http: avoid auth/cookie on redirects same host diff port

CVE-2022-27776

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27776.html
Closes #8749

url: check sasl additional parameters for connection reuse.

Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.

Bug:

url: check sasl additional parameters for connection reuse.

Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.

Bug: https://curl.se/docs/CVE-2022-22576.html

CVE-2022-22576

Closes #8746

show more ...

English: use American spelling consistently

Authorization, Initialization, Organization etc.

Closes #8673

header api: add curl_easy_header and curl_easy_nextheader

Add test 1940 to 1946 to verify.

Closes #8593

urldata: remove conn->bits.user_passwd

The authentication status should be told by the transfer and not the
connection.

Reported-by: John H. Ayad
Fixes #8449
Closes #8451

misc: remove unused data when IPv6 is not supported

Closes #8430

lib: remove support for CURL_DOES_CONVERSIONS

TPF was the only user and support for that was dropped.

Closes #8378

urldata: CONN_IS_PROXIED replaces bits.close when proxy can be disabled

To remove run-time checks for such builds.

Closes #8350

misc: remove unused doh flags when CURL_DISABLE_DOH is defined

Closes #8148

tftp: mark protocol as not possible to do over CONNECT

... and make connect_init() refusing trying to tunnel protocols marked
as not working. Avoids a double-free.

Reported-by:

tftp: mark protocol as not possible to do over CONNECT

... and make connect_init() refusing trying to tunnel protocols marked
as not working. Avoids a double-free.

Reported-by: Even Rouault
Fixes #8018
Closes #8020

show more ...

mime: use percent-escaping for multipart form field and file names

Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails.

mime: use percent-escaping for multipart form field and file names

Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails. This commit
replaces this with the percent-escaping method for URLs.

As this may introduce incompatibilities with server-side applications, a
new libcurl option CURLOPT_MIME_OPTIONS with bitmask
CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
backslash-escaping. This is controlled by new cli tool option
--form-escape.

New tests and documentation are provided for this feature.

Reported by: Ryan Sleevi
Fixes #7789
Closes #7805

show more ...

lib: fixing comment spelling typos in lib files

Closes #7894
Signed-off-by: ewlumpkin <ewlumpkin@gmail.com>

doh: remove experimental code for DoH with GET

The code for sending DoH requests with GET was never enabled in a way
such that it could be used or tested. As there haven't been requests

doh: remove experimental code for DoH with GET

The code for sending DoH requests with GET was never enabled in a way
such that it could be used or tested. As there haven't been requests
for this feature, and since it at this is effectively dead, remove it
and favor reimplementing the feature in case anyone is interested.

Closes #7870
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse

... and close connections that are too old instead of reusing them.

By default, this behavior is disabled.

CURLOPT_MAXLIFETIME_CONN: maximum allowed lifetime for conn reuse

... and close connections that are too old instead of reusing them.

By default, this behavior is disabled.

Bug: https://curl.se/mail/lib-2021-09/0058.html
Closes #7751

show more ...

CURLOPT_PREREQFUNCTION: add new callback

Triggered before a request is made but after a connection is set up

Changes:

- callback: Update docs and callback for pre-request c

CURLOPT_PREREQFUNCTION: add new callback

Triggered before a request is made but after a connection is set up

Changes:

- callback: Update docs and callback for pre-request callback
- Add documentation for CURLOPT_PREREQDATA and CURLOPT_PREREQFUNCTION,
- Add redirect test and callback failure test
- Note that the function may be called multiple times on a redirection
- Disable new 2086 test due to Windows weirdness

Closes #7477

show more ...

libssh2: add SHA256 fingerprint support

Added support for SHA256 fingerprint in command line curl and in
libcurl.

Closes #7646

http: ignore content-length if any transfer-encoding is used

Fixes #7643
Closes #7649

vtls: fix connection reuse checks for issuer cert and case sensitivity

CVE-2021-22924

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2021-22924.html

lib: fix compiler warnings with CURL_DISABLE_NETRC

warning C4189: 'netrc_user_changed': local variable is initialized but
not referenced

warning C4189: 'netrc_passwd_changed': l

lib: fix compiler warnings with CURL_DISABLE_NETRC

warning C4189: 'netrc_user_changed': local variable is initialized but
not referenced

warning C4189: 'netrc_passwd_changed': local variable is initialized but
not referenced

Closes #7423

show more ...

cleanup: spell DoH with a lowercase o

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

Closes #7413

c-hyper: abort CONNECT response reading early on non 2xx responses

Fixes test 493

Closes #7209

conn: add 'attach' to protocol handler, make libssh2 use it

The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a conn

conn: add 'attach' to protocol handler, make libssh2 use it

The libssh2 backend has SSH session associated with the connection but
the callback context is the easy handle, so when a connection gets
attached to a transfer, the protocol handler now allows for a custom
function to get used to set things up correctly.

Reported-by: Michael O'Farrell
Fixes #6898
Closes #7078

show more ...

http: deal with partial CONNECT sends

Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
which helped verifying this even more.

Add test 363 to verify.

http: deal with partial CONNECT sends

Also added 'CURL_SMALLSENDS' to make Curl_write() send short packets,
which helped verifying this even more.

Add test 363 to verify.

Reported-by: ustcqidi on github
Fixes #6950
Closes #7024

show more ...

http: limit the initial send amount to used upload buffer size

Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer

http: limit the initial send amount to used upload buffer size

Previously this logic would cap the send to CURL_MAX_WRITE_SIZE bytes,
but for the situations where a larger upload buffer has been set, this
function can benefit from sending more bytes. With default size used,
this does the same as before.

Also changed the storage of the size to an 'unsigned int' as it is not
allowed to be set larger than 2M.

Also added cautions to the man pages about changing buffer sizes in
run-time.

Closes #7022

show more ...

SSL: support in-memory CA certs for some backends

- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
specify in-memory PEM certificates for OpenSSL, Schannel (Windows)

SSL: support in-memory CA certs for some backends

- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662

show more ...