diff --git a/vendor/curl/CHANGES b/vendor/curl/CHANGES
index e45ee08aae..d48ababb4f 100644
--- a/vendor/curl/CHANGES
+++ b/vendor/curl/CHANGES
@@ -6,7779 +6,8860 @@ Changelog
-Version 7.85.0 (31 Aug 2022) - -Daniel Stenberg (31 Aug 2022) -- RELEASE-NOTES: synced +Version 7.86.0 (26 Oct 2022) - curl 7.85.0 release - -- THANKS: add contributors from the 7.85.0 release +Daniel Stenberg (26 Oct 2022) +- RELEASE: synced -- getparam: correctly clean args + The 7.86.0 release - Follow-up to bf7e887b2442783ab52 +- THANKS: added from the 7.86.0 release - The previous fix for #9128 was incomplete and caused #9397. +Viktor Szakats (25 Oct 2022) +- noproxy: include netinet/in.h for htonl() - Fixes #9397 - Closes #9399 + Solve the Amiga build warning by including `netinet/in.h`. -- zuul: remove the clang-tidy job + `krb5.c` and `socketpair.c` are using `htonl()` too. This header is + already included in those sources. - Turns out we don't see the warnings, but the warnings right now are - plain ridiculous and unhelpful so we can just as well just kill this - job. + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 - Closes #9390 + Reviewed-by: Daniel Stenberg + Closes #9787 -- cmake: set feature PSL if present +Marc Hoersken (24 Oct 2022) +- CI: fix AppVeyor status failing for starting jobs - ... make test 1014 pass when libpsl is used. 
+Daniel Stenberg (24 Oct 2022) +- test445: verifies the protocols-over-http-proxy flaw and fix - Closes #9391 +- http_proxy: restore the protocol pointer on error -- lib530: simplify realloc failure exit path + Reported-by: Trail of Bits - To make code analyzers happier + Closes #9790 - Closes #9392 +- multi: remove duplicate include of connect.h -- [Orgad Shaneh brought this change] + Reported-by: Martin Strunz + Fixes #9794 + Closes #9795 - tests: add tests for netrc login/password combinations +Daniel Gustafsson (24 Oct 2022) +- idn: fix typo in test description - Covers the following PRs: + s/enabked/enabled/i - - #9066 - - #9247 - - #9248 +Daniel Stenberg (24 Oct 2022) +- url: use IDN decoded names for HSTS checks - Closes #9256 + Reported-by: Hiroki Kurosawa -- [Orgad Shaneh brought this change] + Closes #9791 - url: really use the user provided in the url when netrc entry exists +- unit1614: fix disabled-proxy build - If the user is specified as part of the URL, and the same user exists - in .netrc, Authorization header was not sent at all. + Follow-up to 1e9a538e05c01 - The user and password fields were assigned in conn->user and password - but the user was not assigned to data->state.aptr, which is the field - that is used in output_auth_headers and friends. + Closes #9792 - Fix by assigning the user also to aptr. +Daniel Gustafsson (24 Oct 2022) +- cookies: optimize control character check - Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. + When checking for invalid octets the strcspn() call will return the + position of the first found invalid char or the first NULL byte. + This means that we can check the indicated position in the search- + string saving a strlen() call. 
- Fixes #9243 + Closes: #9736 + Reviewed-by: Jay Satiro -- [Orgad Shaneh brought this change] +Daniel Stenberg (24 Oct 2022) +- netrc: replace fgets with Curl_get_line - netrc: Use the password from lines without login + Make the parser only accept complete lines and avoid problems with + overly long lines. - If netrc entry has password with empty login, use it for any username. + Reported-by: Hiroki Kurosawa - Example: - .netrc: - machine example.com password 123456 + Closes #9789 - curl -vn http://user@example.com/ +- RELEASE-NOTES: add "Planned upcoming removals include" - Fix it by initializing state_our_login to TRUE, and reset it only when - finding an entry with the same host and different login. + URL: https://curl.se/mail/archive-2022-10/0001.html - Closes #9248 + Suggested-by: Dan Fandrich -- [Jay Satiro brought this change] +Viktor Szakats (23 Oct 2022) +- ci: bump to gcc-11 for macos - url: treat missing usernames in netrc as empty + Ref: https://github.blog/changelog/2022-10-03-github-actions-jobs-running-on-macos-latest-are-now-running-on-macos-12/ + Ref: https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md - - If, after parsing netrc, there is a password with no username then - set a blank username. + Reviewed-by: Max Dymond + Closes #9785 - This used to be the case prior to 7d600ad (precedes 7.82). Note - parseurlandfillconn already does the same thing for URLs. +- Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [ci skip] - Reported-by: Raivis - Testing-by: Domen Kožar + - Reintroduce `CROSSPREFIX`: - Fixes https://github.com/curl/curl/issues/8653 - Closes #9334 - Closes #9066 + If set, we add it to the `CC` and `AR` values, and to the _default_ + value of `RC`, which is `windres`. This allows to control each of + these individidually, while also allowing to simplify configuration + via `CROSSPREFIX`. -- test8: verify that "ctrl-byte cookies" are ignored + This variable worked differently earlier. 
Hopefully this new solution + hits a better compromise in usefulness/complexity/flexibility. -- cookie: reject cookies with "control bytes" + Follow-up to: aa970c4c08775afcd0c2853be89b0a6f02582d50 - Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + - Enable warnings again: - Reported-by: Axel Chong + This time with an option to override it via `CFLAGS`. Warnings are + also enabled by default in CMake, `makefile.dj` and `makefile.amiga` + builds (not in autotools though). - Bug: https://curl.se/docs/CVE-2022-35252.html + Follow-up to 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - CVE-2022-35252 + Closes #9784 - Closes #9381 +- noproxy: silence unused variable warnings with no ipv6 -- libssh: ignore deprecation warnings + Follow-up to 36474f1050c7f4117e3c8de6cc9217cfebfc717d - libssh 0.10.0 marks all SCP functions as "deprecated" which causes - compiler warnings and errors in our CI jobs and elsewhere. Ignore - deprecation warnings if 0.10.0 or later is found in the build. + Reviewed-by: Daniel Stenberg + Closes #9782 - If they actually remove the functions at a later point, then someone can - deal with that pain and functionality break then. +Daniel Stenberg (22 Oct 2022) +- test644: verify --xattr (with redirect) - Fixes #9382 - Closes #9383 +- tool_xattr: save the original URL, not the final redirected one -- Revert "schannel: when importing PFX, disable key persistence" + Adjusted test 1621 accordingly. - This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. + Reported-by: Viktor Szakats + Fixes #9766 + Closes #9768 - Due to further reports in #9300 that indicate this commit might - introduce problems. +- docs: make sure libcurl opts examples pass in long arguments -- multi: use larger dns hash table for multi interface + Reported-by: Sergey + Fixes #9779 + Closes #9780 - Have curl_multi_init() use a much larger DNS hash table than used for - the easy interface to scale and perform better when used with _many_ - host names. 
+Marc Hoersken (21 Oct 2022) +- CI: fix AppVeyor job links only working for most recent build - curl_share_init() sets an in-between size. + Ref: https://github.com/curl/curl/pull/9768#issuecomment-1286675916 + Reported-by: Daniel Stenberg - Inspired-by: Ivan Tsybulin - See #9340 - Closes #9376 + Follow up to #9769 -Marc Hoersken (28 Aug 2022) -- CI/runtests.pl: add param for dedicated curl to talk to APIs +Viktor Szakats (21 Oct 2022) +- noproxy: fix builds without AF_INET6 - This should make it possible to also report test failures - if our freshly build curl binary is not fully functional. + Regression from 1e9a538e05c0107c54ef81d9de7cd0b27cd13309 Reviewed-by: Daniel Stenberg - Closes #9360 -Daniel Stenberg (27 Aug 2022) -- [Jacob Tolar brought this change] + Closes #9778 - openssl: add cert path in error message +Daniel Stenberg (21 Oct 2022) +- noproxy: support proxies specified using cidr notation - Closes #9349 + For both IPv4 and IPv6 addresses. Now also checks IPv6 addresses "correctly" + and not with string comparisons. -- [Jacob Tolar brought this change] + Split out the noproxy checks and functionality into noproxy.c - cert.d: clarify that escape character works for file paths + Added unit test 1614 to verify checking functions. - Closes #9349 + Reported-by: Mathieu Carbonneaux -- gha: move over ngtcp2-gnutls CI job from zuul + Fixes #9773 + Fixes #5745 + Closes #9775 - Closes #9331 +- urlapi: remove two variable assigns -Marc Hoersken (26 Aug 2022) -- cmake: add detection of threadsafe feature + To please scan-build: - Avoids failing test 1014 by replicating configure checks - for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. 
+ urlapi.c:1163:9: warning: Value stored to 'qlen' is never read + qlen = Curl_dyn_len(&enc); + ^ ~~~~~~~~~~~~~~~~~~ + urlapi.c:1164:9: warning: Value stored to 'query' is never read + query = u->query = Curl_dyn_ptr(&enc); + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - Reviewed-by: Marcel Raad + Follow-up to 7d6cf06f571d57 - Follow up to #8680 - Closes #9312 + Closes #9777 -Daniel Stenberg (26 Aug 2022) -- RELEASE-NOTES: synced +- [Jeremy Maitin-Shepard brought this change] -Marc Hoersken (26 Aug 2022) -- CI/azure: align torture shallowness with GHA + cmake: improve usability of CMake build as a sub-project - There 25 is used with FTP tests skipped, and 20 for FTP tests. - This should make torture tests stay within the 60min timeout. + - Renames `uninstall` -> `curl_uninstall` + - Ensures all export rules are guarded by CURL_ENABLE_EXPORT_TARGET - Reviewed-by: Daniel Stenberg - Closes #9371 + Closes #9638 -- multi_wait: fix and improve Curl_poll error handling on Windows +- [Don J Olmstead brought this change] - First check for errors and return CURLM_UNRECOVERABLE_POLL - before moving forward and waiting on socket readiness events. + easy_lock: check for HAVE_STDATOMIC_H as well - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad + The check for `HAVE_STDATOMIC_H` looks to see if the `stdatomic.h` + header is present. - Reported-by: Daniel Stenberg - Ref: #9361 + Closes #9755 - Follow up to #8961 - Closes #9372 +- RELEASE-NOTES: synced -- multi_wait: fix skipping to populate revents for extra_fds +- [Brad Harder brought this change] - On Windows revents was not populated for extra_fds if - multi_wait had to wait due to the Curl_poll pre-check - not signalling any readiness. This commit fixes that. 
+ CURLMOPT_PIPELINING.3: dedup manpage xref - Reviewed-by: Marcel Raad - Reviewed-by: Jay Satiro + Closes #9776 - Closes #9361 +Marc Hoersken (20 Oct 2022) +- CI: report AppVeyor build status for each job -- CI/appveyor: disable TLS in msys2-native autotools builds + Also give each job on AppVeyor CI a human-readable name. - Schannel cannot be used from msys2-native Linux-emulated builds. + This aims to make job and therefore build failures more visible. Reviewed-by: Marcel Raad + Closes #9769 + +Viktor Szakats (20 Oct 2022) +- amiga: set SIZEOF_CURL_OFF_T=8 by default [ci skip] + Reviewed-by: Daniel Stenberg - Follow up to #9367 - Closes #9370 + Closes #9771 -Jay Satiro (25 Aug 2022) -- tests: fix http2 tests to use CRLF headers +- connect: fix builds without AF_INET6 - Prior to this change some tests that rely on nghttpx proxy did not use - CRLF headers everywhere. A recent change in nghttp2, which updated its - version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to - use CRLF headers. + Regression from 2b309560c1e5d6ed5c0e542e6fdffa968b0521c9 - Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro - Fixes https://github.com/curl/curl/issues/9364 - Closes https://github.com/curl/curl/pull/9365 + Closes #9770 -Daniel Stenberg (25 Aug 2022) -- [rcombs brought this change] +Daniel Stenberg (20 Oct 2022) +- test1105: adjust to work with a hyper build - multi: use a pipe instead of a socketpair on apple platforms + Closes #9767 - Sockets may be shut down by the kernel when the app is moved to the - background, but pipes are not. +- urlapi: fix parsing URL without slash with CURLU_URLENCODE - Removed from KNOWN_BUGS + When CURLU_URLENCODE is set, the parser would mistreat the path + component if the URL was specified without a slash like in + http://local.test:80?-123 - Fixes #6132 - Closes #9368 + Extended test 1560 to reproduce and verify the fix. 
-- [Somnath Kundu brought this change] + Reported-by: Trail of Bits - libssh2: provide symlink name in SFTP dir listing + Closes #9763 - When reading the symbolic link name for a file, we need to add the file - name to base path name. +Marc Hoersken (19 Oct 2022) +- tests: avoid CreateThread if _beginthreadex is available - Closes #9369 + CreateThread is not threadsafe if mixed with CRT calls. + _beginthreadex on the other hand can be mixed with CRT. -- configure: if asked to use TLS, fail if no TLS lib was detected + Reviewed-by: Marcel Raad + Closes #9705 - Previously the configure script would just warn about this fact and - continue with TLS disabled build which is not always helpful. TLS should - be explicitly disabled if that is what the user wants. +Jay Satiro (19 Oct 2022) +- [Joel Depooter brought this change] - Closes #9367 + schannel: Don't reset recv/send function pointers on renegotiation -- [Dustin Howett brought this change] + These function pointers will have been set when the initial TLS + handshake was completed. If they are unchanged, there is no need to set + them again. If they have been changed, as is the case with HTTP/2, we + don't want to override that change. That would result in the + http22_recv/send functions being completely bypassed. - schannel: when importing PFX, disable key persistence + Prior to this change a connection that uses Schannel with HTTP/2 would + fail on renegotiation with error "Received HTTP/0.9 when not allowed". - By default, the PFXImportCertStore API persists the key in the user's - key store (as though the certificate was being imported for permanent, - ongoing use.) + Fixes https://github.com/curl/curl/issues/9451 + Closes https://github.com/curl/curl/pull/9756 - The documentation specifies that keys that are not to be persisted - should be imported with the flag `PKCS12_NO_PERSIST_KEY`. - NOTE: this flag is only supported on versions of Windows newer than XP - and Server 2003. 
+Viktor Szakats (18 Oct 2022) +- hostip: guard PF_INET6 use - Fixes #9300 - Closes #9363 + Some platforms (e.g. Amiga OS) do not have `PF_INET6`. Adjust the code + for these. -- unit1303: four tests should have TRUE for 'connecting' + ``` + hostip.c: In function 'fetch_addr': + hostip.c:308:12: error: 'PF_INET6' undeclared (first use in this function) + pf = PF_INET6; + ^~~~~~~~ + ``` - To match the comments. + Regression from 1902e8fc511078fb5e26fc2b907b4cce77e1240d - Reported-by: Wu Zheng + Reviewed-by: Daniel Stenberg - See #9355 - Closes #9356 + Closes #9760 -- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also +- amiga: do not hardcode openssl/zlib into the os config [ci skip] - Closes #9354 + Enable them in `lib/makefile.amiga` and `src/makefile.amiga` instead. -- [Fabian Fischer brought this change] + This allows builds without openssl and/or zlib. E.g. with the + cross-compiler. - HTTP3.md: add missing autoreconf command for building with wolfssl + Reviewed-by: Daniel Stenberg - Closes #9353 + Closes #9762 -- RELEASE-NOTES: synced +- amigaos: add missing curl header [ci skip] -- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer + Without it, `CURLcode` and `CURLE_*` are undefined. `lib/hostip.h` and + conditional local code need them. - Ẃhen it has been used in the multi interface, it is otherwise left in - the connection cache, can't be reused and nothing will close them since - the easy handle loses the association with the multi handle and thus the - connection cache - until the multi handle is closed or it gets pruned - because the cache is full. 
+ Reviewed-by: Daniel Stenberg - Reported-by: Dominik Thalhammer - Fixes #9335 - Closes #9342 + Closes #9761 -- docs/cmdline-opts: remove \& escapes from all .d files +Daniel Stenberg (18 Oct 2022) +- cmdline/docs: add a required 'multi' keyword for each option - gen.pl escapes them itself now + The keyword specifies how option works when specified multiple times: -- docs/cmdline-opts/gen.pl: encode leading single and double quotes + - single: the last provided value replaces the earlier ones + - append: it supports being provided multiple times + - boolean: on/off values + - mutex: flag-like option that disable anoter flag - As "(aq" and "(dq" to prevent them from implying a meaning in the nroff - output. This removes the need for using \& escapes in the .d files' - description parts. + The 'gen.pl' script then outputs the proper and unified language for + each option's multi-use behavior in the generated man page. - Closes #9352 + The multi: header is requires in each .d file and will cause build error + if missing or set to an unknown value. -Marc Hoersken (23 Aug 2022) -- tests/server/sockfilt.c: avoid race condition without a mutex + Closes #9759 - Avoid loosing any triggered handles by first aborting and joining - the waiting threads before evaluating the individual signal state. +- CURLOPT_AUTOREFERER.3: highlight the privacy leak risk - This removes the race condition and therefore need for a mutex. + Closes #9757 - Closes #9023 +- mprintf: reject two kinds of precision for the same argument -Daniel Stenberg (22 Aug 2022) -- [Emil Engler brought this change] + An input like "%.*1$.9999d" would first use the precision taken as an + argument *and* then the precision specified in the string, which is + confusing and wrong. pass1 will now instead return error on this double + use. 
- url: output the maximum when rejecting a url + Adjusted unit test 1398 to verify - This commit changes the failf message to output the maximum length, when - curl refuses to process a URL because it is too long. + Reported-by: Peter Goodman - See: #9317 - Closes: #9327 + Closes #9754 -- [Chris Paulson-Ellis brought this change] +- ftp: remove redundant if - configure: fix broken m4 syntax in TLS options + Reported-by: Trail of Bits - Commit b589696f added lines to some shell within AC_ARG_WITH macros, but - inadvertently failed to move the final closing ). + Closes #9753 - Quote the script section using braces. +- tool_operate: more transfer cleanup after parallel transfer fail - So, if these problems have been around for a while, how did I find them? - Only because I did a configure including these options: + In some circumstances when doing parallel transfers, the + single_transfer_cleanup() would not be called and then 'inglob' could + leak. - $ ./configure --with-openssl --without-rustls - SSL: enabled (OpenSSL) + Test 496 verifies - Closes #9344 + Reported-by: Trail of Bits + Closes #9749 -- tests/data/CMakeLists: remove making the 'show' makefile target +- mqtt: spell out CONNECT in comments - It is not used by runtests since 3c0f462 + Instead of calling it 'CONN' in several comments, use the full and + correct protocol packet name. - Closes #9333 + Suggested by Trail of Bits -- tests/data/Makefile: remove 'filecheck' target + Closes #9751 - No practical use anymore since 3c0f4622cdfd6 +- CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST - Closes #9332 + Not the deprecated CURLOPT_HTTPPOST option. -- libssh2: make atime/mtime date overflow return error + Also added two see-alsos. 
- Closes #9328 + Reported-by: Trail of Bits + Closes #9752 -- libssh: make atime/mtime date overflow return error +- RELEASE-NOTES: synced - Closes #9328 +Jay Satiro (17 Oct 2022) +- ngtcp2: Fix build errors due to changes in ngtcp2 library -- examples/curlx.c: remove + ngtcp2/ngtcp2@b0d86f60 changed: - This example is a bit convoluted to use as an example, combined with the - special license for it makes it unsuitable. + - ngtcp2_conn_get_max_udp_payload_size => + ngtcp2_conn_get_max_tx_udp_payload_size - Closes #9330 + - ngtcp2_conn_get_path_max_udp_payload_size => + ngtcp2_conn_get_path_max_tx_udp_payload_size -- [Tobias Nygren brought this change] + ngtcp2/ngtcp2@ec59b873 changed: - curl.h: include on SunOS + - 'early_data_rejected' member added to ng_callbacks. - It is needed for fd_set to be visible to downstream consumers that use - . Header is known to exist at least as far back as Solaris - 2.6. + Assisted-by: Daniel Stenberg + Reported-by: jurisuk@users.noreply.github.com - Closes #9329 + Fixes https://github.com/curl/curl/issues/9747 + Closes https://github.com/curl/curl/pull/9748 -- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 +Daniel Stenberg (16 Oct 2022) +- curl_path: return error if given a NULL homedir - URL: https://curl.se/mail/lib-2022-08/0016.html + Closes #9740 -- libssh2: setting atime or mtime >32bit on 4-bytes-long systems +- libssh: if sftp_init fails, don't get the sftp error code - Since the libssh2 API uses 'long' to store the timestamp, it cannot - transfer >32bit times on Windows and 32bit architecture builds. + This flow extracted the wrong code (sftp code instead of ssh code), and + the code is sometimes (erroneously) returned as zero anyway, so skip + getting it and set a generic error. - Avoid nasty surprises by instead not setting such time. 
+ Reported-by: David McLaughlin + Fixes #9737 + Closes #9740 - Spotted by Coverity +- mqtt: return error for too long topic - Closes #9325 + Closes #9744 -- libssh: setting atime or mtime > 32bit is now just skipped +- [Rickard Hallerbäck brought this change] - The libssh API used caps the time to an unsigned 32bit variable. Avoid - nasty surprises by instead not setting such time. + tool_paramhlp: make the max argument a 'double' - Spotted by Coverity. + To fix compiler warnings "Implicit conversion from 'long' to 'double' + may lose precision" - Closes #9324 + Closes #9700 -Jay Satiro (16 Aug 2022) -- KNOWN_BUGS: Windows Unicode builds use homedir in current locale +Marc Hoersken (15 Oct 2022) +- [Philip Heiduck brought this change] - Bug: https://github.com/curl/curl/pull/7252 - Reported-by: dEajL3kA@users.noreply.github.com + cirrus-ci: add more macOS builds with m1 based on x86_64 builds - Ref: https://github.com/curl/curl/pull/7281 + Also refactor macOS builds to use task matrix. - Closes https://github.com/curl/curl/pull/9305 + Assisted-by: Marc Hörsken + Closes #9565 -Daniel Stenberg (16 Aug 2022) -- test399: switch it to use a config file instead +Viktor Szakats (14 Oct 2022) +- cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows - ... as using a 65535 bytes host name in a URL does not fit on the - command line on some systems - like Windows. + `lib/config-win32.h` enables this configuration option unconditionally. + Make it apply to CMake builds as well. - Reported-by: Marcel Raad - Fixes #9321 - Closes #9322 + While here, delete a broken check for + `HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID` from `CMakeLists.txt`. This came with + the initial commit [1], but did not include the actual verification code + inside `CMake/CurlTests.c`, so it always failed. A later commit [2] + added a second test, for non-Windows platforms. -- RELEASE-NOTES: synced + Enabling this flag causes test 1056 to fail with CMake builds, as they + do with autotools builds. 
Let's apply the same solution and ignore the + results here as well. -- asyn-ares: make a single alloc out of hostname + async data + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e - This saves one alloc per name resolve and simplifies the exit path. + Reviewed-by: Daniel Stenberg + Assisted-by: Marcel Raad - Closes #9310 + Closes #9726 -- Curl_close: call Curl_resolver_cancel to avoid memory-leak +- cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows - There might be a pending (c-ares) resolve that isn't free'd up yet. + autotools enables this configuration option unconditionally for Windows + [^1]. Do the same in CMake. - Closes #9310 + The above will make this work for all reasonably recent environments. + The logic present in `lib/config-win32.h` [^2] has the following + exceptions which we did not cover in this CMake update: -- asyn-thread: fix socket leak on OOM + - Builds targeting Windows 2000 and earlier + - MS Visual C++ 5.0 (1997) and earlier - Closes #9310 + Also make sure to disable this feature when `HAVE_GETADDRINFO` isn't + set, to avoid a broken build. We might want to handle that in the C + sources in a future commit. -- GHA: mv CI torture test from Zuul + [^1]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/m4/curl-functions.m4#L2067-L2070 - Closes #9310 + [^2]: https://github.com/curl/curl/blob/68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6/lib/config-win32.h#L511-L528 -- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL + Closes #9727 - Closes #9318 +- cmake: sync HAVE_SIGNAL detection with autotools -- test399: verify check of too long host name + `HAVE_SIGNAL` means the availability of the `signal()` function in + autotools, while in CMake it meant the availability of that function + _and_ the symbol `SIGALRM`. 
-- url: reject URLs with hostnames longer than 65535 bytes + The latter is not available on Windows, but the function is, which means + on Windows, autotools did define `HAVE_SIGNAL`, but CMake did not, + introducing a slight difference into the binaries. - It *probably* causes other problems too since DNS can't resolve such - long names, but the SNI field in TLS is limited to 16 bits length. + This patch syncs CMake behaviour with autotools to look for the function + only. - Closes #9317 + The logic came with the initial commit adding CMake support to curl, so + the commit history doesn't reveal the reason behind it. In any case, + it's best to check the existence of `SIGALRM` directly in the source + before use. For now, curl builds fine with `HAVE_SIGNAL` enabled and + `SIGALRM` missing. -- curl_multi_perform.3: minor language fix + Follow-up to 68fa9bf3f5d7b4fcbb57619f70cb4aabb79a51f6 - Closes #9316 + Closes #9725 -- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC +- cmake: delete duplicate HAVE_GETADDRINFO test - Follow-up to 8a13be227eede2 + A custom `HAVE_GETADDRINFO` check came with the initial CMake commit + [1]. A later commit [2] added a standard check for it as well. The + standard check run before the custom one, so CMake ignored the latter. - Closes #9315 + The custom check was also non-portable, so this patch deletes it in + favor of the standard check. -- ngtcp2: remove leftover variable + [1] 4c5307b45655ba75ab066564afdc0c111a8b9291 + [2] aec7c5a87c8482b6ddffa352d7d220698652262e - Mistake leftover from my edit before push. 
+ Closes #9731 - Follow-up from 8a13be227eede2601c2b3b - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 +Daniel Stenberg (14 Oct 2022) +- tool_formparse: unroll the NULL_CHECK and CONST_FREE macros -Viktor Szakats (15 Aug 2022) -- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] + To make the code read more obvious - Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` - was also enabled. `-ssl` meaning OpenSSL (and its forks). After - 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be - used together with wolfSSL. This patch adds the ability to enable - `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to - use it with wolfSSL or other, future TLS backends. + Assisted-by: Jay Satiro - Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` - unconditionally. After this patch, this is no longer the case, and now - it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only - together with a compatible TLS backend. + Closes #9710 - When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 - library must be configured manually, e.g.: - `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` +- [Christopher Sauer brought this change] - (or via `NGTCP2_LIBS`) + docs/INSTALL: update Android Instructions for newer NDKs - Closes #9314 + Closes #9732 -Daniel Stenberg (15 Aug 2022) -- [Stefan Eissing brought this change] +- markdown-uppercase: ignore quoted sections - quic: add support via wolfSSL + Sections within the markdown ~~~ or ``` are now ignored. 
- - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 - - configure adapted to build against ngtcp2 wolfssl crypto lib - - quic code added for creation of WOLFSSL* instances + Closes #9733 - Closes #9290 +- RELEASE-NOTES: synced -Marcel Raad (14 Aug 2022) -- [David Carlier brought this change] +- test8: update as cookies no longer can have "embedded" TABs in content - memdebug: add annotation attributes +- test1105: extend to verify TAB in name/content discarding cookies - memory debug tracking annotates whether the returned pointer does not - `alias`, hints where the size required is, for Windows to be better - debugged via Visual Studio. +- cookie: reject cookie names or content with TAB characters - Closes https://github.com/curl/curl/pull/9306 + TABs in name and content seem allowed by RFC 6265: "the algorithm strips + leading and trailing whitespace from the cookie name and value (but + maintains internal whitespace)" -Daniel Stenberg (14 Aug 2022) -- GHA: move libressl CI from zuul to GitHub + Cookies with TABs in the names are rejected by Firefox and Chrome. - Closes #9309 + TABs in content are stripped out by Firefox, while Chrome discards the + whole cookie. -- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel + TABs in cookies also cause issues in saved netscape cookie files. 
- Closes #9161 + Reported-by: Trail of Bits -- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel + URL: https://curl.se/mail/lib-2022-10/0032.html + URL: https://github.com/httpwg/http-extensions/issues/2262 - Closes #8741 + Closes #9659 -- KNOWN_BUGS: libssh blocking and infinite loop problem +- curl/add_parallel_transfers: better error handling - Closes #8632 + 1 - consider the transfer handled at once when in the function, to avoid + the same list entry to get added more than once in rare error + situations -- RELEASE-NOTES: synced + 2 - set the ERRORBUFFER for the handle first after it has been added + successfully -- msh3: fix the QUIC disconnect function + Reported-by: Trail of Bits - And free request related memory better in 'done'. Fixes a memory-leak. + Closes #9729 - Reported-by: Gisle Vanem - Fixes #8915 - Closes #9304 +- netrc: remove the two 'changed' arguments -- connect: close the happy eyeballs loser connection when using QUIC + As no user of these functions used the returned content. - Reviewed-by: Nick Banks +- test495: verify URL encoded user name + netrc-optional - Closes #9303 + Reproduced issue #9709 -- [Emil Engler brought this change] +- netrc: use the URL-decoded user - refactor: split resolve_server() into functions + When the user name is provided in the URL it is URL encoded there, but + when used for authentication the encoded version should be used. - This commit splits the branch-heavy resolve_server() function into - various sub-functions, in order to reduce the amount of nested - if/else-statements. + Regression introduced after 7.83.0 - Beside this, it also removes many else-sequences, by returning in the - previous if-statement. 
+ Reported-by: Jonas Haag + Fixes #9709 + Closes #9715 - Closes #9283 +- [Shaun Mirani brought this change] -- schannel: re-indent to use curl style better + url: allow non-HTTPS HSTS-matching for debug builds - Only white space changes + Closes #9728 - Closes #9301 +- test1275: remove the check of stderr -- [Emanuele Torre brought this change] + To avoid the mysterious test failures on Windows, instead rely on the + error code returned on failure. - docs/cmdline-opts: fix example and categories for --form-escape + Fixes #9716 + Closes #9723 - The example was missing a "--form" argument - I also replaced "--form" with "-F" to shorten the line a bit since it - was already very long. +Viktor Szakats (13 Oct 2022) +- lib: set more flags in config-win32.h - And I also moved --form-escape from the "post" category to the "upload" - category (this is what I originally wanted to fix, before also noticing - the mistake in the example). + The goal is to add any flag that affect the created binary, to get in + sync with the ones built with CMake and autotools. - Closes #9298 + I took these flags from curl-for-win [0], where they've been tested with + mingw-w64 and proven to work well. -- [Nick Banks brought this change] + This patch brings them to curl as follows: - HTTP3.md: update to msh3 v0.4.0 + - Enable unconditionally those force-enabled via + `CMake/WindowsCache.cmake`: - Closes #9297 + - `HAVE_SETJMP_H` + - `HAVE_STRING_H` + - `HAVE_SIGNAL` (CMake equivalent is `HAVE_SIGNAL_FUNC`) -- hostip: resolve *.localhost to 127.0.0.1/::1 + - Expand existing guards with mingw-w64: - Following the footsteps of other clients like Firefox/Chrome. RFC 6761 - says clients SHOULD do this. + - `HAVE_STDBOOL_H` + - `HAVE_BOOL_T` - Add test 389 to verify. 
