Daniel Stenberg [Wed, 2 Aug 2023 21:34:48 +0000 (23:34 +0200)]
http: return error when receiving too large header set
To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete research
suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
1MB.
Stefan Eissing [Tue, 1 Aug 2023 08:31:58 +0000 (10:31 +0200)]
http2: upgrade tests and add fix for non-existing stream
- check in h2 filter recv that stream actually exists
and return error if not
- add test for parallel, extreme h2 upgrades that fail if
connections get reused before fully switched
- add h2 upgrade upload test just for completeness
Daniel Stenberg [Wed, 2 Aug 2023 16:03:59 +0000 (18:03 +0200)]
url: change default value for CURLOPT_MAXREDIRS to 30
It was previously unlimited by default, but that's not a sensible
default. While changing this has a remote risk of breaking an existing
use case, I figure it is more likely to actually save users from loops.
Jay Satiro [Sun, 19 Mar 2023 08:05:08 +0000 (04:05 -0400)]
schannel: fix user-set legacy algorithms in Windows 10 & 11
- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
- If the user set both a legacy algorithm list and a TLS 1.3 cipher list
then abort.
Although MS doesn't document it, Schannel will not negotiate TLS 1.3
when SCHANNEL_CRED is used. That means setting a legacy algorithm list
limits the user to earlier versions of TLS.
Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
ignore legacy algorithms in Windows 10 1809 and later.
Viktor Szakats [Mon, 31 Jul 2023 11:52:44 +0000 (11:52 +0000)]
egd: delete feature detection and related source code
EGD is Entropy Gathering Daemon, a socket-based entropy source supported
by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
a while ago.
Its detection in CMake was broken all along because OpenSSL libs were
not linked at the point of feature check.
Delete detection from both cmake and autotools, along with the related
source snippet, and the `--with-egd-socket=` `./configure` option.
Stefan Eissing [Mon, 31 Jul 2023 08:56:00 +0000 (10:56 +0200)]
tests: fix h3 server check and parallel instances
- fix check for availability of nghttpx server
- add `tcp` frontend config for same port as quic, as
without this, port 3000 is bound which clashes for parallel
testing
Daniel Stenberg [Mon, 31 Jul 2023 15:27:03 +0000 (17:27 +0200)]
http2: avoid too early connection re-use/multiplexing
HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
for reuse and multiplexing by other handles until the 101 switching
process is completed.
Lots-of-debgging-by: Stefan Eissing Reported-by: Richard W.M. Jones
Bug: https://curl.se/mail/lib-2023-07/0045.html
Closes #11557
Viktor Szakats [Sun, 30 Jul 2023 12:14:23 +0000 (12:14 +0000)]
cmake: add support for single libcurl compilation pass
Before this patch CMake builds used two separate compilation passes to
build the shared and static libcurl respectively. This patch allows to
reduce that to a single pass if the target platform and build settings
allow it.
This reduces CMake build times when building both static and shared
libcurl at the same time, making these dual builds an almost zero-cost
option.
Enable this feature for Windows builds, where the difference between the
two passes was the use of `__declspec(dllexport)` attribute for exported
API functions for the shared builds. This patch replaces this method
with the use of `libcurl.def` at DLL link time.
Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
symbols on Windows. This simplifies (or fixes) this build method (e.g.
in curl-for-win, which generated a `libcurl.def` from `.h` files using
an elaborate set of transformations).
`libcurl.def` has the maintenance cost of keeping the list of public
libcurl API symbols up-to-date. This list seldom changes, so the cost
is low.
While here, also fix `RAND_egd()` detection which was broken, likely all
along. This feature is probably broken with CMake builds and also
requires a sufficiently obsolete OpenSSL version, so this part of the
update was not tested.
Pablo Busse [Thu, 22 Jun 2023 06:13:07 +0000 (06:13 +0000)]
openssl: Support async cert verify callback
- Update the OpenSSL connect state machine to handle
SSL_ERROR_WANT_RETRY_VERIFY.
This allows libcurl users that are using custom certificate validation
to suspend processing while waiting for external I/O during certificate
validation.
