aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-04-26http2: fix null pointer dereference in http2_connisdeadDaniel Stenberg
This function can get called on a connection that isn't setup enough to have the 'recv_underlying' function pointer initialized so it would try to call the NULL pointer. Reported-by: Dario Weisser Follow-up to db1b2c7fe9b093f8 (never shipped in a release) Closes #2536
2018-04-26http2: get rid of another strstr()Daniel Stenberg
Follow-up to 1514c44655e12e: replace another strstr() call done on a buffer that might not be zero terminated - with a memchr() call, even if we know the substring will be found. Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 Closes #2534
2018-04-26cyassl: adapt to libraries without TLS 1.0 support built-inDaniel Stenberg
WolfSSL doesn't enable it by default anymore
2018-04-25cookies: ensure that we have cookies before writing jarDaniel Gustafsson
The jar should be written iff there are cookies, so ensure that we still have cookies after expiration to avoid creating an empty file. Closes #2529
2018-04-25strcpy_url: only %-encode values >= 0x80Daniel Stenberg
OSS-Fuzz detected https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 Broke in dd7521bcc1b7
2018-04-24mime: avoid NULL pointer dereference riskDaniel Stenberg
Coverity detected, CID 1435120 Closes #2527
2018-04-24ctype: restore character classification for non-ASCII platformsStephan Mühlstrasser
With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic character classification macros and functions were introduced in curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on non-ASCII, e.g. EBCDIC platforms. This change restores the previous set of character classification macros when CURL_DOES_CONVERSIONS is defined. Closes #2494
2018-04-24ftplistparser: keep state between invokesDaniel Stenberg
Fixes FTP wildcard parsing when done over a number of read buffers. Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2526
2018-04-24Revert "ftplistparser: keep state between invokes"Daniel Stenberg
This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. Caused fuzzer problems on travis not seen when this was a PR!
2018-04-24Curl_memchr: zero length input can't matchDaniel Stenberg
Avoids undefined behavior. Reported-by: Geeknik Labs
2018-04-23ftplistparser: keep state between invokesDaniel Stenberg
Fixes FTP wildcard parsing when doing over a number of read buffers. Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2519
2018-04-23ftplistparser: renamed some members and variablesDaniel Stenberg
... to make them better spell out what they're for.
2018-04-23curl_global_sslset: always provide available backendsChristian Schmitz
Closes #2499
2018-04-23http2: convert an assert to run-time checkDaniel Stenberg
Fuzzing has proven we can reach code in on_frame_recv with status_code not having been set, so let's detect that in run-time (instead of with assert) and error error accordingly. (This should no longer happen with the latest nghttp2) Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 Closes #2514
2018-04-23schannel: fix build error on targets <= XPArchangel_SDY
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't support the latter. Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 Closes https://github.com/curl/curl/pull/2504
2018-04-23Revert "ftplistparser: keep state between invokes"Daniel Stenberg
This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. Unfortunately this fix introduces memory leaks I've not been able to fix in several days. Reverting this for now to get the leaks fixed.