+ - Enable Win32 API functions for Windows Vista and later: - Reported-by: TheKnarf on github - Fixes #9192 - Closes #9296 + - `HAVE_INET_NTOP` + - `HAVE_INET_PTON` -Jay Satiro (11 Aug 2022) -- KNOWN_BUGS: long paths are not fully supported on Windows + - Set sizes, if not already set: - Bug: https://github.com/curl/curl/issues/8361 - Reported-by: Gisle Vanem + - `SIZEOF_OFF_T = 8` + - `_FILE_OFFSET_BITS = 64` when `USE_WIN32_LARGE_FILES` is set, + and using mingw-w64. - Closes https://github.com/curl/curl/pull/9288 + - Add the remaining for mingw-w64 only. Feel free to expand as desired: -Daniel Stenberg (11 Aug 2022) -- config: remove the check for and use of SIZEOF_SHORT + - `HAVE_LIBGEN_H` + - `HAVE_FTRUNCATE` + - `HAVE_BASENAME` + - `HAVE_STRTOK_R` - shorts are 2 bytes on all platforms curl runs and have ever run on. + Future TODO: - Closes #9291 + - `HAVE_SIGNAL` has a different meaning in CMake. It's enabled when both + the `signal()` function and the `SIGALRM` macro are found. In + autotools and this header, it means the function only. For the + function alone, CMake uses `HAVE_SIGNAL_FUNC`. -- configure: introduce CURL_SIZEOF + [0] https://github.com/curl/curl-for-win/blob/c9b9a5f273c94c73d2b565ee892c4dff0ca97a8c/curl-m32.sh#L53-L58 - This is a rewrite of the previously used GPLv3+exception licensed - file. With this change, there is no more reference to GPL so we can - remove that from LICENSES/. 
+ Reviewed-by: Daniel Stenberg - Ref: #9220 - Closes #9291 + Closes #9712 -- [Sean McArthur brought this change] +Daniel Stenberg (13 Oct 2022) +- tests: add tests/markdown-uppercase.pl to dist tarball - hyper: customize test1274 to how hyper unfolds headers + Follow-up to aafb06c5928183d - Closes #9217 + Closes #9722 -- [Orgad Shaneh brought this change] +- tool_paramhelp: asserts verify maximum sizes for string loading - curl-config: quote directories with potential space + The two defines MAX_FILE2MEMORY and MAX_FILE2STRING define the largest + strings accepted when loading files into memory, but as the size is + later used as input to functions that take the size as 'int' as + argument, the sizes must not be larger than INT_MAX. - On Windows (at least with CMake), the default prefix is - C:/Program Files (x86)/CURL. + These two new assert()s make the code error out if someone would bump + the sizes without this consideration. - Closes #9253 + Reported-by Trail of Bits -- [Oliver Roberts brought this change] + Closes #9719 - amigaos: fix threaded resolver on AmigaOS 4.x +- http: try parsing Retry-After: as a number first - Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime - feature detection and extra code to make it thread safe. + Since the date parser allows YYYYMMDD as a date format (due to it being + a bit too generic for parsing this particular header), a large integer + number could wrongly match that pattern and cause the parser to generate + a wrong value. - Closes #9265 + No date format accepted for this header starts with a decimal number, so + by reversing the check and trying a number first we can deduct that if + that works, it was not a date. 
-- [Emil Engler brought this change] + Reported-by Trail of Bits - imap: use ISALNUM() for alphanumeric checks + Closes #9718 - This commit replaces a self-made character check for alphanumeric - characters within imap_is_bchar() with the ISALNUM() macro, as it is - reduces the size of the code and makes the performance better, due to - ASCII arithmetic. +- [Patrick Monnerat brought this change] - Closes #9289 + doc: fix deprecation versions inconsistencies -- RELEASE-NOTES: synced + Ref: https://curl.se/mail/lib-2022-10/0026.html -- [Cering on github brought this change] + Closes #9711 - connect: add quic connection information +- http_aws_sigv4: fix strlen() check - Fixes #9286 - Closes #9287 + The check was off-by-one leading to buffer overflow. -- [Philip H brought this change] + Follow-up to 29c4aa00a16872 - cirrus/freebsd-ci: bootstrap the pip installer + Detected by OSS-Fuzz - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + Closes #9714 - Closes #9213 +- curl/main_checkfds: check the fcntl return code better -- urldata: move smaller fields down in connectdata struct + fcntl() can (in theory) return a non-zero number for success, so a + better test for error is checking for -1 explicitly. - By (almost) sorting the struct fields in connectdata in a decending size - order, having the single char ones last, we reduce the number of holes - in the struct and thus the amount of storage needed. + Follow-up to 41e1b30ea1b77e9ff - Closes #9280 + Mentioned-by: Dominik Klemba -- ldap: adapt to conn->port now being an 'int' + Closes #9708 - Remove typecasts. Fix printf() formats. +Viktor Szakats (12 Oct 2022) +- tidy-up: delete unused HAVE_STRUCT_POLLFD - Follow-up from 764c6bd3bf. - Pointed out by Coverity CID 1507858. + It was only defined in `lib/config-win32.h`, when building for Vista. - Closes #9281 + It was only used in `select.h`, in a condition that also included a + check for `POLLIN` which is a superior choice for this detection and + which was already used by cmake and autotools builds. -- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS + Delete both instances of this macro. - Closes #8264 + Closes #9707 -- [Oliver Roberts brought this change] +Daniel Stenberg (12 Oct 2022) +- test1275: verify upercase after period in markdown - file: add handling of native AmigaOS paths + Script based on the #9474 pull-request logic, but implemented in perl. - On AmigaOS 4.x, handle native absolute paths, whilst blocking relative - paths. Also allow unix style paths if feature enabled at link time. + Updated docs/URL-SYNTAX.md accordingly. 
- Inspiration-from: Michael Trebilcock + Suggested-by: Dan Fandrich - Closes #9259 + Closes #9697 -- KNOWN_BUGS: cmake build is not thread-safe +- [12932 brought this change] - The cmake build does not check for and verify presence of a working - Atomic type, which then makes curl_global_init() to not build - thread-safe on non-Windows platforms. + misc: nitpick grammar in comments/docs - Closes https://github.com/curl/curl/issues/8973 - Closes https://github.com/curl/curl/pull/8982 + because the 'u' in URL is actually a consonant *sound* it is only + correct to write "a URL" -- [Oliver Roberts brought this change] + sorry this is a bit nitpicky :P - configure: fixup bsdsocket detection code for AmigaOS 4.x + https://english.stackexchange.com/questions/152/when-should-i-use-a-vs-an + https://www.techtarget.com/whatis/feature/Which-is-correct-a-URL-or-an-URL - The code that detects bsdsocket.library for AmigaOS did not work - for AmigaOS 4.x. This has been fixed and also cleaned up a little - to reduce duplication. Wasn't technically necessary before, but is - required when building with AmiSSL instead of OpenSSL. + Closes #9699 - Closes #9268 +Viktor Szakats (11 Oct 2022) +- Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [ci skip] -- [Oliver Roberts brought this change] + This patch aimed to fix a regression [0], where `CC` initialization + moved beyond its first use. But, on closer inspection it turned out that + the `CC` initialization does not work as expected due to GNU Make + filling it with `cc` by default. So unless implicit values were + explicitly disabled via a GNU Make option, the default value of + `$CROSSPREFIX` + `gcc` was never used. At the same time the implicit + value `cc` maps to `gcc` in (most/all?) MinGW envs. - tool: reintroduce set file comment code for AmigaOS + `AR` has the same issue, with a default value of `ar`. 
- Amiga specific code which put the URL in the file comment was perhaps - accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having - originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. - Reworked to fit the code changes and added it back in. + We could reintroduce a separate variable to fix this without ill + effects, but for simplicity and flexibility, it seems better to drop + support for `CROSSPREFIX`, along with our own `CC`/`AR` init logic, and + require the caller to initialize `CC`, `AR` and `RC` to the full + (prefixed if necessary) names of these tools, as desired. - Reported-by: Michael Trebilcock - Originally-added-by: Chris Young + We keep `RC ?= windres` because `RC` is empty by default. - Closes #9258 + Also fix grammar in a comment. -- urldata: make 'negnpn' use less storage + [0] 10fbd8b4e3f83b967fd9ad9a41ab484c0e7e7ca3 - The connectdata struct field 'negnpn' never holds a value larger than - 30, so an unsigned char saves 3 bytes struct space. + Closes #9698 - Closes #9279 +- smb: replace CURL_WIN32 with WIN32 -- urldata: make three *_proto struct fields smaller + PR #9255 aimed to fix a Cygwin/MSYS issue (#8220). It used the + `CURL_WIN32` macro, but that one is not defined here, while compiling + curl itself. This patch changes this to `WIN32`, assuming this was the + original intent. - Use 'unsigned char' for storage instead of the enum, for three GSSAPI - related fields in the connectdata struct. + Regression from 1c52e8a3795ccdf8ec9c308f4f8f19cf10ea1f1a - Closes #9278 + Reviewed-by: Marcel Raad -- connect: set socktype/protocol correctly + Closes #9701 - So that an address used from the DNS cache that was previously used for - QUIC can be reused for TCP and vice versa. +Daniel Stenberg (11 Oct 2022) +- [Matthias Gatto brought this change] - To make this possible, set conn->transport to "unix" for unix domain - connections ... and store the transport struct field in an unsigned char - to use less space. 
+ aws_sigv4: fix header computation - Reported-by: ウさん - Fixes #9274 - Closes #9276 + Handle canonical headers and signed headers creation as explained here: + https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html -- [Oliver Roberts brought this change] + The algo tells that signed and canonical must contain at last host and + x-amz-date. - amissl: allow AmiSSL to be used with AmigaOS 4.x builds + So we check whatever thoses are present in the curl http headers list. + If they are, we use the one enter by curl user, otherwise we generate + them. then we to lower, and remove space from each http headers plus + host and x-amz-date, then sort them all by alphabetical order. - Enable AmiSSL to be used instead of static OpenSSL link libraries. - for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. + This patch also fix a bug with host header, which was ignoring the port. - Closes #9269 + Closes #7966 -- [opensignature on github brought this change] +Jay Satiro (11 Oct 2022) +- [Aftab Alam brought this change] - openssl: add details to "unable to set client certificate" error + README.md: link the curl logo to the website - from: "curl: (58) unable to set client certificate" + - Link the curl:// image to https://curl.se/ - to: curl: (58) unable to set client certificate [error:0A00018F:SSL - routines::ee key too small] + Closes https://github.com/curl/curl/pull/9675 - Closes #9228 +- [Dustin Howett brought this change] -- [Oliver Roberts brought this change] + schannel: when importing PFX, disable key persistence - amissl: make AmiSSL v5 a minimum requirement + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) - AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. - Support for previous OpenSSL 1.1.x versions has been dropped, so - makes sense to enforce v5 as the minimum requirement. 
This also - allows all the AmiSSL stub workarounds to be removed as they are - now provided in a link library in the AmiSSL SDK. + The documentation specifies that keys that are not to be persisted + should be imported with the flag PKCS12_NO_PERSIST_KEY. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. - Closes #9267 + -- -- [Oliver Roberts brought this change] + This is take 2 of the original fix. It extends the lifetime of the + client certificate store to that of the credential handle. The original + fix which landed in 70d010d and was later reverted in aec8d30 failed to + work properly because it did not do that. - configure: -pthread not available on AmigaOS 4.x + Minor changes were made to the schannel credential context to support + closing the client certificate store handle at the end of an SSL session. - The most recent GCC builds for AmigaOS 4.x do not allow -pthread and - exit with an error. Instead, need to explictly specify -lpthread. + -- - Closes #9266 + Reported-by: ShadowZzj@users.noreply.github.com -- digest: pass over leading spaces in qop values + Fixes https://github.com/curl/curl/issues/9300 + Supersedes https://github.com/curl/curl/pull/9363 + Closes https://github.com/curl/curl/pull/9460 - When parsing the "qop=" parameter of the digest authentication, and the - value is provided within quotes, the list of values can have leading - white space which the parser previously did not handle correctly. +Viktor Szakats (11 Oct 2022) +- Makefile.m32: support more options [ci skip] - Add test case 388 to verify. + - Add support for these options: + `-wolfssl`, `-wolfssh`, `-mbedtls`, `-libssh`, `-psl` - Reported-by: vlubart on github - Fixes #9264 - Closes #9270 + Caveats: + - `-wolfssh` requires `-wolfssl`. + - `-wolfssl` cannot be used with OpenSSL backends in parallel. + - `-libssh` has build issues with BoringSSL and LibreSSL, and also + what looks like a world-writable-config vulnerability on Windows. 
+ Consider it experimental. + - `-psl` requires `-idn2` and extra libs passed via + `LIBS=-liconv -lunistring`. -- [Evgeny Grin (Karlson2k) brought this change] + - Detect BoringSSL/wolfSSL and set ngtcp2 crypto lib accordingly. + - Generalize MultiSSL detection. + - Use else-if syntax. Requires GNU Make 3.81 (2006-04-01). + - Document more customization options. - digest: reject broken header with session protocol but without qop + This brings over some configuration logic from `curl-for-win`. - Closes #9077 + Closes #9680 -- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples +- cmake: enable more detection on Windows - Reported-by: jvvprasad78 on github - Assisted-by: Jay Satiro - Fixes #9239 - Closes #9241 + Enable `HAVE_UNISTD_H`, `HAVE_STRTOK_R` and `HAVE_STRCASECMP` detection + on Windows, instead of having predefined values. -- [Fabian Keil brought this change] + With these features detected correctly, CMake Windows builds get closer + to the autotools and `config-win32.h` ones. - test44[2-4]: add '--resolve' to the keywords + This also fixes detecting `HAVE_FTRUNCATE` correctly, which required + `unistd.h`. - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. + Fixing `ftruncate()` in turn causes a build warning/error with legacy + MinGW/MSYS1 due to an offset type size mismatch. This env misses to + detect `HAVE_FILE_OFFSET_BITS`, which may be a reason. This patch + force-disables `HAVE_FTRUNCATE` for this platform. - Closes #9250 + Reviewed-by: Daniel Stenberg -- RELEASE-NOTES: synced + Closes #9687 -- CURLOPT_CONNECT_ONLY.3: clarify multi API use +- autotools: allow unix sockets on Windows - Reported-by: Maxim Ivanov - Fixes #9244 - Closes #9262 + Fixes: https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 -- [Andrew Lambert brought this change] + On Windows this feature is present, but not the header used in the + detection logic. 
It also requires an elaborate enabler logic + (as seen in `lib/curl_setup.h`). Let's always allow it and let the + lib code deal with the details. - curl_easy_header: Add CURLH_PSEUDO to sanity check + Closes #9688 - Fixes #9235 - Closes #9236 +- cmake: add missing inet_ntop check -- [Emil Engler brought this change] + This adds the missing half of the check, next to the other half + already present in `lib/curl_config.h.cmake`. - docs: add dns category to --resolve + Force disable `HAVE_INET_NTOP` for old MSVC where it caused compiler + warnings. - This commit adds the dns category to the --resolve command line option, - because it can be interpreted as both: a low-level connection option and - an option related to the resolving of a hostname. + Reviewed-by: Daniel Stenberg - It is also not common for dns options to belong to the connection - category and vice versa. --ipv4 and --ipv6 are both good examples. + Closes #9689 - Closes #9229 +Daniel Stenberg (11 Oct 2022) +- RELEASE-NOTES: synced -Jay Satiro (2 Aug 2022) -- [Wyatt O'Day brought this change] +- [bsergean on github brought this change] - schannel: Add TLS 1.3 support + asyn-ares: set hint flags when calling ares_getaddrinfo - - Support TLS 1.3 as the default max TLS version for Windows Server 2022 - and Windows 11. + The hint flag is ARES_AI_NUMERICSERV, and it will save a call to + getservbyname or getservbyname_r to set it. - - Support specifying TLS 1.3 ciphers via existing option - CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). 
+ Closes #9694 - Closes https://github.com/curl/curl/pull/8419 +- header.d: add category smtp and imap -Daniel Stenberg (2 Aug 2022) -- [Emil Engler brought this change] + They were previously (erroneously) added manually to tool_listhelp.c + which would make them get removed again when the file is updated next + time, unless added correctly here in header.d - cmdline-opts/gen.pl: improve performance + Follow-up to 2437fac01 - On some systems, the gen.pl script takes nearly two minutes for the - generation of the main-page, which is a completely unacceptable time. + Closes #9690 - The slow performance has two causes: - 1. Use of a regex locale operator - 2. Useless invokations of loops +- curl/get_url_file_name: use libcurl URL parser - The commit addresses the first issue by replacing the "\W" wiht - [^a-zA-Z0-9_], which is, according to regex101.com, functionally - equivalent to the previous operation, except that it is obviously - limited to ASCII only, which is fine, as the curl project is - English-only anyway. + To avoid URL tricks, use the URL parser for this. - The second issue is being addressed by only running the loop if the line - contains a "--" in it. The loop may be completeley removed in the - future. + This update changes curl's behavior slightly in that it will ignore the + possible query part from the URL and only use the file name from the + actual path from the URL. I consider it a bugfix. 
- Co-authored-by: Emanuele Torre + "curl -O localhost/name?giveme-giveme" will now save the output in the + local file named 'name' - See #8299 - Fixes #9230 - Closes #9232 + Updated test 1210 to verify -- docs/cmdline: mark fail and fail-with-body as mutually exclusive + Assisted-by: Jay Satiro - Reported-by: Andreas Sommer - Fixes #9221 - Closes #9222 + Closes #9684 -- [Nao Yonashiro brought this change] +- [Martin Ågren brought this change] - quiche: fix build failure + docs: fix grammar around needing pass phrase - Reviewed-by: Alessandro Ghedini - Closes #9223 + "You never needed a pass phrase" reads like it's about to be followed by + something like "until version so-and-so", but that is not what is + intended. Change to "You never need a pass phrase". There are two + instances of this text, so make sure to update both. -Viktor Szakats (2 Aug 2022) -- configure.ac: drop references to deleted functions +- [Xiang Xiao brought this change] - follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 + cmake: add the check of HAVE_SOCKETPAIR - Reported-by: Oliver Roberts - Fixes #9238 - Closes #9240 + which is used by Curl_socketpair -Daniel Stenberg (28 Jul 2022) -- [Sean McArthur brought this change] + 
Signed-off-by: Xiang Xiao - hyper: enable obs-folded multiline headers + Closes #9686 - Closes #9216 +- curl/add_file_name_to_url: use the libcurl URL parser -- connect: revert the use of IP*_RECVERR + instead of the custom error-prone parser, to extract and update the path + of the given URL - The options were added in #6341 and d13179d, but cause problems: Lots of - POLLIN event occurs but recvfrom read nothing. + Closes #9683 - Reported-by: Tatsuhiro Tsujikawa - Fixes #9209 - Closes #9215 +- single_transfer: use the libcurl URL parser when appending query parts -- [Marco Kamner brought this change] + Instead of doing "manual" error-prone parsing in another place. - docs: remove him/her/he/she from documentation + Used when --data contents is added to the URL query when -G is provided. - Closes #9208 + Closes #9681 -- RELEASE-NOTES: synced +- ws: fix buffer pointer use in the callback loop -- tool_getparam: make --doh-url "" switch it off + Closes #9678 - A possible future addition could be to parse the URL first too to verify - that it is valid before trying to use it. +- [Petr Štetiar brought this change] - Assisted-by: Jay Satiro - Closes #9207 + curl-wolfssl.m4: error out if wolfSSL is not usable -- mailmap: add rzrymiak on github + When I explicitly declare, that I would like to have curl built with + wolfSSL support using `--with-wolfssl` configure option, then I would + expect, that either I endup with curl having that support, for example + in form of https support or it wouldn't be available at all. -Jay Satiro (26 Jul 2022) -- ngtcp2: Fix build error due to change in nghttp3 prototypes + Downstream projects like for example OpenWrt build curl wolfSSL variant + with `--with-wolfssl` already, but in certain corner cases it does fail: - ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and - nghttp3_conn_shutdown_stream_write return from int to void. 
+ configure:25299: checking for wolfSSL_Init in -lwolfssl + configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip] + In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33, + from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35, + from target-x86_64_musl/usr/include/wolfssl/ssl.h:35, + from conftest.c:47: + target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory + #include + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + compilation terminated. - Reported-by: jurisuk@users.noreply.github.com + and in the end thus produces curl without https support: - Fixes https://github.com/curl/curl/issues/9204 - Closes https://github.com/curl/curl/pull/9200 + curl: (1) Protocol "https" not supported or disabled in libcurl -Daniel Stenberg (26 Jul 2022) -- [rzrymiak on github brought this change] + So fix it, by making the working wolfSSL mandatory and error out in + configure step when that's not the case: - BUGS.md: improve language + checking for wolfSSL_Init in -lwolfssl... no + configure: error: --with-wolfssl but wolfSSL was not found or doesn't work - Closes #9205 + References: https://github.com/openwrt/packages/issues/19005 + References: https://github.com/openwrt/packages/issues/19547 + 
Signed-off-by: Petr Štetiar -- [Philip H brought this change] + Closes #9682 - cirrus.yml: replace py38-pip with py39-pip +- tool_getparam: pass in the snprintf("%.*s") string length as 'int' - Reported-by: Jay Satiro - Fixes #9201 - Closes #9202 + Reported by Coverity CID 1515928 -- tool_getparam: fix cleanarg() for unicode builds + Closes #9679 - Use the correct type, and make cleanarg an empty macro if the cleaning - ability is absent. +- [Paul Seligman brought this change] - Fixes #9195 - Closes #9196 + ws: minor fixes for web sockets without the CONNECT_ONLY flag - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad + - Fixed an issue where is_in_callback was getting cleared when using web + sockets with debug logging enabled + - Ensure the handle is is_in_callback when calling out to fwrite_func + - Change the write vs. send_data decision to whether or not the handle + is in CONNECT_ONLY mode. + - Account for buflen not including the header length in curl_ws_send -Marc Hoersken (25 Jul 2022) -- test3026: add support for Windows using native Win32 threads + Closes #9665 - Reviewed-by: Viktor Szakats - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg +Marc Hoersken (8 Oct 2022) +- CI/cirrus: merge existing macOS jobs into a job matrix - Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 - Closes #9012 + Ref: #9627 + Reviewed-by: Philip H. -Jay Satiro (25 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] + Closes #9672 - digest: fix memory leak, fix not quoted 'opaque' +Daniel Stenberg (8 Oct 2022) +- strcase: add and use Curl_timestrcmp - Fix leak regression introduced by 3a6fe0c. + This is a strcmp() alternative function for comparing "secrets", + designed to take the same time no matter the content to not leak + match/non-match info to observers based on how fast it is. - Closes https://github.com/curl/curl/pull/9199 + The time this function takes is only a function of the shortest input + string. 
-Daniel Stenberg (23 Jul 2022) -- tests: several enumerated type cleanups + Reported-by: Trail of Bits - To please icc + Closes #9658 - Closes #9179 +- tool_getparam: split out data_urlencode() into its own function -- tool_paramhlp: fix "enumerated type mixed with another type" + Closes #9673 - Warning by icc +- connect: fix Curl_updateconninfo for TRNSPRT_UNIX - Closes #9179 + Reported-by: Vasiliy Ulyanov + Fixes #9664 + Closes #9670 -- tool_writeout: fix enumerated type mixed with another type +- ws: fix Coverity complaints - Closes #9179 + Coverity pointed out several flaws where variables remained + uninitialized after forks. -- tool_cfgable: make 'synthetic_error' a plain bool + Follow-up to e3f335148adc6742728f - The specific reason was not used. + Closes #9666 - Closes #9179 +Marc Hoersken (7 Oct 2022) +- CI/GHA: merge msh3 and openssl3 builds into linux workflow -- tool_paramhlp: make check_protocol return ParameterError + Continue work on merging all Linux workflows into one file. - "enumerated type mixed with another type" + Follow up to #9501 + Closes #9646 - Closes #9179 +Daniel Stenberg (7 Oct 2022) +- curl_ws_send.3: call the argument 'fragsize' -- tool_formparse: fix variable may be used before its value is set + Since WebSocket works with "fragments" not "frames" - Warning by icc + Closes #9668 - Closes #9179 +- easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type -- sendf: skip storing HTTP headers if HTTP disabled + Follow-up to e3f335148adc6742728ff8 - Closes #9179 + Closes #9669 -- url: enumerated type mixed with another type +- tool_main: exit at once if out of file descriptors - Follow-up to 1c58e7ae99ce2030213f28b + If the main_checkfds function cannot create new file descriptors in an + attempt to detect of stdin, stdout or stderr are closed. - Closes #9179 + Also changed the check to use fcntl() to check if the descriptors are + open, which avoids superfluously calling pipe() if they all already are. 
-- urldata: change second proxytype field to unsigned char to match + Follow-up to facfa19cdd4d0094 - To avoid "enumerated type mixed with another type" + Reported-by: Trail of Bits - Closes #9179 + Closes #9663 -- http: typecast the httpreq assignment to avoid icc compiler warning +- websockets: remodeled API to support 63 bit frame sizes - error #188: enumerated type mixed with another type + curl_ws_recv() now receives data to fill up the provided buffer, but can + return a partial fragment. The function now also get a pointer to a + curl_ws_frame struct with metadata that also mentions the offset and + total size of the fragment (of which you might be receiving a smaller + piece). This way, large incoming fragments will be "streamed" to the + application. When the curl_ws_frame struct field 'bytesleft' is 0, the + final fragment piece has been delivered. - Closes #9179 + curl_ws_recv() was also adjusted to work with a buffer size smaller than + the fragment size. (Possibly needless to say as the fragment size can + now be 63 bit large). -- urldata: make state.httpreq an unsigned char + curl_ws_send() now supports sending a piece of a fragment, in a + streaming manner, in addition to sending the entire fragment in a single + call if it is small enough. To send a huge fragment, curl_ws_send() can + be used to send it in many small calls by first telling libcurl about + the total expected fragment size, and then send the payload in N number + of separate invokes and libcurl will stream those over the wire. - To match set.method used for the same purpose. + The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it + has been extended with two new fields: *offset* and *bytesleft*. To help + describe the passed on data chunk when a fragment is delivered in many + smaller pieces. - Closes #9179 + The documentation has been updated accordingly. 
-- splay: avoid using -1 in unsigned variable + Closes #9636 - To fix icc compiler warning integer conversion resulted in a change of sign +- [Patrick Monnerat brought this change] - Closes #9179 + docs/examples: avoid deprecated options in examples where possible -- sendf: store the header type in an usigned char to avoid icc warnings + Example programs targeting a deprecated feature/option are commented with + a warning about it. + Other examples are adapted to not use deprecated options. - Closes #9179 + Closes #9661 -- multi: fix the return code from Curl_pgrsDone() +Viktor Szakats (6 Oct 2022) +- cmake: fix enabling websocket support - It does not return a CURLcode. Detected by the icc compiler warning - "enumerated type mixed with another type" + Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77 - Closes #9179 + Closes #9660 -- sendf: make Curl_debug a void function +- tidy-up: delete parallel/unused feature flags - As virtually no called checked the return code, and those that did - wrongly treated it as a CURLcode. Detected by the icc compiler warning: - enumerated type mixed with another type + Detecting headers and lib separately makes sense when headers come in + variations or with extra ones, but this wasn't the case here. These were + duplicate/parallel macros that we had to keep in sync with each other + for a working build. This patch leaves a single macro for each of these + dependencies: - Closes #9179 + - Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`. -- http_chunks: remove an assign + typecast + Also delete CMake logic making sure these two were in sync, along with + a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`. - As it caused icc to complain: "pointer cast involving 64-bit pointed-to - type" + Also delete stray `HAVE_ZLIB` defines. - Closes #9179 + There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch + retains it for compatibility and deprecates it. 
-- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend + - Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`. - To fix the icc warning enumerated type mixed with another type + Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from + `winbuild/MakefileBuild.vc`, these have a role when building libssh2 + itself. And `CURL_USE_LIBSSH`, which had no use at all. - Closes #9179 + Also delete stray `HAVE_LIBSSH2` defines. -- curl-compilers.m4: make icc use -diag* options and disable two warnings + - Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`. - -wd and -we are deprecated and are now -diag-disable and -diag-error + Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from + `winbuild/MakefileBuild.vc`, these were the result of copy-pasting the + libssh2 line, and were not having any use. - Disable warning 1024 and 2259 + - Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`. - Closes #9179 + Reviewed-by: Daniel Stenberg -- [Matthew Thompson brought this change] + Closes #9652 - GHA: add two Intel compiler CI jobs +Daniel Stenberg (6 Oct 2022) +- netrc: compare user name case sensitively - Closes #9179 + User name comparisions in netrc need to match the case. -- [Daniel Katz brought this change] + Closes #9657 - curl-functions.m4: check whether atomics can link rather than just compile +- CURLOPT_COOKIEFILE: insist on "" for enable-without-file - Some build toolchains support C11 atomics (i.e., _Atomic types), but - will not link the associated atomics runtime unless a flag is passed. In - such an environment, linking an application with libcurl.a can fail due - to undefined symbols for atomic load/store functions. 
+ The former way that also suggested using a non-existing file to just + enable the cookie engine could lead to developers maybe a bit carelessly + guessing a file name that will not exist, and then in a future due to + circumstances, such a file could be made to exist and then accidentally + libcurl would read cookies not actually meant to. - I encountered this behavior when upgrading curl to 7.84.0 and attempting - to build with Solaris Studio 12.6. Solaris provides the flag - -xatomic=[gcc | studio], allowing users to link to one of two atomics - runtime implementations. However, if the user does not provide this - flag, then neither runtime is linked. This led to builds failing in CI. + Reported-by: Trail of bits - Closes #9190 + Closes #9654 -- [Rosen Penev brought this change] +- tests/Makefile: remove run time stats from ci-test - curl-wolfssl.m4: add options header when building test code + The ci-test is the normal makefile target invoked in CI jobs. This has + been using the -r option to runtests.pl since a long time, but I find + that it mostly just adds many lines to the test output report without + anyone caring much about those stats. - Needed for certain configurations of wolfSSL. Otherwise, missing header - error may occur. + Remove it. - Tested with OpenWrt. + Closes #9656 - Closes #9187 +- [Patrick Monnerat brought this change] -- ftp: use a correct expire ID for timer expiry + tool: reorganize function c_escape around a dynbuf - This was an accurate error pointed out by the icc warning: enumerated - type mixed with another type + This is a bit shorter and a lot safer. - Ref: #9179 - Closes #9184 + Substrings of unescaped characters are added by a single call to reduce + overhead. -- sendf: fix paused header writes since after the header API + Extend test 1465 to handle more kind of escapes. 
- Regression since d1e4a67 + Closes #9653 - Reported-by: Sergey Ogryzkov - Fixes #9180 - Closes #9182 +Jay Satiro (5 Oct 2022) +- CURLOPT_HTTPPOST.3: bolden the deprecation notice -- mprintf: fix *dyn_vprintf() when out-of-memory + Ref: https://github.com/curl/curl/pull/9621 - Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory - leak otherwise. + Closes https://github.com/curl/curl/pull/9637 - Closes #9185 +Daniel Stenberg (5 Oct 2022) +- [John Bampton brought this change] -- curl-confopts: remove leftover AC_REQUIREs + misc: fix spelling in docs and comments - configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd - configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd + also: remove outdated sentence - follow-up from 4d73854462f30 + Closes #9644 - Closes #9183 +- [Patrick Monnerat brought this change] -- file: fix icc enumerated type mixed with another type warning + tool: avoid generating ambiguous escaped characters in --libcurl - Ref: #9179 - Closes #9181 + C string hexadecimal-escaped characters may have more than 2 digits. + This results in a wrong C compiler interpretation of a 2-digit escaped + character when followed by an hex digit character. -Viktor Szakats (19 Jul 2022) -- tidy-up: delete unused build configuration macros + The solution retained here is to represent such characters as 3-digit + octal escapes. - Most of them feature guards: + Adjust and extend test 1465 for this case. 
