c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection

Enable test 1074

Closes #7617

http: consider cookies over localhost to be secure

Updated test31.
Added test 392 to verify secure cookies used for http://localhost

Reviewed-by: Daniel Gustafsson
Fixes #67

http: consider cookies over localhost to be secure

Updated test31.
Added test 392 to verify secure cookies used for http://localhost

Reviewed-by: Daniel Gustafsson
Fixes #6733
Closes #7263

show more ...

lib: fix compiler warnings with CURL_DISABLE_NETRC

warning C4189: 'netrc_user_changed': local variable is initialized but
not referenced

warning C4189: 'netrc_passwd_changed': l

lib: fix compiler warnings with CURL_DISABLE_NETRC

warning C4189: 'netrc_user_changed': local variable is initialized but
not referenced

warning C4189: 'netrc_passwd_changed': local variable is initialized but
not referenced

Closes #7423

show more ...

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes info

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()

Closes #7357

show more ...

c-hyper: add support for transfer-encoding in the request

Closes #7348

http: fix crash in rate-limited upload

- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.

http: fix crash in rate-limited upload

- Don't set the size of the piece of data to send to the rate limit if
that limit is larger than the buffer size that will hold the piece.

Prior to this change if CURLOPT_MAX_SEND_SPEED_LARGE
(curl tool: --limit-rate) was set then it was possible that a temporary
buffer used for uploading could be written to out of bounds. A likely
scenario for this would be a non-trivial amount of post data combined
with a rate limit larger than CURLOPT_UPLOAD_BUFFERSIZE (default 64k).

The bug was introduced in 24e469f which is in releases since 7.76.0.

perl -e "print '0' x 200000" > tmp
curl --limit-rate 128k -d @tmp httpbin.org/post

Reported-by: Richard Marion

Fixes https://github.com/curl/curl/issues/7308
Closes https://github.com/curl/curl/pull/7315

show more ...

http: make the haproxy support work with unix domain sockets

... it should then pass on "PROXY UNKNOWN" since it doesn't know the
involved IP addresses.

Reported-by: Valentín Gu

http: make the haproxy support work with unix domain sockets

... it should then pass on "PROXY UNKNOWN" since it doesn't know the
involved IP addresses.

Reported-by: Valentín Gutiérrez
Fixes #7290
Closes #7291

show more ...

vtls: only store TIMER_APPCONNECT for non-proxy connect

Introducing a 'isproxy' argument to the connect function so that it
knows wether to store the time stamp or not.

Reported

vtls: only store TIMER_APPCONNECT for non-proxy connect

Introducing a 'isproxy' argument to the connect function so that it
knows wether to store the time stamp or not.

Reported-by: Yongkang Huang
Fixes #7274
Closes #7274

show more ...

conn: add 'attach' to protocol handler, make libssh2 use it

The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a conn

conn: add 'attach' to protocol handler, make libssh2 use it

The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a connection gets
attached to a transfer, the protocol handler now allows for a custom
function to get used to set things up correctly.

Reported-by: Michael O'Farrell
Fixes #6898
Closes #7078

show more ...

http: use calculated offsets inst of integer literals for header parsing

Assumed to be a minor coding style improvement with no behavior change.

A modern compiler is expected to hav

http: use calculated offsets inst of integer literals for header parsing

Assumed to be a minor coding style improvement with no behavior change.

A modern compiler is expected to have the calculation optimized during
compilation. It may be deemed okay even if that's not the case, since
the added overhead is considered very low.

Closes #7032

show more ...

http: limit the initial send amount to used upload buffer size

Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer

http: limit the initial send amount to used upload buffer size

Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer has been set, this
function can benefit from sending more bytes. With default size used,
this does the same as before.

Also changed the storage of the size to an 'unsigned int' as it is not
allowed to be set larger than 2M.

Also added cautions to the man pages about changing buffer sizes in
run-time.

Closes #7022

show more ...

http: reset the header buffer when sending the request

A reused transfer handle could otherwise reuse the previous leftover
buffer and havoc would ensue.

Reported-by: sergio-nsk

http: reset the header buffer when sending the request

A reused transfer handle could otherwise reuse the previous leftover
buffer and havoc would ensue.

