aboutsummaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2020-03-18schannel: add "best effort" revocation check optionJohannes Schindelin
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
2020-03-17windows: suppress UI in all CryptAcquireContext() callsViktor Szakats
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters Reviewed-by: Marc Hörsken Closes https://github.com/curl/curl/pull/5088
2020-03-17writeout_json: add missing comma to fix the HTTP versionDaniel Stenberg
Follow-up to 04c03416e68fd635a15
2020-03-17writeout: support to generate JSON outputMathias Gumz
This commit adds support to generate JSON via the writeout feature: -w "%{json}" It leverages the existing infrastructure as much as possible. Thus, generating the JSON on STDERR is possible by: -w "%{stderr}%{json}" This implements a variant of https://github.com/curl/curl/wiki/JSON#--write-out-json. Closes #4870
2020-03-16tool_operate: fix add_parallel_transfers when more are in queueDaniel Stenberg
Trying to return early from the function if no new transfers were added would break the "morep" argument and cause issues. This could lead to zero content "transfers" (within quotes since they would never be started) when parallel-max was reduced. Reported-by: Gavin Wong Analyzed-by: Jay Satiro Fixes #4937 Closes #5112
2020-03-14Makefile.m32: Improve windres parameter compatibilityJay Satiro
- s/COFF/coff/ Some versions of windres do not recognize uppercase COFF as a valid way to specify the COFF output format. Reported-by: Steven Penny Fixes https://github.com/curl/curl/issues/5099 Closes https://github.com/curl/curl/pull/5101
2020-03-07tool_cb_see: set correct copyright year rangeDaniel Stenberg
Follow-up to a39e5bfb9
2020-03-07seek: fix fallback for missing ftruncate on WindowsMarc Hoersken
This fixes test 198 on versions of MinGW-w64 without ftruncate Reviewed-By: Daniel Stenberg Reviewed-By: Marcel Raad Closes #5055
2020-03-01polarssl: Additional removalSteve Holme
Follow up to 6357a19f. Reviewed-by: Daniel Stenberg Closes #5004
2020-02-21cleanup: comment typosDaniel Stenberg
Spotted by 'codespell' Closes #4957
2020-02-20win32: USE_WIN32_CRYPTO to enable Win32 based MD4, MD5 and SHA256 functionsSteve Holme
Whilst lib\md4.c used this pre-processor, lib\md5.c and src\tool_metalink.c did not and simply relied on the WIN32 pre-processor directive. Reviewed-by: Marcel Raad Closes #4955
2020-02-19nit: Copyright year out of dateDaniel Stenberg
Follow-up to 1fc0617dcc
2020-02-18tool_util: Improve Windows version of tvnow()Jay Satiro
- Change tool_util.c tvnow() for Windows to match more closely to timeval.c Curl_now(). - Create a win32 init function for the tool, since some initialization is required for the tvnow() changes. Prior to this change the monotonic time function used by curl in Windows was determined at build-time and not runtime. That was a problem because when curl was built targeted for compatibility with old versions of Windows (eg _WIN32_WINNT < 0x0600) it would use GetTickCount which wraps every 49.7 days that Windows has been running. This change makes curl behave similar to libcurl's tvnow function, which determines at runtime whether the OS is Vista+ and if so calls QueryPerformanceCounter instead. (Note QueryPerformanceCounter is used because it has higher resolution than the more obvious candidate GetTickCount64). The changes to tvnow are basically a copy and paste but the types in some cases are different. Ref: https://github.com/curl/curl/issues/3309 Closes https://github.com/curl/curl/pull/4847
2020-02-13tool_home: Fix the copyright year being out of dateSteve Holme
Follow up to 9dc350b6.