- - `CURL_INCLUDES_SYS_UIO` [1] - - `HAVE_ALLOCA_H` [2] - - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) - - `HAVE_DLFCN_H` - - `HAVE_DLOPEN` - - `HAVE_DOPRNT` - - `HAVE_FCNTL` - - `HAVE_GETHOSTBYNAME` [3] - - `HAVE_GETOPT_H` - - `HAVE_GETPASS` - - `HAVE_GETPROTOBYNAME` - - `HAVE_GETSERVBYNAME` - - `HAVE_IDN_FREE*` - - `HAVE_INET_ADDR` - - `HAVE_IOCTL` - - `HAVE_KRB4` - - `HAVE_KRB_GET_OUR_IP_FOR_REALM` - - `HAVE_KRB_H` - - `HAVE_LDAPSSL_H` - - `HAVE_LDAP_INIT_FD` - - `HAVE_LIBDL` - - `HAVE_LIBNSL` - - `HAVE_LIBRESOLV*` - - `HAVE_LIBUCB` - - `HAVE_LL` - - `HAVE_LOCALTIME_R` - - `HAVE_MALLOC_H` - - `HAVE_MEMCPY` - - `HAVE_MEMORY_H` - - `HAVE_NETINET_IF_ETHER_H` - - `HAVE_NI_WITHSCOPEID` - - `HAVE_OPENSSL_CRYPTO_H` - - `HAVE_OPENSSL_ERR_H` - - `HAVE_OPENSSL_PEM_H` - - `HAVE_OPENSSL_PKCS12_H` - - `HAVE_OPENSSL_RAND_H` - - `HAVE_OPENSSL_RSA_H` - - `HAVE_OPENSSL_SSL_H` - - `HAVE_OPENSSL_X509_H` - - `HAVE_PEM_H` - - `HAVE_POLL` - - `HAVE_RAND_SCREEN` - - `HAVE_RAND_STATUS` - - `HAVE_RECVFROM` - - `HAVE_SETSOCKOPT` - - `HAVE_SETVBUF` - - `HAVE_SIZEOF_LONG_DOUBLE` - - `HAVE_SOCKIO_H` - - `HAVE_SOCK_OPTS` - - `HAVE_STDIO_H` - - `HAVE_STRCASESTR` - - `HAVE_STRFTIME` - - `HAVE_STRLCAT` - - `HAVE_STRNCMPI` - - `HAVE_STRNICMP` - - `HAVE_STRSTR` - - `HAVE_STRUCT_IN6_ADDR` - - `HAVE_TLD_H` - - `HAVE_TLD_STRERROR` - - `HAVE_UNAME` - - `HAVE_USLEEP` - - `HAVE_WINBER_H` - - `HAVE_WRITEV` - - `HAVE_X509_H` - - `LT_OBJDIR` - - `NEED_BASENAME_PROTO` - - `NOT_NEED_LIBNSL` - - `OPENSSL_NO_KRB5` - - `RECVFROM_TYPE*` - - `SIZEOF_LONG_DOUBLE` - - `STRERROR_R_TYPE_ARG3` - - `USE_YASSLEMUL` - - `_USRDLL` (from CMake) [4] + Closes #9643 - [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might - also be deleted. +- configure: the ngtcp2 option should default to 'no' - [2] Related comment can possibly be deleted in - `packages/vms/generate_config_vms_h_curl.com`. + While still experimental. 
- [3] There are more instances of this in autotools, but I did not dare to - touch those. Looked like it's used to detect socket support. + Bug: https://curl.se/mail/lib-2022-10/0007.html + Reported-by: Daniel Hallberg - [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to - force linking MFC components statically to the DLL. `libcurl.dll` - does not use MFC, so we can delete this define. - Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc + Closes #9650 - Script that can help finding unused settings like above: - ```shell +- CURLOPT_MIMEPOST.3: add an (inline) example - autoheader configure.ac # generate lib/curl_config.h.in + Reported-by: Jay Satiro + Bug: https://github.com/curl/curl/pull/9637#issuecomment-1268070723 - { - grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' - grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' - grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' - grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' - } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do - c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" - if [ "${c}" = '0' ]; then - echo "${def}" - fi - done - ``` + Closes #9649 - Reviewed-by: Daniel Stenberg - Closes #9044 +Viktor Szakats (5 Oct 2022) +- Makefile.m32: exclude libs & libpaths for shared mode exes [ci skip] -Daniel Stenberg (19 Jul 2022) -- RELEASE-NOTES: synced + Exclude linker flags specifying depedency libs and libpaths, when + building against `libcurl.dll`. In such case these options are not + necessary (but may cause errors if not/wrongly configured.) 
-- cookie: treat a blank domain in Set-Cookie: as non-existing + Also move and reword a comment on `CPPFLAGS` to not apply to + `UNICODE` options. These are necessary for all build targets. - This matches what RFC 6265 section 5.2.3 says. + Closes #9651 - Extended test 31 to verify. +Jay Satiro (5 Oct 2022) +- runtests: fix uninitialized value on ignored tests - Fixes #9164 - Reported-by: Gwen Shapira - Closes #9177 + - Don't show TESTFAIL message (ie tests failed which aren't ignored) if + only ignored tests failed. -- [Patrick Monnerat brought this change] + Before: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% + Use of uninitialized value $failed in concatenation (.) or string at + ./runtests.pl line 6290. + TESTFAIL: These test cases failed: - base64: base64url encoding has no padding + After: + IGNORED: failed tests: 571 612 1056 + TESTDONE: 1214 tests out of 1217 reported OK: 99% - See RFC4648 section 5 and RFC7540 section 3.2.1. + Closes https://github.com/curl/curl/pull/9648 - Suppress generation of '=' padding of base64url encoding. This is - accomplished by considering the string beginning at offset 64 in the - character table as the padding: this is "=" for base64, "" for base64url. +- cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS - Also use strchr() to replace character search loops where possible. + - Correct the use of -all-static for static Windows CI builds. - Suppress erroneous comments about empty encoding results. + curl_LDFLAGS was removed from the makefile when metalink support was + removed. LDFLAGS=-all-static is passed to make only, because it is not a + valid option for configure compilation tests. - Adjust unit test 1302 to unpadded base64url encoding and add tests for - empty results. 
+ Closes https://github.com/curl/curl/pull/9633 - Closes #9139 +Viktor Szakats (4 Oct 2022) +- Makefile.m32: fix regression with tool_hugehelp [ci skip] -- easyoptions: fix icc warning + In a recent commit I mistakenly deleted this logic, after seeing a + reference to a filename ending with `.cvs` and thinking it must have + been long gone. Turns out this is an existing file. Restore the rule + and the necessary `COPY` definitions with it. - easyoptions.c(360): error #188: enumerated type mixed with another type + The restored logic is required for a successful build on a bare source + tree (as opposed to a source release tarball). - Ref: #9156 - Reported-by: Matthew Thompson - Closes #9176 + Also shorten an existing condition similar to the one added in this + patch. -- [lwthiker brought this change] + Regression since 07a0047882dd3f1fbf73486c5dd9c15370877ad6 - h2h3: fix overriding the 'TE: Trailers' header + Closes #9645 - A 'TE: Trailers' header is explicitly replaced by 'te: trailers' - (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or - HTTP/3 headers. However, this is then replaced again by the original - value due to a bug, resulting in the uppercased version being sent. Some - HTTP/2 servers reject the whole HTTP/2 stream when this is the case. +- Makefile.m32: deduplicate build rules [ci skip] - Closes #9170 + After this patch, we reduce the three copies of most `Makefile.m32` + logic to one. This now resides in `lib/Makefile.m32`. It makes future + updates easier, the code shorter, with a small amount of added + complexity. -- lib3026: reduce the number of threads to 100 + `Makefile.m32` reduction: - Down from 1000, to make it run and work in more systems. 
+ | | bytes | LOC total | blank | comment | code | + |-------------------|-------:|----------:|-------:|---------:|------:| + | 7.85.0 | 34772 | 1337 | 79 | 192 | 1066 | + | before this patch | 17601 | 625 | 62 | 106 | 457 | + | after this patch | 11680 | 392 | 52 | 104 | 236 | - Fixes #9172 - Reported-by: Érico Nogueira Rolim - Closes #9173 + Details: -- doh: move doh related struct definitions to doh.h + - Change rules to create objects for the `v*` subdirs in the `lib` dir. + This allows to use a shared compile rule and assumes that filenames + are not (and will not be) colliding across these directories. + `Makefile.m32` now also stores a list of these subdirs. They are + changing rarely though. - and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: + - Sync as much as possible between the three `Makefile.m32` scripts' + rules and their source/target sections. - doh.c(924): error #188: enumerated type mixed with another type + - After this patch `CPPFLAGS` are all applied to the `src` sources once + again. This matches the behaviour of cmake/autotools. Only zlib ones + are actually required there. - Reported-by: Matthew Thompson - Ref #9156 - Closes #9174 + - Use `.rc` names from `Makefile.inc` instead of keeping a duplicate. -Viktor Szakats (17 Jul 2022) -- Makefile.m32: stop trying to build libcares.a [ci skip] + - Change examples to link `libcurl.dll` by default. This makes building + trivial, even as a cross-build: + `CC=x86_64-w64-mingw32-gcc make -f Makefile.m32` + To run them, you need to move/copy or add-to-path `libcurl.dll`. + You can select static mode via `CFG=-static`. - Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in - `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in - 2007 [1]. The commit message doesn't specifically address this particular - change. This logic comes from the times when c-ares was part of the curl - source tree, hence the special treatment. 
+ - List more of the `Makefile.m32` config variables. - This feature creates problems when building c-ares first, using CMake - and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` - is missing in such case. A sub-build for c-ares is undesired also when - c-ares had already been build via its own `Makefile.m32`. + - Drop `.rc` support from examples. It made it fragile without much + benefit. - To avoid the sub-build, this patch deletes its Makefile rule. After this - patch `libcares.a` needs to be manually built before using it in - `Makefile.m32`. Aligning it with the rest of dependencies. + - Include a necessary system lib for the `externalsocket.c` example. - [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 + - Exclude unnecessary systems libs when building in `-dyn` mode. - Reviewed-by: Daniel Stenberg - Closes #9169 + Closes #9642 -Daniel Stenberg (17 Jul 2022) -- curl: writeout: fix repeated header outputs +Daniel Stenberg (4 Oct 2022) +- RELEASE-NOTES: synced - The function stored a terminating zero into the buffer for convenience, - but when on repeated calls that would cause problems. Starting now, the - passed in buffer is not modified. +- CURLOPT_COOKIELIST.3: fix formatting mistake - Reported-by: highmtworks on github - Fixes #9150 - Closes #9152 + Also, updated manpage-syntax.pl to make it detect this error in test + 1173. -- curl_multi_timeout.3: clarify usage + Reported-by: ProceduralMan on github + Fixes #9639 + Closes #9640 - Fixes #9155 - Closes #9157 - Reported-by: jvvprasad78 on github +- [Jay Satiro brought this change] -- mprintf: make dprintf_formatf never return negative + connect: change verbose IPv6 address:port to [address]:port + + - Use brackets for the IPv6 address shown in verbose message when the + format is address:port so that it is less confusing. + + Before: Trying 2606:4700:4700::1111:443... + After: Trying [2606:4700:4700::1111]:443... 
+
+ Bug: https://curl.se/mail/archive-2022-02/0041.html
+ Reported-by: David Hu
+
+ Closes #9635
+
+Viktor Szakats (3 Oct 2022)
+- Makefile.m32: major rework [ci skip]
+
+ This patch overhauls `Makefile.m32` scripts, fixing a list of quirks,
+ making its behaviour and customization envvars align better with other
+ build systems, aiming for less code, that is easier to read, use and
+ maintain.
+
+ Details:
+ - Rename customization envvars:
+ `CURL_CC` -> `CC`
+ `CURL_RC` -> `RC`
+ `CURL_AR` -> `AR`
+ `CURL_LDFLAG_EXTRAS_DLL` -> `CURL_LDFLAGS_LIB`
+ `CURL_LDFLAG_EXTRAS_EXE` -> `CURL_LDFLAGS_BIN`
+ - Drop `CURL_STRIP` and `CURL_RANLIB`. These tools are no longer used.
+ - Accept `CFLAGS`, `CPPFLAGS`, `RCFLAGS`, `LDFLAGS` and `LIBS` envvars.
+ - Drop `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, `CURL_RCFLAG_EXTRAS` in
+ favor of the above.
+ - Do not automatically enable `zlib` with `libssh2`. `zlib` is optional
+ with `libssh2`.
+ - Omit unnecessary `CPPFLAGS` options when building `curl.exe` and
+ examples.
+ - Drop support for deprecated `-winssl` `CFG` option. Use `-schannel`
+ instead.
+ - Avoid late evaluation where not necessary (`=` -> `:=`).
+ - Drop support for `CURL_DLL_A_SUFFIX` to override the implib suffix.
+ Instead, use the standard naming scheme by default: `libcurl.dll.a`.
+ The toolchain recognizes the name, and selects it automatically when
+ asking for a `-shared` vs. `-static` build.
+ - Stop applying `strip` to `libcurl.a`. Follow-up from
+ 16a58e9f93c7e89e1f87720199388bcfcfa148a4. There was no debug info to
+ strip since then.
+ - Stop setting `-O3`, `-W`, `-Wall` options. You can add these to
+ `CFLAGS` as desired.
+ - Always enable `-DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` with OpenSSL,
+ to avoid that vulnerability on Windows.
+ - Add `-lbrotlicommon` to `LIBS` when using `brotli`.
+ - Do not enable `-nghttp3` without `-ngtcp2`.
+ - `-ssh2` and `-rtmp` options no longer try to auto-select a TLS-backend.
+ You need to set the backend explicitly. This scales better and avoids + issues with certain combinations (e.g. `libssh2` + `wolfssl` with no + `schannel`). + - Default to OpenSSL TLS-backend with `ngtcp2`. Possible to override via + `NGTCP2_LIBS`. + - Old, alternate method of enabling components (e.g. `SSH2=1`) no longer + supported. + - Delete `SPNEGO` references. They were no-ops. + - Drop support for Win9x environments. + - Allow setting `OPENSSL_LIBS` independently from `OPENSSL_LIBPATH`. + - Support autotools/CMake `libssh2` builds by default. + - Respect `CURL_DLL_SUFFIX` in `-dyn` mode when building `curl.exe` and + examples. + - Assume standard directory layout with `LIBCARES_PATH`. (Instead of the + long gone embedded one.) + - Stop static linking with c-ares by default. Add + `CPPFLAGS=-DCARES_STATICLIB` to enable it. + - Reorganize internal layout to avoid redundancy and emit clean diffs + between src/lib and example make files. + - Delete unused variables. + - Code cleanups/rework. + - Comment and indentation fixes. + + Closes #9632 + +- scripts/release-notes.pl: strip ci skip tag [ci skip] + + Ref: https://github.com/curl/curl/commit/e604a82cae922bf86403a94f5803ac5e4303ae97#commitcomment-85637701 - This function no longer returns a negative value if the formatting - string is bad since the return value would sometimes be propagated as a - return code from the mprintf* functions and they are documented to - return the length of the output. Which cannot be negative. + Reviewed-by: Daniel Stenberg - Fixes #9149 - Closes #9151 - Reported-by: yiyuaner on github + Closes #9634 -Viktor Szakats (17 Jul 2022) -- trace: 0x7F character is non-printable +- Makefile.m32: delete legacy component bits [ci skip] - `0x7F` is `DEL`, a non-printable symbol, so print it as - `UNPRINTABLE_CHAR`. + - Drop auto-detection of OpenSSL 1.0.2 and earlier. Now always defaulting + to OpenSSL 1.1.0 and later, LibreSSL and BoringSSL. 
- Reported-by: MasterInQuestion on github - Fixes #9162 - Closes #9166 + - Drop `Invalid path to OpenSSL package` detection. OpenSSL has been + using a standard file layout since 1.1.0, so this seems unnecessary + now. -- doh: use https protocol by default + - Drop special logic to enable Novell LDAP SDK support. - The only allowed protocol is https, so it makes sense to use that - by default if not passed explicitly by the user. + - Drop special logic to enable OpenLDAP LDAP SDK support. This seems + to be distinct from native OpenLDAP, with support implemented inside + `lib/ldap.c` (vs. `lib/openldap.c`) back when the latter did not exist + yet in curl. - Reported-by: MasterInQuestion on github - Reviewed-by: Jay Satiro - Fixes #9163 - Closes #9165 + - Add `-lwldap32` only if there is no other LDAP library (either native + OpenLDAP, or SDKs above) present. -- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel + - Update `doc/INSTALL.md` accordingly. - Same issue as here [1], but this time when building curl with BoringSSL - for Windows with LDAP(S) or Schannel support enabled. + After this patch, it's necessary to make configration changes when using + OpenSSL 1.0.2 or earlier, or the two LDAP SDKs. - Apply the same fix [2] for these source files as well. + OpenSSL 1.0.2 and earlier: + ``` + export OPENSSL_INCLUDE = /outinc + export OPENSSL_LIBPATH = /out + export OPENSSL_LIBS = -lssl32 -leay32 -lgdi32 + ``` - This can also be fixed by moving `#include "urldata.h"` _before_ - including `winldap.h` and `schnlsp.h` respectively. This seems like - a cleaner fix, though I'm not sure why it works and if it has any - downside. 
+ Novell LDAP SDK, previously enabled via `USE_LDAP_NOVELL=1`: + ``` + export CURL_CFLAG_EXTRAS = -I/inc -DCURL_HAS_NOVELL_LDAPSDK + export CURL_LDFLAG_EXTRAS = -L/lib/mscvc -lldapsdk -lldapssl -lldapx + ``` - [1] https://github.com/curl/curl/issues/5669 - [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 + OpenLDAP LDAP SDK, previously enabled via `USE_LDAP_OPENLDAP=1`: + ``` + export CURL_CFLAG_EXTRAS = -I/include -DCURL_HAS_OPENLDAP_LDAPSDK + export CURL_LDFLAG_EXTRAS = -L/lib -lldap -llber + ``` - Co-authored-by: Jay Satiro - Closes #9110 + I haven't tested these scenarios, and in general we recommend using + a recent OpenSSL release. Also, WinLDAP (the Windows default) and + OpenLDAP (via `-DUSE_OPENLDAP`) are the LDAP options actively worked on + in curl. + + Closes #9631 + +Daniel Stenberg (2 Oct 2022) +- vauth/ntlm.h: make line shorter than 80 columns + + Follow-up from 265fbd937 + +Viktor Szakats (1 Oct 2022) +- docs: update sourceforge project links [ci skip] + + SourceForge projects can now choose between two hostnames, with .io and + .net ending. Both support HTTPS by default now. Opening the other variant + will perm-redirected to the one chosen by the project. + + The .io -> .net redirection is done insecurely. + + Let's update the URLs to point to the current canonical endpoints to + avoid any redirects. + + Closes #9630 + +Daniel Stenberg (1 Oct 2022) +- curl_url_set.3: document CURLU_APPENDQUERY proper + + Listed among the other supported flags. + + Reported-by: Robby Simpson + Fixes #9628 + Closes #9629 + +Viktor Szakats (1 Oct 2022) +- Makefile.m32: cleanups and fixes [ci skip] + + - Add `-lcrypt32` once, and add it always for simplicity. + - Delete broken link and reference to the pre-Vista WinIDN add-on. + MS no longer distribute it. + - Delete related `WINIDN_PATH` option. IDN is a system lib since Vista. + - Sync `LIBCARES_PATH` default with the rest of dependencies. 
+ - Delete version numbers from dependency path defaults. + - `libgsasl` package is now called `gsasl`. + - Delete `libexpat` and `libxml2` references. No longer used by curl. + - Delete `Edit the path below...` comments. We recommend to predefine + those envvars instead. + - `libcares.a` is not an internal dependency anymore. Stop using it as + such. + - `windres` `--include-dir` -> `-I`, `-F` -> `--target=` for readability. + - Delete `STRIP`, `CURL_STRIP`, `AR` references from `src/Makefile.m32`. + They were never used. + - Stop to `clean` some objects twice in `src/Makefile.m32`. + - Delete cvs-specific leftovers. + - Finish resource support in examples make file. + - Delete `-I/lib` from examples make file. + - Fix copyright start year in examples make file. + - Delete duplicate `ftpuploadresume` input in examples make file. + - Sync OpenSSL lib order, `SYNC` support, `PROOT` use, dependency path + defaults, variables names and other internal bits between the three + make files. + - `lib/Makefile.m32` accepted custom options via `DLL_LIBS` envvar. This + was lib-specific and possibly accidental. Use `CURL_LDFLAG_EXTRAS_DLL` + envvar for the same effect. + - Fix linking `curl.exe` and examples to wrong static libs with + auto-detected OpenSSL 1.0.2 or earlier. + - Add `-lgdi32` for OpenSSL 1.0.2 and earlier only. + - Add link to Novell LDAP SDK and use a relative default path. Latest + version is from 2016, linked to an outdated OpenSSL 1.0.1. + - Whitespace and comment cleanups. + + TODO in a next commit: + + Delete built-in detection/logic for OpenSSL 1.0.2 and earlier, the Novell + LDAP SDK and the other LDAP SDK (which is _not_ OpenLDAP). Write up the + necessary custom envvars to configure them. + + Closes #9616 + +Daniel Stenberg (30 Sep 2022) +- RELEASE-NOTES: synced -Daniel Stenberg (13 Jul 2022) -- asyn-thread: make getaddrinfo_complete return CURLcode +- [Matt Holt brought this change] - ... 
as the only caller that cares about what it returns assumes that - anyway. This caused icc to warn: + HTTP3.md: update Caddy example - asyn-thread.c(505): error #188: enumerated type mixed with another type - result = getaddrinfo_complete(data); + Closes #9623 - Repoorted-by: Matthew Thompson - Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 - Closes #9146 +- easy: fix the altsvc init for curl_easy_duphandle -- easy_lock: fix build with icc + It was using the old #ifdef which nothing sets anymore - The Intel compiler tries to look like GCC *and* clang *and* it lies in - its __has_builtin() function (returns true when it should return false), - so override it. + Closes #9624 - Reported-by: Matthew Thompson - Fixes #9081 - Closes #9144 +- GHA: build tests in a separate step from the running of them -- configure: fix --disable-headers-api + ... to make the output smaller for when you want to look at test + failures. - Reported-by: Michał Antoniak - Fixes #9134 - Closes #9143 + Removed the examples build from msh3 -- test3026: require 'threadsafe' + Closes #9619 - Reported-by: Sukanya Hanumanthu - Fixes #9141 - Closes #9142 +Viktor Szakats (29 Sep 2022) +- ldap: delete stray CURL_HAS_MOZILLA_LDAP reference -- [Even Rouault brought this change] + Added in 68b215157fdf69612edebdb220b3804822277822, while adding openldap + support. This is also the single mention of this constant in the source + tree and also in that commit. Based on these, it seems like an accident. - CMake: link curl to its dependencies with PRIVATE + Delete this reference. - The current PUBLIC visibility causes issues for downstream users. - Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 + Reviewed-by: Daniel Stenberg - Reviewed-by: Jakub Zakrzewski - Closes #9125 + Closes #9625 -- [Even Rouault brought this change] +- docs: spelling nits - CMake: remove APPEND in export(TARGETS) + - MingW -> MinGW (Minimalist GNU for Windows) + - f.e. -> e.g. 
+ - some whitespace and punctuation. - When running cmake several times, new content was appended to already - existing generated files, which is not appropriate + Reviewed-by: Daniel Stenberg - Reviewed-by: Jakub Zakrzewski - Closes #9124 + Closes #9622 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (29 Sep 2022) +- [Philip Heiduck brought this change] - ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks + cirrus-ci: add macOS build with m1 - Closes #9135 + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> -- RELEASE-NOTES: synced + Closes #9565 -Viktor Szakats (11 Jul 2022) -- build: improve OS string in CMake and `config-win32.h` +- [Patrick Monnerat brought this change] - This patch makes CMake fill the "OS string" with the value of - `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet, - the same we can pass to `./configure` via `--host=`. + lib: sanitize conditional exclusion around MIME - For non-CMake, non-autotools, Windows builds, this patch adds the ability - to override the default `OS` value in `lib/config-win32.h`. + The introduction of CURL_DISABLE_MIME came with some additional bugs: + - Disabled MIME is compiled-in anyway if SMTP and/or IMAP is enabled. + - CURLOPT_MIMEPOST, CURLOPT_MIME_OPTIONS and CURLOPT_HTTPHEADER are + conditioned on HTTP, although also needed for SMTP and IMAP MIME mail + uploads. - With these its possible to get the same OS string across the three build - systems. + In addition, the CURLOPT_HTTPHEADER and --header documentation does not + mention their use for MIME mail. - This patch supersedes the earlier, partial, CMake-only solution: - 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the - `CURL_OS_SUFFIX` CMake option. + This commit fixes the problems above. - Reviewed-by: Jay Satiro - Closes #9117 + Closes #9610 -- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] +- [Thiago Suchorski brought this change] - They allow to override the hardcoded values for the `windres` and `strip` - tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. + docs: minor grammar fixes - `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and - `CURL_CC=clang` set on current latest debian:unstable or earlier, where - `llvm-windres` is missing, and a `CURL_RC=-windres` fixes it. - Hopefully this will be fixed in the llvm package. 
FWIW `llvm-windres` - does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. + Closes #9609 - Reviewed-by: Daniel Stenberg - Closes #9132 +- CURLSHOPT_UNLOCKFUNC.3: the callback as no 'access' argument -Daniel Stenberg (10 Jul 2022) -- [Tatsuhiro Tsujikawa brought this change] + Probably a copy and paste error from the lock function man page. - ngtcp2: fix stall or busy loop on STOP_SENDING with upload data + Reported-by: Robby Simpson + Fixes #9612 + Closes #9613 - Fixes #9122 - Closes #9123 +- CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five -- [Xiaoke Wang brought this change] + ... instead just list the supported encodings. - tool_operate: better cleanup of easy handle in exit path + Reported-by: ProceduralMan on github + Fixes #9614 + Closes #9615 - Closes #9114 +Dan Fandrich (28 Sep 2022) +- tests: Remove a duplicated keyword -- [Xiaoke Wang brought this change] +- docs: document more server names for test files - getinfo: return better error on NULL as first argument +Daniel Stenberg (28 Sep 2022) +- altsvc: reject bad port numbers - Closes #9114 + The existing code tried but did not properly reject alternative services + using negative or too large port numbers. -- tool_getparam: repair cleanarg + With this fix, the logic now also flushes the old entries immediately + before adding a new one, making a following header with an illegal entry + not flush the already stored entry. - Regression since 9e5669f. + Report from the ongoing source code audit by Trail of Bits. - Make sure the "cleaning" of command line arguments is done on the - original argv[] pointers. As a bonus, it also exits better on out of - memory error. + Adjusted test 356 to verify. 
- Reported-by: Litter White - Fixes #9128 - Closes #9130 + Closes #9607 -Jay Satiro (10 Jul 2022) -- docs: explain curl_easy_escape/unescape curl handle is ignored +- functypes: provide the recv and send arg and return types - 26101421 (precedes 7.82.0) removed character conversion support used by - very old legacy operating systems and since then the curl handle passed - to curl_easy_escape/unescape is always ignored. + This header is for providing the argument types for recv() and send() + when built to not use a dedicated config-[platfor].h file. - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo + Remove the slow brute-force checks from configure and cmake. - Closes https://github.com/curl/curl/pull/9121 + This change also removes the use of the types for select, as they were + not used in code. -Viktor Szakats (8 Jul 2022) -- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL + Closes #9592 - BoringSSL doesn't keep a version number, and doesn't self-identify itself - via any other revision number via its own headers. We can identify - BoringSSL revisions by their commit hash. This hash is typically known by - the builder. This patch adds a way to pass this hash to libcurl, so that - it can display in the curl version string: +- urlapi: reject more bad characters from the host name field - For example: + Extended test 1560 to verify - `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` + Report from the ongoing source code audit by Trail of Bits. - ``` - curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] - Release-Date: 2022-06-27 - Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] - Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] - ``` + Closes #9608 - The setting is optional, and if not passed, BoringSSL will appear without - a version number, like before this patch. 
+- configure: deprecate builds with small curl_off_t - Closes #9113 + If curl_off_t turns out to be smaller than 8 bytes, + --with-n64-deprecated needs to be used to allow the build to + continue. This is to highlight the fact that support for such builds is + going away next year. -Jay Satiro (8 Jul 2022) -- escape: remove outdated comment + Also mentioned in DEPRECATED.md - Bug: https://github.com/curl/curl/discussions/9115 - Reported-by: Ted Lyngmo + Closes #9605 -- [Tatsuhiro Tsujikawa brought this change] +- [Patrick Monnerat brought this change] - ngtcp2: Fix missing initialization of nghttp3_nv.flags + http, vauth: always provide Curl_allow_auth_to_host() functionality - Closes https://github.com/curl/curl/pull/9118 + This function is currently located in the lib/http.c module and is + therefore disabled by the CURL_DISABLE_HTTP conditional token. -Daniel Stenberg (6 Jul 2022) -- [Brad Forschinger brought this change] + As it may be called by TLS backends, disabling HTTP results in an + undefined reference error at link time. - netrc.d: remove spurious quote + Move this function to vauth/vauth.c to always provide it and rename it + as Curl_auth_allowed_to_host() to respect the vauth module naming + convention. - Closes #9111 + Closes #9600 -Viktor Szakats (6 Jul 2022) -- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] +- ngtcp2: fix C89 compliance nit - Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. - Add `NGTCP2_LIBS` envvar to override them with a custom list, - making it possible to use BoringSSL, or any other backend. +- openssl: make certinfo available for QUIC - Closes #9109 + Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that + can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC + connections as well. -Jay Satiro (6 Jul 2022) -- [Evgeny Grin (Karlson2k) brought this change] + The *certchain function was moved to the top of the file for this reason. 
- digest: fix missing increment of 'nc' value for auth-int + Reported-by: Eloy Degen + Fixes #9584 + Closes #9597 - - Increment nc regardless of qop type. +- RELEASE-NOTES: synced - Prior to this change nc was only incremented for qop type auth even - though libcurl sends nc with any qop. +- DEPRECATE.md: Support for systems without 64 bit data types - Closes https://github.com/curl/curl/pull/9090 + Closes #9604 -Daniel Stenberg (5 Jul 2022) -- RELEASE-NOTES: synced +- [Patrick Monnerat brought this change] - Bumped to 7.85.0 + tests: skip mime/form tests when mime is not built-in -- urldata: reduce size of four ftp related members + Closes #9596 - ftp_filemethod, ftpsslauth and ftp_ccc are now uchars +- url: rename function due to name-clash in Watt-32 - accepttimeout is now unsigned int - almost 50 days ought to be enough - for this value. + Follow-up to 2481dbe5f4f58 and applies the change the way it was + intended. - Closes #9106 +Viktor Szakats (26 Sep 2022) +- windows: adjust name of two internal public functions -- urldata: reduce three type-members from int to uchar + According to `docs/INTERNALS.md`, internal function names spanning source + files start with uppercase `Curl_`. Bring these two functions in + alignment with this. - - timecondition - - proxytype - - method + This also stops exporting them from `libcurl.dll` in autotools builds. - ... previously used their enum type in the struct, which made them - unnecesarily large. + Reviewed-by: Daniel Stenberg - Closes #9105 + Closes #9598 -- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name +Daniel Stenberg (26 Sep 2022) +- [Gisle Vanem brought this change] - Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the - other way around. + url: rename function due to name-clash in Watt-32 - Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias - but since the option is for more protocols than FTP the more "correct" - version of the option is the "server" one so now we switch. 
