Daniel Stenberg [Thu, 27 Feb 2020 10:06:14 +0000 (11:06 +0100)]
Curl_is_ASCII_name: handle a NULL argument
Make the function tolerate a NULL pointer input to avoid dereferencing
that pointer.
Follow-up to efce3ea5a85126d
Detected by OSS-Fuzz Reviewed-By: Steve Holme
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20907
Fixes #4985
Closes #4986
Daniel Stenberg [Thu, 27 Feb 2020 08:42:11 +0000 (09:42 +0100)]
http2: make pausing/unpausing set/clear local stream window
This reduces the HTTP/2 window size to 32 MB since libcurl might have to
buffer up to this amount of data in memory and yet we don't want it set
lower to potentially impact tranfer performance on high speed networks.
Requires nghttp2 commit b3f85e2daa629
(https://github.com/nghttp2/nghttp2/pull/1444) to work properly, to end
up in the next release after 1.40.0.
Previously, it was not possible to get a known hosts file entry due to
the lack of an API. ssh_session_get_known_hosts_entry(), introduced in
libssh-0.9.0, allows libcurl to obtain such information and behave the
same as when compiled with libssh2.
This also tries to avoid the usage of deprecated functions when the
replacements are available. The behaviour will not change if versions
older than libssh-0.8.0 are used.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Fixes #4953
Closes #4962
Steve Holme [Sun, 23 Feb 2020 08:20:32 +0000 (08:20 +0000)]
tests: Automatically deduce the tool name from the test case for unit tests
It is still possible to override the executable to run during the test,
using the <tool> tag, but this patch removes the requirement that the
tag must be present for unit tests.
It also removes the possibility of human error when existing test cases
are used as the basis for new tests, as recently witnessed in 81c37124.
Daniel Stenberg [Wed, 26 Feb 2020 21:48:09 +0000 (22:48 +0100)]
http: added 417 response treatment
When doing a request with a body + Expect: 100-continue and the server
responds with a 417, the same request will be retried immediately
without the Expect: header.
Added test 357 to verify.
Also added a control instruction to tell the sws test server to not read
the request body if Expect: is present, which the new test 357 uses.
Reported-by: bramus on github
Fixes #4949
Closes #4964
Steve Holme [Thu, 13 Feb 2020 22:39:28 +0000 (22:39 +0000)]
smtp: Support the SMTPUTF8 extension in the RCPT TO command
Note: The RCPT TO command isn't required to advertise to the server that
it contains UTF-8 characters, instead the server is told that a mail may
contain UTF-8 in any envelope command via the MAIL command.
Steve Holme [Thu, 13 Feb 2020 20:59:36 +0000 (20:59 +0000)]
smtp: Support the SMTPUTF8 extension in the MAIL command
Support the SMTPUTF8 extension when sending mailbox information in the
MAIL command (FROM and AUTH parameters). Non-ASCII domain names will
be ACE encoded, if IDN is supported, whilst non-ASCII characters in
the local address part are passed to the server.
Steve Holme [Mon, 10 Feb 2020 20:50:50 +0000 (20:50 +0000)]
ftpserver: Corrected the e-mail address regex in MAIL_smtp() and RCTP_smtp()
The dot character between the host and the tld was not being escaped,
which meant it specified a match of 'any' character rather than an
explicit dot separator.
Additionally removed the dot character from the host name as it allowed
the following to be specified as a valid address in our test cases:
I can't remember whether my intention was to allow sub-domains to be
specified in the host or not with these additional dots, but by placing
it outside of the host means it can only be specified once per domain
and by placing a + after the new grouping support for sub-domains is
kept.
Steve Holme [Thu, 20 Feb 2020 18:55:55 +0000 (18:55 +0000)]
md4: Fixed compilation issues when using GNU TLS gcrypt
* Don't include 'struct' in the gcrypt MD4_CTX typedef
* The call to gcry_md_read() should use a dereferenced ctx
* The call to gcry_md_close() should use a dereferenced ctx
Additional minor whitespace issue in the USE_WIN32_CRYPTO code.
jethrogb [Thu, 20 Feb 2020 19:36:25 +0000 (20:36 +0100)]
GnuTLS: Always send client cert
TLS servers may request a certificate from the client. This request
includes a list of 0 or more acceptable issuer DNs. The client may use
this list to determine which certificate to send. GnuTLS's default
behavior is to not send a client certificate if there is no
match. However, OpenSSL's default behavior is to send the configured
certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL
behavior.
