| #
bf12c2be |
| 11-Nov-2022 |
Daniel Stenberg |
lib: remove bad set.opt_no_body assignments
This struct field MUST remain what the application set it to, so that
handle reuse and handle duplication work.
Instead, the request
lib: remove bad set.opt_no_body assignments
This struct field MUST remain what the application set it to, so that
handle reuse and handle duplication work.
Instead, the request state bit 'no_body' is introduced for code flows
that need to change this in run-time.
Closes #9888
show more ...
|
| #
dafdb20a |
| 11-Nov-2022 |
Stefan Eissing |
lib: connection filters (cfilter) addition to curl:
- general construct/destroy in connectdata
- default implementations of callback functions
- connect: cfilters for connect and
lib: connection filters (cfilter) addition to curl:
- general construct/destroy in connectdata
- default implementations of callback functions
- connect: cfilters for connect and accept
- socks: cfilter for socks proxying
- http_proxy: cfilter for http proxy tunneling
- vtls: cfilters for primary and proxy ssl
- change in general handling of data/conn
- Curl_cfilter_setup() sets up filter chain based on data settings,
if none are installed by the protocol handler setup
- Curl_cfilter_connect() boot straps filters into `connected` status,
used by handlers and multi to reach further stages
- Curl_cfilter_is_connected() to check if a conn is connected,
e.g. all filters have done their work
- Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE
indicators for multi select to work
- Curl_cfilter_data_pending() asks filters if the have incoming
data pending for recv
- Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks
installed in conn->recv/conn->send for io handling
- Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters
and addition/removal of a `data` from their connection
- adding vtl functions to prevent use of Curl_ssl globals directly
in other parts of the code.
Reviewed-by: Daniel Stenberg
Closes #9855
show more ...
|
| #
11ad25ff |
| 09-Nov-2022 |
Fata Nugraha |
http: do not send PROXY more than once
Unlike `CONNECT`, currently we don't keep track whether `PROXY` is
already sent or not. This causes `PROXY` header to be sent twice during
`MST
http: do not send PROXY more than once
Unlike `CONNECT`, currently we don't keep track whether `PROXY` is
already sent or not. This causes `PROXY` header to be sent twice during
`MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`.
Closes #9878
Fixes #9442
show more ...
|
| #
2bc04d49 |
| 08-Nov-2022 |
Daniel Stenberg |
rtsp: fix RTSP auth
Verified with test 3100
Fixes #4750
Closes #9870
|
| #
f151ec6c |
| 28-Oct-2022 |
Rose <83477269+AtariDreams@users.noreply.github.com> |
lib: fix some type mismatches and remove unneeded typecasts
Many of these castings are unneeded if we change the variables to work
better with each other.
Ref: https://github.co
lib: fix some type mismatches and remove unneeded typecasts
Many of these castings are unneeded if we change the variables to work
better with each other.
Ref: https://github.com/curl/curl/pull/9823
Closes https://github.com/curl/curl/pull/9835
show more ...
|
| #
52cc4a85 |
| 30-Oct-2022 |
Daniel Stenberg |
style: use space after comment start and before comment end
/* like this */
/*not this*/
checksrc is updated accordingly
Closes #9828
|
| #
4484270a |
| 26-Oct-2022 |
Ayesh Karunaratne |
misc: typo and grammar fixes
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing
misc: typo and grammar fixes
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`
Closes #9802
show more ...
|
| #
6efb6b1e |
| 12-Oct-2022 |
Shaun Mirani |
url: allow non-HTTPS HSTS-matching for debug builds
Closes #9728
|
| #
b46136f9 |
| 13-Oct-2022 |
Daniel Stenberg |
http: try parsing Retry-After: as a number first
Since the date parser allows YYYYMMDD as a date format (due to it being
a bit too generic for parsing this particular header), a large in
http: try parsing Retry-After: as a number first
Since the date parser allows YYYYMMDD as a date format (due to it being
a bit too generic for parsing this particular header), a large integer
number could wrongly match that pattern and cause the parser to generate
a wrong value.
No date format accepted for this header starts with a decimal number, so
by reversing the check and trying a number first we can deduct that if
that works, it was not a date.
Reported-by Trail of Bits
Closes #9718
show more ...
|
| #
72652c06 |
| 26-Sep-2022 |
Patrick Monnerat |
http, vauth: always provide Curl_allow_auth_to_host() functionality
This function is currently located in the lib/http.c module and is
therefore disabled by the CURL_DISABLE_HTTP conditi
http, vauth: always provide Curl_allow_auth_to_host() functionality
This function is currently located in the lib/http.c module and is
therefore disabled by the CURL_DISABLE_HTTP conditional token.
