Age | Commit message (Collapse) | Author |
|
Fix theoretical integer overflow in Curl_auth_create_plain_message.
The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.
Closes #5391
|
|
Fine: "struct hello *world"
Not fine: "struct hello* world" (and variations)
Closes #5386
|
|
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
|
|
Since input passed to libcurl with CURLOPT_USERPWD and
CURLOPT_PROXYUSERPWD circumvents the regular string length check we have
in Curl_setstropt(), the input length limit is enforced in
Curl_parse_login_details too, separately.
Reported-by: Thomas Bouzerar
Closes #5383
|
|
Closes https://github.com/curl/curl/pull/5363
|
|
When looking for a protocol match among supported schemes, check the
most "popular" schemes first. It has zero functionality difference and
for all practical purposes a speed difference will not be measureable
but it still think it makes sense to put the least likely matches last.
"Popularity" based on the 2019 user survey.
Closes #5377
|
|
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting
(not tested).
|
|
Add three new CMake Find modules (using the curl license, but I grant
others the right to apply the CMake BSD license instead).
This CMake config is simpler than the autotools one because it assumes
ngtcp2 and nghttp3 to be used together. Another difference is that this
CMake config checks whether QUIC is actually supported by the TLS
library (patched OpenSSL or boringssl) since this can be a common
configuration mistake that could result in build errors later.
Unlike autotools, CMake does not warn you that the features are
experimental. The user is supposed to already know that and read the
documentation. It requires a very special build environment anyway.
Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from
current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure
out which features (libldap-2.4, libssh2) to disable due to conflicts
with boringssl.
Closes #5359
|
|
|
|
Closes #4346
|
|
Text 1560 is extended to verify.
Reported-by: Pavel Volgarev
Fixes #5344
Closes #5351
|
|
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other
instances of QuerySecurityPackageInfo failing, as in
commit 2a81439553286f12cd04a4bdcdf66d8e026d8201.
Closes #5355
|
|
If the QLOGDIR environment variable is set, enable qlogging.
... and create Curl_qlogdir() in the new generic vquic/vquic.c file for
QUIC functions that are backend independent.
Closes #5353
|
|
That return code is reserved for build-time conditional code not being
present while this was a regular run-time error from a Windows API.
Reported-by: wangp on github
Fixes #5349
Closes #5350
|
|
Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in
ed35d6590e72. This should make the trailer handling more straight forward and
hopefully less error-prone.
Deliver the trailer header to the callback already at receive-time. No
longer caches the trailers to get delivered at end of stream.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030
Closes #5348
|
|
In my very basic test that lists sftp://127.0.0.1/tmp/, this patched
code makes 161 allocations compared to 194 in git master. A 17%
reduction.
Closes #5336
|
|
quiche has the potential to log qlog files. To enable this, you must
build quiche with the qlog feature enabled `cargo build --features
qlog`. curl then passes a file descriptor to quiche, which takes
ownership of the file. The FD transfer only works on UNIX.
The convention is to enable logging when the QLOGDIR environment is
set. This should be a path to a folder where files are written with the
naming template <SCID>.qlog.
Co-authored-by: Lucas Pardue
Replaces #5337
Closes #5341
|
|
Follow-up to ed35d6590e72c
|
|
Closes #5335
|
|
Follow-up from dbd16c3e256c6c (regression in 7.70.0)
Closes #5334
|
|
|
|
Removes a 16K static buffer from the easy handle. Simplifies the code.
|
|
A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to them. Existing
functionality has been ported over.
In my early basic testing, the total number of allocations seem at
roughly the same amount as before, possibly a few less.
See docs/DYNBUF.md for a description of the API.
Closes #5300
|
|
... and instead convert those to asserts to make sure they are truly
never NULL.
Closes #5324
|
|
- Check for NULL entry parameter before attempting to deref entry in
Curl_resolver_is_resolved, like is already done in asyn-ares.
This is to silence cppcheck which does not seem to understand that
asyn-ares and asyn-thread have separate Curl_resolver_is_resolved
and those units are mutually exclusive. Prior to this change it warned
of a scenario where asyn-thread's Curl_resolver_is_resolved is called
with a NULL entry from asyn-ares, but that couldn't happen.