Jay Satiro [Tue, 4 Apr 2023 09:10:52 +0000 (05:10 -0400)]
tool_cb_wrt: fix invalid unicode for windows console
- Suppress an incomplete UTF-8 sequence at the end of the buffer.
- Attempt to reconstruct incomplete UTF-8 sequence from prior call(s)
in current call.
Prior to this change, in Windows console UTF-8 sequences split between
two or more calls to the write callback would cause invalid "replacement
characters" U+FFFD to be printed instead of the actual Unicode
character. This is because in Windows only UTF-16 encoded characters are
printed to the console, therefore we convert the UTF-8 contents to
UTF-16, which cannot be done with partial UTF-8 sequences.
Reported-by: Maksim Arhipov
Fixes https://github.com/curl/curl/issues/9841
Closes https://github.com/curl/curl/pull/10890
Daniel Stenberg [Mon, 31 Jul 2023 09:01:51 +0000 (11:01 +0200)]
sectransp: prevent CFRelease() of NULL
When SecCertificateCopyCommonName() returns NULL, the common_name
pointer remains set to NULL which apparently when calling CFRelease() on
(sometimes?) crashes.
`u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-terminator.
```
==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 at pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
READ of size 78 at 0x04d48c75 thread T0
#0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
#1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_party\curl\lib\strdup.c:97
#2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1297
#3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1342
#4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1790
#5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:1768
#6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3403
#7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3888
#8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:1982
#9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:2756
```
Daniel Stenberg [Mon, 31 Jul 2023 09:50:28 +0000 (11:50 +0200)]
tool: add "variable" support
Add support for command line variables. Set variables with --variable
name=content or --variable name@file (where "file" can be stdin if set
to a single dash (-)).
Variable content is expanded in option parameters using "{{name}}"
(without the quotes) if the option name is prefixed with
"--expand-". This gets the contents of the variable "name" inserted, or
a blank if the name does not exist as a variable. Insert "{{" verbatim
in the string by prefixing it with a backslash, like "\\{{".
Import an environment variable with --variable %name. It makes curl exit
with an error if the environment variable is not set. It can also rather
get a default value if the variable does not exist, using =content or
@file like shown above.
Example: get the USER environment variable into the URL:
When expanding variables, curl supports a set of functions that can make
the variable contents more convenient to use. It can trim leading and
trailing white space with "trim", output the contents as a JSON quoted
string with "json", URL encode it with "url" and base 64 encode it with
"b64". To apply functions to a variable expansion, add them colon
separated to the right side of the variable. They are then performed in
a left to right order.
Example: get the contents of a file called $HOME/.secret into a variable
called "fix". Make sure that the content is trimmed and percent-encoded
sent as POST data:
Patrick Monnerat [Tue, 15 Nov 2022 16:50:22 +0000 (17:50 +0100)]
configure, cmake, lib: more form api deprecation
Introduce a --enable-form-api configure option to control its inclusion
in builds. The condition name defined for it is CURL_DISABLE_FORM_API.
Form api code is dependent of MIME: configure and CMake handle this
dependency automatically: CMake by making it a dependent option
explicitly, configure by inheriting the MIME value by default and
rejecting explicit incompatible values.
"form-api" is now a new hidden test feature.
Update libcurl modules to respect this option and adjust tests
accordingly.
Ryan Schmidt [Tue, 25 Jul 2023 09:32:59 +0000 (04:32 -0500)]
macOS: fix target detection more
Now SCDynamicStoreCopyProxies is called (and the required frameworks are
linked in) on all versions of macOS and only on macOS. Fixes crash due
to undefined symbol when built with the macOS 10.11 SDK or earlier.
CURL_OSX_CALL_COPYPROXIES is renamed to CURL_MACOS_CALL_COPYPROXIES and
is now only defined when SCDynamicStoreCopyProxies will actually be
called. Previously, it was defined when ENABLE_IPV6 was not defined but
SCDynamicStoreCopyProxies is not called in that case.