+ Since the commit 764c958c52edb427f39, there was a new function called + resolve_ip(). This clashes with an internal function in Watt-32. - Closes #9104 + Closes #9585 -- urldata: make 'ftp_create_missing_dirs' a uchar +Jay Satiro (26 Sep 2022) +- schannel: ban server ALPN change during recv renegotiation - It only ever holds the values 0-2. + By the time schannel_recv is renegotiating the connection, libcurl has + already decided on a protocol and it is too late for the server to + select a protocol via ALPN except for the originally selected protocol. - Closes #9103 + Ref: https://github.com/curl/curl/issues/9451 -- [Don J Olmstead brought this change] + Closes https://github.com/curl/curl/pull/9463 - cmake: support ngtcp2 boringssl backend +Daniel Stenberg (26 Sep 2022) +- url: a zero-length userinfo part in the URL is still a (blank) user - Update the ngtcp2 find module to detect the boringssl backend. Determine - if the underlying OpenSSL implementation is BoringSSL and if so use that - as the ngtcp2 backend. + Adjusted test 1560 to verify - Reviewed-by: Jakub Zakrzewski - Closes #9065 + Reported-by: Jay Satiro -- urldata: change 4 timeouts to unsigned int from long + Fixes #9088 + Closes #9590 - They're not used for that long times anyway, 32 bit milliseconds is long - enough. +Viktor Szakats (25 Sep 2022) +- autotools: allow --enable-symbol-hiding with windows - Closes #9101 + This local autotools logic was put in place in + 9e24b9c7afbcb81120af4cf3f6cdee49a06d8224 (in 2012) which disabled it for + Windows unconditionally. Testing reveals that it actually works with + tested toolchains (mingw-w64 and CI ones), so let's allow this build + feature on that platform. Bringing this in sync with CMake, which already + supported this. 
-- urldata: make 'use_netrc' a uchar + Reviewed-by: Jay Satiro - Closes #9102 + Closes #9586 -- urldata: make 'buffer_size' an unsigned int +- autotools: reduce brute-force when detecting recv/send arg list - It is already capped at READBUFFER_MAX which fits easily in 32 bits. + autotools uses brute-force to detect `recv`/`send`/`select` argument + lists, by interating through _all_ argument type combinations on each + `./configure` run. This logic exists since + 01fa02d0b545e1433dced2430561f8c0c72b74a9 (from 2006) and was a bit later + extended with Windows support. - Closes #9098 + This results in a worst-case number of compile + link cycles as below: + - `recv`: 96 + - `send`: 192 + - `select`: 60 + Total: 348 (the number of curl C source files is 195, for comparison) -- urldata: remove the unused 'rtspversion' struct member + Notice that e.g. curl-for-win autotools builds require two `./configure` + invocations, doubling these numbers. - Closes #9100 + `recv` on Windows was especially unlucky because `SOCKET` (the correct + choice there) was listed _last_ in one of the outer trial loops. This + resulted in lengthy waits while autotools was trying all invalid + combinations first, wasting cycles, disk writes and slowing down + iteration. -- urldata: make 'use_port' an usigned short + This patch reduces the amount of idle work by reordering the tests in + a way to succeed first on a well-known platform such as Windows, and + also on non-Windows by testing for POSIX prototypes first, on the + assumption that these are the most likely candidates these days. (We do + not touch `select`, where the order was already optimal for these + platforms.) - ... instead of a long. It is already enforced to not attempt to set any - value outside of 16 bits unsigned. + For non-Windows, this means to try a return value of `ssize_t` first, + then `int`, reordering the buffer argument type to try `void *` first, + then `byte *`, and prefer the `const` flavor with `send`. 
If we are + here, also stop testing for `SOCKET` type in non-Windows builds. - Closes #9099 + After the patch, detection on Windows is instantaneous. It should also be + faster on popular platforms such as Linux and BSD-based ones. -- urldata: store dns cache timeout in an int + If there are known-good variations for other platforms, they can also be + fast-tracked like above, given a way to check for that platform inside + the autotools logic. - 68 years ought to be enough for most. + Reviewed-by: Daniel Stenberg - Closes #9097 + Closes #9591 -- curl: proto2num: make sure obuf is inited +Daniel Stenberg (23 Sep 2022) +- TODO: Provide the error body from a CONNECT response - Detected by Coverity. CID 1507052. + Spellchecked-by: Jay Satiro - Closes #9096 + Closes #9513 + Closes #9581 -- cookie: use %zu to infof() for size_t values +Viktor Szakats (23 Sep 2022) +- windows: autotools .rc warnings fixup - Detected by Coverity. CID 1507051 - Closes #9095 + Move `LT_LANG([Windows Resource])` after `XC_LIBTOOL`, fixing: -Viktor Szakats (4 Jul 2022) -- makefile.m32: add support for custom ARCH [ci skip] + - Warnings when running `autoreconf -fi`. - When building curl for target platform other than x64 and x86, it is now - possible to pass `ARCH=custom`, that will omit all hardcoded logic for - setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be - customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly - added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. + - Warning when compiling .rc files: + libtool: compile: unable to infer tagged configuration + libtool: error: specify a tag with '--tag' - This makes it possible to use `makefile.m32` to build for ARM64 for - example. 
+ Follow up to 6de7322c03d5b4d91576a7d9fc893e03cc9d1057 + Ref: https://github.com/curl/curl/pull/9521#issuecomment-1256291156 - Reviewed-by: Daniel Stenberg - Closes #9092 + Suggested-by: Patrick Monnerat + Closes #9582 -- cmake: do not force Windows target versions +Daniel Stenberg (23 Sep 2022) +- [Randall S. Becker brought this change] - The goal of this patch is to avoid CMake forcing specific Windows - versions and rely on toolchain defaults or manual selection instead. - This gives back control to the user. This also brings CMake closer to - how autotools and `Makefile.m32` behaves in this regard. + curl_setup: disable use of FLOSS for 64-bit NonStop builds - - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did - nothing else than fixing the Windows build target to Vista. This also - happened when the toolchain did not have Vista support (e.g. original - MinGW), breaking such builds. + Older 32-bit builds currently need FLOSS. This dependency may be removed + in future OS releases. - In other environments it did not make a user-facing difference, - because libcurl has its own pton() implementation, so it works well - with or without Vista's inet_pton(). + 
Signed-off-by: Randall S. Becker - This patch drops this setting. inet_pton() is now used whenever - building for Vista or newer, either when requested manually or by - default with modern toolchains (e.g. mingw-w64). Older envs will fall - back to curl's pton(). + Closes #9575 - Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 - Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 +- [Patrick Monnerat brought this change] - - When the user did no select a Windows target version manually, stop - explicitly targeting Windows XP, and instead use the toolchain default. + tool: remove dead code - This may pose an issue with old toolchains defaulting to pre-XP - targets. In such case you must manually target Windows XP via: - `-DCURL_TARGET_WINDOWS_VERSION=0x0501` - or - `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` + Add a debug assertion to verify protocols included/excluded in a set + are always tokenized. - Reviewed-by: Jay Satiro - Reviewed-by: Marcel Raad - Closes #9046 + Follow-up to commit 677266c. -- windows: improve random source + Closes #9576 - - Use the Windows API to seed the fallback random generator. +- [Patrick Monnerat brought this change] - This ensures to always have a random seed, even when libcurl is built - with a vtls backend lacking a random generator API, such as rustls - (experimental), GSKit and certain mbedTLS builds, or, when libcurl is - built without a TLS backend. We reuse the Windows-specific random - function from the Schannel backend. + lib: prepare the incoming of additional protocols - - Implement support for `BCryptGenRandom()` [1] on Windows, as a - replacement for the deprecated `CryptGenRandom()` [2] function. + Move the curl_prot_t to its own conditional block. Introduce symbol + PROTO_TYPE_SMALL to control it. - It is used as the secure random generator for Schannel, and also to - provide entropy for libcurl's fallback random generator. 
The new - function is supported on Vista and newer via its `bcrypt.dll`. It is - used automatically when building for supported versions. It also works - in UWP apps (the old function did not). + Fix a cast in a curl_prot_t assignment. + Remove an outdated comment. - - Clear entropy buffer before calling the Windows random generator. + Follow-up to cd5ca80. - This avoids using arbitrary application memory as entropy (with - `CryptGenRandom()`) and makes sure to return in a predictable state - when an API call fails. + Closes #9534 - [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom - [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom +- msh3: change the static_assert to make the code C89 - Closes #9027 +- bearssl: make it proper C89 compliant -Daniel Stenberg (4 Jul 2022) -- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR +- curl-compilers.m4: for gcc + want warnings, set gnu89 standard - ... as replacements for deprecated CURLOPT_PROTOCOLS and - CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the - 32 bit limit the old ones are facing. + To better verify that the code is C89 - CURLINFO_PROTCOOL is now deprecated. + Closes #9542 - The curl tool is updated to use the new options. +- [Patrick Monnerat brought this change] - Added test 1597 to verify the libcurl protocol parser. + lib517: fix C89 constant signedness - Closes #8992 + In C89, positive integer literals that overflow an int but not an + unsigned int may be understood as a negative int. -- digest: simplify a switch() to a simple if + lib517.c:129:3: warning: this decimal constant is unsigned only in ISO C90 + {"Sun, 06 Nov 2044 08:49:37 GMT", 2362034977 }, + ^ -- digest: provide a special bit for "sess" algos + Closes #9572 - Also shortened the names and moved them to the .c file since they are - private for this source file only. Also made them #defines instead of - enum. 
+- mprintf: use snprintf if available - Closes #9079 + This is the single place in libcurl code where it uses the "native" + s(n)printf() function. Used for writing floats. The use has been + reviewed and vetted and uses a HUGE target buffer, but switching to + snprintf() still makes this safer and removes build-time warnings. -Jay Satiro (4 Jul 2022) -- [Thomas Weißschuh brought this change] + Reported-by: Philip Heiduck - select: do not return fatal error on EINTR from poll() + Fixes #9569 + Closes #9570 - The same was done for select() in 5912da25 but poll() was missed. +- docs: tag curl options better in man pages - Bug: https://bugs.archlinux.org/task/75201 - Reported-by: Alexandre Bury (gyscos at archlinux) + As it makes them links in the HTML versions. - Ref: https://github.com/curl/curl/issues/8921 - Ref: https://github.com/curl/curl/pull/8961 - Ref: https://github.com/curl/curl/commit/5912da25#r77584294 + Verified by the extended test 1176 - Closes https://github.com/curl/curl/pull/9091 +- symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 -- [Kai Pastor brought this change] +- manpage-syntax.pl: all libcurl option symbols should be \fI-tagged - cmake: fix build for mingw cross compile + ... as that makes them links to their corresponding man page. - - Change normaliz lib name to all lowercase. + This script is used for test 1173. - This is from a standing patch in vcpkg: - Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross - builds from Linux), the spelling must match exactly. + Closes #9574 - Closes https://github.com/curl/curl/pull/9084 +- RELEASE-NOTES: synced -- easy_lock: fix build for mingw +- [Patrick Monnerat brought this change] - - Define SRWLOCK symbols missing in some mingw environments. + tool: remove protocol count limitation - Closes https://github.com/curl/curl/pull/8997 + Replace bit mask protocol sets by null-terminated arrays of protocol + tokens. 
These are the addresses of the protocol names returned by + curl_version_info(). -Daniel Stenberg (2 Jul 2022) -- tool_progress: avoid division by zero in parallel progress meter + Protocol names are sorted case-insensitively before output to satisfy CI + tests matches consistency. - Reported-by: Brian Carpenter - Fixes #9082 - Closes #9083 + The protocol list returned by curl_version_info() is augmented with all + RTMP protocol variants. -- http_aws_sigv4.c: remove two unusued includes + Test 1401 adjusted for new alpha ordered output. - Closes #9080 + Closes #9546 -- .mailmap: additional edit +- test972: verify the output without using external tool - Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git - logs even when using old email. + It seems too restrictive to assume and use an external tool to verify + the JSON. This now verifies the outut byte per byte. We could consider + building a local "JSON verifyer" in a future. -- RELEASE-NOTES: synced + Remove 'jsonlint' from the CI job. - bumped to 7.84.1 + Reported-by: Marcel Raad + Fixes #9563 + Closes #9564 -- [Evgeny Grin (Karlson2k) brought this change] +- hostip: lazily wait to figure out if IPv6 works until needed - .mailmap: updated + The check may take many milliseconds, so now it is performed once the + value is first needed. Also, this change makes sure that the value is + not used if the resolve is set to be IPv4-only. 
-- [Evgeny Grin (Karlson2k) brought this change] + Closes #9553 - THANKS: merged two entries for Evgeny Grin +- curl.h: fix mention of wrong error code in comment - Also updated THANKS-filter file + The same error and comment were also used and is now corrected in + CURLOPT_SSH_KEYFUNCTION.3 - Closes #9076 +- symbol-scan.pl: scan and verify .3 man pages -- [Jilayne Lovejoy brought this change] + This script now also finds all .3 man pages in docs/include and + docs/include/opts, extracts all uses of CURL* symbols and verifies that all + symbols mentioned in docs are defined in public headers. - lib/curl_path.c: add ISC to license expression + A "global symbol" is one of those matching a known prefix and the script makes + an attempt to check all/most of them. Just using *all* symbols that match + CURL* proved matching a little too many other references as well and turned + difficult turning into something useful. - THe text of the ISC license is in this file, so the SPDX license - expression should be updated + Closes #9544 - Closes #9073 +- symbols-in-versions: add missing LIBCURL* symbols -- [Sean McArthur brought this change] +- symbol-scan.pl: also check for LIBCURL* symbols - hyper: use wakers for curl pause/resume + Closes #9544 - Closes #9070 +- docs/libcurl/symbols-in-versions: add several missing symbols -Viktor Szakats (30 Jun 2022) -- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] +- test1119: scan all public headers - Delete `-DDEBUGBUILD=0` windres option. This was likely meant to - disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled - it instead. Delete this unnecessary option and thus sync up with - how CMake compiles libcurl.rc by default. + Previously this test only scanned a subset of the headers, which made us + accidentally miss symbols that were provided in the others. Now, the script + iterates over all headers present in include/curl. 
- Reviewed-by: Jay Satiro - Closes #9069 + Closes #9544 -Daniel Stenberg (29 Jun 2022) -- curl.h: CURLE_CONV_FAILED is obsoleted +- [Patrick Monnerat brought this change] - The last use was removed in 7.82.0. Updated some docs too to reflect the - current error code situation. + examples/chkspeed: improve portability - Closes #9067 + The example program chkspeed uses strncasecmp() which is not portable + across systems. Replace calls to this function by tests on characters. -- curl: output warning when a cookie is dropped due to size + Closes #9562 - Dropped from the request, that is. +- easy: fix the #include order - Closes #9064 + The mentioned "last 3 includes" order should be respected. easy_lock.h should + be included before those three. -- curl_mime_data.3: polish the wording + Reported-by: Yuriy Chernyshov + Fixes #9560 + Closes #9561 - Closes #9063 +- docs: spellfixes -- configure: check for the stdatomic.h header in configure + Pointed by the new CI job - ... and only set HAVE_ATOMIC if that header exists since we use - typedefes set in it. +- GHA: spellcheck - Reported-by: Ryan Schmidt - Fixes #9059 - Closes #9060 + This spellchecker checks markdown files. For this reason this job + converts all man pages in the repository to markdown with pandoc before + the check runs. -- easy_lock: fix the #ifdef conditional for ia32_pause + The perl script 'cleanspell' filters out details from the man page in + the process, to avoid the spellchecker trying to spellcheck things it + can't. Like curl specific symbols and the SYNOPSIS and EXAMPLE sections + of libcurl man pages. - To work better with new and old clang compilers. + The spell checker does not check words in sections that are within pre, + strong and em tags. - Reported-by: Ryan Schmidt - Assisted-by: Joshua Root + 'spellcheck.words' is a custom word list with additional accepted words. 
- Fixes #9058 - Closes #9062 + Closes #9523 -- easy_lock: switch to using atomic_int instead of bool +- connect: fix the wrong error message on connect failures - To work with more compilers without requiring separate libs to - link. Like with gcc-12 for RISC-V on Linux. + The "Failed to connect to" message after a connection failure would + include the strerror message based on the presumed previous socket + error, but in times it seems that error number is not set when reaching + this code and therefore it would include the wrong error message. - Reported-by: Adam Sampson - Fixes #9055 - Closes #9061 + The strerror message is now removed from here and the curl_easy_strerror + error is used instead. -- [vvb2060 brought this change] + Reported-by: Edoardo Lolletti + Fixes #9549 + Closes #9554 - ngtcp2: fix incompatible function pointer types +- httpput-postfields.c: shorten string for C89 compliance - Closes #9056 + httpput-postfields.c:41:3: error: string length ‘522’ is greater than the length ‘509’ ISO C90 compilers are required to support [-Woverlength-strings] + 41 | "this chapter."; + | ^~~~~~~~~~~~~~~ -- [vvb2060 brought this change] + Closes #9555 - easy_lock.h: use __asm__ instead of asm to fix build +- ws: fix a C89 compliance nit - Closes #9056 + Closes #9541 -- [Samuel Henrique brought this change] +- [Patrick Monnerat brought this change] - libcurl-security.3: fix typo on macro "SH_" + unit test 1655: make it C89-compliant - During the packaging of the latest curl release for Debian, Lintian - warned me about a typo which causes the section name "Secrets in memory" - to not be rendered in the manpage due to "SH_" not being recognized as a - header. + Initializations performed in unit test 1655 use automatic variables in + aggregates and thus can only be computed at run-time. 
Using gcc in C89 + dialect mode produces warning messages like: - Closes #9057 + unit1655.c:96:7: warning: initializer element is not computable at load time [-Wpedantic] + 96 | { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */ + | ^~~~~~~ -- easy_lock.h: include sched.h if available to fix build + Fix the problem by converting these automatic pointer variables to + static arrays. - Patched-by: Harry Sintonen + Closes #9551 - Closes #9054 +- [Tobias Schaefer brought this change] -Version 7.84.0 (27 Jun 2022) + curl_strequal.3: fix typo -Daniel Stenberg (27 Jun 2022) -- RELEASE-NOTES: synced + Closes #9548 - Version 7.84.0 release +- [Dmitry Karpov brought this change] -- THANKS: contributors from 7.84.0 release notes + resolve: make forced IPv4 resolve only use A queries -- hsts: use Curl_fopen() + This protects IPv4-only transfers from undesired bad IPv6-related side + effects and make IPv4 transfers in dual-stack libcurl behave the same + way as in IPv4 single-stack libcurl. -- altsvc: use Curl_fopen() + Closes #9540 -- fopen: add Curl_fopen() for better overwriting of files +- RELEASE-NOTES: synced - Bug: https://curl.se/docs/CVE-2022-32207.html - CVE-2022-32207 - Reported-by: Harry Sintonen - Closes #9050 +- winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths -- test444: test many received Set-Cookie: + Patched-by: Mark Itzcovitz + Bug: https://curl.se/mail/lib-2022-09/0038.html - The amount of sent cookies in the test is limited to 80 because hyper - has its own strict limits in how many headers it allows to be received - which triggers at some point beyond this number. + Closes #9536 -- test442/443: test cookie caps +- TODO: Reduce CA certificate bundle reparsing - 442 - verify that only 150 cookies are sent - 443 - verify that the cookie: header remains less than 8K in size + By adding some sort of cache. 
-- cookie: apply limits + Reported-by: Michael Drake + Closes #9379 + Closes #9538 - - Send no more than 150 cookies per request - - Cap the max length used for a cookie: header to 8K - - Cap the max number of received Set-Cookie: headers to 50 +Marc Hoersken (19 Sep 2022) +- CI/GHA: cancel outdated CI runs on new PR changes - Bug: https://curl.se/docs/CVE-2022-32205.html - CVE-2022-32205 - Reported-by: Harry Sintonen - Closes #9048 + Avoid letting outdated CI runs continue if a PR receives + new changes. Outside a PR we let them continue running + by tying the concurrency to the commit hash instead. -- test387: verify rejection of compression chain attack + Also only let one CodeQL or Hacktoberfest job run at a time. -- content_encoding: return error on too many compression steps + Other CI platforms we use have this build in, but GitHub + unfortunately neither by default nor with a simple option. - The max allowed steps is arbitrarily set to 5. + This saves CI resources and therefore a little energy. - Bug: https://curl.se/docs/CVE-2022-32206.html - CVE-2022-32206 - Reported-by: Harry Sintonen - Closes #9049 + Approved-by: Daniel Stenberg + Approved-by: Max Dymond + Closes #9533 -- krb5: return error properly on decode errors +Daniel Stenberg (19 Sep 2022) +- docs: fix proselint complaints - Bug: https://curl.se/docs/CVE-2022-32208.html - CVE-2022-32208 - Reported-by: Harry Sintonen - Closes #9051 +- GHA: run proselint on markdown files -- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro + Co-authored-by: Marc Hörsken - clang 14 warns about its use. 
It is being deprecated by the working - group for the programming language C: "The macro ATOMIC_VAR_INIT is - basically useless for the purpose for which it was designed" + Closes #9520 - Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm +- lib: the number four in a sequence is the "fourth" - Reported-by: Tatsuhiro Tsujikawa - Fixes #9041 - Closes #9042 + Spelling is hard -- [Stefan Eissing brought this change] + Closes #9535 - ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() +- [John Bampton brought this change] - Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control - buffer is provided in sengmsg(), even though msg_controllen was set to - 0. + misc: fix spelling in two source files - Initialize msg.msg_controllen just as needed and also perform the size - assertion only when needed. + Closes #9529 - Closes #9039 +Viktor Szakats (18 Sep 2022) +- windows: add .rc support to autotools builds -- [Tom Eccles brought this change] + After this update autotools builds will compile and link `.rc` resources + to Windows executables. Bringing this feature on par with CMake and + Makefile.m32 builds. And also making it unnecessary to improvise these + steps manually, while monkey patching build files, e.g. [0]. - ftp: restore protocol state after http proxy CONNECT + You can customize the resource compiler via the `RC` envvar, and its + options via `RCFLAGS`. - connect_init() (lib/http_proxy.c) swaps out the protocol state while - working on the proxy connection, this is then restored by - Curl_connect_done() after the connection completes. + This harmless warning may appear throughout the build, even though the + autotools manual documents [1] `RC` as a valid tag, and it fails when + omitting one: + `libtool: error: ignoring unknown tag RC` - ftp_do_more() extracted the protocol state pointer to a local variable - at the start of the function then calls Curl_proxy_connect(). 
If the proxy - connection completes, Curl_proxy_connect() will call Curl_connect_done() - (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp - protocol state instead of the http proxy protocol state, but the local - variable in ftp_do_more still pointed to the old value. + [0] https://github.com/curl/curl-for-win/blob/535f19060d4b708f72e75dd849409ce50baa1b84/curl-autotools.sh#L376-L382 + [1] https://www.gnu.org/software/libtool/manual/html_node/Tags.html - Ultimately this meant that the state worked on by ftp_do_more() was the - http proxy state not the ftp state initialised by ftp_connect(), but - subsequent calls to any ftp_ function would use the original state. + Closes #9521 - For my use-case, the visible consequence was that ftp->downloadsize was - never set and so downloaded data was never returned to the application. +Marc Hoersken (18 Sep 2022) +- CI/linkcheck: only run if a Markdown file is changed - This commit updates the ftp protocol state pointer in ftp_do_more() after - Curl_proxy_connect() returns, ensuring that the correct state pointer is - used. + This saves CI resources and therefore a little energy. - Fixes #8737 - Closes #9043 + Reviewed-by: Max Dymond + Closes #9531 -Jay Satiro (23 Jun 2022) -- THANKS: add contributor missing from aea8ac1 +- README.md: add GHA status badges for Linux and macOS builds - aea8ac1 fixed #8980 which was reported by Sgharat on github, but that - info was not included in the commit message. + This makes sense now that Linux builds are being consolidated. -- curl_setup: include _mingw.h + Approved-by: Daniel Stenberg + Closes #9530 - Prior to this change _mingw.h needed to be included in each unit before - evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It - is included only in some mingw headers (eg stdio.h) and not others - (eg windows.h) so it's better to explicitly include it once. 
+ [skip ci] - Closes https://github.com/curl/curl/pull/9036 +Daniel Stenberg (17 Sep 2022) +- misc: null-terminate -Viktor Szakats (22 Jun 2022) -- rand: stop detecting /dev/urandom in cross-builds + Make use of this term consistently. - - Prevent CMake to auto-detect /dev/urandom when cross-building. - Before this patch, it would detect it in a cross-build scenario on *nix - hosts with this device present. This was a problem for example with - Windows builds, but it could affect any target system with this device - missing. This also syncs detection behaviour with autotools, which also - skips it for cross-builds. - - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's - fallback random number generator on Windows. Windows does not have the - concept of reading a random stream from a filename, nor any guaranteed - non-world-writable path on disk. With this, a manual misconfiguration or - an overeager auto-detection can no longer result in a user-controllable - seed source. + Closes #9527 - Reviewed-by: Daniel Stenberg - Closes #9038 +Marc Hoersken (17 Sep 2022) +- CI/GHA: merge intel CC and more TLS libs into linux workflow -Daniel Stenberg (22 Jun 2022) -- [Emanuele Torre brought this change] + Continue work on merging all Linux workflows into one file. - ci: avoid `cmake -Hpath` + Reviewed-by: Max Dymond + Follow up to #9501 + Closes #9514 - This is an undocumented option similar to the `-Spath' option introduced - in cmake 3.13. - Replace all instances of `-Hpath' with `-Spath' in macos workflow. - Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul - scripts since it runs an older version of cmake. +Daniel Stenberg (17 Sep 2022) +- [Patrick Monnerat brought this change] - Fixes #9008 - Closes #9014 + lib1597: make it C89-compliant again -- INTERNALS: bring back the "Library symbols" section + Automatic variable addresses cannot be used in an initialisation + aggregate. 
- Most contents was moved, but this text should remain here. + Follow-up to 9d51329 - Follow-up to: d324ac8 - Reported-by: Viktor Szakats - Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 - Closes #9037 + Reported-by: Daniel Stenberg + Fixes: #9524 + Closes #9525 -Viktor Szakats (22 Jun 2022) -- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] +- tool_libinfo: silence "different 'const' qualifiers" in qsort() - Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows - XP when the `-ipv6` option is selected. Maybe this was added to support - pre-XP Windows versions (?). These days libcurl builds fine for both XP - and post-XP versions with IPv6 support enabled. The relevance of pre-XP - version is also low by now. Other build methods also do not impose such - limitation for a similar configuration. So, drop this hard-wired - `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default - Windows version set by the compiler. This is Vista for recent MinGW - versions. + MSVC 15.0.30729.1 warned about it - Old behaviour can be restored by setting this envvar: - export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 + Follow-up to dd2a024323dcc - [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 + Closes #9522 - Closes #9035 +- [Patrick Monnerat brought this change] -Daniel Stenberg (21 Jun 2022) -- CONTRIBUTE: mention how we maintain REUSE compliance + docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. - for copyright and license information of all files stored in git + Disabled protocols are now handled as if they were unknown. + Also update the possible protocol list. - Closes #9032 +- [Patrick Monnerat brought this change] -- CURLOPT_ALTSVC.3: document the file format + cli tool: do not use disabled protocols - Closes #9033 + As they are now rejected by the library, take care of not passing + disabled protocol names to CURLOPT_PROTOCOLS_STR and + CURLOPT_REDIR_PROTOCOLS_STR. 
-Jay Satiro (21 Jun 2022) -- runtests: add "threadsafe" to detected features + Rather than using the CURLPROTO_* constants, dynamically assign protocol + numbers based on the order they are listed by curl_version_info(). - Follow-up to recent commits which added thread-safety support. + New type proto_set_t implements prototype bit masks: it should therefore + be large enough to accomodate all library-enabled protocols. If not, + protocol numbers beyond the bit count of proto_set_t are recognized but + "inaccessible": when used, a warning is displayed and the value is + ignored. Should proto_set_t overflows, enabled protocols are reordered to + force those having a public CURLPROTO_* representation to be accessible. - Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 - Reported-by: Marc Hörsken + Code has been added to subordinate RTMP?* protocols to the presence of + RTMP in the enabled protocol list, being returned by curl_version_info() + or not. - Closes https://github.com/curl/curl/pull/9030 +- [Patrick Monnerat brought this change] -Daniel Stenberg (20 Jun 2022) -- easy: remove dead code + setopt: use the handler table for protocol name to number conversions - Follow-up from 5912da253b64d + This also returns error CURLE_UNSUPPORTED_PROTOCOL rather than + CURLE_BAD_FUNCTION_ARGUMENT when a listed protocol name is not found. - Detected by Coverity (CID 1506519) + A new schemelen parameter is added to Curl_builtin_scheme() to support + this extended use. - Closes #9029 + Note that disabled protocols are not recognized anymore. -- [Glenn Strauss brought this change] + Tests adapted accordingly. - transfer: upload performance; avoid tiny send + Closes #9472 - Append to the upload buffer when only small amount remains in buffer - rather than performing a separate tiny send to empty buffer. 
