Daniel Stenberg [Sun, 26 Jun 2022 09:01:01 +0000 (11:01 +0200)]
test444: test many received Set-Cookie:
The amount of sent cookies in the test is limited to 80 because hyper
has its own strict limits in how many headers it allows to be received
which triggers at some point beyond this number.
Daniel Stenberg [Sun, 26 Jun 2022 09:00:48 +0000 (11:00 +0200)]
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205 Reported-by: Harry Sintonen
Closes #9048
Daniel Stenberg [Thu, 23 Jun 2022 10:02:32 +0000 (12:02 +0200)]
easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
clang 14 warns about its use. It is being deprecated by the working
group for the programming language C: "The macro ATOMIC_VAR_INIT is
basically useless for the purpose for which it was designed"
Tom Eccles [Thu, 23 Jun 2022 09:09:25 +0000 (10:09 +0100)]
ftp: restore protocol state after http proxy CONNECT
connect_init() (lib/http_proxy.c) swaps out the protocol state while
working on the proxy connection, this is then restored by
Curl_connect_done() after the connection completes.
ftp_do_more() extracted the protocol state pointer to a local variable
at the start of the function then calls Curl_proxy_connect(). If the proxy
connection completes, Curl_proxy_connect() will call Curl_connect_done()
(via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
protocol state instead of the http proxy protocol state, but the local
variable in ftp_do_more still pointed to the old value.
Ultimately this meant that the state worked on by ftp_do_more() was the
http proxy state not the ftp state initialised by ftp_connect(), but
subsequent calls to any ftp_ function would use the original state.
For my use-case, the visible consequence was that ftp->downloadsize was
never set and so downloaded data was never returned to the application.
This commit updates the ftp protocol state pointer in ftp_do_more() after
Curl_proxy_connect() returns, ensuring that the correct state pointer is
used.
Jay Satiro [Wed, 22 Jun 2022 07:35:19 +0000 (03:35 -0400)]
curl_setup: include _mingw.h
Prior to this change _mingw.h needed to be included in each unit before
evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
is included only in some mingw headers (eg stdio.h) and not others
(eg windows.h) so it's better to explicitly include it once.
Viktor Szakats [Wed, 22 Jun 2022 09:35:46 +0000 (09:35 +0000)]
rand: stop detecting /dev/urandom in cross-builds
- Prevent CMake to auto-detect /dev/urandom when cross-building.
Before this patch, it would detect it in a cross-build scenario on *nix
hosts with this device present. This was a problem for example with
Windows builds, but it could affect any target system with this device
missing. This also syncs detection behaviour with autotools, which also
skips it for cross-builds.
- Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
fallback random number generator on Windows. Windows does not have the
concept of reading a random stream from a filename, nor any guaranteed
non-world-writable path on disk. With this, a manual misconfiguration or
an overeager auto-detection can no longer result in a user-controllable
seed source.
Emanuele Torre [Wed, 15 Jun 2022 18:00:42 +0000 (20:00 +0200)]
ci: avoid `cmake -Hpath`
This is an undocumented option similar to the `-Spath' option introduced
in cmake 3.13.
Replace all instances of `-Hpath' with `-Spath' in macos workflow.
Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul
scripts since it runs an older version of cmake.
Viktor Szakats [Wed, 22 Jun 2022 00:06:48 +0000 (00:06 +0000)]
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
XP when the `-ipv6` option is selected. Maybe this was added to support
pre-XP Windows versions (?). These days libcurl builds fine for both XP
and post-XP versions with IPv6 support enabled. The relevance of pre-XP
version is also low by now. Other build methods also do not impose such
limitation for a similar configuration. So, drop this hard-wired
`_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
Windows version set by the compiler. This is Vista for recent MinGW
versions.
Old behaviour can be restored by setting this envvar:
export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
Jay Satiro [Wed, 15 Jun 2022 05:20:27 +0000 (01:20 -0400)]
curl_easy_pause.3: remove explanation of progress function
- Remove misleading text that says progress function "gets called at
least once per second, even if the connection is paused."
The progress function behavior is more nuanced and the user is better
served reading the progress function doc rather than attempt to explain
it in the curl_easy_pause doc.
The progress function can only be called at least once per second if an
appropriate multi transfer function is called (eg curl_multi_perform) in
that time. For a paused transfer there may not be such a call. Rather
than explain this in detail in the curl_easy_pause doc, rely on the user
reading the CURLOPT_PROGRESSFUNCTION doc.
Daniel Stenberg [Wed, 15 Jun 2022 21:43:33 +0000 (23:43 +0200)]
libssh: skip the fake-close when libssh does the right thing
Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
socket. Instead it will be kept alive as we want it, and it is our
responsibility to close it later.
Viktor Szakats [Mon, 13 Jun 2022 18:59:45 +0000 (18:59 +0000)]
version: rename threadsafe-init to threadsafe
Referring to Daniel's article [1], making the init function thread-safe
was the last bit to make libcurl thread-safe as a whole. So the name of
the feature may as well be the more concise 'threadsafe', also telling
the story that libcurl is now fully thread-safe, not just its init
function. Chances are high that libcurl wants to remain so in the
future, so there is little likelihood of ever needing any other distinct
`threadsafe-<name>` feature flags.
For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
`CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
thread safety documentation.
max.mehl [Tue, 17 May 2022 09:16:50 +0000 (11:16 +0200)]
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Daniel Stenberg [Wed, 8 Jun 2022 14:32:46 +0000 (16:32 +0200)]
test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set
Triggered by a bug report from Adam Light:
https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly
a misunderstanding of how CURLINFO_EFFECTIVE_URL works.
Jay Satiro [Wed, 8 Jun 2022 07:02:51 +0000 (03:02 -0400)]
curl_global_init.3: Separate the Windows loader lock warning
This is a slight correction of the parent commit which implied the
loader lock warning only applied if not thread-safe. In fact the loader
lock warning applies either way.
- Document that user input to header options is not sanitized, which
could result in CRLF used to modify the request in a way other than
what was intended.
Jay Satiro [Tue, 7 Jun 2022 07:50:11 +0000 (03:50 -0400)]
CURLOPT_RANGE.3: remove ranged upload advice
The e-mail link in the advice contains instructions that are prone to
error. We need an example that works and can demonstrate how to properly
perform a ranged upload, and then we can refer to that example instead.
Bug: https://github.com/curl/curl/issues/8969 Reported-by: Simon Berger
Closes https://github.com/curl/curl/pull/8970
Daniel Stenberg [Tue, 24 May 2022 21:40:50 +0000 (23:40 +0200)]
docs/CONTRIBUTE.md: document the 'needs-votes' concept
A pull request sent to the project might get labeled `needs-votes` by a
project maintainer. This label means that in addition to meeting all
other checks and qualifications this pull request must also receive
proven support/thumbs-ups from more community members to be considered
for merging.
Evgeny Grin [Wed, 25 May 2022 07:20:18 +0000 (10:20 +0300)]
digest: unquote realm and nonce before processing
RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done
correctly is header parsing function (realm="DOMAIN\\host" and
realm=DOMAN\\host are different realms).
This commit adds unquoting (de-escaping) of all values during header
parsing and quoting of the values during header forming. This approach
should be most straightforward and easy to read/maintain as all values
are processed in the same way as required by RFC.
projects / thirdparty / curl.git / log