Reported-by: rl1987@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/5326
|
|
Follow-up to a96c752 which changed the timeout_ms type from time_t to
timediff_t.
Ref: https://github.com/curl/curl/pull/5240
Closes https://github.com/curl/curl/pull/5286
|
|
... as otherwise the progress callback gets called without that
information, making the progress meter have less info.
Reported-by: Murugan Balraj
Bug: https://curl.haxx.se/mail/archive-2020-05/0000.html
Closes #5317
|
|
Closes #5287
|
|
More connection cache accesses are protected by locks.
CONNCACHE_* is a beter prefix for the connection cache lock macros.
Curl_attach_connnection: now called as soon as there's a connection
struct available and before the connection is added to the connection
cache.
Curl_disconnect: now assumes that the connection is already removed from
the connection cache.
Ref: #4915
Closes #5009
|
|
White space edits only. Conform better to standard curl source code
indenting style.
Closes #5305
|
|
|
|
Closes #5306
|
|
... to avoid crashes!
Reported-by: Hao Wu
Fixes #5302
Closes #5303
|
|
|
|
Regression since 7.69.0 and 68fb25fa3fcff.
The code wrongly assigned 'from' instead of 'auth' which probably was a
copy and paste mistake from other code, leading to that auth could
remain NULL and later cause an error to be returned.
Assisted-by: Eric Sauvageau
Fixes #5294
Closes #5295
|
|
This fixes CodeFactor warnings.
|
|
Previously, options set explicitly through command line options could be
overridden by the configuration files parsed automatically when
ssh_connect() was called.
By calling ssh_options_parse_config() explicitly, the configuration
files are parsed before setting the options, avoiding the options
override. Once the configuration files are parsed, the automatic
configuration parsing is not executed.
Fixes #4972
Closes #5283
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
|
Coverity found CID 1461718:
Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".
Closes #5240
|
|
Prior to this change if there was a 303 reply to a PUT request then
the subsequent request to respond to that redirect would also be a PUT.
It was determined that was most likely incorrect based on the language
of the RFCs. Basically 303 means "see other" resource, which implies it
is most likely not the same resource, therefore we should not try to PUT
to that different resource.
Refer to the discussions in #5237 and #5248 for more information.
Fixes https://github.com/curl/curl/issues/5237
Closes https://github.com/curl/curl/pull/5248
|
|
Reviewed-by: Emil Engler
Reported-by: Ashwin Metpalli
Fixes #5278
Closes #5280
|
|
A gcc-10's -fanalyze complaint made me spot and do these improvements.
Closes #5281
|
|
Closes #5271
|
|
GnuTLS 3.1.10 added new functions we want to use. That version was
released on Mar 22, 2013. Removing support for older versions also
greatly simplifies the code.
Ref: #5271
Closes #5276
|
|
|
|
Detected by Coverity. CID 1462319.
"The same code is executed when the condition result is true or false,
because the code in the if-then branch and after the if statement is
identical."
Closes #5275
|
|
Detected by Coverity. CID 1462320.
Closes #5274
|
|
Reported-by: James Fuller
Fixes #5268
Closes #5269
|
|
This fixes a few randomly spotted typos in recently merged code, most
notably one in a userfacing errormessage the schannel code.
|
|
When cURL is compiled with support for multiple SSL backends, it is
possible to configure an SSL backend via `curl_global_sslset()`, but
only *before* `curl_global_init()` was called.
If another SSL backend should be used after that, a user might be
tempted to call `curl_global_cleanup()` to start over. However, we did
not foresee that use case and forgot to reset the SSL backend in that
cleanup.
Let's allow that use case.
Fixes #5255
Closes #5257
Reported-by: davidedec on github
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
|
To handle PUBLISH before SUBACK and more.
Updated the existing tests and added three new ones.
Reported-by: Christoph Krey
Bug: https://curl.haxx.se/mail/lib-2020-04/0021.html
Closes #5246
|