. The client must wait until the server has sent a session ticket. Use OpenSSL's "new session" callback to get the session information and put it into curl's session cache. For TLS 1.3 sessions, this callback will be invoked after the server has sent a session ticket. The "new session" callback is invoked only if OpenSSL's session cache is enabled, so enable it and use the "external storage" mode which lets curl manage the contents of the session cache. A pointer to the connection data and the sockindex are now saved as "SSL extra data" to make them available to the callback. This approach also works for old SSL/TLS versions and old OpenSSL versions. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Fixes #3202 Closes #3271
2018-11-21 | ssl: fix compilation with OpenSSL 0.9.7 | Michael Kaufmann
- ENGINE_cleanup() was used without including "openssl/engine.h" - enable engine support for OpenSSL 0.9.7 Closes #3266
2018-11-21 | openssl: disable TLS renegotiation with BoringSSL | Daniel Stenberg
Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this. Concern-raised-by: David Benjamin Fixes #3283 Closes #3293
2018-11-20 | ares: remove fd from multi fd set when ares is about to close the fd | Romain Fliedel
When using c-ares for asyn dns, the dns socket fd was silently closed by c-ares without curl being aware. curl would then 'realize' the fd has been removed at next call of Curl_resolver_getsock, and only then notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with CURL_POLL_REMOVE. At this point the fd is already closed. By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this patch allows curl to be notified that the fd is no longer needed for either write or read. At this point by calling Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE before the fd is actually closed by ares. In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore since it does not allow passing a different sock_state_cb_data. Closes #3238
2018-11-20 | ntlm: Remove redundant ifdef USE_OPENSSL | pkubaj
lib/curl_ntlm.c had code that read as follows:

    #ifdef USE_OPENSSL
    # ifdef USE_OPENSSL
    # else
    # ..
    # endif
    #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to reach it anyway). The removed construction is a leftover from when the SSLeay support was removed. Closes #3269 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 | ssl: replace all internal uses of CURLE_SSL_CACERT | Han Han
Closes #3291
2018-11-17 | openssl: Remove SSLEAY leftovers | Daniel Gustafsson
Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't compatible with the SSLeay library. This removes the few leftovers that were omitted in the less frequently used platform targets. Closes #3270 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-16 | http_negotiate: do not close connection until negotiation is completed | Elia Tufarolo
Fix HTTP POST using CURLAUTH_NEGOTIATE. Closes #3275
2018-11-16 | pop3: only do APOP with a valid timestamp | Daniel Stenberg
Brought-by: bobmitchell1956 on github Fixes #3278 Closes #3279
2018-11-16 | openssl: do not log excess "TLS app data" lines for TLS 1.3 | Peter Wu
The SSL_CTX_set_msg_callback callback is not just called for the Handshake or Alert protocols, but also for the raw record header (SSL3_RT_HEADER) and the decrypted inner record type (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted handshake/alert messages will be present anyway.) Closes https://github.com/curl/curl/pull/3281
2018-11-13 | nss: remove version selecting dead code | Kamil Dudka
Closes #3262
2018-11-13 | nss: set default max-tls to 1.3/1.2 | Daniel Stenberg
Fixes #3261
2018-11-12 | nss: fix fallthrough comment to fix picky compiler warning | Daniel Stenberg
2018-11-09 | ftp: avoid two unsigned int overflows in FTP listing parser | Tim Rühsen
Curl_ftp_parselist: avoid unsigned integer overflows The overflow has no real world impact, just avoid it for "best practice". Closes #3225
2018-11-09 | openssl: support BoringSSL TLS renegotiation | Jérémy Rocher
As per BoringSSL porting documentation [1], BoringSSL rejects peer renegotiations by default. curl fails when trying to authenticate to server through client certificate if it is requested by server after the initial TLS handshake. Enable renegotiation by default with BoringSSL to get same behavior as with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] which was introduced in commit 1d5ef3bb1eb9 [3].
1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86
Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> Fixes #3258 Closes #3259
2018-11-09 | setopt: add CURLOPT_CURLU | Jim Fuller
Allows an application to pass in a pre-parsed URL via a URL handle. Closes #3227
2018-11-07 | winssl: be consistent in Schannel capitalization | Daniel Gustafsson
The productname from Microsoft is "Schannel", but in infof/failf reporting we use "schannel". This removes different versions. Closes #3243 Reviewed-by: Daniel Stenberg <daniel@haxx.se>