Wyatt OʼDay reported in #7385 that mbedTLS isn't backwards compatible
and curl no longer builds with it. Document the need to fix our support
until so has been done.
docs: fix inconsistencies in EGDSOCKET documentation
Only the OpenSSL backend actually use the EGDSOCKET, and also use
TLS consistently rather than mixing SSL and TLS. While there, also
fix a minor spelling nit.
Closes: #7391 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Revert "ftp: Expression 'ftpc->wait_data_conn' is always false"
The reverted commit introduced a logic error in code that was
correct.
The client using libcurl would notice the error since FTP file
uploads in active transfer mode would somtimes complete with
success despite no transfer having been performed and the
"uploaded" file thus not being on the remote server afterwards.
The FTP server would notice the error because it receives a
RST on the data connection it has established with the client
before any data was transferred at all.
The logic error happens if the STOR response from the server have
arrived by the time ftp_multi_statemach() in the affected code path
is called, but the incoming data connection have not arrived yet.
In that case, the processing of the STOR response will cause
'ftpc->wait_data_conn' to be set to TRUE, contradicting the comment
in the code. Since 'complete' will also be set, later logic would
believe the transfer was done.
In most cases, the STOR response will not have arrived yet when
the affected code path is executed, or the incoming connection will
also have arrived, and thus the error would not express itself.
But if the speed difference of the device using libcurl and the
FTP server is exactly right, the error may happen as often as in
one out of hundred file transfers.
Daniel Stenberg [Mon, 5 Jul 2021 11:28:26 +0000 (13:28 +0200)]
socks4: scan for the IPv4 address in resolve results
Follow-up to 84d2839740 which changed the resolving to always resolve
both address families, but since SOCKS4 only supports IPv4 it should
scan for and use the first available IPv4 address.
Reported-by: shithappens2016 on github
Fixes #7345
Closes #7346
It should not assume that it can copy full lines into the buffer as it
will encourage sloppy coding practices. Instead use byte-wise logic and
check/acknowledge the buffer size appropriately.
Reported-by: Harry Sintonen
Fixes #7330
Closes #7331
Daniel Stenberg [Wed, 30 Jun 2021 09:17:57 +0000 (11:17 +0200)]
url: (void)-prefix a curl_url_get() call
Coverity (CID 1486645) pointed out a use of curl_url_get() in the
parse_proxy function where the return code wasn't checked. A
(void)-prefix makes the intention obvious.
Jay Satiro [Tue, 29 Jun 2021 15:43:35 +0000 (11:43 -0400)]
http: fix crash in rate-limited upload
- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.
Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).
The bug was introduced in 24e469f which is in releases since 7.76.0.
Daniel Stenberg [Mon, 28 Jun 2021 14:41:17 +0000 (16:41 +0200)]
openssl: avoid static variable for seed flag
Avoid the race condition risk by instead storing the "seeded" flag in
the multi handle. Modern OpenSSL versions handle the seeding itself so
doing the seeding once per multi-handle instead of once per process is
less of an issue.
Andrei Rybak [Mon, 28 Jun 2021 10:15:34 +0000 (12:15 +0200)]
misc: fix typos in comments which repeat a word
Fix typos in code comments which repeat various words. In trivial
cases, just delete the repeated word. Reword the affected sentence in
"lib/url.c" for it to make sense.
Closes #7303 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
- Check whether a connection has succeded before checking whether it's
timed out.
This means if we've connected quickly, but subsequently been
descheduled, we allow the connection to succeed. Note, if we timeout,
but between checking the timeout, and connecting to the server the
connection succeeds, we will allow it to go ahead. This is viewed as
an acceptable trade off.
- Add additional failf logging around failed connection attempts to
propogate the cause up to the caller.
Gregory Muchka [Wed, 16 Jun 2021 00:12:49 +0000 (18:12 -0600)]
hostip: (macOS) free returned memory of SCDynamicStoreCopyProxies
From Apples documentation on SCDynamicStoreCopyProxies, "Return Value: A
dictionary of key-value pairs that represent the current internet proxy
settings, or NULL if no proxy settings have been defined or if an error
occurred. You must release the returned value."
Failure to release the returned value of SCDynamicStoreCopyProxies can
result in a memory leak.
Jay Satiro [Tue, 15 Jun 2021 04:13:36 +0000 (00:13 -0400)]
curl_multibyte: Remove local encoding fallbacks
- If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
no longer fall back to assuming the string is in a local encoding.
Background:
Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
pass to the Windows CRT API wide-character functions since in Windows
UTF-8 is not a valid locale (or at least 99% of the time right now).
Prior to this change if the Unicode encoding conversion failed then
libcurl would assume, for backwards compatibility with applications that
may have written their code for non-Unicode builds, attempt to convert
the string from local encoding to UTF-16.
That type of "best effort" could theoretically cause some type of
security or other problem if a string that was locally encoded was also
valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
could occur.
it needs to be processed by autoconf or autoreconf, and doesn't have a
suitable shebang to be directly executed. other projects normally set
configure.ac -x.
Viktor Szakats [Tue, 15 Jun 2021 12:10:48 +0000 (12:10 +0000)]
idn: fix libidn2 with windows unicode builds
Unicode Windows builds use UTF-8 strings internally in libcurl,
so make sure to call the UTF-8 flavour of the libidn2 API. Also
document that Windows builds with libidn2 and UNICODE do expect
CURLOPT_URL as an UTF-8 string.
Reported-by: dEajL3kA on github Assisted-by: Jay Satiro Reviewed-by: Marcel Raad
Closes #7246
Fixes #7228
Daniel Stenberg [Mon, 31 May 2021 06:59:24 +0000 (08:59 +0200)]
curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.
The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.
projects / thirdparty / curl.git / log
