History log of /curl/lib/cookie.c (Results 126 – 150 of 299)
Revision Date Author Comments
# 811a693b 30-Sep-2016 Daniel Stenberg

strcasecompare: all case insensitive string compares ignore locale now

We had some confusions on when each function was used. We should not act
differently on different locales anyway.


# 502acba2 30-Sep-2016 Daniel Stenberg

strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually
does case insensitive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").


# c5be3d72 04-Oct-2016 Daniel Stenberg

cookies: getlist() now holds deep copies of all cookies

Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.

CVE-2016-8623

Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53


# 54e48b14 03-Oct-2016 Sergei Kuzmin

cookies: same domain handling changed to match browser behavior

Cookies with the same domain but different tailmatching property are now
considered different and do not replace each other. If the header contains
the following lines then two cookies will be set:

Set-Cookie: foo=bar; domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
Set-Cookie: foo=baz; domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033

This matches Chrome, Opera, Safari, and Firefox behavior. When sending
stored tokens to foo.com Chrome, Opera, Firefox send them in the
stored order, while Safari pre-sorts the cookies.

Closes #1050


Revision tags: curl-7_50_3, curl-7_50_2, curl-7_50_1, curl-7_50_0
# bcc8f485 12-Jul-2016 Viktor Szakats

cookie.c: Fix misleading indentation

Closes https://github.com/curl/curl/pull/911


# 434f8d03 21-Jun-2016 Daniel Stenberg

internals: rename the SessionHandle struct to Curl_easy


Revision tags: curl-7_49_1, curl-7_49_0
# 4f45240b 29-Apr-2016 Daniel Stenberg

lib: include curl_printf.h as one of the last headers

curl_printf.h defines printf to curl_mprintf, etc. This can cause
problems with external headers which may use
__attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include
curl_printf.h after any system headers. That makes the three last
headers to always be, and we keep them in this order:

curl_printf.h
curl_memory.h
memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin

Fixes #743


Revision tags: curl-7_48_0
# 7f7fcd0d 10-Mar-2016 Daniel Stenberg

cookies: first n/v pair in Set-Cookie: is the cookie, then parameters

RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.

libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first
name used that wasn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.

Fixes #709


# c140bd78 02-Mar-2016 Tim Rühsen

cookie: do not refuse cookies for localhost

Closes #658


# 20de9b4f 05-Mar-2016 Jay Satiro

cookie: Don't expire session cookies in remove_expired

Prior to this change cookies with an expiry date that failed parsing
and were converted to session cookies could be purged in remove_expired.

Bug: https://github.com/curl/curl/issues/697
Reported-by: Seth Mos


# 33a0a926 03-Mar-2016 Daniel Stenberg

cookie: remove redundant check

... as it was already checked previously within the function.

Reported-by: Dmitry-Me
Closes #695


# 18c735e7 08-Feb-2016 Daniel Stenberg

cookies: allow spaces in cookie names, cut off trailing spaces

It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639


Revision tags: curl-7_47_1
# 4af40b36 02-Feb-2016 Daniel Stenberg

URLs: change all http:// URLs to https://


Revision tags: curl-7_47_0, curl-7_46_0, curl-7_45_0
# e77b5b74 29-Sep-2015 Tim Rühsen

cookies: Add support for Mozilla's Public Suffix List

Use libpsl to check the domain value of Set-Cookie headers (and cookie
jar entries) for not being a Public Suffix.

The configure script checks for "libpsl" by default. Disable the check
with --without-libpsl.

Ref: https://publicsuffix.org/
Ref: https://github.com/publicsuffix/list
Ref: https://github.com/rockdaboot/libpsl


Revision tags: curl-7_44_0
# ef0fdb83 18-Jun-2015 Jay Satiro

cookie: Fix bug in export if any-domain cookie is present

In 3013bb6 I had changed cookie export to ignore any-domain cookies,
however the logic I used to do so was incorrect, and would lead to a
busy loop in the case of exporting a cookie list that contained
any-domain cookies. The result of that is worse though, because in that
case the other cookies would not be written resulting in an empty file
once the application is terminated to stop the busy loop.


Revision tags: curl-7_43_0
# 3013bb6b 04-Jun-2015 Jay Satiro

cookie: Stop exporting any-domain cookies

Prior to this change any-domain cookies (cookies without a domain that
are sent to any domain) were exported with domain name "unknown".

Bug: https://github.com/bagder/curl/issues/292


# e8423f9c 01-Jun-2015 Jay Satiro

curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT

- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"

This change is to explicitly specify when we need to read/write text.
Unfortunately 't' is not part of POSIX fopen so we can't specify it
directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.

Prior to this change we had an issue on Windows if an application that
uses libcurl overrides the default file mode to binary. The default file
mode in Windows is normally text mode (translation mode) and that's what
libcurl expects.

Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
Reported-by: Orgad Shaneh


Revision tags: curl-7_42_1, curl-7_42_0
# b5f947b8 16-Apr-2015 Daniel Stenberg

cookie: cookie parser out of boundary memory access

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck


# 2685041a 01-Apr-2015 Daniel Stenberg

cookie: handle spaces after the name in Set-Cookie

"name =value" is fine and the space should just be skipped.

Updated test 31 to also test for this.

Bug: https://github.com/bagder/curl/issues/195
Reported-by: cromestant
Help-by: Frank Gevaerts


# 35648f2e 24-Mar-2015 Dan Fandrich

curl_memory: make curl_memory.h the second-last header file loaded

This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.


# 0f4a03cb 16-Mar-2015 Daniel Stenberg

free: instead of Curl_safefree()

Since we just started to make use of free(NULL) in order to simplify code,
this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that
frees a pointer and then assigns it to NULL, then use Curl_safefree().
But we will prefer just using free() from now on.


# 29c655c0 11-Mar-2015 Markus Elfring

Bug #149: Deletion of unnecessary checks before calls of the function "free"

The function "free" is documented in the way that no action shall occur for
a passed null pointer. It is therefore not needed that a function caller
repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first

This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>


# df5578a7 03-Mar-2015 Daniel Stenberg

mprintf.h: remove #ifdef CURLDEBUG

... and as a consequence, introduce curl_printf.h with that re-define
magic instead and make all libcurl code use that instead.


Revision tags: curl-7_41_0, curl-7_40_0
# 41f1f6e8 07-Dec-2014 Dan Fandrich

cookies: Improved OOM handling in cookies

This fixes the test 506 torture test. The internal cookie API really
ought to be improved to separate cookie parsing errors (which may be
ignored) with OOM errors (which should be fatal).


# 2adf2946 07-Dec-2014 Dan Fandrich

cookie.c: Refactored cleanup code to simplify

Also, fixed the outdated comments on the cookie API.