Reported-by: sergio-nsk on github
Fixes #7018
Closes #7021

show more ...

Curl_http_header: check for colon when matching Persistent-Auth

Closes #6993

Curl_http_input_auth: require valid separator after negotiation type

Closes #6993

http: fix the check for 'Authorization' with Bearer

The code would wrongly check for it using an additional colon.

Reported-by: Blake Burkhart
Closes #6988

hsts: enable by default

No longer considered experimental.

Closes #6700

send_speed: simplify the checks for if a speed limit is set

... as we know the value cannot be set to negative: enforced by
setopt()

http: cap body data amount during send speed limiting

By making sure never to send off more than the allowed number of bytes
per second the speed limit logic is given more room to actual

http: cap body data amount during send speed limiting

By making sure never to send off more than the allowed number of bytes
per second the speed limit logic is given more room to actually work.

Reported-by: Fabian Keil
Bug: https://curl.se/mail/lib-2021-03/0042.html
Closes #6797

show more ...

urldata: merge "struct DynamicStatic" into "struct UrlState"

Both were used for the same purposes and there was no logical separation
between them. Combined, this also saves 16 bytes in

urldata: merge "struct DynamicStatic" into "struct UrlState"

Both were used for the same purposes and there was no logical separation
between them. Combined, this also saves 16 bytes in less holes in my
test build.

Closes #6798

show more ...

http: strip default port from URL sent to proxy

To make sure the Host: header and the URL provide the same authority
portion when sent to the proxy, strip the default port number from th

http: strip default port from URL sent to proxy

To make sure the Host: header and the URL provide the same authority
portion when sent to the proxy, strip the default port number from the
URL if one was provided.

Reported-by: Michael Brown
Fixes #6769
Closes #6778

show more ...

http: make 416 not fail with resume + CURLOPT_FAILONERRROR

When asked to resume a download, libcurl will convert that to HTTP logic
and if then the entire file is already transferred it

http: make 416 not fail with resume + CURLOPT_FAILONERRROR

When asked to resume a download, libcurl will convert that to HTTP logic
and if then the entire file is already transferred it will result in a
416 response from the HTTP server. With CURLOPT_FAILONERRROR set in that
scenario, it should *not* lead to an error return.

Updated test 1156, added test 1273

Reported-by: Jonathan Watt
Fixes #6740
Closes #6753

show more ...

http: remove superfluous NULL assign

Closes #6727

http2: remove conn->data use

... but instead use a private alternative that points to the "driving
transfer" from the connection. We set the "user data" associated with
the connectio

http2: remove conn->data use

... but instead use a private alternative that points to the "driving
transfer" from the connection. We set the "user data" associated with
the connection to be the connectdata struct, but when we drive transfers
the code still needs to know the pointer to the transfer. We can change
the user data to become the Curl_easy handle, but with older nghttp2
version we cannot dynamically update that pointer properly when
different transfers are used over the same connection.

Closes #6520

show more ...

http: use credentials from transfer, not connection

HTTP auth "accidentally" worked before this cleanup since the code would
always overwrite the connection credentials with the credenti

http: use credentials from transfer, not connection

HTTP auth "accidentally" worked before this cleanup since the code would
always overwrite the connection credentials with the credentials from
the most recent transfer and since HTTP auth is typically done first
thing, this has not been an issue. It was still wrong and subject to
possible race conditions or future breakage if the sequence of functions
would change.

The data.set.str[] strings MUST remain unmodified exactly as set by the
user, and the credentials to use internally are instead set/updated in
state.aptr.*

Added test 675 to verify different credentials used in two requests done
over a reused HTTP connection, which previously behaved wrongly.

Fixes #6542
Closes #6545

show more ...

urldata: don't touch data->set.httpversion at run-time

Rename it to 'httpwant' and make a cloned field in the state struct as
well for run-time updates.

Also: refuse non-support

urldata: don't touch data->set.httpversion at run-time

Rename it to 'httpwant' and make a cloned field in the state struct as
well for run-time updates.

Also: refuse non-supported HTTP versions. Verified with test 129.

Closes #6585

show more ...