TARGET_OS_OSX is only defined in the macOS 10.12 SDK and later and only
when dynamic targets are enabled. TARGET_OS_MAC is always defined but
means any Mac OS or derivative including macOS, iOS, tvOS, and watchOS.
TARGET_OS_IPHONE means any Darwin OS other than macOS.
Windows does not guarantee a particular certificate ordering, even
though TLS may have its own ordering/relationship guarantees. Recent
versions of Windows 11 reversed the ordering of ceritifcates returned by
CertEnumCertificatesInStore, therefore this commit no longer works as
initially intended. libcurl makes no guarantees about certificate
ordering if the operating system can't.
- Check for zlib static library name zlibstatic.lib.
zlib's static library has a different name depending on how it was
built. zlibstatic.lib is output by cmake. zlibstat.lib is output by
their pre-generated Visual Studio project files (in the contrib
directory) and defines ZLIB_WINAPI (ie it's meant to use stdcall
instead of cdecl if you end up exporting the zlib functions).
Prior to this change the makefile only checked for the latter.
Viktor Szakats [Thu, 22 Jun 2023 09:24:37 +0000 (09:24 +0000)]
cmake: support building static and shared libcurl in one go
This patch adds the ability to build a static and shared libcurl library
in a single build session. It also adds an option to select which one to
use when building the curl executable.
New build options:
- `BUILD_STATIC_LIBS`. Default: `OFF`.
Enabled automatically if `BUILD_SHARED_LIBS` is `OFF`.
- `BUILD_STATIC_CURL`. Default: `OFF`.
Requires `BUILD_STATIC_LIBS` enabled.
Enabled automatically if building static libcurl only.
- `STATIC_LIB_SUFFIX`. Default: empty.
- `IMPORT_LIB_SUFFIX`. Default: `_imp` if implib filename would collide
with static lib name (typically with MSVC) in Windows builds.
Otherwise empty.
Also:
- Stop setting the `CURL_STATICLIB` macro via `curl_config.h`, and pass
it directly to the compiler. This also allows to delete a condition
from `tests/server/CMakeLists.txt`.
- Complete a TODO by following the logic used in autotools (also for
`LIBCURL_NO_SHARED`), and set `-DCURL_STATICLIB` in `Cflags:` of
`libcurl.pc` for _static-only_ curl builds.
- Convert an existing CI test to build both shared and static libcurl.
Stefan Eissing [Thu, 27 Jul 2023 12:26:39 +0000 (14:26 +0200)]
CI: quiche updates
- remove quiche from standard `linux` workflow
- add mod_h2 caching to quiche workflow
- rename quiche to quiche-linux
- move version definitions into env section
- not clear how this triggers and it blocks OSSFuzz testing other
things. Since we handle the case with an error return, disabling the
assertion for now seems the best way forward.
Stefan Eissing [Thu, 27 Jul 2023 10:59:03 +0000 (12:59 +0200)]
http2: fix in h2 proxy tunnel: progress in ingress on sending
- depending on what is tunneled, the proxy may never get invoked for
receiving data explicitly. Not progressing ingress may lead to stalls
due to missed WINDOW_UPDATEs.
Stefan Eissing [Mon, 24 Jul 2023 13:38:04 +0000 (15:38 +0200)]
http: VLH, very large header test and fixes
- adding tests using very large passwords in auth
- fixes general http sending to treat h3 like h2, and
not like http1.1
- eliminate H2_HEADER max definitions and use the commmon
DYN_HTTP_REQUEST everywhere, different limits do not help
- fix http2 handling of requests denied by nghttp2 on send
to immediately report the refused stream
Andrei Rybak [Sun, 23 Jul 2023 21:33:45 +0000 (23:33 +0200)]
CONTRIBUTE: drop mention of copyright year ranges
Year ranges in copyrights were dropped in commits [1] and [2].
Verification of year ranges in copyrights was dropped from script
'scripts/copyright.pl' in commit [3]. However, the corresponding
passages in file 'docs/CONTRIBUTE.md' weren't updated.
Drop mentions of copyright year ranges from 'docs/CONTRIBUTE.md'.