+- altsvc: use 'h3' for h3 - Avoid degenerative upload behavior which might cause curl to send mostly - 1-byte DATA frames after exhausing the h2 send window size + Since the official and real version has been out for a while now and servers + are deployed out there using it, there is no point in sticking to h3-29. - Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 + Reported-by: ウさん + Fixes #9515 + Closes #9516 - Signed-off-by: Glenn Strauss - Closes #8965 +Jay Satiro (16 Sep 2022) +- [chemodax brought this change] -- [Steve Holme brought this change] + winbuild: Use NMake batch-rules for compilation - projects: fix third-party SSL library build paths for Visual Studio + - Invoke cl compiler once for each group of .c files. - The paths used by the build batch files were inconsistent with those in - the Visual Studio project files. + This is significantly improves compilation time. For example in my + environment: 40 s --> 20 s. - Closes #8991 + Prior to this change cl was invoked per .c file. -- [Pierrick Charron brought this change] + Closes https://github.com/curl/curl/pull/9512 - urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts +Daniel Stenberg (16 Sep 2022) +- ws: the infof() flags should be %zu - As per the documentation : + Follow-up to e5e9e0c5e49ae0 - > Setting a part to a NULL pointer will effectively remove that - > part's contents from the CURLU handle. + Closes #9518 - But currently clearing CURLUPART_URL does nothing and returns - CURLUE_OK. This change will clear all parts of the URL at once. +- curl: warn for --ssl use, considered insecure - Closes #9028 + Closes #9519 -- [Philip H brought this change] +- [Sergey Bronnikov brought this change] - CI: bump FreeBSD 13.0 to 13.1 + curl_escape.3: fix typo - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8815 + lengthf -> length -- RELEASE-NOTES: synced + Closes #9517 - and updated release date in RELEASE-PROCEDURE.md +- mailmap: merge Philip Heiduck's two addresses into one -- [divinity76 brought this change] +- test1948: verify PUT + POST reusing the same handle - CURLOPT_HTTPHEADER.3: improve comment in example + Reproduced #9507, verifies the fix - Closes #9025 +- setopt: when POST is set, reset the 'upload' field -Marc Hoersken (16 Jun 2022) -- CI/azure: reduce flakiness by retrying install/prepare steps + Reported-by: RobBotic1 on github + Fixes #9507 + Closes #9511 - Closes #9010 +Marc Hoersken (15 Sep 2022) +- github: initial CODEOWNERS setup for CI configuration -- CI/cirrus: align Windows timeout with Azure CI at 120 minutes + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad + Reviewed-by: Max Dymond - Closes #9009 + Closes #9505 -Jay Satiro (16 Jun 2022) -- vtls: make curl_global_sslset thread-safe + [skip ci] - .. and update some docs to explain curl_global_* is now thread-safe. +- [Philip Heiduck brought this change] - Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. + CI: optimize some more dependencies install - Closes https://github.com/curl/curl/pull/9016 + 
Signed-off-by: Philip Heiduck -- curl_easy_pause.3: remove explanation of progress function + Closes #9500 - - Remove misleading text that says progress function "gets called at - least once per second, even if the connection is paused." +- CI/GHA: merge event-based and NSS into new linux workflow - The progress function behavior is more nuanced and the user is better - served reading the progress function doc rather than attempt to explain - it in the curl_easy_pause doc. + Continue work on merging all Linux workflows into one file. - The progress function can only be called at least once per second if an - appropriate multi transfer function is called (eg curl_multi_perform) in - that time. For a paused transfer there may not be such a call. Rather - than explain this in detail in the curl_easy_pause doc, rely on the user - reading the CURLOPT_PROGRESSFUNCTION doc. + Follow up to #9501 + Closes #9506 - Ref: https://github.com/curl/curl/issues/8983 +Daniel Stenberg (15 Sep 2022) +- include/curl/websockets.h: add extern "C" for C++ - Closes https://github.com/curl/curl/pull/9015 + Reported-by: n0name321 on github + Fixes #9509 + Closes #9510 -Daniel Stenberg (15 Jun 2022) -- libssh: skip the fake-close when libssh does the right thing +- lib1560: extended to verify detect/reject of unknown schemes - Starting in libssh 0.10.0 ssh_disconnect() will no longer close our - socket. Instead it will be kept alive as we want it, and it is our - responsibility to close it later. + ... when no guessing is allowed. - Ref: #8718 - Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 - Closes #9021 +- urlapi: detect scheme better when not guessing -- configure: warn about rustls being experimental + When the parser is not allowed to guess scheme, it should consider the + word ending at the first colon to be the scheme, independently of number + of slashes. - Right now a dozen test cases are disabled because they don't work with - rustls. 
+ The parser now checks that the scheme is known before it counts slashes, + to improve the error messge for URLs with unknown schemes and maybe no + slashes. - Closes #9019 + When following redirects, no scheme guessing is allowed and therefore + this change effectively prevents redirects to unknown schemes such as + "data". -- runtests: skip starting the ssh server if user name is lacking + Fixes #9503 - Because the ssh server startup script *requires* a user name there's no - point in invoking it if no name was found. +- strerror: improve two URL API error messages - Reported-by: Ricardo M. Correia - Ref: #9007 - Closes #9013 +Marc Hoersken (14 Sep 2022) +- CI/GHA: merge bearssl and hyper into initial linux workflow -- copyright.pl: parse and use .reuse/dep5 for skips + Begin work on merging all Linux workflows into one file. - Also scan skipped files to be able to find superfluous ignores, shown with -v. + Closes #9501 - Closes #9006 +Daniel Stenberg (14 Sep 2022) +- RELEASE-NOTES: synced -- reuse/dep5: adjusted to parse better +- cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h - ... adjusted a few files to contain copyright and license info. + Since the config file might also get included by the tool code at times. + This syncs with how other builds do it. - Closes #9006 + Closes #9498 -- buildconf.bat: update copyright year range +- tool_hugehelp: make hugehelp a blank macro when disabled - Closes #9006 + Closes #9485 -- README.md: use the common "Copyright" style formatting +- getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled - Closes #9006 + ... to improve the output in this situation. Now it doesn't say "option + unknown" anymore. 
-- reuse: move license info from .mailmap.license to .reuse/dep5 + Closes #9485 - Closes #9006 +- setopt: fix compiler warning -- README.md: add a REUSE badge + Follow-up to cd5ca80f00d2 - Closes #9004 + closes #9502 -- .reuse/dep5: remove recursive docs ignore, only skip markdown files +- [Philip Heiduck brought this change] - ... and some additional non-markdown individual files in docs/ + CI: skip make, do make install at once for dependencies - Closes #9005 + 
Signed-off-by: Philip Heiduck -- docs/cmdline-opts: add copyright and license identifier to each file + Closes #9477 - gen.pl now insists on C: and SPDX-License-Identifier: fields to be - present in all files. +- formdata: typecast the va_arg return value - Closes #9002 + To avoid "enumerated type mixed with another type" warnings -- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md + Follow-up from 0f52dd5fd5aa3592691a - Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that - file broke site functionality. + Closes #9499 - Closes #9001 +- RELEASE-PROCEDURE.md: mention patch releases -- bug_report.md: revert the REUSE template to see if it works again + - When to make them and how to argue for them + - Refreshed the release date list -Viktor Szakats (13 Jun 2022) -- version: rename threadsafe-init to threadsafe + Closes #9495 - Referring to Daniel's article [1], making the init function thread-safe - was the last bit to make libcurl thread-safe as a whole. So the name of - the feature may as well be the more concise 'threadsafe', also telling - the story that libcurl is now fully thread-safe, not just its init - function. Chances are high that libcurl wants to remain so in the - future, so there is little likelihood of ever needing any other distinct - `threadsafe-` feature flags. +- urldata: use a curl_prot_t type for storing protocol bits - For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to - `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's - thread safety documentation. + This internal-use-only storage type can be bumped to a curl_off_t once + we need to use bit 32 as the previous 'unsigned int' can no longer hold + them all then. 
- [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/ + The websocket protocols take bit 30 and 31 so they are the last ones + that fit within 32 bits - but cannot properly be exported through APIs + since those use *signed* 32 bit types (long) in places. - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro - Closes #8989 + Closes #9481 -Daniel Stenberg (13 Jun 2022) -- test3026: disable on win32 +- [zhanghu on xiaomi brought this change] - ... as it's not likely to have working pthreads + formdata: fix warning: 'CURLformoption' is promoted to 'int' - Closes #8996 + curl/lib/formdata.c: In function 'FormAdd': + curl/lib/formdata.c:249:31: warning: 'CURLformoption' is promoted to 'int' when passed through '...' + 249 | option = va_arg(params, CURLformoption); + | ^ + curl/lib/formdata.c:249:31: note: (so you should pass 'int' not 'CURLformoption' to 'va_arg') + curl/lib/formdata.c:249:31: note: if this code is reached, the program will abort -- GHA: shorten the reuse CI job name + Closes #9484 - "REUSE compliance / check" should be good enough +- CURLOPT_CONNECT_ONLY.3: for ws(s) as well - Closes #9000 + and correct the version number for when that support comes. Even if it + is still experimental for WebSocket. -- misc: add missing SPDX-License-Identifier info + Closes #9487 - For some reason the REUSE CI job did not find these. +- tool_operate: avoid a few #ifdefs for disabled-libcurl builds - Closes #8999 + By providing empty macros in the header file instead, the code gets + easier to read and yet is disabled on demand. 
-- copyright: verify SPDX-License-Identifier presence as well + Closes #9486 -- easy_lock: add SPDX license identifier +- [a1346054 on github brought this change] - Closes #8998 + scripts: use `grep -E` instead of `egrep` -- mailmap: Max Mehl + egrep is deprecated -- [Max Mehl brought this change] + Closes #9491 - git: ignore large commit making the curl REUSE compliant +- [Hayden Roche brought this change] -- [Max Mehl brought this change] + wolfSSL: fix session management bug. - copyright: make repository REUSE compliant + Prior to this commit, non-persistent pointers were being used to store + sessions. When a WOLFSSL object was then freed, that freed the session + it owned, and thus invalidated the pointer held in curl's cache. This + commit makes it so we get a persistent (deep copied) session pointer + that we then add to the cache. Accordingly, wolfssl_session_free, which + was previously a no-op, now needs to actually call SSL_SESSION_free. - Add licensing and copyright information for all files in this repository. This - either happens in the file itself as a comment header or in the file - `.reuse/dep5`. + This bug was discovered by a wolfSSL customer. - This commit also adds a Github workflow to check pull requests and adapts - copyright.pl to the changes. + Closes #9492 - Closes #8869 +- docs: use "WebSocket" in singular -- curl_url_set.3: clarify by default using known schemes only + This is how the RFC calls the protocol. Also rename the file in docs/ to + WEBSOCKET.md in uppercase to match how we have done it for many other + protocol docs in similar fashion. - Closes #8994 + Add the WebSocket docs to the tarball. -- scripts/copyright.pl: ignore leading spaces + Closes #9496 -Viktor Szakats (10 Jun 2022) -- ngtcp2: fix typo in preprocessor condition +Marcel Raad (12 Sep 2022) +- ws: fix build without `USE_WEBSOCKETS` - Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 + The curl.h include is required unconditionally. 
- Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 - Reported-by: Emil Engler - Closes #8987 +- ws: add missing curl.h include -Daniel Stenberg (10 Jun 2022) -- RELEASE-NOTES: synced + A conflict between commits 664249d0952 and e5839f4ee70 broke the build. -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (12 Sep 2022) +- ws: fix an infof() call to use %uz for size_t output - ngtcp2: build without sendmsg + Detected by Coverity, CID 1514665. - Closes #8981 + Closes #9480 -- [Tatsuhiro Tsujikawa brought this change] +Marcel Raad (12 Sep 2022) +- curl_setup: include only system.h instead of curl.h - ngtcp2: use handshake helper funcs to simplify TLS handshake integration + As done before commit 9506d01ee50. - Closes #8968 + Ref: https://github.com/curl/curl/pull/9375#discussion_r957010158 + Closes https://github.com/curl/curl/pull/9453 -- test390: verify --parallel +- lib: add missing limits.h includes - Closes #8985 + Closes https://github.com/curl/curl/pull/9453 -- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set +- lib and tests: add missing curl.h includes - Triggered by a bug report from Adam Light: - https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly - a misunderstanding of how CURLINFO_EFFECTIVE_URL works. + Closes https://github.com/curl/curl/pull/9453 - Closes #8971 +- curl_setup: include curl.h after platform setup headers -- url: URL encode the path when extracted, if spaces were set + The platform setup headers might set definitions required for the + includes in curl.h. 
-- urlapi: support CURLU_URLENCODE for curl_url_get() + Ref: https://github.com/curl/curl/pull/9375#discussion_r956998269 + Closes https://github.com/curl/curl/pull/9453 -- server/sws: support spaces in the HTTP request path +Daniel Stenberg (12 Sep 2022) +- [Benjamin Loison brought this change] -- tests/getpart: fix getpartattr to work with "data" and "data2" + docs: correct missing uppercase in Markdown files -- select: return error from "lethal" poll/select errors + To detect these typos I used: - Adds two new error codes: CURLE_UNRECOVERABLE_POLL and - CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. + ``` + clear && grep -rn '\. [a-z]' . | uniq | grep -v '\. lib' | grep -v '[0-9]\. [a-z]' | grep -v '\.\. [a-z]' | grep -v '\. curl' | grep -v 'e.g. [a-z]' | grep -v 'eg. [a-z]' | grep -v '\etc. [a-z]' | grep -v 'i.e\. [a-z]' | grep --color=always '\. [a-z]' | grep '\.md' + ``` - Reported-by: Harry Sintonen - Fixes #8921 - Closes #8961 + Closes #9474 -- test3026: add missing control file +- tool_setopt: use better English in --libcurl source comments - Follow-up from 2ed101256414ea5 + Like this: - Makes the test run, makes 'make dist' work + XYZ was set to an object pointer + ABC was set to a function pointer - This single test takes 24-25 seconds on my machine (with valgrind). For - this reason I tag it with a "slow" keyword. + Closes #9475 - Closes #8976 +- setopt: make protocol2num use a curl_off_t for the protocol bit -- runtests: fix skipping tests not done event-based + ... since WSS does not fit within 32 bit. - ... and call timestampskippedevents() to avoid the flood of - uninitialized variable warnings. 
+ Bug: https://github.com/curl/curl/pull/9467#issuecomment-1243014887 + Closes #9476 - Closes #8977 +- RELEASE-NOTES: synced -- transfer: maintain --path-as-is after redirects +- configure: polish the grep -E message a bit further - Reported-by: Marcus T - Fixes #8974 - Closes #8975 + Suggested-by: Emanuele Torre + Closes #9473 -- test391: verify --path-as-is with redirect +- GHA: add a gcc-11 -O3 build using OpenSSL -Jay Satiro (8 Jun 2022) -- curl_global_init.3: Separate the Windows loader lock warning + Since -O3 might trigger other warnings - This is a slight correction of the parent commit which implied the - loader lock warning only applied if not thread-safe. In fact the loader - lock warning applies either way. + Closes #9454 - Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 +- [Patrick Monnerat brought this change] -Daniel Stenberg (8 Jun 2022) -- curl_global_init.3: this is now (usually) thread-safe + content_encoding: use writer struct subclasses for different encodings - Follow-up to 23af112f5556 + The variable-sized encoding-specific storage of a struct contenc_writer + currently relies on void * alignment that may be insufficient with + regards to the specific storage fields, although having not caused any + problems yet. 
- Closes #8972 + In addition, gcc 11.3 issues a warning on access to fields of partially + allocated structures that can occur when the specific storage size is 0: -Jay Satiro (8 Jun 2022) -- [Haxatron brought this change] + content_encoding.c: In function ‘Curl_build_unencoding_stack’: + content_encoding.c:980:21: warning: array subscript ‘struct contenc_writer[0]’ is partly outside array bounds of ‘unsigned char[16]’ [-Warray-bounds] + 980 | writer->handler = handler; + | ~~~~~~~~~~~~~~~~^~~~~~~~~ + In file included from content_encoding.c:49: + memdebug.h:115:29: note: referencing an object of size 16 allocated by ‘curl_dbg_calloc’ + 115 | #define calloc(nbelem,size) curl_dbg_calloc(nbelem, size, __LINE__, __FILE__) + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + content_encoding.c:977:60: note: in expansion of macro ‘calloc’ + 977 | struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); - libcurl-security.3: Document CRLF header injection + To solve both these problems, the current commit replaces the + contenc_writer/params structure pairs by "subclasses" of struct + contenc_writer. These are structures that contain a contenc_writer at + offset 0. Proper field alignment is therefore handled by the compiler and + full structure allocation is performed, silencing the warnings. - - Document that user input to header options is not sanitized, which - could result in CRLF used to modify the request in a way other than - what was intended. + Closes #9455 - Ref: https://hackerone.com/reports/1589877 - Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 +- configure: correct the wording when checking grep -E - Closes https://github.com/curl/curl/pull/8964 + The check first checks that grep -E works, and only as a fallback tries + to find and use egrep. egrep is deprecated. -- CURLOPT_RANGE.3: remove ranged upload advice + This change only corrects the output wording, not the checks themselves. 
- The e-mail link in the advice contains instructions that are prone to - error. We need an example that works and can demonstrate how to properly - perform a ranged upload, and then we can refer to that example instead. + Closes #9471 - Bug: https://github.com/curl/curl/issues/8969 - Reported-by: Simon Berger +Viktor Szakats (10 Sep 2022) +- websockets: sync prototypes in docs with implementation [ci skip] - Closes https://github.com/curl/curl/pull/8970 + Docs for the new send/recv functions synced with the committed versions + of these. -Daniel Stenberg (7 Jun 2022) -- [Thomas Guillem brought this change] + Closes #9470 - curl_version_info: add CURL_VERSION_THREADSAFE_INIT +Daniel Stenberg (10 Sep 2022) +- setopt: make protocols2num() work with websockets - This flag can be used to make sure that curl_global_init() is - thread-safe. + So that CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR can + specify those as well. - This can be useful for libraries that can't control what other - dependencies are doing with Curl. + Reported-by: Patrick Monnerat + Bug: https://curl.se/mail/lib-2022-09/0016.html + Closes #9467 - Closes #8680 +- curl/websockets.h: remove leftover bad typedef -- [Thomas Guillem brought this change] + Just a leftover trace of a development thing that did not stay like + that. - lib: make curl_global_init() threadsafe when possible + Reported-by: Marc Hörsken + Fixes #9465 + Cloes #9466 - Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and - curl_global_cleanup(). +Marcel Raad (10 Sep 2022) +- [Orgad Shaneh brought this change] - Closes #8680 + fix Cygwin/MSYS compilation -- RELEASE-NOTES: synced + _getpid is Windows API. On Cygwin variants it should remain getpid. -- [Fabian Keil brought this change] + Fixes #8220 + Closes #9255 - test414: add the '--resolve' keyword +Marc Hoersken (10 Sep 2022) +- GHA: prepare workflow merge by aligning structure again - ... 
so the test can be automatically skipped when - using an external proxy like Privoxy. + Closes #9413 - Closes #8959 +Daniel Stenberg (9 Sep 2022) +- docs: the websockets symbols are added in 7.86.0 -- [Fabian Keil brought this change] + Nothing else - test{440,441,493,977}: add "HTTP proxy" keywords + Closes #9459 - ... so the tests can be automatically skipped when - using an external proxy like Privoxy. +- tests/libtest/Makefile.inc: fixup merge conflict mistake - Closes #8959 +- EXPERIMENTAL.md: add WebSockets -- [Fabian Keil brought this change] +- appveyor: enable websockets - runtests.pl: add the --repeat parameter to the --help output +- cirrus: enable websockets in the windows builds - Closes #8959 +- GHA: add websockets to macos, openssl3 and hyper builds -- [Fabian Keil brought this change] +- tests: add websockets tests - test 2081: add a valid reply for the second request + - add websockets support to sws + - 2300: first very basic websockets test + - 2301: first libcurl test for ws (not working yet) + - 2302: use the ws callback + - 2303: test refused upgrade - ... so the test works when using a HTTP proxy like - Privoxy that sends an error message if the server - doesn't send data. - - Closes #8959 +- curl_ws_meta: initial implementation -- [Fabian Keil brought this change] +- curl_ws_meta.3: added docs - test 675: add missing CR so the test passes when run through Privoxy +- ws: initial websockets support - Closes #8959 + Closes #8995 -- ftp: when failing to do a secure GSSAPI login, fail hard +- version: add ws + wss - ... instead of switching to cleartext. For the sake of security. +- libtest/lib1560: test basic websocket URL parsing - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1590102 - Closes #8963 +- configure: add --enable-websockets -- http2: reject overly many push-promise headers +- docs/WebSockets.md: docs - Getting more than a thousand of them is rather a sign of some kind of - attack. 
+- test415: verify Content-Length parser with control code + negative value - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1589847 - Closes #8962 +- strtoofft: after space, there cannot be a control code -- [Fabian Keil brought this change] + With the change from ISSPACE() to ISBLANK() this function no longer + deals with (ignores) control codes the same way, which could lead to + this function returning unexpected values like in the case of + "Content-Length: \r-12354". - misc: spelling improvements + Follow-up to 6f9fb7ec2d7cb389a0da5 - Closes #8956 + Detected by OSS-fuzz + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51140 + Assisted-by: Max Dymond + Closes #9458 -- [Tatsuhiro Tsujikawa brought this change] +- headers: reset the requests counter at transfer start - ngtcp2: fix assertion failure on EMSGSIZE + If not, reusing an easy handle to do a subsequent transfer would + continue the counter from the previous invoke, which then would make use + of the header API difficult/impossible as the request counter + mismatched. - Closes #8958 + Add libtest 1947 to verify. -- easy/transfer: fix cookie-disabled build + Reported-by: Andrew Lambert + Fixes #9424 + Closes #9447 - Follow-up from 45de940cebf6a - Reported-by: Marcel Raad - Fixes #8953 - Closes #8954 +Jay Satiro (8 Sep 2022) +- header: define public API functions as extern c -- examples/crawler.c: use the curl license + Prior to this change linker errors would occur if curl_easy_header or + curl_easy_nextheader was called from a C++ unit. 
- With permission from Jeroen Ooms + Bug: https://github.com/curl/curl/issues/9424#issuecomment-1238818007 + Reported-by: Andrew Lambert - URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 - Closes #8950 + Closes https://github.com/curl/curl/pull/9446 -- speed-limit/time.d: mention these affect transfers in either direction +Daniel Stenberg (8 Sep 2022) +- http2: make nghttp2 less picky about field whitespace - Reported-by: Ladar Levison - Fixes #8948 - Closes #8951 + In nghttp2 1.49.0 it returns error on leading and trailing whitespace in + header fields according to language in the recently shipped RFC 9113. -- scripts/copyright.pl: fix the exclusion to not ignore man pages + nghttp2 1.50.0 introduces an option to switch off this strict check and + this change enables this option by default which should make curl behave + more similar to how it did with nghttp2 1.48.0 and earlier. - Ref: #8869 - Closes #8952 + We might want to consider making this an option in the future. -- examples: remove fopen.c and rtsp.c + Closes #9448 - To simplify the license situation, as they were the only files in the - source tree using these specific BSD-3 clause licenses. +- RELEASE-NOTES: synced - For an fopen style API, we recommend instead going - https://github.com/curl/fcurl + And bump to 7.86.0 for the pending next release - Ref: #8869 - Closes #8949 +- [Michael Heimpold brought this change] -- [Wolf Vollprecht brought this change] + ftp: ignore a 550 response to MDTM - netrc: check %USERPROFILE% as well on Windows + The 550 is overused as a return code for multiple error case, e.g. + file not found and/or insufficient permissions to access the file. - Closes #8855 + So we cannot fail hard in this case. -- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish + Adjust test 511 since we now fail later. + Add new test 3027 which check that when MDTM failed, but the file could + actually be retrieved, that in this case no filetime is provided. 
-- [michael musset brought this change] + Reported-by: Michael Heimpold + Fixes #9357 + Closes #9387 - libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION +- urlapi: leaner with fewer allocs - The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check - wether or not the connection should continue. + Slightly faster with more robust code. Uses fewer and smaller mallocs. - The host key is passed in argument with a custom handle for the - application. + - remove two fields from the URL handle struct + - reduce copies and allocs + - use dynbuf buffers more instead of custom malloc + copies + - uses dynbuf to build the host name in reduces serial alloc+free within + the same function. + - move dedotdotify into urlapi.c and make it static, not strdup the input + and optimize it by checking for . and / before using strncmp + - remove a few strlen() calls + - add Curl_dyn_setlen() that can "trim" an existing dynbuf - It overrides CURLOPT_SSH_KNOWNHOSTS + Closes #9408 - Closes #7959 +Jay Satiro (7 Sep 2022) +- setup-win32: no longer define UNICODE/_UNICODE implicitly -- docs/CONTRIBUTE.md: document the 'needs-votes' concept + - If UNICODE or _UNICODE is defined but the other isn't then error + instead of implicitly defining it. - A pull request sent to the project might get labeled `needs-votes` by a - project maintainer. This label means that in addition to meeting all - other checks and qualifications this pull request must also receive - proven support/thumbs-ups from more community members to be considered - for merging. + As Marcel pointed out it is too late at this point to make such a define + because Windows headers may already be included, so likely it never + worked. We never noticed because build systems that can make Windows + Unicode builds always define both. If one is defined but not the other + then something went wrong during the build configuration. 
- Closes #8910 + Bug: https://github.com/curl/curl/pull/9375#discussion_r956545272 + Reported-by: Marcel Raad -- [Evgeny Grin (Karlson2k) brought this change] + Closes https://github.com/curl/curl/pull/9384 - digest: tolerate missing "realm" +Dan Fandrich (6 Sep 2022) +- tests: fix tag syntax errors in test files - Server headers may not define "realm", avoid NULL pointer dereference - in such cases. +Marc Hoersken (6 Sep 2022) +- lib: add required Win32 setup definitions in setup-win32.h - Closes #8912 + Assisted-by: Jay Satiro + Reviewed-by: Marcel Raad -- [Evgeny Grin (Karlson2k) brought this change] + Follow up to #9312 + Closes #9375 - digest: added detection of more syntax error in server headers +Daniel Stenberg (6 Sep 2022) +- pingpong: extend the response reading error with errno - Invalid headers should not be processed otherwise they may create - a security risk. + To help diagnosing the cause of the problem. - Closes #8912 + See #9380 + Closes #9443 -- [Evgeny Grin (Karlson2k) brought this change] +- curl-compilers.m4: use -O2 as default optimize for clang - digest: unquote realm and nonce before processing + Not -Os - RFC 7616 (and 2617) requires values to be "unquoted" before used for - digest calculations. The only place where unquoting can be done - correctly is header parsing function (realm="DOMAIN\\host" and - realm=DOMAN\\host are different realms). + Closes #9444 - This commit adds unquoting (de-escaping) of all values during header - parsing and quoting of the values during header forming. This approach - should be most straightforward and easy to read/maintain as all values - are processed in the same way as required by RFC. +- tool_operate: fix msnprintfing the error message - Closes #8912 + Follow-up to 7be53774c41c59b47075fba -- headers: handle unfold of space-cleansed headers + Coverity CID 1513717 pointed out that we cannot use sizeof() on the + error buffer anymore. 
- Detected by OSS-fuzz + Closes #9440 - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 +- [Emanuele Torre brought this change] - Updated test 1274 + curl_ctype: add space around <= operator in ISSPACE macro - Closes #8947 + Follow-up to f65f750 -- lib: make more protocol specific struct fields #ifdefed + Closes #9441 - ... so that they don't take up space if the protocols are disabled in - the build. +- CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies - Closes #8944 + The 'protocols' listed were previously wrong. -- DISABLED: disable 1021 for hyper again + Reported-by: ProceduralMan on github + Fixes #9434 + Closes #9435 - due to flakiness in the CI builds +- curl_ctype: convert to macros-only -- urldata: store tcp_keepidle and tcp_keepintvl as ints + This no longer provide functions, only macros. Runs faster and produces + smaller output. - They can't be set larger than INT_MAX in the setsocket API calls. + The biggest precaution this change brings: - Also document the max values in their respective man pages. + DO NOT use post/pre-increments when passing arguments to the macros. - Closes #8940 + Closes #9429 -- urldata: reduce size of a few struct fields +- misc: ISSPACE() => ISBLANK() - When the values are never larger than 32 bit, ints are better than longs. + Instances of ISSPACE() use that should rather use ISBLANK(). I think + somewhat carelessly used because it sounds as if it checks for space or + whitespace, but also includes %0a to %0d. - Closes #8940 + For parsing purposes, we should only accept what we must and not be + overly liberal. It leads to surprises and surprises lead to bad things. -- urldata: remove three unused booleans from struct UserDefined + Closes #9432 - - is_fwrite_set - - free_referer - - strip_path_slash +- ctype: remove all use of , use our own versions - Closes #8940 + Except in the test servers. 
-- remote-name.d: mention --output-dir + Closes #9433 - plus add two see-alsos +Marc Hoersken (5 Sep 2022) +- cmake: skip superfluous hex2dec conversion using math expr - Closes #8945 + CMake seems to be able to compare two hex values just fine. + Also make sure CURL_TARGET_WINDOWS_VERSION is respected. -Jay Satiro (1 Jun 2022) -- configure: skip libidn2 detection when winidn is used + Assisted-by: Marcel Raad + Reviewed-by: Viktor Szakats + Reported-by: Keitagit-kun on github - Prior to this change --with-winidn could be overridden by libidn2 - detection. + Follow up to #9312 + Fixes #9406 + Closes #9411 - Closes https://github.com/curl/curl/pull/8934 +Daniel Stenberg (5 Sep 2022) +- curl_easy_pause.3: unpausing is as fast as possible -Daniel Stenberg (31 May 2022) -- CURLOPT_FILETIME.3: fix the protocols this works with + Reported-by: ssdbest on github + Fixes #9410 + Closes #9430 -- test681: verify --no-remote-name +- CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols - Follow-up to 83ee5c428d960 (from #8931) + Except file. - Closes #8942 + Reported-by: ProceduralMan on github + Fixes #9427 + Closes #9428 -- [Tatsuhiro Tsujikawa brought this change] +- NPN: remove support for and use of - ngtcp2: enable Linux GSO + Next Protocol Negotiation is a TLS extension that was created and used + for agreeing to use the SPDY protocol (the precursor to HTTP/2) for + HTTPS. In the early days of HTTP/2, before the spec was finalized and + shipped, the protocol could be enabled using this extension with some + servers. - Enable Linux GSO in ngtcp2 QUIC. In order to recover from the - EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, - packet buffer is now held by struct quicsocket. GSO write might fail in - runtime depending on NIC. Disable GSO if sendmsg returns EIO. + curl supports the NPN extension with some TLS backends since then, with + a command line option `--npn` and in libcurl with + `CURLOPT_SSL_ENABLE_NPN`. 
- Closes #8909 + HTTP/2 proper is made to use the ALPN (Application-Layer Protocol + Negotiation) extension and the NPN extension has no purposes + anymore. The HTTP/2 spec was published in May 2015. -- CURLOPT_PORT.3: We discourage using this option + Today, use of NPN in the wild should be extremely rare and most likely + totally extinct. Chrome removed NPN support in Chrome 51, shipped in + June 2016. Removed in Firefox 53, April 2017. - Closes #8941 + Closes #9307 - RELEASE-NOTES: synced -- headers_push: error out if a folded header has no previous header + and bump the tentative next release version to 7.85.1 - As that would indicate an illegal header. The fuzzer reached the assert - in unfold_value() proving that this case can happen. +- [Samuel Henrique brought this change] - Follow-up to c9b60f005358a364 + configure: fail if '--without-ssl' + explicit parameter for an ssl lib - Closes #8939 + A side effect of a previous change to configure (576e507c78bdd2ec88) + exposed a non-critical issue that can happen if configure is called with + both '--without-ssl' and some parameter setting the use of a ssl library + (e.g. --with-gnutls). The configure script would end up assuming this is + a MultiSSL build, due to the way the case statement is written. -- [Boris Verkhovskiy brought this change] + I have changed the order of the variables in the string concatenation + for the case statement and also tweaked the options so that + --without-ssl never turns the build into a MultiSSL one and also clearly + stating that there are conflicting parameters if the user sets it like + described above. - curl: re-enable --no-remote-name + Closes #9414 - Closes #8931 +- tests/certs/scripts: insert standard curl source headers -- test680: require 'http' since it uses such a URL + ... including the SPDX-License-Identifier. 
