single_transfer: ignore blank --output-dir

... as otherwise it creates a rather unexpected target directory with a
leading slash.

Reported-by: Harry Sintonen
Fixes #7218

single_transfer: ignore blank --output-dir

... as otherwise it creates a rather unexpected target directory with a
leading slash.

Reported-by: Harry Sintonen
Fixes #7218
Closes #7233

show more ...

metalink: remove

Warning: this will make existing curl command lines that use metalink to
stop working.

Reasons for removal:

1. We've found several security problems an

metalink: remove

Warning: this will make existing curl command lines that use metalink to
stop working.

Reasons for removal:

1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.

2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.

3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.

4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.

5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.

6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.

Cloes #7176

show more ...

schannel: Disable auto credentials; add an option to enable it

- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.

schannel: Disable auto credentials; add an option to enable it

- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
to automatically locate and use a client certificate for
authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
--proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673

show more ...

tidy-up: make conditional checks more consistent

... remove '== NULL' and '!= 0'

Closes #6912

tool_operate: don't discard failed parallel transfer result

- Save a parallel transfer's result code only when it fails and the
transfer is not being retried.

Prior to this ch

tool_operate: don't discard failed parallel transfer result

- Save a parallel transfer's result code only when it fails and the
transfer is not being retried.

Prior to this change the result code was always set which meant that a
failed result could be erroneously discarded if a different transfer
later had a successful result (CURLE_OK).

Before:

> curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
> echo %ERRORLEVEL%
0

After:

> curl --fail -Z https://httpbin.org/status/404 https://httpbin.org/delay/10
> echo %ERRORLEVEL%
22

Closes #xxxx

show more ...

tool_operate: bail if set CURLOPT_HTTP09_ALLOWED returns error

Closes #6727

curl: set CURLOPT_NEW_FILE_PERMS if requested

The --create-file-mode code logic accepted the value but never actually
passed it on to libcurl!

Follow-up to a7696c73436f (shipped

curl: set CURLOPT_NEW_FILE_PERMS if requested

The --create-file-mode code logic accepted the value but never actually
passed it on to libcurl!

Follow-up to a7696c73436f (shipped in 7.75.0)
Reported-by: Johannes Lesr
Fixes #6657
Closes #6666

show more ...

tool_operate: check argc before accessing argv[1]

Follow-up to 09363500b
Reported-by: Emil Engler
Reviewed-by: Daniel Gustafsson
Closes #6668

cookies: Support multiple -b parameters

Previously only a single -b cookie parameter was supported with the last
one winning. This adds support for supplying multiple -b params to have

cookies: Support multiple -b parameters

Previously only a single -b cookie parameter was supported with the last
one winning. This adds support for supplying multiple -b params to have
them serialized semicolon separated. Both cookiefiles and cookies can be
entered multiple times.

Closes #6649
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

show more ...

doh: add options to disable ssl verification

- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
same as their re

doh: add options to disable ssl verification

- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
same as their respective counterparts.

- New curl tool options --doh-insecure and --doh-cert-status do the same
as their respective counterparts.

Prior to this change DOH SSL certificate verification settings for
verifyhost and verifypeer were supposed to be inherited respectively
from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
were not. As a result DOH verification remained at the default, ie
enabled, and it was not possible to disable. This commit changes
behavior so that the DOH verification settings are independent and not
inherited.

Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676

Fixes https://github.com/curl/curl/issues/4578
Closes https://github.com/curl/curl/pull/6597

show more ...

curl: add --fail-with-body

Prevent both --fail and --fail-with-body on the same command line.

Verify with test 349, 360 and 361.

Closes #6449

tool_writeout: refactor write-out and write-out json

- Deduplicate the logic used by write-out and write-out json.

Rather than have separate writeLong, writeString, etc, logic for

tool_writeout: refactor write-out and write-out json

- Deduplicate the logic used by write-out and write-out json.

Rather than have separate writeLong, writeString, etc, logic for
each of write-out and write-out json instead have respective shared
functions that can output either format and a 'use_json' parameter to
indicate whether it is json that is output.

This will make it easier to maintain. Rather than have to go through
two sets of logic now we only have to go through one.

- Support write-out %{errormsg} and %{exitcode} in json.

- Clarify in the doc that %{exitcode} is the exit code of the transfer.

Prior to this change it just said "The numerical exitcode" which
implies it's the exit code of the tool, and it's not necessarily that.