2018-04-20http2: handle GOAWAY properlyDaniel Stenberg
When receiving REFUSED_STREAM, mark the connection for close and retry streams accordingly on another/fresh connection. Reported-by: Terry Wu Fixes #2416 Fixes #1618 Closes #2510
2018-04-20http2: clear the "drain counter" when a stream is closedDaniel Stenberg
This fixes the notorious "httpc->drain_total >= data->state.drain" assert. Reported-by: Anders Bakken Fixes #1680 Closes #2509
2018-04-20http2: avoid strstr() on data not zero terminatedDaniel Stenberg
It's not strictly clear if the API contract allows us to call strstr() on a string that isn't zero terminated even when we know it will find the substring, and clang's ASAN check dislikes us for it. Also added a check of the return code in case it fails, even if I can't think of a situation how that can trigger. Detected by OSS-Fuzz Closes #2513 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
2018-04-20openssl: fix subjectAltName check on non-ASCII platformsStephan Mühlstrasser
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison. Closes #2493
2018-04-20openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messagesJay Satiro
- Support handling verbose-mode trace messages of type SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, SSL3_MT_MESSAGE_HASH Reported-by: iz8mbw@users.noreply.github.com Fixes https://github.com/curl/curl/issues/2403
2018-04-19ftplistparser: keep state between invokesDaniel Stenberg
Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2508
2018-04-19detect_proxy: only show proxy use if it had contentsDaniel Stenberg
2018-04-19http2: handle on_begin_headers() called more than onceDaniel Stenberg
This triggered an assert if called more than once in debug mode (and a memory leak if not debug build). With the right sequence of HTTP/2 headers incoming it can happen. Detected by OSS-Fuzz Closes #2507 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
2018-04-18schannel: add support for CURLOPT_CAINFODan McNulty
- Move verify_certificate functionality in schannel.c into a new file called schannel_verify.c. Additionally, some structure defintions from schannel.c have been moved to schannel.h to allow them to be used in schannel_verify.c. - Make verify_certificate functionality for Schannel available on all versions of Windows instead of just Windows CE. verify_certificate will be invoked on Windows CE or when the user specifies CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. - In verify_certificate, create a custom certificate chain engine that exclusively trusts the certificate store backed by the CURLOPT_CAINFO file. - doc updates of --cacert/CAINFO support for schannel - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString when available. This implements a TODO in schannel.c to improve handling of multiple SANs in a certificate. In particular, all SANs will now be searched instead of just the first name. - Update tool_operate.c to not search for the curl-ca-bundle.crt file when using Schannel to maintain backward compatibility. Previously, any curl-ca-bundle.crt file found in that search would have been ignored by Schannel. But, with CAINFO support, the file found by that search would have been used as the certificate store and could cause issues for any users that have curl-ca-bundle.crt in the search path. - Update url.c to not set the build time CURL_CA_BUNDLE if the selected SSL backend is Schannel. We allow setting CA location for schannel only when explicitly specified by the user via CURLOPT_CAINFO / --cacert. - Add new test cases 3000 and 3001. These test cases check that the first and last SAN, respectively, matches the connection hostname. New test certificates have been added for these cases. For 3000, the certificate prefix is Server-localhost-firstSAN and for 3001, the certificate prefix is Server-localhost-secondSAN. - Remove TODO 15.2 (Add support for custom server certificate validation), this commit addresses it. Closes https://github.com/curl/curl/pull/1325
2018-04-17schannel: fix warningJay Satiro
- Fix warning 'integer from pointer without a cast' on 3rd arg in CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer type of the same size. Follow-up to e35b025. Caught by Marc's CI builds.
2018-04-17schannel: add client certificate authenticationArchangel_SDY
Users can now specify a client certificate in system certificates store explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` Closes #2376
2018-04-16ntlm_sspi: fix authentication using Credential Managertoughengineer
If you pass empty user/pass asking curl to use Windows Credential Storage (as stated in the docs) and it has valid credentials for the domain, e.g. curl -v -u : --ntlm example.com currently authentication fails. This change fixes it by providing proper SPN string to the SSPI API calls. Fixes https://github.com/curl/curl/issues/1622 Closes https://github.com/curl/curl/pull/1660
2018-04-16urldata: make service names unconditionalMarcel Raad
The ifdefs have become quite long. Also, the condition for the definition of CURLOPT_SERVICE_NAME and for setting it from CURLOPT_SERVICE_NAME have diverged. We will soon also need the two options for NTLM, at least when using SSPI, for https://github.com/curl/curl/pull/1660. Just make the definitions unconditional to make that easier. Closes https://github.com/curl/curl/pull/2479