- Follow-up to d1b376c03524 + These omissions were not detected by the RUEUSE CI job nor the copyright.pl + scanners because we have a general wildcard in .reuse/dep5 for + "tests/certs/*". -- CURLOPT_NETRC.3: document the .netrc file format + Reported-by: Samuel Henrique + Fixes #9417 + Closes #9420 -- test680: verify rejection of malformatted .netrc quoted password +- [Samuel Henrique brought this change] -- test679: verify netrc quoted string + docs: remove mentions of deprecated '--without-openssl' config parameter -- netrc: support quoted strings + Closes #9415 - The .netrc parser now accepts strings within double-quotes in order to - deal with for example passwords containing white space - which - previously was not possible. +- [Samuel Henrique brought this change] - A password that starts with a double-quote also ends with one, and - double-quotes themselves are escaped with backslashes, like \". It also - supports \n, \r and \t for newline, carriage return and tabs - respectively. + manpages: Fix spelling of "allows to" -> "allows one to" - If the password does not start with a double quote, it will end at first - white space and no escaping is performed. + References: + https://salsa.debian.org/lintian/lintian/-/blob/master/tags/t/typo-in-manual-page.tag + https://english.stackexchange.com/questions/60271/grammatical-complements-for-allow/60285#60285 - WARNING: this change is not entirely backwards compatible. If anyone - previously used a double-quote as the first letter of their password, - the parser will now get it differently compared to before. This is - highly unfortunate but hard to avoid. 
+ Closes #9419 - Reported-by: ImpatientHippo on GitHub - Fixes #8908 - Closes #8937 +- [Samuel Henrique brought this change] -- curl_getdate.3: document that some illegal dates pass through + CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes - Closes #8938 + Lintian (on Debian) has been complaining about this for a while but + I didn't bother initially as the groff parser that we use is not + affected by this. -- CI: remove configure --enable-headers-api flags + But I have now noticed that the online manpage is affected by it: + https://curl.se/libcurl/c/CURLOPT_WILDCARDMATCH.html -- headers api: remove EXPERIMENTAL tag + (I'm using double quotes for quoting-only down below) - Closes #8900 + The section that should be parsed as "'\'" ends up being parsed as + "'´". -Daniel Gustafsson (30 May 2022) -- cookies: fix documentation comment + This is due to roffit not parsing "'\\'" correctly, which is fine + as the "correct" way of writing "'\'" is "'\e'" instead. - Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but - missed updating the documentation comment at the head of the file. + Note that this fix is not enough to fix the online manpage at + curl's website, as roffit seems to parse it wrongly either way. -Daniel Stenberg (30 May 2022) -- [Marc Hoersken brought this change] + My intent is to at least fix the manpage so that roffit can + be changed to parse "'\e'" correctly (although I suggest making + roffit parse both ways correctly, since that's what groff does). - tests/data/test1940: use binary mode for expected stdout + More details at: + https://bugs.debian.org/966803 + https://salsa.debian.org/lintian/lintian/-/blob/930b18e4b28b7540253f458ef42a884cca7965c3/tags/a/acute-accent-in-manual-page.tag - The generated stdout data is written in binary mode with [LF] - line endings, therefore we also need to do a binary comparison. 
+ Closes #9418 - Assisted-by: Jay Satiro - Assisted-by: Daniel Stenberg +- tool_operate: reduce errorbuffer allocs - Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 - Fixes #8920 - Closes #8936 + - parallel transfers: only alloc and keep errorbuffers in memory for + actual "live" transfers and not for the ones in the pending queue -- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation + - serial transfers: reuse the same fixed buffer for all transfers, not + allocated at all. - Spell out the multi-TLS situation. + Closes #9394 - Reported-by: Dan Fandrich - Fixes #8926 - Closes #8932 +Viktor Szakats (31 Aug 2022) +- misc: spelling fixes -Jay Satiro (28 May 2022) -- [JustAnotherArchivist brought this change] + Found using codespell 2.2.1. - tool_getparam: fix --parallel-max maximum value constraint + Also delete the redundant protocol designator from an archive.org URL. - - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to - default value. + Reviewed-by: Daniel Stenberg + Closes #9403 - Previously, --parallel-max 300 would use 300 concurrent transfers, but - --parallel-max 301 would unexpectedly use only 50. This change clamps - higher values to the maximum (ie --parallel-max 301 would use 300). +Daniel Stenberg (31 Aug 2022) +- tool_progress: remove 'Qd' from the parallel progress bar - Closes https://github.com/curl/curl/pull/8930 + The "queued" value is no longer showing anything useful to the user. It + is an internal number of transfers waiting at that moment. -Daniel Stenberg (27 May 2022) -- curl.1: add a few see also --tls-max + Closes #9389 - Closes #8929 +- tool_operate: prevent over-queuing in parallel mode -Viktor Szakats (26 May 2022) -- cmake: do not add libcurl.rc to the static libcurl library + When doing a huge amount of parallel transfers, we must not add them to + the per_transfer list frivolously since they all use memory after all. 
+ This was previous done without really considering millions or billions + of transfers. Massive parallelism would use a lot of memory for no good + purpose. - Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 + The queue is now limited to twice the paralleism number. - Reviewed-By: Karlson2k@users.noreply.github.com - Closes #8923 + This makes the 'Qd' value in the parallel progress meter mostly useless + for users, but works for now for us as a debug display. -- cmake: support adding a suffix to the OS value + Reported-by: justchen1369 on github + Fixes #8933 + Closes #9389 - CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS - string appearing in the --version output after the curl version number, - for example: +Viktor Szakats (31 Aug 2022) +- cmake: fix original MinGW builds - 'curl 7.83.1 (Windows)' + 1. Re-enable `HAVE_GETADDRINFO` detection on Windows - This patchs adds the ability to pass a suffix that is appended to this - value. It's useful to add CPU info or other platform details, - for example: + Commit d08ee3c83d6bd416aef62ff844c98e47c4682429 (in 2013) added logic + that automatically assumed `getaddrinfo()` to be present for builds + with IPv6 enabled. As it turns out, certain toolchains (e.g. original + MinGW) by default target older Windows versions, and thus do not + support `getaddrinfo()` out of the box. The issue was masked for + a while by CMake builds forcing a newer Windows version, but that + logic got deleted in commit 8ba22ffb2030ed91312fc8634e29516cdf0a9761. + Since then, some CI builds started failing due to IPv6 enabled, + `HAVE_GETADDRINFO` set, but `getaddrinfo()` in fact missing. - 'curl 7.83.1 (Windows-x64)' + It also turns out that IPv6 works without `getaddrinfo()` since commit + 67a08dca27a6a07b36c7f97252e284ca957ff1a5 (from 2019, via #4662). 
So, + to resolve all this, we can now revert the initial commit, thus + restoring `getaddrinfo()` detection and support IPv6 regardless of its + outcome. - Closes #8919 + Reported-by: Daniel Stenberg -- cmake: enable curl.rc for all Windows targets + 2. Omit `bcrypt` with original MinGW - Before this patch, it was only enabled for MSVC. This syncs this - configuration with libcurl.rc, which was already included with - every Windows compiler. + Original (aka legacy/old) MinGW versions do not support `bcrypt` + (introduced with Vista). We already have logic to handle that in + `lib/rand.c` and autotools builds, where we do not call the + unsupported API and do not link `bcrypt`, respectively, when using + original MinGW. - Closes #8918 + This patch ports that logic to CMake, fixing the link error: + `c:/mingw/bin/../lib/gcc/mingw32/9.2.0/../../../../mingw32/bin/ld.exe: cannot find -lbcrypt` -- cmake: fix detecting libidn2 + Ref: https://ci.appveyor.com/project/curlorg/curl/builds/44624888/job/40vle84cn4vle7s0#L508 + Regression since 76172511e7adcf720f4c77bd91f49278300ec97e - Without this patch, libidn2 detection doesn't even seem to be - attempted. With this patch, cmake can be configured to pick it - up and enable it. Necessary configuration remains manual and - differs from most other dependencies. + Fixes #9214 + Fixes #9393 + Fixes #9395 + Closes #9396 - If you are aware of a better fix, we're glad hearing about it - in a new Issue. +Version 7.85.0 (31 Aug 2022) - Closes #8917 +Daniel Stenberg (31 Aug 2022) +- RELEASE-NOTES: synced -- version: allow stricmp() for sorting the feature list + curl 7.85.0 release - In CMakeLists.txt there is an attempt to detect `stricmp()`, and in - certain cases, this attempt is the only successful one to detect a - case-insensitive comparison function. `HAVE_STRICMP` is defined as - a result, but this macro wasn't used anywhere in the source. 
This - patch makes use of it as an alternative when alpha-sorting the - `--version` feature list. +- THANKS: add contributors from the 7.85.0 release - Reviewed-by: Daniel Stenberg - Closes #8916 +- getparam: correctly clean args -Daniel Stenberg (25 May 2022) -- DISABLED: add six tests that fail with hyper + Follow-up to bf7e887b2442783ab52 - 1117 1274 1940 1941 1942 1943 + The previous fix for #9128 was incomplete and caused #9397. -- c-hyper: mark status line as status for Curl_client_write() + Fixes #9397 + Closes #9399 - To make sure the headers API can filter it out as not a regular header. +- zuul: remove the clang-tidy job - Reported-by: Gisle Vanem - Fixes #8894 - Closes #8914 + Turns out we don't see the warnings, but the warnings right now are + plain ridiculous and unhelpful so we can just as well just kill this + job. -Marc Hoersken (25 May 2022) -- tests/data/test1501: kill ftp server after slow LIST response + Closes #9390 - This test is contributing to flakiness on the Windows CI runs. - Killing the ftp server after the test run like other slowness - tests already do may help resolve or reduce the flakiness. +- cmake: set feature PSL if present - Closes #8907 + ... make test 1014 pass when libpsl is used. -Daniel Stenberg (25 May 2022) -- headers: fix the unfold realloc to use proper new size + Closes #9391 - Previously it didn't take the old name length into acount +- lib530: simplify realloc failure exit path - Follow-up to: c9b60f005358a364 - Closes #8913 + To make code analyzers happier -Marc Hoersken (25 May 2022) -- GHA: align all install, configure and build steps again + Closes #9392 - First step towards more unified build steps on GitHub Actions. +- [Orgad Shaneh brought this change] - Closes #8873 + tests: add tests for netrc login/password combinations -- CI/azure: remove obsolete strategy for single builds + Covers the following PRs: - This shortens these CI job names on GitHub even more. 
- Follow up to #8906 which also increased their timeout. + - #9066 + - #9247 + - #9248 - Closes #8911 + Closes #9256 -- CI/azure: shorten names of Windows CI jobs +- [Orgad Shaneh brought this change] - Suggested-by: Daniel Stenberg - Closes #8906 + url: really use the user provided in the url when netrc entry exists -Daniel Stenberg (24 May 2022) -- http: restore header folding behavior + If the user is specified as part of the URL, and the same user exists + in .netrc, Authorization header was not sent at all. - Folded header lines will now get passed through like before. The headers - API is adapted and will provide the content unfolded. + The user and password fields were assigned in conn->user and password + but the user was not assigned to data->state.aptr, which is the field + that is used in output_auth_headers and friends. - Added test 1274 and extended test 1940 to verify. + Fix by assigning the user also to aptr. - Reported-by: Petr Pisar - Fixes #8844 - Closes #8899 + Amends commit d1237ac906ae7e3cd7a22c3a2d3a135a97edfbf5. -Viktor Szakats (24 May 2022) -- Makefile.m32: delete obsolete options, improve -On [ci skip] + Fixes #9243 - - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now. - - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and - I used this with VxWorks in another project, but otherwise this isn't - necessary anymore as a default. If a target still needs it, it can be - added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` - - bump up default optimization level to `-O3` (from `-O2`), and also rearrange - option order so the default can now be overridden via - `CURL_CFLAG_EXTRAS`. - - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` - (strip debug info). They were working against each other. 
Now, if someone - needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` +- [Orgad Shaneh brought this change] - Closes #8904 + netrc: Use the password from lines without login -Daniel Gustafsson (24 May 2022) -- ntlm: fix one more hostname test fallout + If netrc entry has password with empty login, use it for any username. - This fixup was missed in commit 5a41abef6dca19. + Example: + .netrc: + machine example.com password 123456 - Closes: #8901 - Reviewed-by: Daniel Stenberg + curl -vn http://user@example.com/ -- doh: remove UNITTEST macro definition + Fix it by initializing state_our_login to TRUE, and reset it only when + finding an entry with the same host and different login. - The UNITTEST macro is defined by curl_setup.h so there is no use in - carry a local copy of the logic. + Closes #9248 - Closes: #8902 - Reviewed-by: Daniel Stenberg +- [Jay Satiro brought this change] -Daniel Stenberg (24 May 2022) -- cookie: fix false positive "potentially uninitialized local variable" + url: treat missing usernames in netrc as empty - Reviewed-by: Daniel Gustafsson - Closes #8903 + - If, after parsing netrc, there is a password with no username then + set a blank username. -- curl: add --rate to set max request rate per time unit + This used to be the case prior to 7d600ad (precedes 7.82). Note + parseurlandfillconn already does the same thing for URLs. - --rate "12/m" - for 12 per minute or - --rate "5/h" - for 5 per hour + Reported-by: Raivis + Testing-by: Domen Kožar - Removed from TODO + Fixes https://github.com/curl/curl/issues/8653 + Closes #9334 + Closes #9066 - Closes #8671 +- test8: verify that "ctrl-byte cookies" are ignored -- [Jay Satiro brought this change] +- cookie: reject cookies with "control bytes" - max-time.d: clarify max-time sets max transfer time + Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - Prior to this change the doc said --max-time set the maximum time of the - 'whole operation' which is not accurate. 
The option maps to - CURLOPT_TIMEOUT_MS which sets maximum transfer time. + Reported-by: Axel Chong - For example, the maximum time on a transfer is reset if the transfer is - retried (--retry). + Bug: https://curl.se/docs/CVE-2022-35252.html - Reported-by: Nuru@users.noreply.github.com + CVE-2022-35252 - Fixes https://github.com/curl/curl/issues/8877 - Closes #8879 + Closes #9381 -- GHA/hyper: enable debug in the build +- libssh: ignore deprecation warnings -- hyper: use 'alt-used' + libssh 0.10.0 marks all SCP functions as "deprecated" which causes + compiler warnings and errors in our CI jobs and elsewhere. Ignore + deprecation warnings if 0.10.0 or later is found in the build. - Makes test 412+413 work + If they actually remove the functions at a later point, then someone can + deal with that pain and functionality break then. - Closes #8898 + Fixes #9382 + Closes #9383 -- RELEASE-NOTES: synced +- Revert "schannel: when importing PFX, disable key persistence" -- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl + This reverts commit 70d010d285315e5f1cad6bdb4953e167b069b692. - Closes #8888 + Due to further reports in #9300 that indicate this commit might + introduce problems. -- links: update dead links +- multi: use larger dns hash table for multi interface - The wiki pages are gone, remove and link to more long-living docs. + Have curl_multi_init() use a much larger DNS hash table than used for + the easy interface to scale and perform better when used with _many_ + host names. - Closes #8897 + curl_share_init() sets an in-between size. 
-- ntlm: (void) typecast msnprintf() where we ignore return code + Inspired-by: Ivan Tsybulin + See #9340 + Closes #9376 - Follow-up to 5a41abef6, to please Coverity +Marc Hoersken (28 Aug 2022) +- CI/runtests.pl: add param for dedicated curl to talk to APIs -Daniel Gustafsson (22 May 2022) -- ntlm: copy NTLM_HOSTNAME to host buffer + This should make it possible to also report test failures + if our freshly build curl binary is not fully functional. - Commit 709ae2454f43 added a fake hostname to avoid leaking the local - hostname, but omitted copying it to the host buffer. Fix by copying - and adjust the test fallout. + Reviewed-by: Daniel Stenberg + Closes #9360 - Closes: #8895 - Fixes: #8893 - Reported-by: Patrick Monnerat - Reviewed-by: Daniel Stenberg +Daniel Stenberg (27 Aug 2022) +- [Jacob Tolar brought this change] -- configure: use the SED value to invoke sed + openssl: add cert path in error message - Rather than assuming sed in PATH, use the resolved $SED variable - like in all other invocations of sed in configure. + Closes #9349 - Closes: #8891 - Reviewed-by: Daniel Stenberg - Reviewed-by: Marcel Raad +- [Jacob Tolar brought this change] -Daniel Stenberg (20 May 2022) -- [Tatsuhiro Tsujikawa brought this change] + cert.d: clarify that escape character works for file paths - ngtcp2: Allow curl to send larger UDP datagrams + Closes #9349 - Allow curl to send larger UDP datagram if Path MTU Discovery finds the - availability of larger path MTU. To make it work and not to send - fragmented packet, we need to set DF bit. That makes send(2) fail with - EMSGSIZE if UDP datagram is too large. In that case, just let it be - lost. This patch enables DF bit for Linux only. 
+- gha: move over ngtcp2-gnutls CI job from zuul - Closes #8883 + Closes #9331 -- libcurl-security.3: add "Secrets in memory" +Marc Hoersken (26 Aug 2022) +- cmake: add detection of threadsafe feature - Closes #8881 + Avoids failing test 1014 by replicating configure checks + for HAVE_ATOMIC and _WIN32_WINNT with custom CMake tests. -- tests: update NTLM tests to use new host name + Reviewed-by: Marcel Raad - Also drop the debug requirement, remove the setenv sections, remove - prechecks and add NTLM to the top keywords. + Follow up to #8680 + Closes #9312 - Closes #8889 +Daniel Stenberg (26 Aug 2022) +- RELEASE-NOTES: synced -- ntlm: provide a fixed fake host name +Marc Hoersken (26 Aug 2022) +- CI/azure: align torture shallowness with GHA - The NTLM protocol includes providing the local host name, but apparently - other implementations already provide a fixed fake name instead to avoid - leaking the real local name. + There 25 is used with FTP tests skipped, and 20 for FTP tests. + This should make torture tests stay within the 60min timeout. - The exact name used is 'WORKSTATION', because Firefox uses that. + Reviewed-by: Daniel Stenberg + Closes #9371 - The change is written to allow someone to "back-pedal" fairly easy in - case of need. +- multi_wait: fix and improve Curl_poll error handling on Windows - Reported-by: Carlo Alberto - Fixes #8859 - Closes #8889 + First check for errors and return CURLM_UNRECOVERABLE_POLL + before moving forward and waiting on socket readiness events. -Daniel Gustafsson (20 May 2022) -- KNOWN_BUGS: fix typo in problem description + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad - s/TSL/TLS/ + Reported-by: Daniel Stenberg + Ref: #9361 -- FEATURES: remove yassl as TLS library for NTLM + Follow up to #8961 + Closes #9372 - yassl was added in commit 9d904ee41b880b but is no longer available - and is thus not a library to use for NTLM. This aligns the FEATURES - doc with the FAQ. 
+- multi_wait: fix skipping to populate revents for extra_fds - Closes: #8886 - Reviewed-by: Daniel Stenberg + On Windows revents was not populated for extra_fds if + multi_wait had to wait due to the Curl_poll pre-check + not signalling any readiness. This commit fixes that. -- FEATURES: reorder footnotes + Reviewed-by: Marcel Raad + Reviewed-by: Jay Satiro - The empty left-behind footnote confused the website rendering into - creating a nested emoty list, making the resulting page look quite - odd. Remove and re-order the remaining ones to avoid a gap in the - sequence. + Closes #9361 - Closes: #8886 - Reviewed-by: Daniel Stenberg +- CI/appveyor: disable TLS in msys2-native autotools builds -- FAQ: remove opinionated sentence on NTLM + Schannel cannot be used from msys2-native Linux-emulated builds. - curl is a tool that support many different things, and it doesn't - really seem like our job to tell other what to use (as they might - not have much say in the matter even). Also tidy up wording. + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg - Closes: #8886 - Reviewed-by: Daniel Stenberg + Follow up to #9367 + Closes #9370 -Viktor Szakats (20 May 2022) -- log2changes: do not indent empty lines [ci skip] +Jay Satiro (25 Aug 2022) +- tests: fix http2 tests to use CRLF headers - This will omit two spaces of indentation from lines with no content, - thus avoiding 'spaces @ EOL'. + Prior to this change some tests that rely on nghttpx proxy did not use + CRLF headers everywhere. A recent change in nghttp2, which updated its + version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to + use CRLF headers. 
- Reviewed-by: Daniel Stenberg - Closes #8887 + Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 -Daniel Stenberg (19 May 2022) -- wolfssl: correct the failf() message when a handle can't be made + Fixes https://github.com/curl/curl/issues/9364 + Closes https://github.com/curl/curl/pull/9365 - Closes #8885 +Daniel Stenberg (25 Aug 2022) +- [rcombs brought this change] -Viktor Szakats (19 May 2022) -- Makefile.m32: delete two obsolete OpenSSL options [ci skip] + multi: use a pipe instead of a socketpair on apple platforms - - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL 3.5.x, yet it collides with the latter, which defines - it unconditionally, resulting in this warning: - ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined] - It was originally added to curl in 2004. + Sockets may be shut down by the kernel when the app is moved to the + background, but pipes are not. - - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or - LibreSSL back to at least 2.5.5. Originally added in the same - commit as the above, in 2004. + Removed from KNOWN_BUGS - Closes #8884 + Fixes #6132 + Closes #9368 -Daniel Stenberg (19 May 2022) -- RELEASE-NOTES: synced +- [Somnath Kundu brought this change] - bump to 7.84.0 + libssh2: provide symlink name in SFTP dir listing -- [Christian Weisgerber via curl-library brought this change] + When reading the symbolic link name for a file, we need to add the file + name to base path name. - Makefile.am: fix portability issues + Closes #9369 - Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that - there is a portability issue in curl's top-level Makefile.am. +- configure: if asked to use TLS, fail if no TLS lib was detected - $< can only be used in rules that deal with .SUFFIXES. Its use - for general prerequisites is a GNU make extension. 
+ Previously the configure script would just warn about this fact and + continue with TLS disabled build which is not always helpful. TLS should + be explicitly disabled if that is what the user wants. - $< could be replaced by $?, but I think in an autotools context, - something like this is better: + Closes #9367 - Bug: https://curl.se/mail/lib-2022-05/0024.html - Closes #8861 +- [Dustin Howett brought this change] -- [Balakrishnan Balasubramanian brought this change] + schannel: when importing PFX, disable key persistence - socks: support unix sockets for socks proxy + By default, the PFXImportCertStore API persists the key in the user's + key store (as though the certificate was being imported for permanent, + ongoing use.) - Usage: - curl -x "socks5h://localhost/run/tor/socks" "https://example.com" + The documentation specifies that keys that are not to be persisted + should be imported with the flag `PKCS12_NO_PERSIST_KEY`. + NOTE: this flag is only supported on versions of Windows newer than XP + and Server 2003. - Updated runtests.pl to run a socksd server listening on unix socket + Fixes #9300 + Closes #9363 - Added tests test1467 test1468 +- unit1303: four tests should have TRUE for 'connecting' - Added documentation for proxy command line option and socks proxy - options + To match the comments. - Closes #8668 + Reported-by: Wu Zheng -- [Vincent Torri brought this change] + See #9355 + Closes #9356 - cmake: add libpsl support +- CURLOPT_BUFFERSIZE.3: add upload buffersize to see also - Fixes #8865 - Closes #8867 + Closes #9354 -- [Tatsuhiro Tsujikawa brought this change] +- [Fabian Fischer brought this change] - ngtcp2: extend QUIC transport parameters buffer + HTTP3.md: add missing autoreconf command for building with wolfssl - Extend QUIC transport parameters buffer because 64 bytes are too - short for the ever increasing parameters. 
+ Closes #9353 - Closes #8872 +- RELEASE-NOTES: synced -- [Tatsuhiro Tsujikawa brought this change] +- multi: have curl_multi_remove_handle close CONNECT_ONLY transfer - ngtcp2: handle error from ngtcp2_conn_submit_crypto_data + Ẃhen it has been used in the multi interface, it is otherwise left in + the connection cache, can't be reused and nothing will close them since + the easy handle loses the association with the multi handle and thus the + connection cache - until the multi handle is closed or it gets pruned + because the cache is full. - Closes #8871 + Reported-by: Dominik Thalhammer + Fixes #9335 + Closes #9342 -- [Tatsuhiro Tsujikawa brought this change] +- docs/cmdline-opts: remove \& escapes from all .d files - ngtcp2: send appropriate connection close error code + gen.pl escapes them itself now - Closes #8870 +- docs/cmdline-opts/gen.pl: encode leading single and double quotes -- test1561: adjusted for the cookie fix + As "(aq" and "(dq" to prevent them from implying a meaning in the nroff + output. This removes the need for using \& escapes in the .d files' + description parts. -- test414: verify secure cookie domain overlay + Closes #9352 -- [Harry Sintonen brought this change] +Marc Hoersken (23 Aug 2022) +- tests/server/sockfilt.c: avoid race condition without a mutex - cookie: address secure domain overlay + Avoid loosing any triggered handles by first aborting and joining + the waiting threads before evaluating the individual signal state. - Bug: https://hackerone.com/reports/1560324 - Co-authored-by: Daniel Stenberg - Closes #8840 + This removes the race condition and therefore need for a mutex. -- [Frank Gevaerts brought this change] + Closes #9023 - strcase: some optimisations +Daniel Stenberg (22 Aug 2022) +- [Emil Engler brought this change] - Lookup tables for toupper() and tolower() make Curl_strcasecompare() - about 1.5 times faster. 
Reorganising Curl_strcasecompare() to fully exit - early then also allows simplifying the check at the end, for another - 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 - times faster. + url: output the maximum when rejecting a url - Note that these optimisation assume ASCII. The original - Curl_raw_toupper() and raw_tolower() look like they already made that - assumption. + This commit changes the failf message to output the maximum length, when + curl refuses to process a URL because it is too long. - Closes #8875 + See: #9317 + Closes: #9327 -- BUG-BOUNTY.md: mention the audit exception +- [Chris Paulson-Ellis brought this change] - Dedicated - paid for - security audits that are performed in - collaboration with curl developers are not eligible for bounties. + configure: fix broken m4 syntax in TLS options - (plus I changed the sub-titles to use ## instead of # in the markdown) + Commit b589696f added lines to some shell within AC_ARG_WITH macros, but + inadvertently failed to move the final closing ). - Closes #8880 + Quote the script section using braces. -- lib/vssh/wolfssh.h: removed + So, if these problems have been around for a while, how did I find them? + Only because I did a configure including these options: - Unused header file + $ ./configure --with-openssl --without-rustls + SSL: enabled (OpenSSL) - Reported-by: Illarion Taev - Fixes #8863 - Closes #8866 + Closes #9344 -- [Elms brought this change] +- tests/data/CMakeLists: remove making the 'show' makefile target - wolfSSL: explicitly use compatibility layer + It is not used by runtests since 3c0f462 - This change removes adding an include `$prefix/wolfssl` or similar to - allow for openssl include aliasing. Include paths of `wolfssl/openssl/` - are used to explicitly use wolfSSL includes. This fixes cmake builds as - well as avoiding potentially using openSSL headers since include path - order is not guaranteed. 
+ Closes #9333 - Closes #8864 +- tests/data/Makefile: remove 'filecheck' target -- curl: deprecate --random-file and --egd-file + No practical use anymore since 3c0f4622cdfd6 - As libcurl no longer has any functionality for them, the tool now does - nothing with them. + Closes #9332 - Closes #8670 +- libssh2: make atime/mtime date overflow return error -- opts: deprecate RANDOM_FILE and EGDSOCKET + Closes #9328 - These two options were only ever used for the OpenSSL backend for - versions before 1.1.0. They were never used for other backends and they - are not used with recent OpenSSL versions. They were never used much by - applications. +- libssh: make atime/mtime date overflow return error - The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time - for ancient EOL OpenSSL versions. + Closes #9328 - Closes #8670 +- examples/curlx.c: remove -- [Harry Sintonen brought this change] + This example is a bit convoluted to use as an example, combined with the + special license for it makes it unsuitable. - bindlocal: don't use a random port if port number would wrap + Closes #9330 - Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port - 65535 the code would fall back to random port rather than giving up. +- [Tobias Nygren brought this change] - Closes #8862 + curl.h: include on SunOS -Daniel Gustafsson (16 May 2022) -- transfer: Fix potential NULL pointer dereference + It is needed for fd_set to be visible to downstream consumers that use + . Header is known to exist at least as far back as Solaris + 2.6. - Commit 0ef54abf5208 accidentally used the conn variable before the - assertion for it being NULL. Fix by moving the assignment which use - conn to after the assertion. 
+ Closes #9329 - Closes: #8857 - Reviewed-by: Daniel Stenberg +- DEPRECATE.md: push the NSS deprecation date forward one year to 2023 -- docs: clarify data replacement policy for MIME API - - The API documentation for the MIME functions specify that the parts - can be set twice, with the last call winning. While true, the user - can set the parts n times for n > 2, reword to specify multiple API - calls instead. + URL: https://curl.se/mail/lib-2022-08/0016.html - Closes: #8860 - Reviewed-by: Daniel Stenberg +- libssh2: setting atime or mtime >32bit on 4-bytes-long systems -Daniel Stenberg (16 May 2022) -- [vvb2060 on github brought this change] + Since the libssh2 API uses 'long' to store the timestamp, it cannot + transfer >32bit times on Windows and 32bit architecture builds. - ngtcp2: support boringssl crypto backend + Avoid nasty surprises by instead not setting such time. - Closes #8789 + Spotted by Coverity -- [Tatsuhiro Tsujikawa brought this change] + Closes #9325 - quic: add Curl_quic_idle +- libssh: setting atime or mtime > 32bit is now just skipped - Add Curl_quic_idle which is called when no HTTP level read or write is - performed. It is a good place to handle timer expiry for QUIC transport - (.e.g, retransmission). + The libssh API used caps the time to an unsigned 32bit variable. Avoid + nasty surprises by instead not setting such time. - Closes #8698 + Spotted by Coverity. 
-- [Gregor Jasny brought this change] + Closes #9324 - mprintf: ignore clang non-literal format string +Jay Satiro (16 Aug 2022) +- KNOWN_BUGS: Windows Unicode builds use homedir in current locale - Closes #8740 + Bug: https://github.com/curl/curl/pull/7252 + Reported-by: dEajL3kA@users.noreply.github.com -- [Nick Zitzmann brought this change] + Ref: https://github.com/curl/curl/pull/7281 - sectransp: check for a function defined when __BLOCKS__ is undefined + Closes https://github.com/curl/curl/pull/9305 - SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it - requires Grand Central Dispatch to be supported by the compiler, and - some third-party macOS compilers do not support Grand Central Dispatch. - SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't - adversely affect anything. +Daniel Stenberg (16 Aug 2022) +- test399: switch it to use a config file instead - Fixes #8846 - Reported-by: Egor Pugin - Closes #8854 + ... as using a 65535 bytes host name in a URL does not fit on the + command line on some systems - like Windows. -Daniel Gustafsson (16 May 2022) -- test412/413: Use version macro for User-Agent + Reported-by: Marcel Raad + Fixes #9321 + Closes #9322 - Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test - output file which breaks when curlver is updated. Shift to using - the %VERSION macro instead. +- RELEASE-NOTES: synced - Closes: #8856 +- asyn-ares: make a single alloc out of hostname + async data -- macos9: remove partial support + This saves one alloc per name resolve and simplifies the exit path. - The support for compiling on Mac OS 9 hasn't been modified since 2001 - and has no active maintainer or packager, so it's time to remove it as - it's incredibly unlikely to work. If a maintainer re-emerges it can be - resurrected from Git history. 
