Daniel Stenberg [Thu, 27 Oct 2022 11:40:06 +0000 (13:40 +0200)]
curl: timeout in the read callback
The read callback can timeout if there's nothing to read within the
given maximum period. Example use case is when doing "curl -m 3
telnet://example.com" or anything else that expects input on stdin or
similar that otherwise would "hang" until something happens and then not
respect the timeout.
This fixes KNOWN_BUG 8.1, first filed in July 2009.
jonrumsey [Thu, 27 Oct 2022 10:47:02 +0000 (11:47 +0100)]
os400: use platform socklen_t in Curl_getnameinfo_a
Curl_getnameinfo_a() is prototyped before including curl.h as an
ASCII'fied wrapper for getnameinfo(), which itself is prototyped with
socklen_t arguments, so this should use the platform socklen_t and not
curl_socklen_t too.
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`
Viktor Szakats [Thu, 27 Oct 2022 06:45:32 +0000 (06:45 +0000)]
windows: fix linking .rc to shared curl with autotools
`./configure --enable-shared --disable-static` fails when trying to link
a shared `curl.exe`, due to `libtool` magically changing the output
filename of `windres` to one that it doesn't find when linking:
Let's resolve this by skipping `libtool` and calling `windres` directly
when building `src` (aka `curl.exe`). Leave `lib` unchanged, as it does
need the `libtool` magic. This solution is compatible with building
a static `curl.exe`.
This build scenario is not CI-tested.
While here, delete an obsolete comment about a permanent `libtool`
warning that we've resolved earlier.
Viktor Szakats [Wed, 26 Oct 2022 09:56:52 +0000 (09:56 +0000)]
cmake: really enable warnings with clang
Even though `PICKY_COMPILER=ON` is the default, warnings were not
enabled when using llvm/clang, because `CMAKE_COMPILER_IS_CLANG` was
always false (in my tests at least).
This is the single use of this variable in curl, and in a different
place we already use `CMAKE_C_COMPILER_ID MATCHES "Clang"`, which works
as expected, so change the condition to use that instead.
Also fix the warnings uncovered by the above:
- lib: add casts to silence clang warnings
- schannel: add casts to silence clang warnings in ALPN code
Assuming the code is correct, solve the warnings with a cast.
This particular build case isn't CI tested.
There is a chance the warning is relevant for some platforms, perhaps
Windows 32-bit ARM7.
Joel Depooter [Wed, 26 Oct 2022 00:12:30 +0000 (17:12 -0700)]
sendf: remove unnecessary if condition
At this point, the psnd->buffer will always exist. We have already
allocated a new buffer if one did not previously exist, and returned
from the function if the allocation failed.
Viktor Szakats [Wed, 26 Oct 2022 09:43:50 +0000 (09:43 +0000)]
winidn: drop WANT_IDN_PROTOTYPES
`WANT_IDN_PROTOTYPES` was necessary to avoid using a header that came
via an optional package. MS stopped distributing this package some
years ago and the winidn definitions are part of standard headers (via
`windows.h`) since Vista.
Auto-detect Vista inside `lib/idn_win32.c` and enable the manual
definitions if building for an older Windows.
This allows to delete this manual knob from all build-systems.
Also drop the `_SAL_VERSION` sub-case:
Our manual definitions are now only enabled with old systems. We assume
that code analysis is not run on such systems, allowing us to delete the
SAL-friendly flavour of these.
When checking for invalid octets the strcspn() call will return the
position of the first found invalid char or the first NULL byte.
This means that we can check the indicated position in the search-
string saving a strlen() call.
Closes: #9736 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Viktor Szakats [Sat, 22 Oct 2022 23:21:03 +0000 (23:21 +0000)]
Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip]
- Reintroduce `CROSSPREFIX`:
If set, we add it to the `CC` and `AR` values, and to the _default_
value of `RC`, which is `windres`. This allows to control each of
these individidually, while also allowing to simplify configuration
via `CROSSPREFIX`.
This variable worked differently earlier. Hopefully this new solution
hits a better compromise in usefulness/complexity/flexibility.
This time with an option to override it via `CFLAGS`. Warnings are
also enabled by default in CMake, `makefile.dj` and `makefile.amiga`
builds (not in autotools though).
