Age | Commit message (Collapse) | Author |
|
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.
Closes https://github.com/curl/curl/pull/4633
|
|
- Disable the extra sensitivity except in debug builds (--enable-debug).
- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
"No error" / "Success" socket error text isn't shown on SYSCALL error.
Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.
To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.
Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.
This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.
Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke
Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
|
|
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html
Closes https://github.com/curl/curl/pull/4593
|
|
To avoid potential issues with error code reuse.
Reported-by: Christoph M. Becker
Assisted-by: Dan Fandrich
Fixes #4601
Closes #4627
|
|
Fixes #4525
Closes #4603
|
|
... as both ngtcp2 and quiche now support that in their master branches
Closes #4604
|
|
Fixes #4614
Closes #4615
|
|
Reviewed-by: Tatsuhiro Tsujikawa
Fixes #4612
Closes #4613
|
|
Prior to this change:
The check if an extra wait is necessary was based not on the
number of extra fds but on the pointer.
If a non-null pointer was given in extra_fds, but extra_nfds
was zero, then the wait was skipped even though poll was not
called.
Closes https://github.com/curl/curl/pull/4610
|
|
Follow-up to 5b2d703 which moved ssh source files to vssh.
Closes https://github.com/curl/curl/pull/4609
|
|
Improved estimation of expected_len and updated related comments;
increased strictness of QNAME-encoding, adding error detection for empty
labels and names longer than the overall limit; avoided treating DNAME
as unexpected;
updated unit test 1655 with more thorough set of proofs and tests
Closes #4598
|
|
Assisted-by: Javier Blazquez
Ref #4525 (partial fix)
Closes #4600
|
|
Define the OS macro properly for Windows on ARM builds. Also, we might
as well add the GCC-style IA-64 macro.
Closes #4590
|
|
Fixes #4594
Closes #4595
Reported-by: 3dyd on github
|
|
Pseudo header MUST come before regular headers or cause an error.
Reported-by: Cynthia Coan
Fixes #4571
Closes #4584
|
|
Follow the pattern of many other callbacks.
Ref: #4546
Closes #4585
|
|
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!
Reported-by: Max Kellermann
Fixes #4575
Closes #4583
|
|
... avoids unnecesary recursive risk when the transfer is already done.
Reported-by: Richard Bowker
Fixes #4563
Closes #4574
|
|
- Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in
Windows error strings.
Since we are not in control of the error code we don't know what
information may be needed by the error string's format specifiers.
Prior to this change Windows API error strings which contain specifiers
(think specifiers like similar to printf specifiers) would not be shown.
The FormatMessage Windows API call which turns a Windows error code into
a string could fail and set error ERROR_INVALID_PARAMETER if that error
string contained a format specifier. FormatMessage expects a va_list for
the specifiers, unless inserts are ignored in which case no substitution
is attempted.
Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353
|
|
- Consider a modified file to be committed this year.
- Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and
includes
- Ignore 0 parents when getting latest commit date of file.
since in the CI we're dealing with a truncated repo of last 50 commits,
the file's most recent commit may not be available. when this happens
git log and rev-list show the initial commit (ie first commit not to be
truncated) but that's incorrect so ignore it.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
Co-authored-by: Jay Satiro
|
|
.. because checksrc's copyright year check stopped working.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
|
|
Closes #3704
|
|
Fixes https://github.com/curl/curl/issues/4565
Closes https://github.com/curl/curl/pull/4566
|
|
Closes #4547
|
|
Closes #4552
|
|
- Open the CA file using FILE_SHARE_READ mode so that others can read
from it as well.
Prior to this change our schannel code opened the CA file without
sharing which meant concurrent openings (eg an attempt from another
thread or process) would fail during the time it was open without
sharing, which in curl's case would cause error:
"schannel: failed to open CA file".
Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
|
|
... as it can make it wait there for a long time for no good purpose.
Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Adviced-by: Nikos Mavrogiannopoulos
Fixes #4487
Closes #4541
|
|
This is the common pattern used in the code and by a unified approach we
avoid mistakes.
Closes #4534
|
|
... or risk DoH memory leaks.
Reported-by: Paul Dreik
Fixes #4463
Closes #4527
|
|
On macOS/BSD, trying to call sendto on a connected UDP socket fails
with a EISCONN error. Because the singleipconnect has already called
connect on the socket when we're trying to use it for QUIC transfers
we need to use plain send instead.
Fixes #4529
Closes https://github.com/curl/curl/pull/4533
|
|
The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv
in order to perform nonblocking operations. On Windows this flag does
not exist. Instead, the socket must be set to nonblocking mode via
ioctlsocket.
This change sets the nonblocking flag on UDP sockets used for QUIC on
all platforms so the use of MSG_DONTWAIT is not needed.
Fixes #4531
Closes #4532
|
|
Fixes #4518
Closes #4519
|
|
Added test case 338 to verify.
Reported-by: Daniel Silverstone
Fixes #4499
Closes #4514
|
|
... and thus should return 0, not EAGAIN.
Reported-by: Tom van der Woerdt
Fixes #4496
Closes #4505
|
|
To make sure that transfer is being dealt with. Streams without
Content-Length need a final read to notice the end-of-stream state.
Reported-by: Tom van der Woerdt
Fixes #4496
|
|
The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as
input in most cases, which made it not get a scheme prefixed like before
if the URL was given without one, and it didn't remove dotdot sequences
etc.
Added test case 1907 to verify that this now works as intended and as
before 7.62.0.
Regression introduced in 7.62.0
Reported-by: Christophe Dervieux
Fixes #4491
Closes #4493
|
|
With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer,
while `read` expects a 32 bit signed integer.
Use `sread` instead of `read` to use the correct parameter type.
Closes https://github.com/curl/curl/pull/4483
|
|
With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the
result of `sizeof` is unsigned.
Closes https://github.com/curl/curl/pull/4483
|
|
fixed build for systems that need netinet/in.h for IPPROTO_TCP and are
missing INADDR_LOOPBACK
Closes #4480
|
|
Follow-up to bc2dbef0afc08
|
|
|
|
|
|
Curl_socketpair() is designed to be used and work everywhere if there's
no native version or the native version isn't good enough.
Closes #4466
|
|
Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no
matter what errno said.
This makes for example --retry work on these transfer failures.
Reported-by: Nathaniel J. Smith
Fixes #4461
Clsoes #4462
|
|
- Allow missing queries, don't return NO_MEMORY error in such a case.
It is acceptable for there to be no specified query string, for example:
curl ldap://ldap.forumsys.com
A regression bug in 1b443a7 caused this issue.
This is a partial fix for #4261.
Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077
Reported-by: Jojojov@users.noreply.github.com
Analyzed-by: Samuel Surtees
Closes https://github.com/curl/curl/pull/4467
|
|
Closes https://github.com/curl/curl/pull/4460
|
|
Closes #4457
|
|
The second argument is really a 'bool' so use that and pass in TRUE/FALSE
to make it clear.
Closes #4455
|
|
To make sure that the HTTP/2 state is initialized correctly for
duplicated handles. It would otherwise easily generate "spurious"
PRIORITY frames to get sent over HTTP/2 connections when duplicated easy
handles were used.
Reported-by: Daniel Silverstone
Fixes #4303
Closes #4442
|
|
Follow-up from 2c20109a9b5d04
Added test 663 to verify.
Reported by OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17954
Closes #4453
|