2020-02-12tool_homedir: Change GetEnv() to use libcurl's curl_getenv()Jay Satiro
- Deduplicate GetEnv() code. - On Windows change ultimate call to use Windows API GetEnvironmentVariable() instead of C runtime getenv(). Prior to this change both libcurl and the tool had their own GetEnv which over time diverged. Now the tool's GetEnv is a wrapper around curl_getenv (libcurl API function which is itself a wrapper around libcurl's GetEnv). Furthermore this change fixes a bug in that Windows API GetEnvironmentVariable() is called instead of C runtime getenv() to get the environment variable since some changes aren't always visible to the latter. Reported-by: Christoph M. Becker Fixes https://github.com/curl/curl/issues/4774 Closes https://github.com/curl/curl/pull/4863
2020-02-05curl: error on --alt-svc use w/o supportDaniel Stenberg
Make the tool check for alt-svc support at run-time and return error accordingly if not present when the option is used. Reported-by: Harry Sintonen Closes #4878
2020-02-04tool_operhlp: Copyright year out of date, should be 2020Daniel Stenberg
Follow-up from 2bc373740a3
2020-02-04curl: avoid using strlen for testing if a string is emptyOrgad Shaneh
Closes #4873
2020-01-26curl: make the -# spaceship bar not wrap the lineDaniel Stenberg
The fixed-point math made us lose precision and thus a too high index value could be used for outputting the hashtags which could overwrite the newline. The fix increases the precision in the sine table (*100) and the associated position math. Reported-by: Andrew Potter Fixes #4849 Closes #4850
2020-01-21smtp: Allow RCPT TO command to fail for some recipientsPavel Volgarev
Introduces CURLOPT_MAIL_RCPT_ALLLOWFAILS. Verified with the new tests 3002-3007 Closes #4816
2020-01-21curl: Let -D merge headers in one file againEmil Engler
Closes #4762 Fixes #4753
2020-01-16curl:progressbarinit: ignore column width from terminals < 20Daniel Stenberg
To avoid division by zero - or other issues. Reported-by: Daniel Marjamäki Closes #4818
2020-01-13CMake: Add support for CMAKE_LTO option.Tobias Hieta
This enables Link Time Optimization. LTO is a proven technique for optimizing across compilation units. Closes #4799
2020-01-13curl: make #0 not output the full URLDaniel Stenberg
It was not intended nor documented! Added test 1176 to verify. Reported-by: vshmuk on hackerone Closes #4812
2020-01-12curl: remove 'config' field from OutStructDaniel Stenberg
As it was just unnecessary duplicated information already stored in the 'per_transfer' struct and that's around mostly anyway. The duplicated pointer caused problems when the code flow was aborted before the dupe was filled in and could cause a NULL pointer access. Reported-by: Brian Carpenter Fixes #4807 Closes #4810
2020-01-09tool_dirhie.c: fix the copyright year rangeDaniel Stenberg
Follow-up to: 4027bd72d9
2020-01-09tool_dirhie: Allow directory traversal during creationJay Satiro
- When creating a directory hierarchy do not error when mkdir fails due to error EACCESS (13) "access denied". Some file systems allow for directory traversal; in this case that it should be possible to create child directories when permission to the parent directory is restricted. This is a regression caused by me in f16bed0 (precedes curl-7_61_1). Basically I had assumed that if a directory already existed it would fail only with error EEXIST, and not error EACCES. The latter may happen if the directory exists but has certain restricted permissions. Reported-by: mbeifuss@users.noreply.github.com Fixes https://github.com/curl/curl/issues/4796 Closes https://github.com/curl/curl/pull/4797
2020-01-06curl -w: handle a blank input file correctlyDaniel Stenberg
Previously it would end up with an uninitialized memory buffer that would lead to a crash or junk getting output. Added test 1271 to verify. Reported-by: Brian Carpenter Closes #4786
2020-01-05curl:getparameter return error for --http3 if libcurl doesn't supportDaniel Stenberg
Closes #4785
2020-01-04curl: properly free mimepost dataDaniel Stenberg
... as it could otherwise leak memory when a transfer failed. Added test 1293 to verify. Reported-by: Brian Carpenter Fixes #4781 Closes #4782
2020-01-04curl: cleanup multi handle on failureDaniel Stenberg
... to fix memory leak in error path. Fixes #4772 Closes #4780 Reported-by: Brian Carpenter
2019-12-31tool: make a few char pointers point to const char insteadMarcel Raad
These are read-only. Closes https://github.com/curl/curl/pull/4771
2019-12-29tool_operate: fix mem leak when failed config parseJay Satiro