Daniel Stenberg [Fri, 21 Oct 2022 07:41:54 +0000 (09:41 +0200)]
urlapi: remove two variable assigns
To please scan-build:
urlapi.c:1163:9: warning: Value stored to 'qlen' is never read
qlen = Curl_dyn_len(&enc);
^ ~~~~~~~~~~~~~~~~~~
urlapi.c:1164:9: warning: Value stored to 'query' is never read
query = u->query = Curl_dyn_ptr(&enc);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Joel Depooter [Tue, 18 Oct 2022 05:56:18 +0000 (22:56 -0700)]
schannel: Don't reset recv/send function pointers on renegotiation
These function pointers will have been set when the initial TLS
handshake was completed. If they are unchanged, there is no need to set
them again. If they have been changed, as is the case with HTTP/2, we
don't want to override that change. That would result in the
http22_recv/send functions being completely bypassed.
Prior to this change a connection that uses Schannel with HTTP/2 would
fail on renegotiation with error "Received HTTP/0.9 when not allowed".
Daniel Stenberg [Tue, 18 Oct 2022 08:39:43 +0000 (10:39 +0200)]
cmdline/docs: add a required 'multi' keyword for each option
The keyword specifies how option works when specified multiple times:
- single: the last provided value replaces the earlier ones
- append: it supports being provided multiple times
- boolean: on/off values
- mutex: flag-like option that disable anoter flag
The 'gen.pl' script then outputs the proper and unified language for
each option's multi-use behavior in the generated man page.
The multi: header is requires in each .d file and will cause build error
if missing or set to an unknown value.
Daniel Stenberg [Mon, 17 Oct 2022 15:56:26 +0000 (17:56 +0200)]
mprintf: reject two kinds of precision for the same argument
An input like "%.*1$.9999d" would first use the precision taken as an
argument *and* then the precision specified in the string, which is
confusing and wrong. pass1 will now instead return error on this double
use.
Daniel Stenberg [Sun, 16 Oct 2022 10:58:55 +0000 (12:58 +0200)]
libssh: if sftp_init fails, don't get the sftp error code
This flow extracted the wrong code (sftp code instead of ssh code), and
the code is sometimes (erroneously) returned as zero anyway, so skip
getting it and set a generic error.
Reported-by: David McLaughlin
Fixes #9737
Closes #9740
Viktor Szakats [Fri, 14 Oct 2022 19:06:37 +0000 (19:06 +0000)]
cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows
`lib/config-win32.h` enables this configuration option unconditionally.
Make it apply to CMake builds as well.
While here, delete a broken check for
`HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with
the initial commit [1], but did not include the actual verification code
inside `CMake/CurlTests.c`, so it always failed. A later commit [2]
added a second test, for non-Windows platforms.
Enabling this flag causes test 1056 to fail with CMake builds, as they
do with autotools builds. Let's apply the same solution and ignore the
results here as well.
Viktor Szakats [Fri, 14 Oct 2022 18:19:09 +0000 (18:19 +0000)]
cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows
autotools enables this configuration option unconditionally for Windows
[^1]. Do the same in CMake.
The above will make this work for all reasonably recent environments.
The logic present in `lib/config-win32.h` [^2] has the following
exceptions which we did not cover in this CMake update:
- Builds targeting Windows 2000 and earlier
- MS Visual C++ 5.0 (1997) and earlier
Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't
set, to avoid a broken build. We might want to handle that in the C
sources in a future commit.
Viktor Szakats [Fri, 14 Oct 2022 18:06:30 +0000 (18:06 +0000)]
cmake: sync HAVE_SIGNAL detection with autotools
`HAVE_SIGNAL` means the availability of the `signal()` function in
autotools, while in CMake it meant the availability of that function
_and_ the symbol `SIGALRM`.
The latter is not available on Windows, but the function is, which means
on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not,
introducing a slight difference into the binaries.
This patch syncs CMake behaviour with autotools to look for the function
only.
The logic came with the initial commit adding CMake support to curl, so
the commit history doesn't reveal the reason behind it. In any case,
it's best to check the existence of `SIGALRM` directly in the source
before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and
`SIGALRM` missing.
Viktor Szakats [Fri, 14 Oct 2022 17:31:19 +0000 (17:31 +0000)]
cmake: delete duplicate HAVE_GETADDRINFO test
A custom `HAVE_GETADDRINFO` check came with the initial CMake commit
[1]. A later commit [2] added a standard check for it as well. The
standard check run before the custom one, so CMake ignored the latter.
The custom check was also non-portable, so this patch deletes it in
favor of the standard check.
Daniel Stenberg [Wed, 5 Oct 2022 07:12:39 +0000 (09:12 +0200)]
cookie: reject cookie names or content with TAB characters
TABs in name and content seem allowed by RFC 6265: "the algorithm strips
leading and trailing whitespace from the cookie name and value (but
maintains internal whitespace)"
Cookies with TABs in the names are rejected by Firefox and Chrome.
