Daniel Stenberg [Mon, 17 May 2021 06:54:00 +0000 (08:54 +0200)]
conn: add 'attach' to protocol handler, make libssh2 use it
The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a connection gets
attached to a transfer, the protocol handler now allows for a custom
function to get used to set things up correctly.
Reported-by: Michael O'Farrell
Fixes #6898
Closes #7078
Marc Hoersken [Sat, 15 May 2021 18:54:57 +0000 (20:54 +0200)]
CI/cirrus: add shared and static Windows release builds
Azure Pipelines is currently being used for debug builds,
let's also run some non-debug (release) Windows builds and
make use of previously underutilized Cirrus CI for that.
Some of the time, we get a HYPER_TASK_EMPTY response before the status
line, headers, and body have been read. Previously, that would cause us
to poll again, leading to a 1 second timeout.
The HYPER_TASK_EMPTY docs say:
The value of this task is null (does not imply an error).
So, if we receive a HYPER_TASK_EMPTY, continue on with processing the
response.
Joel Depooter [Wed, 12 May 2021 02:45:59 +0000 (19:45 -0700)]
schannel: Ensure the security context request flags are always set
As of commit 54e7475, these flags would only be set when using a new
credential handle. When re-using an existing credential handle, the
flags would not be set.
Daniel Stenberg [Tue, 11 May 2021 07:49:31 +0000 (09:49 +0200)]
hostip: remove the debug code for LocalHost
The Curl_resolv() had special code (when built in debug mode) for when
resolving the host name "LocalHost" (using that exact casing). It would
then get the host name from the --interface option instead.
This development-only feature was not used by anything (anymore) and we
have the --resolve feature if we want to play similar tricks properly
going forward.
Writing the cookie file has multiple error conditions, and was using an
int with magic numbers to report the different error (which in turn were
disregarded anyways). This moves reporting to use a CURLcode value.
Lightly-touched-by: Daniel Stenberg
Closes #7037
Closes #6749
strstore() is defined as a strdup which ensures to free the target
pointer before duping the source char * into it. Make use of it in
two more cases where it can simplify the code.
Comments in the cookie code were a bit all over the place in terms of
style and wording. This takes a stab at cleaning them up by keeping to
a single style and overall shape. Some comments are moved a little and
some removed alltogether due to being redundant. No functional changes
have been made,
Peng-Yu Chen [Mon, 10 May 2021 22:05:36 +0000 (23:05 +0100)]
http2: skip immediate parsing of payload following protocol switch
This is considered not harmful as a following http2_recv shall be
called very soon.
This is considered helpful in the specific situation where some
servers (e.g. nghttpx v1.43.0) may fulfill stream 1 immediately
following the return of HTTP status 101, other than waiting for
the client-side connection preface to arrive.
Daniel Stenberg [Sat, 8 May 2021 09:10:22 +0000 (11:10 +0200)]
travis: disable the libssh build
It can't run on focal and causes warnings on bionic. Since the focal
failure started rather suddenly a while ago, we can suspect it might be
temporary.
Added "bring back the build" to the TODO document.
Peng-Yu Chen [Fri, 7 May 2021 23:35:45 +0000 (00:35 +0100)]
http: use calculated offsets inst of integer literals for header parsing
Assumed to be a minor coding style improvement with no behavior change.
A modern compiler is expected to have the calculation optimized during
compilation. It may be deemed okay even if that's not the case, since
the added overhead is considered very low.
Daniel Stenberg [Thu, 6 May 2021 08:25:56 +0000 (10:25 +0200)]
http: limit the initial send amount to used upload buffer size
Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer has been set, this
function can benefit from sending more bytes. With default size used,
this does the same as before.
Also changed the storage of the size to an 'unsigned int' as it is not
allowed to be set larger than 2M.
Also added cautions to the man pages about changing buffer sizes in
run-time.
Daniel Stenberg [Wed, 5 May 2021 09:07:40 +0000 (11:07 +0200)]
curl_mprintf.3: add description
These functions have existed in the API since the dawn of time. It is
about time we describe how they work, even if we discourage users from
using them.
Timothy Gu [Thu, 6 May 2021 18:22:57 +0000 (14:22 -0400)]
URL-SYNTAX: update IDNA section for WHATWG spec changes
WHATWG URL has dictated the use of Nontransitional Processing (IDNA
2008) for several years now. Chrome (and derivatives) still use
Transitional Processing, but Firefox and Safari have both switched.
Also document the fact that winidn functions differently from libidn2
here.
Kamil Dudka [Thu, 6 May 2021 12:26:58 +0000 (14:26 +0200)]
tool_getparam: handle failure of curlx_convert_tchar_to_UTF8()
Reported by GCC analyzer:
Error: GCC_ANALYZER_WARNING (CWE-476):
src/tool_getparam.c: scope_hint: In function 'parse_args'
src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
lib/curlx.h:56: included_from: Included from here.
src/tool_getparam.c:28: included_from: Included from here.
lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
Reviewed-by: Marcel Raad Reviewed-by: Daniel Stenberg
Closes #7023
Daniel Stenberg [Tue, 4 May 2021 11:34:14 +0000 (13:34 +0200)]
gnutls: make setting only the MAX TLS allowed version work
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!
As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614fb0242cb).
Reported-by: Daniel Carpenter
Fixes #6998
Closes #7000
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
and Secure Transport (Apple) SSL backends.
Prior to this change PEM certificates could only be imported from a file
and not from memory.
David Cook [Tue, 4 May 2021 00:29:40 +0000 (19:29 -0500)]
tests: ignore case of chunked hex numbers in tests
When hyper is used, it emits uppercase hexadecimal numbers for chunked
encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
This change adds preprocessor statements to tests where this is an
issue, and adapts the fixtures to match.
Daniel Stenberg [Mon, 3 May 2021 11:21:15 +0000 (13:21 +0200)]
libssh2: ignore timeout during disconnect
... to avoid memory leaks!
libssh2 is tricky as we have to deal with the non-blockiness even in
close and shutdown cases. In the cases when we shutdown after a timeout
already expired, it is crucial that curl doen't let the timeout abort
the shutdown process as that then leaks memory!
ejanchivdorj [Thu, 11 Mar 2021 07:50:13 +0000 (23:50 -0800)]
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT
Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Kevin Burke [Mon, 26 Apr 2021 22:04:02 +0000 (15:04 -0700)]
c-hyper: don't write to set.writeheader if null
Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
the data->set.writeheader header buffer, even though it is null. This
led to NPE segfaults attempting to use libcurl+Hyper with Git, for
example.
Instead, process the client write for the status line using the same
logic we use to process the client write for the later HTTP headers,
which contains the appropriate guard logic. As a side benefit,
data->set.writeheader is now only read in one file instead of two.
Kevin Burke [Sat, 24 Apr 2021 21:20:08 +0000 (14:20 -0700)]
m4: add security frameworks on Mac when compiling rustls
Previously compiling rustls on Mac would only complete if you also
compiled the SecureTransport TLS backend, which curl would prefer to
the Rust backend.
Appending these flags to LDFLAGS makes it possible to compile the
Rustls backend on Mac without the SecureTransport backend, which means
this patch will make it possible for Mac users to use the Rustls
backend for TLS.
Reviewed-by: Jacob Hoffman-Andrews
Fixes #6955
Cloes #6956
projects / thirdparty / curl.git / log