2018-04-16ssh: show libSSH2 error code when closing failsChristian Schmitz
Closes #2500
2018-04-15vauth: Fix typoDaniel Gustafsson
Address various spellings of "credentials". Closes https://github.com/curl/curl/pull/2496
2018-04-15checksrc: Fix typoDaniel Gustafsson
Fix typo in "semicolon" spelling and remove stray tab character. Closes https://github.com/curl/curl/pull/2498
2018-04-15all: Refactor malloc+memset to use callocDaniel Gustafsson
When a zeroed out allocation is required, use calloc() rather than malloc() followed by an explicit memset(). The result will be the same, but using calloc() everywhere increases consistency in the codebase and avoids the risk of subtle bugs when code is injected between malloc and memset by accident. Closes https://github.com/curl/curl/pull/2497
2018-04-12duphandle: make sure CURLOPT_RESOLVE is duplicated fine tooDaniel Stenberg
Verified in test 1502 now Fixes #2485 Closes #2486 Reported-by: Ernst Sjöstrand
2018-04-11proxy: show getenv proxy use in verbose outputDaniel Stenberg
... to aid debugging etc as it sometimes isn't immediately obvious why curl uses or doesn't use a proxy. Inspired by #2477 Closes #2480
2018-04-09lib: silence null-dereference warningsMarcel Raad
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs. Suggested-by: Daniel Stenberg Ref: https://github.com/curl/curl/pull/2463
2018-04-08build: cleanup to fix clang warnings/errorsDaniel Stenberg
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension Reported-by: Rikard Falkeborn Fixes #2466 Closes #2468
2018-04-07curl_setup: provide a CURL_SA_FAMILY_T type if none existsDaniel Stenberg
... and use this type instead of 'sa_family_t' in the code since several platforms don't have it. Closes #2463
2018-04-07build: add picky compiler warning flags for gcc 6 and 7Eric Gallager
2018-04-06hash: calculate sizes with size_t instead of longsDaniel Stenberg
... since they return size_t anyway! closes #2462
2018-04-06FTP: allow PASV on IPv6 connections when a proxy is being usedLaurie Clark-Michalek
In the situation of a client connecting to an FTP server using an IPv6 tunnel proxy, the connection info will indicate that the connection is IPv6. However, because the server behing the proxy is IPv4, it is permissable to attempt PSV mode. In the case of the FTP server being IPv4 only, EPSV will always fail, and with the current logic curl will be unable to connect to the server, as the IPv6 fwdproxy causes curl to think that EPSV is impossible. Closes #2432
2018-04-06file: restore old behavior for file:////foo/bar URLsJon DeVree
curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC 8089 but then returns an error saying this is unimplemented. This is actually a regression in behavior on both Windows and Unix. Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and then passed to the relevant OS API. This means that the behavior of this case is actually OS dependent. The Unix path resolution rules say that the OS must handle swallowing the extra "/" and so this path is the same as "/foo/bar" The Windows path resolution rules say that this is a UNC path and automatically handles the SMB access for the program. So curl on Windows was already doing Appendix E.3.2 without any special code in curl. Regression Closes #2438
2018-04-06Revert "openssl: Don't add verify locations when verifypeer==0"Gaurav Malhotra
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. libcurl (with the OpenSSL backend) performs server certificate verification even if verifypeer == 0 and the verification result is available using CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the CURLINFO_SSL_VERIFYRESULT to not have useful information for the verifypeer == 0 use case (it would always have X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Closes #2451
2018-04-06tls: fix mbedTLS 2.7.0 build + handle sha256 failuresWyatt O'Day
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes #2453
2018-04-06cookie: case-insensitive hashing for the domainsLauri Kasanen
closes #2458
2018-04-04cookie: fix and optimize 2nd top level domain name extractionPatrick Monnerat
This fixes a segfault occurring when a name of the (invalid) form "domain..tld" is processed. test46 updated to cover this case. Follow-up to commit c990ead. Ref: https://github.com/curl/curl/pull/2440
2018-04-04openssl: provide defines for argument typecasts to build warning-freeDaniel Stenberg
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
2018-04-04openssl: fix build with LibreSSL 2.7Bernard Spil
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API Fixes #2319 Closes #2447 Closes #2448 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-04-02cookie: store cookies per top-level-domain-specific hash tableLauri Kasanen
This makes libcurl handle thousands of cookies much better and speedier. Closes #2440
2018-04-02cookies: when reading from a file, only remove_expired onceLauri Kasanen
This drops the cookie load time for 8k cookies from 178ms to 15ms. Closes #2441