As it may be called by TLS backends, disabling HTTP results in an
undefined reference error at link time.
Move this function to vauth/vauth.c to always provide it and rename it
as Curl_auth_allowed_to_host() to respect the vauth module naming
convention.
Closes #9600
show more ...
|
| #
660cf3d4 |
| 18-Sep-2022 |
Daniel Stenberg |
lib: the number four in a sequence is the "fourth"
Spelling is hard
Closes #9535
|
| #
664249d0 |
| 09-Sep-2022 |
Daniel Stenberg |
ws: initial websockets support
Closes #8995
|
| #
472f1cbe |
| 01-Sep-2022 |
Daniel Stenberg |
NPN: remove support for and use of
Next Protocol Negotiation is a TLS extension that was created and used
for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
HTTPS. I
NPN: remove support for and use of
Next Protocol Negotiation is a TLS extension that was created and used
for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
HTTPS. In the early days of HTTP/2, before the spec was finalized and
shipped, the protocol could be enabled using this extension with some
servers.
curl supports the NPN extension with some TLS backends since then, with
a command line option `--npn` and in libcurl with
`CURLOPT_SSL_ENABLE_NPN`.
HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
Negotiation) extension and the NPN extension has no purposes
anymore. The HTTP/2 spec was published in May 2015.
Today, use of NPN in the wild should be extremely rare and most likely
totally extinct. Chrome removed NPN support in Chrome 51, shipped in
June 2016. Removed in Firefox 53, April 2017.
Closes #9307
show more ...
|
| #
8d1da2e1 |
| 20-Jul-2022 |
Daniel Stenberg |
http: typecast the httpreq assignment to avoid icc compiler warning
error #188: enumerated type mixed with another type
Closes #9179
|
| #
48d7064a |
| 26-Jun-2022 |
Daniel Stenberg |
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205
Reported-by: Harry Sintonen
Closes #9048
show more ...
|
| #
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes #8869
show more ...
|
| #
c9b60f00 |
| 24-May-2022 |
Daniel Stenberg |
http: restore header folding behavior
Folded header lines will now get passed through like before. The headers
API is adapted and will provide the content unfolded.
Added test 1
http: restore header folding behavior
Folded header lines will now get passed through like before. The headers
API is adapted and will provide the content unfolded.
Added test 1274 and extended test 1940 to verify.
Reported-by: Petr Pisar
Fixes #8844
Closes #8899
show more ...
|
| #
d7b970e4 |
| 29-Apr-2022 |
Daniel Stenberg |
http: move Curl_allow_auth_to_host()
It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef
Reported-by: Michael Olbrich
Fixes #8772
Closes #8775
|
| #
139a54ed |
| 25-Apr-2022 |
Daniel Stenberg |
openssl: don't leak the SRP credentials in redirects either
Follow-up to 620ea21410030
Reported-by: Harry Sintonen
Closes #8751
|
| #
6e659993 |
| 25-Apr-2022 |
Daniel Stenberg |
http: avoid auth/cookie on redirects same host diff port
CVE-2022-27776
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27776.html
Closes #8749
|
| #
6968fb9d |
| 16-Apr-2022 |
Daniel Stenberg |
lib: remove exclamation marks
... from infof() and failf() calls. Make them less attention seeking.
Closes #8713
|
| #
854ec765 |
| 01-Apr-2022 |
Daniel Stenberg |
http: streamclose "already downloaded"
Instead of connclose()ing, since when HTTP/2 is used it doesn't need to
close the connection as stopping the current transfer is enough.
R
http: streamclose "already downloaded"
Instead of connclose()ing, since when HTTP/2 is used it doesn't need to
close the connection as stopping the current transfer is enough.
Reported-by: Evangelos Foutras
Closes #8665
show more ...
|
| #
218cc700 |
| 01-Apr-2022 |
Daniel Stenberg |
http: correct the header error message to say colon
Not semicolon
Reported-by: Gisle Vanem
Ref: #8666
Closes #8667
|
| #
b716b5aa |
| 01-Apr-2022 |
Daniel Stenberg |
lib: #ifdef on USE_HTTP2 better
... as nghttp2 might not be the library that provides HTTP/2 support.
Closes #8661
|
| #
3fa634a3 |
| 01-Apr-2022 |
Daniel Stenberg |
http: close the stream (not connection) on time condition abort
Closes #8664
|