Closes https://github.com/curl/curl/pull/6544

show more ...

http: improve AWS HTTP v4 Signature auth

- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)

http: improve AWS HTTP v4 Signature auth

- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
by providing region and service parameters via aws-sigv4 option.
- Add [:region[:service]] suffix to aws-sigv4 option;
- Fix memory allocation errors.
- Refactor memory management.
- Use Curl_http_method instead() STRING_CUSTOMREQUEST.
- Refactor canonical headers generating.
- Remove repeated sha256_to_hex() usage.
- Add some docs fixes.
- Add some codestyle fixes.
- Add overloaded strndup() for debug - curl_dbg_strndup().
- Update tests.

Closes #6524

show more ...

curl: include the file name in --xattr/--remote-time error msgs

curl: s/config->global/global/ in single_transfer()

curl: move fprintf outputs to warnf

For setting and getting time of the download. To make the outputs
respect --silent etc.

Reported-by: Viktor Szakats
Fixes #6533
Close

curl: move fprintf outputs to warnf

For setting and getting time of the download. To make the outputs
respect --silent etc.

Reported-by: Viktor Szakats
Fixes #6533
Closes #6535

show more ...

tool_operate: spellfix a comment

tool_operate: fix the suppression logic of some error messages

- Fix the failed truncation and failed writing body error messages to
not be shown unless error messages are shown. (ie t

tool_operate: fix the suppression logic of some error messages

- Fix the failed truncation and failed writing body error messages to
not be shown unless error messages are shown. (ie the user has
specified -sS, or has not specified -s).

- Also prefix same error messages with "curl: ", for example:
curl: (23) Failed to truncate, exiting

Prior to this change the failed truncation error messages would be shown
if not -s, but did not account for -sS which should show.

Prior to this change the failed writing body error messages would be
shown always.

Ref: https://curl.se/docs/manpage.html#-S

Bug: https://curl.se/mail/archive-2020-12/0017.html
Reported-by: Hongyi Zhao

Closes https://github.com/curl/curl/pull/6402

show more ...

language: s/behaviour/behavior/g

We currently use both spellings the british "behaviour" and the american
"behavior". However "behavior" is more used in the project so I think
it's w

language: s/behaviour/behavior/g

We currently use both spellings the british "behaviour" and the american
"behavior". However "behavior" is more used in the project so I think
it's worth dropping the british name.

Closes #6395

show more ...

tool_operate: avoid NULL dereference of first_arg

Follow-up to 6a5e020d4d2b04a
Identified by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28999
Closes #6377

misc: fix "warning: empty expression statement has no effect"

Turned several macros into do-while(0) style to allow their use to work
find with semicolon.

Bug: https://github.co

misc: fix "warning: empty expression statement has no effect"

Turned several macros into do-while(0) style to allow their use to work
find with semicolon.

Bug: https://github.com/curl/curl/commit/08e8455dddc5e48e58a12ade3815c01ae3da3b64#commitcomment-45433279
Follow-up to 08e8455dddc5e4
Reported-by: Gisle Vanem
Closes #6376

show more ...

curl: fix handling of -q option

The match of the "-q" option (short for "--disable") should:
a) allow concatenation with other single-letters; and
b) be case-sensitive, lest confusin

curl: fix handling of -q option

The match of the "-q" option (short for "--disable") should:
a) allow concatenation with other single-letters; and
b) be case-sensitive, lest confusing with "-Q" ("--quote")

Closes #6364

show more ...

curl: add variables to --write-out

In particular, these ones can help a user to create its own error
message when one or transfers fail.

writeout: add 'onerror', 'url', 'urlnum'

curl: add variables to --write-out

In particular, these ones can help a user to create its own error
message when one or transfers fail.

writeout: add 'onerror', 'url', 'urlnum', 'exitcode', 'errormsg'

onerror - lets a user only show the rest on non-zero exit codes

url - the input URL used for this transfer

urlnum - the numerical URL counter (0 indexed) for this transfer

exitcode - the numerical exit code for the transfer

errormsg - obvious

Reported-by: Earnestly on github
Fixes #6199
Closes #6207

show more ...

tool: add AWS HTTP v4 Signature support

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

curl: only warn not fail, if not finding the home dir

... as there's no good reason to error out completely.

Reported-by: Andreas Fischer
Fixes #6200
Closes #6201