TABs in content are stripped out by Firefox, while Chrome discards the
whole cookie.
TABs in cookies also cause issues in saved netscape cookie files.
Reported-by: Trail of Bits
URL: https://curl.se/mail/lib-2022-10/0032.html
URL: https://github.com/httpwg/http-extensions/issues/2262
- `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both
the `signal()` function and the `SIGALRM` macro are found. In
autotools and this header, it means the function only. For the
function alone, CMake uses `HAVE_SIGNAL_FUNC`.
Daniel Stenberg [Thu, 13 Oct 2022 10:00:09 +0000 (12:00 +0200)]
tool_paramhelp: asserts verify maximum sizes for string loading
The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest
strings accepted when loading files into memory, but as the size is
later used as input to functions that take the size as 'int' as
argument, the sizes must not be larger than INT_MAX.
These two new assert()s make the code error out if someone would bump
the sizes without this consideration.
Daniel Stenberg [Thu, 13 Oct 2022 09:30:16 +0000 (11:30 +0200)]
http: try parsing Retry-After: as a number first
Since the date parser allows YYYYMMDD as a date format (due to it being
a bit too generic for parsing this particular header), a large integer
number could wrongly match that pattern and cause the parser to generate
a wrong value.
No date format accepted for this header starts with a decimal number, so
by reversing the check and trying a number first we can deduct that if
that works, it was not a date.
Viktor Szakats [Wed, 12 Oct 2022 14:19:09 +0000 (14:19 +0000)]
tidy-up: delete unused HAVE_STRUCT_POLLFD
It was only defined in `lib/config-win32.h`, when building for Vista.
It was only used in `select.h`, in a condition that also included a
check for `POLLIN` which is a superior choice for this detection and
which was already used by cmake and autotools builds.
Viktor Szakats [Tue, 11 Oct 2022 21:16:00 +0000 (21:16 +0000)]
Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip]
This patch aimed to fix a regression [0], where `CC` initialization
moved beyond its first use. But, on closer inspection it turned out that
the `CC` initialization does not work as expected due to GNU Make
filling it with `cc` by default. So unless implicit values were
explicitly disabled via a GNU Make option, the default value of
`$CROSSPREFIX` + `gcc` was never used. At the same time the implicit
value `cc` maps to `gcc` in (most/all?) MinGW envs.
`AR` has the same issue, with a default value of `ar`.
We could reintroduce a separate variable to fix this without ill
effects, but for simplicity and flexibility, it seems better to drop
support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and
require the caller to initialize `CC`, `AR` and `RC` to the full
(prefixed if necessary) names of these tools, as desired.
We keep `RC ?= windres` because `RC` is empty by default.
Viktor Szakats [Tue, 11 Oct 2022 21:05:44 +0000 (21:05 +0000)]
smb: replace CURL_WIN32 with WIN32
PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the
`CURL_WIN32` macro, but that one is not defined here, while compiling
curl itself. This patch changes this to `WIN32`, assuming this was the
original intent.
Matthias Gatto [Thu, 13 Jan 2022 14:53:52 +0000 (15:53 +0100)]
aws_sigv4: fix header computation
Handle canonical headers and signed headers creation as explained here:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
The algo tells that signed and canonical must contain at last host and
x-amz-date.
So we check whatever thoses are present in the curl http headers list.
If they are, we use the one enter by curl user, otherwise we generate
them. then we to lower, and remove space from each http headers plus
host and x-amz-date, then sort them all by alphabetical order.
This patch also fix a bug with host header, which was ignoring the port.
Dustin Howett [Thu, 25 Aug 2022 00:20:43 +0000 (19:20 -0500)]
schannel: when importing PFX, disable key persistence
By default, the PFXImportCertStore API persists the key in the user's
key store (as though the certificate was being imported for permanent,
ongoing use.)
The documentation specifies that keys that are not to be persisted
should be imported with the flag PKCS12_NO_PERSIST_KEY.
NOTE: this flag is only supported on versions of Windows newer than XP
and Server 2003.
--
This is take 2 of the original fix. It extends the lifetime of the
client certificate store to that of the credential handle. The original
fix which landed in 70d010d and was later reverted in aec8d30 failed to
work properly because it did not do that.
Minor changes were made to the schannel credential context to support
closing the client certificate store handle at the end of an SSL session.
projects / thirdparty / curl.git / log