Found by fuzzing the config file. Reported-by: Geeknik Labs Fixes https://github.com/curl/curl/issues/4767
2019-12-18curl/parseconfig: use curl_free() to free memory allocated by libcurlDaniel Stenberg
Reported-by: bxac on github Fixes #4730 Closes #4731
2019-12-18curl/parseconfig: fix mem-leakDaniel Stenberg
When looping, first trying '.curlrc' and then '_curlrc', the function would not free the first string. Closes #4731
2019-12-12curl: fix memory leak in OOM in etags logicDaniel Stenberg
Detected by torture tests Closes #4706
2019-12-12curl: improved cleanup in upload error pathDaniel Stenberg
Memory leak found by torture test 58 Closes #4705
2019-12-10curl: use errorf() betterDaniel Stenberg
Change series of error outputs to use errorf(). Only errors that are due to mistakes in command line option usage should use helpf(), other types of errors in the tool should rather use errorf(). Closes #4691
2019-12-06curl: make the etag load logic work without fseekDaniel Stenberg
The fseek()s were unnecessary and caused Coverity warning CID 1456554 Closes #4681
2019-12-05lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAINJay Satiro
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS and OS400 package spec. Also I added the option to the NameValue list in the tool even though it isn't exposed as a command-line option (...yet?). (NameValue stringizes the option name for the curl cmd -> libcurl source generator) Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. Ref: https://github.com/curl/curl/pull/4655
2019-12-05etag: allow both --etag-compare and --etag-save in same cmdlineDaniel Stenberg
Fixes #4669 Closes #4678
2019-12-03curl: show better error message when no homedir is foundDaniel Stenberg
Reported-by: Vlastimil Ovčáčík Fixes #4644 Closes #4665
2019-12-02copyright: fix the year ranges for two filesDaniel Stenberg
Follow-up to 9c1806ae
2019-12-01build: Disable Visual Studio warning "conditional expression is constant"Jay Satiro
- Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler. This mainly affects building with the Visual Studio project files found in the projects dir. Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup. Background: We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it: #define Curl_resolver_asynch() 1 Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example. Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir. Closes https://github.com/curl/curl/pull/4658
2019-11-28curl: two new command line options for etagsMaros Priputen
--etag-compare and --etag-save Suggested-by: Paul Hoffman Fixes #4277 Closes #4543
2019-11-26curl: fix --upload-file . hangs if delay in STDINJohn Schroeder
Attempt to unpause a busy read in the CURLOPT_XFERINFOFUNCTION. When uploading from stdin in non-blocking mode, a delay in reading the stream (EAGAIN) causes curl to pause sending data (CURL_READFUNC_PAUSE). Prior to this change, a busy read was detected and unpaused only in the CURLOPT_WRITEFUNCTION handler. This change performs the same busy read handling in a CURLOPT_XFERINFOFUNCTION handler. Fixes #2051 Closes #4599 Reported-by: bdry on github
2019-11-21curl: add --parallel-immediateDaniel Stenberg
Starting with this change when doing parallel transfers, without this option set, curl will prefer to create new transfers multiplexed on an existing connection rather than creating a brand new one. --parallel-immediate can be set to tell curl to prefer to use new connections rather than to wait and try to multiplex. libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default on parallel transfers. Suggested-by: Tom van der Woerdt Closes #4500
2019-11-14curl: fix -T globbingDaniel Stenberg
Regression from e59371a4936f8 (7.67.0) Added test 490, 491 and 492 to verify the functionality. Reported-by: Kamil Dudka Reported-by: Anderson Sasaki Fixes #4588 Closes #4591
2019-11-08copyrights: fix copyright year rangeDaniel Stenberg
.. because checksrc's copyright year check stopped working. Ref: https://github.com/curl/curl/pull/4547 Closes https://github.com/curl/curl/pull/4549
2019-10-16tool_operate: Fix retry sleep time shown to user when Retry-AfterStian Soiland-Reyes
- If server header Retry-After is being used for retry sleep time then show that value to the user instead of the normal retry sleep time. This is a follow-up to 640b973 (7.66.0) which changed curl tool so that the value from Retry-After header overrides other retry timing options. Closes https://github.com/curl/curl/pull/4498