[1] 2bc1d775f (copyright: update all copyright lines and remove year
ranges, 2023-01-02)
[2] c46761bd8 (tests/http: remove year ranges from copyrights,
2023-03-14)
[3] 0e293bacb (copyright.pl: cease doing year verifications, 2023-01-28)
Andrei Rybak [Sun, 23 Jul 2023 21:32:45 +0000 (23:32 +0200)]
CONTRIBUTE: fix syntax in commit message description
File 'docs/CONTRIBUTE.md' includes a description of how one should write
commit messages in the curl project. Different possible parts of the
message are enclosed in square brackets. One exception is the section
describing how the curl project doesn't use "Signed-off-by" commit
trailers [1], which is enclosed in an opening curly brace paired with a
closing square bracket.
Fix the enclosing square brackets in description of "Signed-off-by"
trailers in commit messages in file 'docs/CONTRIBUTE.md'.
[1] See description of option '--signoff' in Git documentation:
https://git-scm.com/docs/git-commit
These custom `unit1394_LDADD` and similar automake overrides are no
longer neded. They were originally added by added by [8dac7be][] for
metalink support, but are no longer after [265b14d][] removed metalink.
cmake: add `libcurlu`/`libcurltool` for unit tests
Add a `libcurlu`/`libcurltool` static library that is compiled only for
unit tests. We use `EXCLUDE_FROM_ALL` to make sure that they're not
built by default, they're only built if unit tests are built.
These libraries allow us to compile every unit test with CMake.
Jon Rumsey [Wed, 19 Jul 2023 13:49:34 +0000 (14:49 +0100)]
os400: correct EXPECTED_STRING_LASTZEROTERMINATED
Correct EXPECTED_STRING_LASTZEROTERMINATED to account for
CURLOPT_HAPROXY_CLIENT_IP which requires EBCDIC to ASCII conversion when
passed into curl_easy_setopt().
The updated Curl_http_req_make and Curl_http_req_make2 functions spawned
a parameter called m_len. The AmigaOS networking headers, derived from
NetBSD, contain "#define m_len m_hdr.mh_len" which clashes with
this. Since we do not actually use mbuf, force the include file to be
ignored, removing the clash.
cfilters: rename close/connect functions to avoid clashes
Rename `close` and `connect` in `struct Curl_cftype` for
consistency and to avoid clashes with macros of the same name
(the standard AmigaOS networking connect() function is implemented
via a macro).
Stefan Eissing [Thu, 20 Jul 2023 11:08:00 +0000 (13:08 +0200)]
http2: fix regression on upload EOF handling
- a regression introduced by c9ec85121110d7cbbbed2990024222c8f5b8afe5
where optimization of small POST bodies leads to a new code path
for such uploads that did not trigger the "done sending" event
- add triggering this event for early "upload_done" situations
Fixes #11485
Closes #11487 Reported-by: Aleksander Mazur
Stefan Eissing [Wed, 19 Jul 2023 08:42:07 +0000 (10:42 +0200)]
quiche: fix segfault and other things
- refs #11449 where a segfault is reported when IP Eyeballing did
not immediately connect but made several attempts
- The transfer initiating the eyeballing was initialized too early,
leadding to references to the filter instance that was then
replaced in the subsequent eyeball attempts. That led to a use
after free in the buffer handling for the transfer
- transfers are initiated now more lazy (like in the ngtcp2 filter),
when the stream is actually opened
- suppress reporting on quiche event errors for "other" transfers
than the current one to not fail a transfer due to faults in
another one.
- revert recent return value handling for quiche_h3_recv_body()
to not indicate an error but an EAGAIN situation. We wish quiche
would document what functions return.
Stefan Eissing [Tue, 18 Jul 2023 15:37:58 +0000 (17:37 +0200)]
quiche: fix lookup of transfer at multi
- refs #11449 where weirdness in quiche multi connection tranfers was
observed
- fixes lookup of transfer for a quiche event to take the connection
into account
- formerly, a transfer with the same stream_id, but on another connection
could be found
projects / thirdparty / curl.git / log