+ Closes #9310 - Closes: #8836 - Reviewed-by: Daniel Stenberg +- Curl_close: call Curl_resolver_cancel to avoid memory-leak -Daniel Stenberg (16 May 2022) -- test1635: verify --fail-with-body with --retry + There might be a pending (c-ares) resolve that isn't free'd up yet. - Almost a dupe of 1634 + Closes #9310 - Closes #8847 +- asyn-thread: fix socket leak on OOM -- tool_operate: make sure --fail-with-body works with --retry + Closes #9310 - ... in the same way --fail already does. +- GHA: mv CI torture test from Zuul - Reported-by: Jakub Bochenski - Fixes #8845 - Closes #8847 + Closes #9310 -- [Tatsuhiro Tsujikawa brought this change] +- ngtcp2-wolfssl.yml: add GHA to build ngtcp2 + wolfSSL - ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types + Closes #9318 - Closes #8851 +- test399: verify check of too long host name -- [Tatsuhiro Tsujikawa brought this change] +- url: reject URLs with hostnames longer than 65535 bytes - ngtcp2: Fix alert_read_func return value + It *probably* causes other problems too since DNS can't resolve such + long names, but the SNI field in TLS is limited to 16 bits length. - Closes #8852 + Closes #9317 -- [Harry Sintonen brought this change] +- curl_multi_perform.3: minor language fix - Curl_parsenetrc: don't access local pwbuf outside of scope + Closes #9316 - Accessing local variables outside of the scope is forbidden and - depending on the compiler can result in the value being - overwritten. Fixed by moving the pwbuf to be in scope. +- ngtcp2: fix picky compiler warnings with wolfSSL for QUIC - Closes #8850 + Follow-up to 8a13be227eede2 -- RELEASE-NOTES: synced + Closes #9315 - and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) +- ngtcp2: remove leftover variable -- [Frazer Smith brought this change] + Mistake leftover from my edit before push. 
- ci: update github actions + Follow-up from 8a13be227eede2601c2b3b + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/pull/9290#issuecomment-1214569167 - - bump actions/checkout from 2 to 3 - - bump actions/upload-artifact from 1 to 3 - - bump github/codeql-actions from 1 to 2 - - use version tag for actions/checkout +Viktor Szakats (15 Aug 2022) +- Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] - Closes #8843 + Before this patch `-nghttp3`/`-ngtcp2` had an effect only when `-ssl` + was also enabled. `-ssl` meaning OpenSSL (and its forks). After + 8a13be227eede2601c2b3b1c63e08b3dc9b35dd5 nghttp3/ngtcp2 can also be + used together with wolfSSL. This patch adds the ability to enable + `-nghttp3`/`-ngtcp2` independently from `-ssl` (OpenSSL), allowing to + use it with wolfSSL or other, future TLS backends. -- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix + Before this patch, it was fine to enable `-nghttp3`/`-ngtcp2` + unconditionally. After this patch, this is no longer the case, and now + it's the user's responsibility to enable `-nghttp3`/`-ngtcp2` only + together with a compatible TLS backend. -- url: free old conn better on reuse + When using a TLS backend other than OpenSSL, the TLS-specific ngtcp2 + library must be configured manually, e.g.: + `export CURL_LDFLAG_EXTRAS=-lngtcp2_crypto_wolfssl` - Make use of conn_free() better and avoid duplicate code. + (or via `NGTCP2_LIBS`) - Reported-by: Andrea Pappacoda - Fixes #8841 - Closes #8842 + Closes #9314 -Jay Satiro (14 May 2022) -- FAQ: Clarify Windows double quote usage +Daniel Stenberg (15 Aug 2022) +- [Stefan Eissing brought this change] - - Windows command prompt doesn't use literal quoting via single quotes. + quic: add support via wolfSSL - - Windows command prompt inner double quotes are escaped with a - backslash. 
+ - based on ngtcp2 PR https://github.com/ngtcp2/ngtcp2/pull/505 + - configure adapted to build against ngtcp2 wolfssl crypto lib + - quic code added for creation of WOLFSSL* instances - - Windows powershell does use single quotes but curl is not a powershell - script so the arguments may not be passed on correctly. + Closes #9290 - - Windows powershell inner double quotes seems can be passed to curl if - the outer quotes are double quotes and an escape of backslash-backtick - is used. +Marcel Raad (14 Aug 2022) +- [David Carlier brought this change] - Command prompt example: + memdebug: add annotation attributes - ~~~ - getargs -v -d "\"a\"" + memory debug tracking annotates whether the returned pointer does not + `alias`, hints where the size required is, for Windows to be better + debugged via Visual Studio. - argv[0]: getargs - argv[1]: -v - argv[2]: -d - argv[3]: "a" - ~~~ + Closes https://github.com/curl/curl/pull/9306 - Ref: https://github.com/curl/curl/issues/8818 - Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c +Daniel Stenberg (14 Aug 2022) +- GHA: move libressl CI from zuul to GitHub - Reported-by: KotlinIsland@users.noreply.github.com + Closes #9309 - Closes https://github.com/curl/curl/pull/8823 +- KNOWN_BUGS: FTPS directory listing hangs on Windows with Schannel -Daniel Stenberg (12 May 2022) -- github/workflows/nss: apt update first + Closes #9161 - Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" +- KNOWN_BUGS: CURLOPT_CERTINFO results in CURLE_OUT_OF_MEMORY with Schannel - Closes #8837 + Closes #8741 -- page-footer: mention exit code zero too +- KNOWN_BUGS: libssh blocking and infinite loop problem - Success (zero) is also an "exit code" worth mentioning. 
+ Closes #8632 - Closes #8833 +- RELEASE-NOTES: synced -Daniel Gustafsson (12 May 2022) -- gssapi: initialize gss_buffer_desc strings +- msh3: fix the QUIC disconnect function - Explicitly initialize gss_buffer_desc strings such that a call to - freeing resources will succeed even if no data has been allocated - to it. + And free request related memory better in 'done'. Fixes a memory-leak. - Reported-by: Jay Satiro + Reported-by: Gisle Vanem + Fixes #8915 + Closes #9304 -- gssapi: improve handling of errors from gss_display_status +- connect: close the happy eyeballs loser connection when using QUIC - In case gss_display_status() returns an error, avoid trying to add - it to the buffer as the message may well be a NULL pointer. + Reviewed-by: Nick Banks - Originally this fix comes from a discussion in issue #8816. + Closes #9303 - Closes: #8832 - Reviewed-by: Jay Satiro +- [Emil Engler brought this change] -Jay Satiro (12 May 2022) -- [steini2000 brought this change] + refactor: split resolve_server() into functions - http2: always debug print stream id in decimal with %u + This commit splits the branch-heavy resolve_server() function into + various sub-functions, in order to reduce the amount of nested + if/else-statements. - Prior to this change the stream id shown could be hex or decimal which - was inconsistent and confusing. + Beside this, it also removes many else-sequences, by returning in the + previous if-statement. - Closes https://github.com/curl/curl/pull/8808 + Closes #9283 -Kamil Dudka (11 May 2022) -- url: remove redundant #ifdefs in allocate_conn() +- schannel: re-indent to use curl style better - No change in behavior intended by this commit. + Only white space changes -Daniel Stenberg (11 May 2022) -- [Fabian Keil brought this change] + Closes #9301 - tests 266, 116 and 1540: add a small write delay +- [Emanuele Torre brought this change] - This makes it more likely that the trailer is received - seperately from the last-chunk. 
+ docs/cmdline-opts: fix example and categories for --form-escape - curl doesn't seem to care about this but it makes the tests - more useful when testing external proxies like Privoxy. + The example was missing a "--form" argument + I also replaced "--form" with "-F" to shorten the line a bit since it + was already very long. -- [Fabian Keil brought this change] - - tests 1117,1238,1523: adjust writedelay servercmds + And I also moved --form-escape from the "post" category to the "upload" + category (this is what I originally wanted to fix, before also noticing + the mistake in the example). - ... so the delays are the same now that the unit - is in milliseconds. + Closes #9298 -- [Fabian Keil brought this change] +- [Nick Banks brought this change] - tests/server/sws.c: change the HTTP writedelay unit to milliseconds + HTTP3.md: update to msh3 v0.4.0 - This allows to use write delays for large responses without - resulting in the test taking an unreasonable amount of time. + Closes #9297 - In many cases delaying writes by a whole second or more isn't - necessary for the desired effect. +- hostip: resolve *.localhost to 127.0.0.1/::1 - Closes #8827 + Following the footsteps of other clients like Firefox/Chrome. RFC 6761 + says clients SHOULD do this. -Daniel Gustafsson (11 May 2022) -- aws-sigv4: fix potentional NULL pointer arithmetic + Add test 389 to verify. - We need to check if the strchr() call returns NULL (due to missing - char) before we use the returned value in arithmetic. There is no - live bug here, but fixing it before it can become for hygiene. 
+ Reported-by: TheKnarf on github + Fixes #9192 + Closes #9296 - Closes: #8814 - Reviewed-by: Daniel Stenberg +Jay Satiro (11 Aug 2022) +- KNOWN_BUGS: long paths are not fully supported on Windows -Daniel Stenberg (11 May 2022) -- quiche: support ca-fallback + Bug: https://github.com/curl/curl/issues/8361 + Reported-by: Gisle Vanem - Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl + Closes https://github.com/curl/curl/pull/9288 - Removed from KNOWN_BUGS +Daniel Stenberg (11 Aug 2022) +- config: remove the check for and use of SIZEOF_SHORT - Fixes #8696 - Closes #8830 + shorts are 2 bytes on all platforms curl runs and have ever run on. -Daniel Gustafsson (11 May 2022) -- x509asn1: mark msnprintf return as unchecked + Closes #9291 - We have lots of unchecked msnprintf calls, and this particular msnprintf - call isn't more interesting than the others, but this one yields a Coverity - warning so let's implicitly silence it. Going over the other invocations - is probably a worthwhile project, but for now let's keep the static - analyzers happy. +- configure: introduce CURL_SIZEOF - Closes: #8831 - Reviewed-by: Daniel Stenberg + This is a rewrite of the previously used GPLv3+exception licensed + file. With this change, there is no more reference to GPL so we can + remove that from LICENSES/. -Version 7.83.1 (11 May 2022) + Ref: #9220 + Closes #9291 -Daniel Stenberg (11 May 2022) -- RELEASE-NOTES: synced +- [Sean McArthur brought this change] - curl 7.83.1 release + hyper: customize test1274 to how hyper unfolds headers -- THANKS: added contributors from 7.83.1 + Closes #9217 -- zuul: fix the ngtcp2-gnutls build +- [Orgad Shaneh brought this change] - Add packages and tweak the configure options. + curl-config: quote directories with potential space - Use the GnuTLS 3.7.4 branch (not main). + On Windows (at least with CMake), the default prefix is + C:/Program Files (x86)/CURL. 
- Closes #8829 + Closes #9253 -- [Tatsuhiro Tsujikawa brought this change] +- [Oliver Roberts brought this change] - ngtcp2: add ca-fallback support for OpenSSL backend + amigaos: fix threaded resolver on AmigaOS 4.x - Closes #8828 + Replace ip4 resolution function on AmigaOS 4.x, as it requires runtime + feature detection and extra code to make it thread safe. -- url: check SSH config match on connection reuse + Closes #9265 - CVE-2022-27782 +- [Emil Engler brought this change] - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 + imap: use ISALNUM() for alphanumeric checks -- tls: check more TLS details for connection reuse + This commit replaces a self-made character check for alphanumeric + characters within imap_is_bchar() with the ISALNUM() macro, as it is + reduces the size of the code and makes the performance better, due to + ASCII arithmetic. - CVE-2022-27782 + Closes #9289 - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27782.html - Closes #8825 +- RELEASE-NOTES: synced -- cookies: make bad_domain() not consider a trailing dot fine +- [Cering on github brought this change] - The check for a dot in the domain must not consider a single trailing - dot to be fine, as then TLD + trailing dot is fine and curl will accept - setting cookies for it. + connect: add quic connection information - CVE-2022-27779 + Fixes #9286 + Closes #9287 - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27779.html - Closes #8820 +- [Philip Heiduck brought this change] -- test977: reproduce ability to set cookie on TLD + cirrus/freebsd-ci: bootstrap the pip installer - When PSL is not enabled + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> -- scripts/contributors.sh: correct the copyright range + Closes #9213 -- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates +- urldata: move smaller fields down in connectdata struct -- test379: verify --remove-on-error with --no-clobber + By (almost) sorting the struct fields in connectdata in a decending size + order, having the single char ones last, we reduce the number of holes + in the struct and thus the amount of storage needed. -- post_per_transfer: remove the updated file name + Closes #9280 - When --remove-on-error is used with --no-clobber, it might have an - updated file name to remove. +- ldap: adapt to conn->port now being an 'int' - Bug: https://curl.se/docs/CVE-2022-27778.html + Remove typecasts. Fix printf() formats. - CVE-2022-27778 + Follow-up from 764c6bd3bf. + Pointed out by Coverity CID 1507858. - Reported-by: Harry Sintonen + Closes #9281 - Closes #8824 +- KNOWN_BUGS: Negotiate authentication against Hadoop HDFS -- hsts: ignore trailing dots when comparing hosts names + Closes #8264 - CVE-2022-30115 +- [Oliver Roberts brought this change] - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-30115.html - Closes #8821 + file: add handling of native AmigaOS paths -- test440/441: verify HSTS with trailing dots + On AmigaOS 4.x, handle native absolute paths, whilst blocking relative + paths. Also allow unix style paths if feature enabled at link time. -- libtest/lib1560: verify the host name percent decode fix + Inspiration-from: Michael Trebilcock -- urlapi: reject percent-decoding host name into separator bytes + Closes #9259 - CVE-2022-27780 +- KNOWN_BUGS: cmake build is not thread-safe - Reported-by: Axel Chong - Bug: https://curl.se/docs/CVE-2022-27780.html - Closes #8826 + The cmake build does not check for and verify presence of a working + Atomic type, which then makes curl_global_init() to not build + thread-safe on non-Windows platforms. 
-- nss: return error if seemingly stuck in a cert loop + Closes https://github.com/curl/curl/issues/8973 + Closes https://github.com/curl/curl/pull/8982 - CVE-2022-27781 +- [Oliver Roberts brought this change] - Reported-by: Florian Kohnhäuser - Bug: https://curl.se/docs/CVE-2022-27781.html - Closes #8822 + configure: fixup bsdsocket detection code for AmigaOS 4.x -- test412/413: verify alt-svc with trailing dots + The code that detects bsdsocket.library for AmigaOS did not work + for AmigaOS 4.x. This has been fixed and also cleaned up a little + to reduce duplication. Wasn't technically necessary before, but is + required when building with AmiSSL instead of OpenSSL. -- altsvc: fix host name matching for trailing dots + Closes #9268 - Closes #8819 +- [Oliver Roberts brought this change] -- [Garrett Squire brought this change] + tool: reintroduce set file comment code for AmigaOS - hyper: fix test 357 + Amiga specific code which put the URL in the file comment was perhaps + accidentally removed in b88940850002a3f1c25bc6488b95ad30eb80d696 having + originally been added in 5c215bdbdfde8b2350cdcbac82aae0c914da5314. + Reworked to fit the code changes and added it back in. - This change fixes the hyper API such that PUT requests that receive a - 417 response can retry without the Expect header. + Reported-by: Michael Trebilcock + Originally-added-by: Chris Young - Closes #8811 + Closes #9258 -- [Harry Sintonen brought this change] +- urldata: make 'negnpn' use less storage - sectransp: bail out if SSLSetPeerDomainName fails + The connectdata struct field 'negnpn' never holds a value larger than + 30, so an unsigned char saves 3 bytes struct space. - Before the code would just warn about SSLSetPeerDomainName() errors. + Closes #9279 - Closes #8798 +- urldata: make three *_proto struct fields smaller -- http_proxy/hyper: handle closed connections + Use 'unsigned char' for storage instead of the enum, for three GSSAPI + related fields in the connectdata struct. 
- Enable test 1021 for hyper builds. + Closes #9278 - Patched-by: Prithvi MK - Fixes #8700 - Closes #8806 +- connect: set socktype/protocol correctly -- KNOWN_BUGS: timeout when reusing a http3 connection + So that an address used from the DNS cache that was previously used for + QUIC can be reused for TCP and vice versa. - Closes #8764 + To make this possible, set conn->transport to "unix" for unix domain + connections ... and store the transport struct field in an unsigned char + to use less space. -- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3 + Reported-by: ウさん + Fixes #9274 + Closes #9276 - Closes #8696 +- [Oliver Roberts brought this change] -- [Ryan Schmidt brought this change] + amissl: allow AmiSSL to be used with AmigaOS 4.x builds - Makefile: fix "make ca-firefox" + Enable AmiSSL to be used instead of static OpenSSL link libraries. + for AmigaOS 4.x, as it already is in the AmigaOS 3.x build. - Closes #8804 + Closes #9269 -Daniel Gustafsson (5 May 2022) -- tests: fix markdown formatting in README +- [opensignature on github brought this change] - The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be - escaped to not mean start of italic formatting. This is consistent - with docs/RELEASE-PROCEDURE.md. + openssl: add details to "unable to set client certificate" error - Closes: #8802 - Reviewed-by: Daniel Stenberg + from: "curl: (58) unable to set client certificate" -Daniel Stenberg (5 May 2022) -- TODO: expand on "Expose tried IP addresses that failed" + to: curl: (58) unable to set client certificate [error:0A00018F:SSL + routines::ee key too small] - Ref: #8794 + Closes #9228 -Daniel Gustafsson (5 May 2022) -- [Fabian Keil brought this change] +- [Oliver Roberts brought this change] - tests/server: declare variable 'reqlogfile' static + amissl: make AmiSSL v5 a minimum requirement - Silences the warning: + AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0. 
+ Support for previous OpenSSL 1.1.x versions has been dropped, so + makes sense to enforce v5 as the minimum requirement. This also + allows all the AmiSSL stub workarounds to be removed as they are + now provided in a link library in the AmiSSL SDK. - CC socksd-socksd.o - socksd.c:143:13: warning: no previous extern declaration for - non-static variable 'reqlogfile' [-Wmissing-variable-declarations] - const char *reqlogfile = DEFAULT_REQFILE; - ^ - socksd.c:143:7: note: declare 'static' if the variable is not - intended to be used outside of this translation unit - const char *reqlogfile = DEFAULT_REQFILE; - ^ - 1 warning generated. + Closes #9267 - ... when compiling with clang 13. +- [Oliver Roberts brought this change] - Closes: #8799 - Reviewed-by: Daniel Gustafsson + configure: -pthread not available on AmigaOS 4.x -- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION + The most recent GCC builds for AmigaOS 4.x do not allow -pthread and + exit with an error. Instead, need to explictly specify -lpthread. - Commit 980a47b42 added support for ignoring session cookies, but it - was never added to the documentation. + Closes #9266 - Closes: #8795 - Reviewed-by: Daniel Stenberg +- digest: pass over leading spaces in qop values -Daniel Stenberg (5 May 2022) -- docs/THANKS: remove name duplicate + When parsing the "qop=" parameter of the digest authentication, and the + value is provided within quotes, the list of values can have leading + white space which the parser previously did not handle correctly. -- [Philip H brought this change] + Add test case 388 to verify. - .mailmap: update + Reported-by: vlubart on github + Fixes #9264 + Closes #9270 - Closes #8800 +- [Evgeny Grin (Karlson2k) brought this change] -Jay Satiro (5 May 2022) -- mbedtls: fix some error messages + digest: reject broken header with session protocol but without qop - Prior to this change some of the error messages misidentified the - function that failed. 
+ Closes #9077 -Daniel Stenberg (5 May 2022) -- RELEASE-NOTES: synced +- CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples -- [Sergey Markelov brought this change] + Reported-by: jvvprasad78 on github + Assisted-by: Jay Satiro + Fixes #9239 + Closes #9241 - x509asn1: make do_pubkey handle EC public keys +- [Fabian Keil brought this change] - Closes #8757 + test44[2-4]: add '--resolve' to the keywords -- [Harry Sintonen brought this change] + ... so the tests can be automatically skipped when + using an external proxy like Privoxy. - mbedtls: bail out if rng init fails + Closes #9250 - There was a failf() call but no actual error return. +- RELEASE-NOTES: synced - Closes #8796 +- CURLOPT_CONNECT_ONLY.3: clarify multi API use -- [Sergey Markelov brought this change] + Reported-by: Maxim Ivanov + Fixes #9244 + Closes #9262 - urlapi: address (harmless) UndefinedBehavior sanitizer warning +- [Andrew Lambert brought this change] - `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1 - cannot be represented in type 'size_t' (aka 'unsigned long') + curl_easy_header: Add CURLH_PSEUDO to sanity check - Closes #8797 + Fixes #9235 + Closes #9236 -- [Fabian Keil brought this change] +- [Emil Engler brought this change] - test{898,974,976}: add 'HTTP proxy' keywords + docs: add dns category to --resolve - ... so the tests can be automatically skipped when - testing external HTTP proxies like Privoxy. + This commit adds the dns category to the --resolve command line option, + because it can be interpreted as both: a low-level connection option and + an option related to the resolving of a hostname. - Closes #8791 + It is also not common for dns options to belong to the connection + category and vice versa. --ipv4 and --ipv6 are both good examples. -- [Harry Sintonen brought this change] + Closes #9229 - gskit_connect_step1: fixed bogus setsockopt calls +Jay Satiro (2 Aug 2022) +- [Wyatt O'Day brought this change] - setsockopt takes a reference to value, not value. 
With the current - code this just leads to -1 return value with errno EFAULT. + schannel: Add TLS 1.3 support - Closes #8793 + - Support TLS 1.3 as the default max TLS version for Windows Server 2022 + and Windows 11. -- CURLOPT_SSH_AUTH_TYPES.3: fix the default + - Support specifying TLS 1.3 ciphers via existing option + CURLOPT_TLS13_CIPHERS (tool: --tls13-ciphers). - The default is all possible methods. + Closes https://github.com/curl/curl/pull/8419 - Closes #8792 +Daniel Stenberg (2 Aug 2022) +- [Emil Engler brought this change] -- CURLOPT_DOH_URL.3: mention the known bug + cmdline-opts/gen.pl: improve performance - It is mostly duplicating info from KNOWN_BUGS but make it easier to find - for users of this option. + On some systems, the gen.pl script takes nearly two minutes for the + generation of the main-page, which is a completely unacceptable time. - Closes #8790 + The slow performance has two causes: + 1. Use of a regex locale operator + 2. Useless invokations of loops -- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well + The commit addresses the first issue by replacing the "\W" wiht + [^a-zA-Z0-9_], which is, according to regex101.com, functionally + equivalent to the previous operation, except that it is obviously + limited to ASCII only, which is fine, as the curl project is + English-only anyway. - Reviewed-By: Daniel Gustafsson - Closes #8788 + The second issue is being addressed by only running the loop if the line + contains a "--" in it. The loop may be completeley removed in the + future. -- docs/SECURITY-PROCESS.md: "Visible command line arguments" + Co-authored-by: Emanuele Torre -- SECURITY-PROCESS: mention "URL inconsistencies" + See #8299 + Fixes #9230 + Closes #9232 - ... as common problems that are *not* vulns. 
+- docs/cmdline: mark fail and fail-with-body as mutually exclusive -Daniel Gustafsson (2 May 2022) -- contributors: strip off final comma + Reported-by: Andreas Sommer + Fixes #9221 + Closes #9222 - The final row of contributors should not end with a comma as it's the - end of the list. +- [Nao Yonashiro brought this change] - Closes: #8785 - Reviewed-by: Daniel Stenberg + quiche: fix build failure -Daniel Stenberg (2 May 2022) -- [Philip H brought this change] + Reviewed-by: Alessandro Ghedini + Closes #9223 - misc: use "autoreconf -fi" instead buildconf +Viktor Szakats (2 Aug 2022) +- configure.ac: drop references to deleted functions - 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> - Closes #8777 + follow-up from 4d73854462f30948acab12984b611e9e33ee41e6 -Daniel Gustafsson (2 May 2022) -- [Philip H brought this change] + Reported-by: Oliver Roberts + Fixes #9238 + Closes #9240 - cirrus: Use pip for Python packages on FreeBSD +Daniel Stenberg (28 Jul 2022) +- [Sean McArthur brought this change] - Using pip instead of easy_install is more in line with how other - CI images are being maintained. + hyper: enable obs-folded multiline headers - Closes: #8783 - Reviewed-by: Daniel Gustafsson + Closes #9216 -- [Philip H brought this change] +- connect: revert the use of IP*_RECVERR - cirrus: Update to FreeBSD 12.3 + The options were added in #6341 and d13179d, but cause problems: Lots of + POLLIN event occurs but recvfrom read nothing. - Closes: #8783 - Reviewed-by: Daniel Gustafsson + Reported-by: Tatsuhiro Tsujikawa + Fixes #9209 + Closes #9215 -- tool_getparam: simplify conditional statement +- [Marco Kamner brought this change] - param_place cannot be NULL here since we immediately efter this block - perform arithmetic on it (and use it in order to get here) so there is - little reason to check. + docs: remove him/her/he/she from documentation - Closes: #8786 - Reviewed-by: Daniel Stenberg + Closes #9208 - RELEASE-NOTES: synced -- gskit: remove unused function set_callback +- tool_getparam: make --doh-url "" switch it off - This function has been unused since the initial commit of the GSKit - backend in 0eba02fd4. The motivation for the code was getting the - whole certificate chain: the only place where the latter is available - is as a callback parameter. Unfortunately it is not possible to pass - a user pointer to this callback, which precludes the possibility to - associate the cert chain with a data/conn structure. + A possible future addition could be to parse the URL first too to verify + that it is valid before trying to use it. 
- For further information, search for pgsk_cert_validation_callback on: - https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm + Assisted-by: Jay Satiro + Closes #9207 - As the upstream library never added a parameter like that to the API, - we give up the wait and remove the dead code. +- mailmap: add rzrymiak on github - Closes: #8782 - Reviewed-by: Patrick Monnerat +Jay Satiro (26 Jul 2022) +- ngtcp2: Fix build error due to change in nghttp3 prototypes -- curl: free resource in error path + ngtcp2/nghttp3@4a066b2 changed nghttp3_conn_block_stream and + nghttp3_conn_shutdown_stream_write return from int to void. - If the new filename cannot be generated due to memory pressure, free - the allocated aname on the way out to avoid a small leak. + Reported-by: jurisuk@users.noreply.github.com - Closes: #8770 - Reviewed-by: Daniel Stenberg + Fixes https://github.com/curl/curl/issues/9204 + Closes https://github.com/curl/curl/pull/9200 -- curl: guard against size_t wraparound in no-clobber code +Daniel Stenberg (26 Jul 2022) +- [rzrymiak on github brought this change] - When generating the new filename, make sure we aren't overflowing the - size_t limit when calculating the new length. This is mostly academic - but good code hygeine nonetheless. + BUGS.md: improve language - Closes: #8771 - Reviewed-by: Daniel Stenberg + Closes #9205 -Daniel Stenberg (30 Apr 2022) -- gha: build msh3 +- [Philip Heiduck brought this change] - Closes #8779 + cirrus.yml: replace py38-pip with py39-pip -- scripts/cijobs.pl: try "current branch" first then "master" + Reported-by: Jay Satiro + Fixes #9201 + Closes #9202 -- [Yusuke Nakamura brought this change] +- tool_getparam: fix cleanarg() for unicode builds - msh3: get msh3 version from MsH3Version + Use the correct type, and make cleanarg an empty macro if the cleaning + ability is absent. 
- Closes #8762 + Fixes #9195 + Closes #9196 -- [Yusuke Nakamura brought this change] + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad - msh3: psss remote_port to MsH3ConnectionOpen +Marc Hoersken (25 Jul 2022) +- test3026: add support for Windows using native Win32 threads - MsH3 supported additional "Port" parameter to connect not hosted on - 443 port QUIC website. - - * https://github.com/nibanks/msh3/releases/tag/v0.3.0 - * https://github.com/nibanks/msh3/pull/37 - - Closes #8762 - -- [Christian Weisgerber brought this change] - - openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - - SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3, - released five years ago. + Reviewed-by: Viktor Szakats + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Bug: https://curl.se/mail/lib-2022-04/0059.html - Closes #8773 + Follow up to 7ade9c50b35d95d47a43880c3097bebab7a7e690 + Closes #9012 -- http: move Curl_allow_auth_to_host() +Jay Satiro (25 Jul 2022) +- [Evgeny Grin (Karlson2k) brought this change] - It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef + digest: fix memory leak, fix not quoted 'opaque' - Reported-by: Michael Olbrich - Fixes #8772 - Closes #8775 + Fix leak regression introduced by 3a6fe0c. -Daniel Gustafsson (29 Apr 2022) -- msh3: print boolean value as text representation + Closes https://github.com/curl/curl/pull/9199 - Print the boolean value as its string representation instead of with - %hhu which isn't a format we typically use. 
+Daniel Stenberg (23 Jul 2022) +- tests: several enumerated type cleanups - Closes: #8763 - Reviewed-by: Nick Banks + To please icc -Daniel Stenberg (29 Apr 2022) -- data/test376: set a proper name + Closes #9179 -- GHA/mbedtls: enabled nghttp2 in the build +- tool_paramhlp: fix "enumerated type mixed with another type" - Closes #8767 + Warning by icc -- mbedtls: fix compile when h2-enabled + Closes #9179 - Fixes #8766 - Reported-by: LigH-de on github - Closes #8768 +- tool_writeout: fix enumerated type mixed with another type -- RELEASE-NOTES: synced + Closes #9179 - bumped curlver to 7.83.1-dev +- tool_cfgable: make 'synthetic_error' a plain bool -- SECURITY-PROCESS: extended + The specific reason was not used. - Also clarify BUG-BOUNTY.md with IBB details. + Closes #9179 - Closes #8754 +- tool_paramhlp: make check_protocol return ParameterError -- [Adam Rosenfield brought this change] + "enumerated type mixed with another type" - conn: fix typo 'connnection' -> 'connection' in two function names + Closes #9179 - Closes #8759 +- tool_formparse: fix variable may be used before its value is set -Version 7.83.0 (27 Apr 2022) + Warning by icc -Daniel Stenberg (27 Apr 2022) -- RELEASE-NOTES: synced + Closes #9179 - The 7.83.0 release +- sendf: skip storing HTTP headers if HTTP disabled -- docs/THANKS: contributors from 7.83.0 + Closes #9179 -- test 898/974/976: require proxy to run +- url: enumerated type mixed with another type - Fixes #8755 - Reported-by: Marc Hörsken - Closes #8756 + Follow-up to 1c58e7ae99ce2030213f28b -- gnutls: don't leak the SRP credentials in redirects + Closes #9179 - Follow-up to 620ea21410030 and 139a54ed0a172a +- urldata: change second proxytype field to unsigned char to match - Reported-by: Harry Sintonen - Closes #8752 + To avoid "enumerated type mixed with another type" -- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS + Closes #9179 - Closes #8753 +- http: typecast the httpreq assignment to avoid icc compiler warning -- 
openssl: don't leak the SRP credentials in redirects either + error #188: enumerated type mixed with another type - Follow-up to 620ea21410030 + Closes #9179 - Reported-by: Harry Sintonen - Closes #8751 +- urldata: make state.httpreq an unsigned char -- [Liam Warfield brought this change] + To match set.method used for the same purpose. - hyper: fix tests 580 and 581 for hyper + Closes #9179 - Hyper now has the ability to preserve header order. This commit adds a - few lines setting the connection options for this feature. +- splay: avoid using -1 in unsigned variable - Related to issue #8617 - Closes #8707 + To fix icc compiler warning integer conversion resulted in a change of sign -- conncache: remove name arg from Curl_conncache_find_bundle + Closes #9179 - To simplify, and also since the returned name is not the full actual - name used for the check. The port number and zone id is also involved, - so just showing the name is misleading. +- sendf: store the header type in an usigned char to avoid icc warnings - Closes #8750 + Closes #9179 -- tests: verify the fix for CVE-2022-27774 +- multi: fix the return code from Curl_pgrsDone() - - Test 973 redirects from HTTP to FTP, clear auth - - Test 974 redirects from HTTP to HTTP different port, clear auth - - Test 975 redirects from HTTP to FTP, permitted to keep auth - - Test 976 redirects from HTTP to HTTP different port, permitted to keep - auth + It does not return a CURLcode. Detected by the icc compiler warning + "enumerated type mixed with another type" -- transfer: redirects to other protocols or ports clear auth + Closes #9179 - ... unless explicitly permitted. +- sendf: make Curl_debug a void function - Bug: https://curl.se/docs/CVE-2022-27774.html - Reported-by: Harry Sintonen - Closes #8748 + As virtually no called checked the return code, and those that did + wrongly treated it as a CURLcode. 
