#
bf12c2be |
| 11-Nov-2022 |
Daniel Stenberg |
lib: remove bad set.opt_no_body assignments This struct field MUST remain what the application set it to, so that handle reuse and handle duplication work. Instead, the request state bit 'no_body' is introduced for code flows that need to change this in run-time. Closes #9888
|
#
dafdb20a |
| 11-Nov-2022 |
Stefan Eissing |
lib: connection filters (cfilter) addition to curl:
- general construct/destroy in connectdata
- default implementations of callback functions
- connect: cfilters for connect and accept
- socks: cfilter for socks proxying
- http_proxy: cfilter for http proxy tunneling
- vtls: cfilters for primary and proxy ssl
- change in general handling of data/conn
- Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup
- Curl_cfilter_connect() bootstraps filters into `connected` status, used by handlers and multi to reach further stages
- Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work
- Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work
- Curl_cfilter_data_pending() asks filters if they have incoming data pending for recv
- Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling
- Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters of addition/removal of a `data` from their connection
- adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code.

Reviewed-by: Daniel Stenberg
Closes #9855
|
#
11ad25ff |
| 09-Nov-2022 |
Fata Nugraha |
http: do not send PROXY more than once Unlike `CONNECT`, currently we don't keep track whether `PROXY` is already sent or not. This causes `PROXY` header to be sent twice during `MSTATE_TUNNELING` and `MSTATE_PROTOCONNECT`. Closes #9878 Fixes #9442
|
#
2bc04d49 |
| 08-Nov-2022 |
Daniel Stenberg |
rtsp: fix RTSP auth Verified with test 3100 Fixes #4750 Closes #9870
|
#
f151ec6c |
| 28-Oct-2022 |
Rose <83477269+AtariDreams@users.noreply.github.com> |
lib: fix some type mismatches and remove unneeded typecasts Many of these castings are unneeded if we change the variables to work better with each other. Ref: https://github.com/curl/curl/pull/9823 Closes https://github.com/curl/curl/pull/9835
|
#
52cc4a85 |
| 30-Oct-2022 |
Daniel Stenberg |
style: use space after comment start and before comment end /* like this */ /*not this*/ checksrc is updated accordingly Closes #9828
|
#
4484270a |
| 26-Oct-2022 |
Ayesh Karunaratne |
misc: typo and grammar fixes
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`

Closes #9802
|
#
6efb6b1e |
| 12-Oct-2022 |
Shaun Mirani |
url: allow non-HTTPS HSTS-matching for debug builds Closes #9728
|
#
b46136f9 |
| 13-Oct-2022 |
Daniel Stenberg |
http: try parsing Retry-After: as a number first Since the date parser allows YYYYMMDD as a date format (due to it being a bit too generic for parsing this particular header), a large integer number could wrongly match that pattern and cause the parser to generate a wrong value. No date format accepted for this header starts with a decimal number, so by reversing the check and trying a number first we can deduce that if that works, it was not a date. Reported-by Trail of Bits Closes #9718
|
#
72652c06 |
| 26-Sep-2022 |
Patrick Monnerat |
http, vauth: always provide Curl_allow_auth_to_host() functionality This function is currently located in the lib/http.c module and is therefore disabled by the CURL_DISABLE_HTTP conditional token. As it may be called by TLS backends, disabling HTTP results in an undefined reference error at link time. Move this function to vauth/vauth.c to always provide it and rename it as Curl_auth_allowed_to_host() to respect the vauth module naming convention. Closes #9600
|
#
660cf3d4 |
| 18-Sep-2022 |
Daniel Stenberg |
lib: the number four in a sequence is the "fourth" Spelling is hard Closes #9535
|
#
664249d0 |
| 09-Sep-2022 |
Daniel Stenberg |
ws: initial websockets support Closes #8995
|
#
472f1cbe |
| 01-Sep-2022 |
Daniel Stenberg |
NPN: remove support for and use of

Next Protocol Negotiation is a TLS extension that was created and used for agreeing to use the SPDY protocol (the precursor to HTTP/2) for HTTPS. In the early days of HTTP/2, before the spec was finalized and shipped, the protocol could be enabled using this extension with some servers. curl supports the NPN extension with some TLS backends since then, with a command line option `--npn` and in libcurl with `CURLOPT_SSL_ENABLE_NPN`. HTTP/2 proper is made to use the ALPN (Application-Layer Protocol Negotiation) extension and the NPN extension has no purpose anymore. The HTTP/2 spec was published in May 2015. Today, use of NPN in the wild should be extremely rare and most likely totally extinct. Chrome removed NPN support in Chrome 51, shipped in June 2016. Removed in Firefox 53, April 2017.

Closes #9307
|
#
8d1da2e1 |
| 20-Jul-2022 |
Daniel Stenberg |
http: typecast the httpreq assignment to avoid icc compiler warning error #188: enumerated type mixed with another type Closes #9179
|
#
48d7064a |
| 26-Jun-2022 |
Daniel Stenberg |
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50

Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205
Reported-by: Harry Sintonen
Closes #9048
|
#
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a GitHub workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
|
#
c9b60f00 |
| 24-May-2022 |
Daniel Stenberg |
http: restore header folding behavior Folded header lines will now get passed through like before. The headers API is adapted and will provide the content unfolded. Added test 1274 and extended test 1940 to verify. Reported-by: Petr Pisar Fixes #8844 Closes #8899
|
#
d7b970e4 |
| 29-Apr-2022 |
Daniel Stenberg |
http: move Curl_allow_auth_to_host() It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef Reported-by: Michael Olbrich Fixes #8772 Closes #8775
|
#
139a54ed |
| 25-Apr-2022 |
Daniel Stenberg |
openssl: don't leak the SRP credentials in redirects either Follow-up to 620ea21410030 Reported-by: Harry Sintonen Closes #8751
|
#
6e659993 |
| 25-Apr-2022 |
Daniel Stenberg |
http: avoid auth/cookie on redirects same host diff port CVE-2022-27776 Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2022-27776.html Closes #8749
|
#
6968fb9d |
| 16-Apr-2022 |
Daniel Stenberg |
lib: remove exclamation marks ... from infof() and failf() calls. Make them less attention seeking. Closes #8713
|
#
854ec765 |
| 01-Apr-2022 |
Daniel Stenberg |
http: streamclose "already downloaded" Instead of connclose()ing, since when HTTP/2 is used it doesn't need to close the connection as stopping the current transfer is enough. Reported-by: Evangelos Foutras Closes #8665
|
#
218cc700 |
| 01-Apr-2022 |
Daniel Stenberg |
http: correct the header error message to say colon Not semicolon Reported-by: Gisle Vanem Ref: #8666 Closes #8667
|
#
b716b5aa |
| 01-Apr-2022 |
Daniel Stenberg |
lib: #ifdef on USE_HTTP2 better ... as nghttp2 might not be the library that provides HTTP/2 support. Closes #8661
|
#
3fa634a3 |
| 01-Apr-2022 |
Daniel Stenberg |
http: close the stream (not connection) on time condition abort Closes #8664
|