Age | Commit message (Collapse) | Author |
|
|
|
- enable debug log
- fix use of quiche API
- use download buffer
- separate header/body
Closes #4193
|
|
As the plan has been laid out in DEPRECATED. Update docs accordingly and
verify in test 1174. Now requires the option to be set to allow HTTP/0.9
responses.
Closes #4191
|
|
|
|
|
|
Closes #4192
|
|
Closes #3780
|
|
|
|
As the NTLM code no longer calls any of TLS libraries' specific MD4
functions, there is no need to call this function for each #ifdef.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Follow-up to 3af0e76 which added experimental H3 support.
Closes https://github.com/curl/curl/pull/4185
|
|
|
|
|
|
Closes #4183
|
|
Allow pretty much anything to be part of the ALPN identifier. In
particular minus, which is used for "h3-20" (in-progress HTTP/3
versions) etc.
Updated test 356.
Closes #4182
|
|
|
|
To aid debugging
Closes #4181
|
|
If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
gss_init_sec_context() failed, the POST request was sent
with empty body. This commit also restores the original
behavior of `curl --fail --negotiate`, which was changed
by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59.
Add regression tests 2077 and 2078 to cover this.
Fixes #3992
Closes #4171
|
|
... to make it hold microseconds too.
Fixes #4165
Closes #4168
|
|
Reported-by: Michal Čaplygin
Fixes #4174
Closes #4175
|
|
Closes #3701
|
|
|
|
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.
Closes #4169
|
|
Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1)
Reported-by: Jonathan Cardoso Machado
Assisted-by: Jay Satiro
Fixes #4136
Closes #4162
|
|
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
before push...
|
|
Closes #4157
|
|
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.
Fixed-by: Ironbars13 on github
Fixes #4084
Closes #4161
|
|
... so that end-of-stream is detected properly.
Reported-by: Tom van der Woerdt
Fixes #4043
Closes #4160
|
|
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update
test 1514 according to the new behaviour.
Closes #4138
|
|
- In curl_easy_reset attempt to resize the receive buffer to its default
size. If realloc fails then continue using the previous size.
Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.
Reported-by: Felix Hädicke
Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
|
|
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).
Fixes #4147
Closes #4148
|
|
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.
Fixes #4144
Closes #4151
|
|
USe configure --with-ngtcp2 or --with-quiche
Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
Closes #3500
|
|
Introducing CURLVERSION_SIXTH with nghttp2 info.
Closes #4121
|
|
Several reasons:
- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons
Assisted-by: Daniel Gustafsson
Closes #4129
|
|
Fix regression caused by 21080e1
Reported-by: Chih-Hsuan Yen
Fixes #4122
Closes #4124
|
|
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call. Should it
return false, we should however treat it as an error and bail out.
Closes https://github.com/curl/curl/pull/4110
|
|
- Allow FTPS on redirect.
- Update default allowed redirect protocols in documentation.
Follow-up to 6080ea0.
Ref: https://github.com/curl/curl/pull/4094
Closes https://github.com/curl/curl/pull/4115
|
|
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.
For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.
Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
Closes #4094
|
|
Closes #4100
|
|
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
If-Modified-Since). Allow this to be replaced or suppressed with
CURLOPT_HTTPHEADER.
Fixes #4103
Closes #4109
|
|
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.
Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.
Closes https://github.com/curl/curl/pull/4095
|
|
- Declare variable in header as extern.
Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
|
|
There were a leftover few prototypes of Curl_ functions that we used to
export but no longer do, this removes those prototypes and cleans up any
comments still referring to them.
Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free()
Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn()
were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c.
Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3.
For the remainder, I didn't trawl the Git logs hard enough to capture
their exact time of deletion, but they were all gone: Curl_splayprint(),
Curl_http2_send_request(), Curl_global_host_cache_dtor(),
Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(),
Curl_http_auth_stage() and Curl_close_connections().
Closes #4096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
|