Authored-by: jethrogb on github
Fixes #1411
Closes #4958
Daniel Stenberg [Tue, 18 Feb 2020 13:23:04 +0000 (14:23 +0100)]
HTTP-COOKIES: mention that a trailing newline is required
... so that we know we got the whole and not a partial line.
Also, changed the formatting of the fields away from a table again since
the table format requires a github-markdown tool version that we don't
run on the web server atm.
Jay Satiro [Fri, 24 Jan 2020 08:34:52 +0000 (03:34 -0500)]
tool_util: Improve Windows version of tvnow()
- Change tool_util.c tvnow() for Windows to match more closely to
timeval.c Curl_now().
- Create a win32 init function for the tool, since some initialization
is required for the tvnow() changes.
Prior to this change the monotonic time function used by curl in Windows
was determined at build-time and not runtime. That was a problem because
when curl was built targeted for compatibility with old versions of
Windows (eg _WIN32_WINNT < 0x0600) it would use GetTickCount which wraps
every 49.7 days that Windows has been running.
This change makes curl behave similar to libcurl's tvnow function, which
determines at runtime whether the OS is Vista+ and if so calls
QueryPerformanceCounter instead. (Note QueryPerformanceCounter is used
because it has higher resolution than the more obvious candidate
GetTickCount64). The changes to tvnow are basically a copy and paste but
the types in some cases are different.
Jay Satiro [Wed, 29 Jan 2020 08:23:55 +0000 (03:23 -0500)]
tool_homedir: Change GetEnv() to use libcurl's curl_getenv()
- Deduplicate GetEnv() code.
- On Windows change ultimate call to use Windows API
GetEnvironmentVariable() instead of C runtime getenv().
Prior to this change both libcurl and the tool had their own GetEnv
which over time diverged. Now the tool's GetEnv is a wrapper around
curl_getenv (libcurl API function which is itself a wrapper around
libcurl's GetEnv).
Furthermore this change fixes a bug in that Windows API
GetEnvironmentVariable() is called instead of C runtime getenv() to get
the environment variable since some changes aren't always visible to the
latter.
Reported-by: Christoph M. Becker
Fixes https://github.com/curl/curl/issues/4774
Closes https://github.com/curl/curl/pull/4863
Jay Satiro [Sun, 9 Feb 2020 08:15:13 +0000 (03:15 -0500)]
multi: fix outdated comment
- Do not say that conn->data is "cleared" by multi_done().
If the connection is in use then multi_done assigns another easy handle
still using the connection to conn->data, therefore in that case it is
not cleared.
Steve Holme [Sun, 9 Feb 2020 15:50:57 +0000 (15:50 +0000)]
smtp: Simplify the MAIL command and avoid a duplication of send strings
This avoids the duplication of strings when the optional AUTH and SIZE
parameters are required. It also assists with the modifications that
are part of #4892.
Daniel Stenberg [Sun, 9 Feb 2020 14:28:03 +0000 (15:28 +0100)]
altsvc: keep a copy of the file name to survive handle reset
The alt-svc cache survives a call to curl_easy_reset fine, but the file
name to use for saving the cache was cleared. Now the alt-svc cache has
a copy of the file name to survive handle resets.
Steve Holme [Fri, 7 Feb 2020 16:51:09 +0000 (16:51 +0000)]
checksrc.bat: Fix not being able to run script from the main curl directory
If the script was ran from the main curl directory rather then the
projects directory then the script would simply exit without error:
C:\url> projects\checksrc.bat
The user would either need to change to the projects directory,
explicitly specify the current working directory, or perform a
oneline hacky workaround:
digest: Do not quote algorithm in HTTP authorisation
RFC 7616 section 3.4 (The Authorization Header Field) states that "For
historical reasons, a sender MUST NOT generate the quoted string syntax
for the following parameters: algorithm, qop, and nc". This removes the
quoting for the algorithm parameter.
Harry Sintonen [Tue, 4 Feb 2020 04:21:58 +0000 (06:21 +0200)]
altsvc: improved header parser
- Fixed the flag parsing to apply to specific alternative entry only, as
per RFC. The earlier code would also get totally confused by
multiprotocol header, parsing flags from the wrong part of the header.
- Fixed the parser terminating on unknown protocols, instead of skipping
them.
- Fixed a busyloop when protocol-id was present without an equal sign.
Dan Fandrich [Mon, 3 Feb 2020 11:27:30 +0000 (12:27 +0100)]
cirrus: Add some missing semicolons
Newlines aren't preserved in this section so they're needed to separate
commands. The exports luckily worked anyway as a single long line, but
erroneously exported a variable called "export"
[skip ci]
projects / thirdparty / curl.git / log