Detected by the icc compiler warning: + enumerated type mixed with another type -- connect: store "conn_remote_port" in the info struct + Closes #9179 - To make it available after the connection ended. +- http_chunks: remove an assign + typecast -- cookie.d: clarify when cookies are always sent + As it caused icc to complain: "pointer cast involving 64-bit pointed-to + type" -- test898: verify the fix for CVE-2022-27776 + Closes #9179 - Do not pass on Authorization headers on redirects to another port +- vtls: make Curl_ssl_backend() return the enum type curl_sslbackend -- http: avoid auth/cookie on redirects same host diff port + To fix the icc warning enumerated type mixed with another type - CVE-2022-27776 + Closes #9179 - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27776.html - Closes #8749 +- curl-compilers.m4: make icc use -diag* options and disable two warnings -- libssh2: make the md5 comparison fail if wrong length + -wd and -we are deprecated and are now -diag-disable and -diag-error - Making it just skip the check unless exactly 32 is too brittle. Even if - the docs says it needs to be exactly 32, it is be safer to make the - comparison fail here instead. + Disable warning 1024 and 2259 - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549461 - Closes #8745 + Closes #9179 -- conncache: include the zone id in the "bundle" hashkey +- [Matthew Thompson brought this change] - Make connections to two separate IPv6 zone ids create separate - connections. + GHA: add two Intel compiler CI jobs - Reported-by: Harry Sintonen - Bug: https://curl.se/docs/CVE-2022-27775.html - Closes #8747 + Closes #9179 -- [Patrick Monnerat brought this change] +- [Daniel Katz brought this change] - url: check sasl additional parameters for connection reuse. 
+ curl-functions.m4: check whether atomics can link rather than just compile - Also move static function safecmp() as non-static Curl_safecmp() since - its purpose is needed at several places. + Some build toolchains support C11 atomics (i.e., _Atomic types), but + will not link the associated atomics runtime unless a flag is passed. In + such an environment, linking an application with libcurl.a can fail due + to undefined symbols for atomic load/store functions. - Bug: https://curl.se/docs/CVE-2022-22576.html + I encountered this behavior when upgrading curl to 7.84.0 and attempting + to build with Solaris Studio 12.6. Solaris provides the flag + -xatomic=[gcc | studio], allowing users to link to one of two atomics + runtime implementations. However, if the user does not provide this + flag, then neither runtime is linked. This led to builds failing in CI. - CVE-2022-22576 + Closes #9190 - Closes #8746 +- [Rosen Penev brought this change] -- libssh2: compare sha256 strings case sensitively + curl-wolfssl.m4: add options header when building test code - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1549435 - Closes #8744 + Needed for certain configurations of wolfSSL. Otherwise, missing header + error may occur. -- tool_getparam: error out on missing -K file + Tested with OpenWrt. - Add test 411 to verify. + Closes #9187 - Reported-by: Median Median Stride - Bug: https://hackerone.com/reports/1542881 - Closes #8731 +- ftp: use a correct expire ID for timer expiry -- [Tatsuhiro Tsujikawa brought this change] + This was an accurate error pointed out by the icc warning: enumerated + type mixed with another type - ngtcp2: deal with sub-millisecond timeout + Ref: #9179 + Closes #9184 - Closes #8738 +- sendf: fix paused header writes since after the header API -- misc: update copyright year ranges + Regression since d1e4a67 -- c_escape: escape '?' 
in generated --libcurl code + Reported-by: Sergey Ogryzkov + Fixes #9180 + Closes #9182 - In order to avoid the risk of it being used in an accidental trigraph in - the generated code. +- mprintf: fix *dyn_vprintf() when out-of-memory - Reported-by: Harry Sintonen - Bug: https://hackerone.com/reports/1548535 - Closes #8742 + Follow-up to 0e48ac1f99a. Torture-testing 1455 would lead to a memory + leak otherwise. -- [Philip H brought this change] + Closes #9185 - mlc: curl.zuul.vexxhost.dev is reachable again +- curl-confopts: remove leftover AC_REQUIREs - remove it from ignorelist for linkcheck + configure.ac:3488: warning: CURL_CHECK_FUNC_IOCTL is m4_require'd but not m4_defun'd + configure.ac:3488: warning: CURL_CHECK_FUNC_SETSOCKOPT is m4_require'd but not m4_defun'd - Closes #8736 + follow-up from 4d73854462f30 -- [Tatsuhiro Tsujikawa brought this change] + Closes #9183 - ngtcp2: avoid busy loop in low CWND situation +- file: fix icc enumerated type mixed with another type warning - Closes #8739 + Ref: #9179 + Closes #9181 -- TODO: telnet - exit immediately upon connection if stdin is /dev/null +Viktor Szakats (19 Jul 2022) +- tidy-up: delete unused build configuration macros - Suggested-by: Robin A. 
Meade - URL: https://curl.se/mail/archive-2022-04/0027.html + Most of them feature guards: -- [Kushal Das brought this change] + - `CURL_INCLUDES_SYS_UIO` [1] + - `HAVE_ALLOCA_H` [2] + - `HAVE_CRYPTO_CLEANUP_ALL_EX_DATA` (unused since de71e68000c8624ea13f90b136f8734dd0fb1bdc) + - `HAVE_DLFCN_H` + - `HAVE_DLOPEN` + - `HAVE_DOPRNT` + - `HAVE_FCNTL` + - `HAVE_GETHOSTBYNAME` [3] + - `HAVE_GETOPT_H` + - `HAVE_GETPASS` + - `HAVE_GETPROTOBYNAME` + - `HAVE_GETSERVBYNAME` + - `HAVE_IDN_FREE*` + - `HAVE_INET_ADDR` + - `HAVE_IOCTL` + - `HAVE_KRB4` + - `HAVE_KRB_GET_OUR_IP_FOR_REALM` + - `HAVE_KRB_H` + - `HAVE_LDAPSSL_H` + - `HAVE_LDAP_INIT_FD` + - `HAVE_LIBDL` + - `HAVE_LIBNSL` + - `HAVE_LIBRESOLV*` + - `HAVE_LIBUCB` + - `HAVE_LL` + - `HAVE_LOCALTIME_R` + - `HAVE_MALLOC_H` + - `HAVE_MEMCPY` + - `HAVE_MEMORY_H` + - `HAVE_NETINET_IF_ETHER_H` + - `HAVE_NI_WITHSCOPEID` + - `HAVE_OPENSSL_CRYPTO_H` + - `HAVE_OPENSSL_ERR_H` + - `HAVE_OPENSSL_PEM_H` + - `HAVE_OPENSSL_PKCS12_H` + - `HAVE_OPENSSL_RAND_H` + - `HAVE_OPENSSL_RSA_H` + - `HAVE_OPENSSL_SSL_H` + - `HAVE_OPENSSL_X509_H` + - `HAVE_PEM_H` + - `HAVE_POLL` + - `HAVE_RAND_SCREEN` + - `HAVE_RAND_STATUS` + - `HAVE_RECVFROM` + - `HAVE_SETSOCKOPT` + - `HAVE_SETVBUF` + - `HAVE_SIZEOF_LONG_DOUBLE` + - `HAVE_SOCKIO_H` + - `HAVE_SOCK_OPTS` + - `HAVE_STDIO_H` + - `HAVE_STRCASESTR` + - `HAVE_STRFTIME` + - `HAVE_STRLCAT` + - `HAVE_STRNCMPI` + - `HAVE_STRNICMP` + - `HAVE_STRSTR` + - `HAVE_STRUCT_IN6_ADDR` + - `HAVE_TLD_H` + - `HAVE_TLD_STRERROR` + - `HAVE_UNAME` + - `HAVE_USLEEP` + - `HAVE_WINBER_H` + - `HAVE_WRITEV` + - `HAVE_X509_H` + - `LT_OBJDIR` + - `NEED_BASENAME_PROTO` + - `NOT_NEED_LIBNSL` + - `OPENSSL_NO_KRB5` + - `RECVFROM_TYPE*` + - `SIZEOF_LONG_DOUBLE` + - `STRERROR_R_TYPE_ARG3` + - `USE_YASSLEMUL` + - `_USRDLL` (from CMake) [4] + + [1] Related parts in `m4/curl-functions.m4` and `configure.ac` might + also be deleted. + + [2] Related comment can possibly be deleted in + `packages/vms/generate_config_vms_h_curl.com`. 
+ + [3] There are more instances of this in autotools, but I did not dare to + touch those. Looked like it's used to detect socket support. + + [4] This is necessary for MFC (Microsoft Foundation Class) DLLs to + force linking MFC components statically to the DLL. `libcurl.dll` + does not use MFC, so we can delete this define. + Ref: https://docs.microsoft.com/cpp/build/regular-dlls-statically-linked-to-mfc + + Script that can help finding unused settings like above: + ```shell + + autoheader configure.ac # generate lib/curl_config.h.in + + { + grep -o -E 'set\([A-Z][A-Z0-9_]{3,}' CMake/Platforms/WindowsCache.cmake | sed -E 's|set\(||g' + grep -o -E -h '#define +[A-Z][A-Z0-9_]{3,}' lib/config-*.h | sed -E 's|#define +||g' + grep -o -E '#cmakedefine +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.cmake | sed -E 's|#cmakedefine +||g' + grep -o -E '#undef +[A-Z][A-Z0-9_]{3,}' lib/curl_config.h.in | sed -E 's|#undef +||g' + } | sort -u | grep -v -F 'HEADER_CURL_' | while read -r def; do + c="$(git grep -w -F "${def}" | grep -v -E -c '(/libcurl\.tmpl|^lib/config-|^lib/curl_config\.h\.cmake|^CMakeLists\.txt|^CMake/Platforms/WindowsCache\.cmake|^packages/vms/config_h\.com|^m4/curl-functions\.m4|^acinclude\.m4|^configure\.ac)')" + if [ "${c}" = '0' ]; then + echo "${def}" + fi + done + ``` + + Reviewed-by: Daniel Stenberg + Closes #9044 + +Daniel Stenberg (19 Jul 2022) +- RELEASE-NOTES: synced + +- cookie: treat a blank domain in Set-Cookie: as non-existing + + This matches what RFC 6265 section 5.2.3 says. + + Extended test 31 to verify. + + Fixes #9164 + Reported-by: Gwen Shapira + Closes #9177 + +- [Patrick Monnerat brought this change] + + base64: base64url encoding has no padding + + See RFC4648 section 5 and RFC7540 section 3.2.1. + + Suppress generation of '=' padding of base64url encoding. This is + accomplished by considering the string beginning at offset 64 in the + character table as the padding: this is "=" for base64, "" for base64url. 
+ + Also use strchr() to replace character search loops where possible. + + Suppress erroneous comments about empty encoding results. + + Adjust unit test 1302 to unpadded base64url encoding and add tests for + empty results. + + Closes #9139 + +- easyoptions: fix icc warning + + easyoptions.c(360): error #188: enumerated type mixed with another type + + Ref: #9156 + Reported-by: Matthew Thompson + Closes #9176 + +- [lwthiker brought this change] + + h2h3: fix overriding the 'TE: Trailers' header + + A 'TE: Trailers' header is explicitly replaced by 'te: trailers' + (lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or + HTTP/3 headers. However, this is then replaced again by the original + value due to a bug, resulting in the uppercased version being sent. Some + HTTP/2 servers reject the whole HTTP/2 stream when this is the case. + + Closes #9170 + +- lib3026: reduce the number of threads to 100 + + Down from 1000, to make it run and work in more systems. + + Fixes #9172 + Reported-by: Érico Nogueira Rolim + Closes #9173 + +- doh: move doh related struct definitions to doh.h + + and make 'dnstype' in 'struct dnsprobe' use the DNStype to fix the icc compiler warning: + + doh.c(924): error #188: enumerated type mixed with another type + + Reported-by: Matthew Thompson + Ref #9156 + Closes #9174 + +Viktor Szakats (17 Jul 2022) +- Makefile.m32: stop trying to build libcares.a [ci skip] + + Before this patch, `lib/Makefile.m32` had a rule to build `libcares.a` in + `-cares`-enabled builds, via c-ares's own `Makefile.m32`. Committed in + 2007 [1]. The commit message doesn't specifically address this particular + change. This logic comes from the times when c-ares was part of the curl + source tree, hence the special treatment. + + This feature creates problems when building c-ares first, using CMake + and pointing `LIBCARES_PATH` to its install prefix, where `Makefile.m32` + is missing in such case. 
A sub-build for c-ares is undesired also when + c-ares had already been build via its own `Makefile.m32`. + + To avoid the sub-build, this patch deletes its Makefile rule. After this + patch `libcares.a` needs to be manually built before using it in + `Makefile.m32`. Aligning it with the rest of dependencies. + + [1] 46c92c0b806da041d7a5c6fb64dbcdc474d99b31 + + Reviewed-by: Daniel Stenberg + Closes #9169 + +Daniel Stenberg (17 Jul 2022) +- curl: writeout: fix repeated header outputs + + The function stored a terminating zero into the buffer for convenience, + but when on repeated calls that would cause problems. Starting now, the + passed in buffer is not modified. + + Reported-by: highmtworks on github + Fixes #9150 + Closes #9152 + +- curl_multi_timeout.3: clarify usage + + Fixes #9155 + Closes #9157 + Reported-by: jvvprasad78 on github + +- mprintf: make dprintf_formatf never return negative + + This function no longer returns a negative value if the formatting + string is bad since the return value would sometimes be propagated as a + return code from the mprintf* functions and they are documented to + return the length of the output. Which cannot be negative. + + Fixes #9149 + Closes #9151 + Reported-by: yiyuaner on github + +Viktor Szakats (17 Jul 2022) +- trace: 0x7F character is non-printable + + `0x7F` is `DEL`, a non-printable symbol, so print it as + `UNPRINTABLE_CHAR`. + + Reported-by: MasterInQuestion on github + Fixes #9162 + Closes #9166 + +- doh: use https protocol by default + + The only allowed protocol is https, so it makes sense to use that + by default if not passed explicitly by the user. + + Reported-by: MasterInQuestion on github + Reviewed-by: Jay Satiro + Fixes #9163 + Closes #9165 + +- openssl: fix BoringSSL symbol conflicts with LDAP and Schannel + + Same issue as here [1], but this time when building curl with BoringSSL + for Windows with LDAP(S) or Schannel support enabled. + + Apply the same fix [2] for these source files as well. 
+ + This can also be fixed by moving `#include "urldata.h"` _before_ + including `winldap.h` and `schnlsp.h` respectively. This seems like + a cleaner fix, though I'm not sure why it works and if it has any + downside. + + [1] https://github.com/curl/curl/issues/5669 + [2] https://github.com/curl/curl/commit/fbe07c6829ba8c5793c84c2856526e19e9029ab9 + + Co-authored-by: Jay Satiro + Closes #9110 + +Daniel Stenberg (13 Jul 2022) +- asyn-thread: make getaddrinfo_complete return CURLcode + + ... as the only caller that cares about what it returns assumes that + anyway. This caused icc to warn: + + asyn-thread.c(505): error #188: enumerated type mixed with another type + result = getaddrinfo_complete(data); + + Repoorted-by: Matthew Thompson + Bug: https://github.com/curl/curl/issues/9081#issuecomment-1182143076 + Closes #9146 + +- easy_lock: fix build with icc + + The Intel compiler tries to look like GCC *and* clang *and* it lies in + its __has_builtin() function (returns true when it should return false), + so override it. + + Reported-by: Matthew Thompson + Fixes #9081 + Closes #9144 + +- configure: fix --disable-headers-api + + Reported-by: Michał Antoniak + Fixes #9134 + Closes #9143 + +- test3026: require 'threadsafe' + + Reported-by: Sukanya Hanumanthu + Fixes #9141 + Closes #9142 + +- [Even Rouault brought this change] + + CMake: link curl to its dependencies with PRIVATE + + The current PUBLIC visibility causes issues for downstream users. 
+ Cf https://github.com/OSGeo/PROJ/pull/3172#issuecomment-1157942986 + + Reviewed-by: Jakub Zakrzewski + Closes #9125 + +- [Even Rouault brought this change] + + CMake: remove APPEND in export(TARGETS) + + When running cmake several times, new content was appended to already + existing generated files, which is not appropriate + + Reviewed-by: Jakub Zakrzewski + Closes #9124 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks + + Closes #9135 + +- RELEASE-NOTES: synced + +Viktor Szakats (11 Jul 2022) +- build: improve OS string in CMake and `config-win32.h` + + This patch makes CMake fill the "OS string" with the value of + `CMAKE_C_COMPILER_TARGET`, if passed. This typically contains a triplet, + the same we can pass to `./configure` via `--host=`. + + For non-CMake, non-autotools, Windows builds, this patch adds the ability + to override the default `OS` value in `lib/config-win32.h`. + + With these its possible to get the same OS string across the three build + systems. + + This patch supersedes the earlier, partial, CMake-only solution: + 435f395f3f8c11eebfcc243ca55ebcc11a19b8b8, thus retiring the + `CURL_OS_SUFFIX` CMake option. + + Reviewed-by: Jay Satiro + Closes #9117 + +- Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] + + They allow to override the hardcoded values for the `windres` and `strip` + tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables. + + `CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and + `CURL_CC=clang` set on current latest debian:unstable or earlier, where + `llvm-windres` is missing, and a `CURL_RC=-windres` fixes it. + Hopefully this will be fixed in the llvm package. FWIW `llvm-windres` + does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw. 
+ + Reviewed-by: Daniel Stenberg + Closes #9132 + +Daniel Stenberg (10 Jul 2022) +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: fix stall or busy loop on STOP_SENDING with upload data + + Fixes #9122 + Closes #9123 + +- [Xiaoke Wang brought this change] + + tool_operate: better cleanup of easy handle in exit path + + Closes #9114 + +- [Xiaoke Wang brought this change] + + getinfo: return better error on NULL as first argument + + Closes #9114 + +- tool_getparam: repair cleanarg + + Regression since 9e5669f. + + Make sure the "cleaning" of command line arguments is done on the + original argv[] pointers. As a bonus, it also exits better on out of + memory error. + + Reported-by: Litter White + Fixes #9128 + Closes #9130 + +Jay Satiro (10 Jul 2022) +- docs: explain curl_easy_escape/unescape curl handle is ignored + + 26101421 (precedes 7.82.0) removed character conversion support used by + very old legacy operating systems and since then the curl handle passed + to curl_easy_escape/unescape is always ignored. + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + + Closes https://github.com/curl/curl/pull/9121 + +Viktor Szakats (8 Jul 2022) +- openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL + + BoringSSL doesn't keep a version number, and doesn't self-identify itself + via any other revision number via its own headers. We can identify + BoringSSL revisions by their commit hash. This hash is typically known by + the builder. This patch adds a way to pass this hash to libcurl, so that + it can display in the curl version string: + + For example: + + `CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"` + + ``` + curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...] + Release-Date: 2022-06-27 + Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...] + Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...] 
+ ``` + + The setting is optional, and if not passed, BoringSSL will appear without + a version number, like before this patch. + + Closes #9113 + +Jay Satiro (8 Jul 2022) +- escape: remove outdated comment + + Bug: https://github.com/curl/curl/discussions/9115 + Reported-by: Ted Lyngmo + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Fix missing initialization of nghttp3_nv.flags + + Closes https://github.com/curl/curl/pull/9118 + +Daniel Stenberg (6 Jul 2022) +- [Brad Forschinger brought this change] + + netrc.d: remove spurious quote + + Closes #9111 + +Viktor Szakats (6 Jul 2022) +- Makefile.m32: add `NGTCP2_LIBS` option [ci skip] + + Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL. + Add `NGTCP2_LIBS` envvar to override them with a custom list, + making it possible to use BoringSSL, or any other backend. + + Closes #9109 + +Jay Satiro (6 Jul 2022) +- [Evgeny Grin (Karlson2k) brought this change] + + digest: fix missing increment of 'nc' value for auth-int + + - Increment nc regardless of qop type. + + Prior to this change nc was only incremented for qop type auth even + though libcurl sends nc with any qop. + + Closes https://github.com/curl/curl/pull/9090 + +Daniel Stenberg (5 Jul 2022) +- RELEASE-NOTES: synced + + Bumped to 7.85.0 + +- urldata: reduce size of four ftp related members + + ftp_filemethod, ftpsslauth and ftp_ccc are now uchars + + accepttimeout is now unsigned int - almost 50 days ought to be enough + for this value. + + Closes #9106 + +- urldata: reduce three type-members from int to uchar + + - timecondition + - proxytype + - method + + ... previously used their enum type in the struct, which made them + unnecesarily large. + + Closes #9105 + +- CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name + + Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the + other way around. 
+ + Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias + but since the option is for more protocols than FTP the more "correct" + version of the option is the "server" one so now we switch. + + Closes #9104 + +- urldata: make 'ftp_create_missing_dirs' a uchar + + It only ever holds the values 0-2. + + Closes #9103 + +- [Don J Olmstead brought this change] + + cmake: support ngtcp2 boringssl backend + + Update the ngtcp2 find module to detect the boringssl backend. Determine + if the underlying OpenSSL implementation is BoringSSL and if so use that + as the ngtcp2 backend. + + Reviewed-by: Jakub Zakrzewski + Closes #9065 + +- urldata: change 4 timeouts to unsigned int from long + + They're not used for that long times anyway, 32 bit milliseconds is long + enough. + + Closes #9101 + +- urldata: make 'use_netrc' a uchar + + Closes #9102 + +- urldata: make 'buffer_size' an unsigned int + + It is already capped at READBUFFER_MAX which fits easily in 32 bits. + + Closes #9098 + +- urldata: remove the unused 'rtspversion' struct member + + Closes #9100 + +- urldata: make 'use_port' an usigned short + + ... instead of a long. It is already enforced to not attempt to set any + value outside of 16 bits unsigned. + + Closes #9099 + +- urldata: store dns cache timeout in an int + + 68 years ought to be enough for most. + + Closes #9097 + +- curl: proto2num: make sure obuf is inited + + Detected by Coverity. CID 1507052. + + Closes #9096 + +- cookie: use %zu to infof() for size_t values + + Detected by Coverity. 
CID 1507051 + Closes #9095 + +Viktor Szakats (4 Jul 2022) +- makefile.m32: add support for custom ARCH [ci skip] + + When building curl for target platform other than x64 and x86, it is now + possible to pass `ARCH=custom`, that will omit all hardcoded logic for + setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be + customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly + added one for the resource compiler: `CURL_RCFLAG_EXTRAS`. + + This makes it possible to use `makefile.m32` to build for ARM64 for + example. + + Reviewed-by: Daniel Stenberg + Closes #9092 + +- cmake: do not force Windows target versions + + The goal of this patch is to avoid CMake forcing specific Windows + versions and rely on toolchain defaults or manual selection instead. + This gives back control to the user. This also brings CMake closer to + how autotools and `Makefile.m32` behaves in this regard. + + - CMake had a setting `ENABLE_INET_PTON` defaulting to `ON`, which did + nothing else than fixing the Windows build target to Vista. This also + happened when the toolchain did not have Vista support (e.g. original + MinGW), breaking such builds. + + In other environments it did not make a user-facing difference, + because libcurl has its own pton() implementation, so it works well + with or without Vista's inet_pton(). + + This patch drops this setting. inet_pton() is now used whenever + building for Vista or newer, either when requested manually or by + default with modern toolchains (e.g. mingw-w64). Older envs will fall + back to curl's pton(). + + Ref: https://github.com/curl/curl/pull/9027#issuecomment-1164157604 + Ref: https://github.com/curl/curl/pull/8997#issuecomment-1164344155 + + - When the user did no select a Windows target version manually, stop + explicitly targeting Windows XP, and instead use the toolchain default. + + This may pose an issue with old toolchains defaulting to pre-XP + targets. 
In such case you must manually target Windows XP via: + `-DCURL_TARGET_WINDOWS_VERSION=0x0501` + or + `-DCMAKE_C_FLAGS=-D_WIN32_WINNT=0x0501` + + Reviewed-by: Jay Satiro + Reviewed-by: Marcel Raad + Closes #9046 + +- windows: improve random source + + - Use the Windows API to seed the fallback random generator. + + This ensures to always have a random seed, even when libcurl is built + with a vtls backend lacking a random generator API, such as rustls + (experimental), GSKit and certain mbedTLS builds, or, when libcurl is + built without a TLS backend. We reuse the Windows-specific random + function from the Schannel backend. + + - Implement support for `BCryptGenRandom()` [1] on Windows, as a + replacement for the deprecated `CryptGenRandom()` [2] function. + + It is used as the secure random generator for Schannel, and also to + provide entropy for libcurl's fallback random generator. The new + function is supported on Vista and newer via its `bcrypt.dll`. It is + used automatically when building for supported versions. It also works + in UWP apps (the old function did not). + + - Clear entropy buffer before calling the Windows random generator. + + This avoids using arbitrary application memory as entropy (with + `CryptGenRandom()`) and makes sure to return in a predictable state + when an API call fails. + + [1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom + [2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom + + Closes #9027 + +Daniel Stenberg (4 Jul 2022) +- setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR + + ... as replacements for deprecated CURLOPT_PROTOCOLS and + CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the + 32 bit limit the old ones are facing. + + CURLINFO_PROTCOOL is now deprecated. + + The curl tool is updated to use the new options. - docs: updates spellings with full words + Added test 1597 to verify the libcurl protocol parser. 
- Closes #8730 + Closes #8992 -- tests/FILEFORMAT.md: spellfix +- digest: simplify a switch() to a simple if -Daniel Gustafsson (21 Apr 2022) -- misc: fix typos +- digest: provide a special bit for "sess" algos - Fix a few random typos is comments and workflow names. + Also shortened the names and moved them to the .c file since they are + private for this source file only. Also made them #defines instead of + enum. -- macos: fix .plist installation into framework + Closes #9079 - The copy command introduced in e498a9b1f had leftover '>' from the - previous sed command it replaced, which broke its syntax. Fix by - removing. +Jay Satiro (4 Jul 2022) +- [Thomas Weißschuh brought this change] - Reported-by: Emanuele Torre + select: do not return fatal error on EINTR from poll() -Daniel Stenberg (21 Apr 2022) -- [Christopher Degawa brought this change] + The same was done for select() in 5912da25 but poll() was missed. - Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved + Bug: https://bugs.archlinux.org/task/75201 + Reported-by: Alexandre Bury (gyscos at archlinux) - The script was moved in 8e22fc68e7dda43e9f but the lines that called it - was not changed to reflect it's new position + Ref: https://github.com/curl/curl/issues/8921 + Ref: https://github.com/curl/curl/pull/8961 + Ref: https://github.com/curl/curl/commit/5912da25#r77584294 - 
Signed-off-by: Christopher Degawa + Closes https://github.com/curl/curl/pull/9091 - Closes #8728 +- [Kai Pastor brought this change] -Daniel Gustafsson (20 Apr 2022) -- macos: set .plist version in autoconf + cmake: fix build for mingw cross compile - Set the libcurl version in libcurl.plist like how libcurl.vers is - created. + - Change normaliz lib name to all lowercase. - Closes: #8692 - Reviewed-by: Daniel Stenberg - Reviewed-by: Nick Zitzmann + This is from a standing patch in vcpkg: + Mingw has libnormaliz.a. For case-sensitive file systems (e.g. cross + builds from Linux), the spelling must match exactly. -- cookies: Improve errorhandling for reading cookiefile + Closes https://github.com/curl/curl/pull/9084 - The existing programming had some issues with errorhandling for reading - the cookie file. If the file failed to open, we would silently ignore it - and continue as if there was no file (or stdin) passed. In this case, we - would also call fclose() on the NULL FILE pointer, which is undefined - behavior. Fix by ensuring that the FILE pointer is set before calling - fclose on it, and issue a warning in case the file cannot be opened. - Erroring out on nonexisting file would break backwards compatibility of - very old behavior so we can't really go there. +- easy_lock: fix build for mingw - Closes: #8699 - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + - Define SRWLOCK symbols missing in some mingw environments. 
-Daniel Stenberg (20 Apr 2022) -- libcurl-tutorial.3: spellfix and minor polish + Closes https://github.com/curl/curl/pull/8997 -- CURLINFO_PRIMARY_PORT.3: spellfix +Daniel Stenberg (2 Jul 2022) +- tool_progress: avoid division by zero in parallel progress meter - Reported-by: Patrick Monnerat + Reported-by: Brian Carpenter + Fixes #9082 + Closes #9083 -- [Jay Dommaschk brought this change] +- http_aws_sigv4.c: remove two unusued includes - libssh: fix double close + Closes #9080 - libssh closes the socket in ssh_diconnect() so make sure that libcurl - does not also close it. +- .mailmap: additional edit - Fixes #8708 - Closes #8718 + Follow-up to 861e2a8aca6c7 so that Evgeny appears with the same in git + logs even when using old email. -Jay Satiro (20 Apr 2022) -- [Gisle Vanem brought this change] +- RELEASE-NOTES: synced + + bumped to 7.84.1 + +- [Evgeny Grin (Karlson2k) brought this change] + + .mailmap: updated + +- [Evgeny Grin (Karlson2k) brought this change] + + THANKS: merged two entries for Evgeny Grin + + Also updated THANKS-filter file + + Closes #9076 + +- [Jilayne Lovejoy brought this change] + + lib/curl_path.c: add ISC to license expression + + THe text of the ISC license is in this file, so the SPDX license + expression should be updated + + Closes #9073 + +- [Sean McArthur brought this change] + + hyper: use wakers for curl pause/resume + + Closes #9070 + +Viktor Szakats (30 Jun 2022) +- Makefile.m32: do not set the libcurl.rc debug flag [ci skip] + + Delete `-DDEBUGBUILD=0` windres option. This was likely meant to + disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled + it instead. Delete this unnecessary option and thus sync up with + how CMake compiles libcurl.rc by default. + + Reviewed-by: Jay Satiro + Closes #9069 + +Daniel Stenberg (29 Jun 2022) +- curl.h: CURLE_CONV_FAILED is obsoleted + + The last use was removed in 7.82.0. Updated some docs too to reflect the + current error code situation. 
+ + Closes #9067 + +- curl: output warning when a cookie is dropped due to size + + Dropped from the request, that is. + + Closes #9064 + +- curl_mime_data.3: polish the wording + + Closes #9063 + +- configure: check for the stdatomic.h header in configure + + ... and only set HAVE_ATOMIC if that header exists since we use + typedefes set in it. + + Reported-by: Ryan Schmidt + Fixes #9059 + Closes #9060 + +- easy_lock: fix the #ifdef conditional for ia32_pause + + To work better with new and old clang compilers. + + Reported-by: Ryan Schmidt + Assisted-by: Joshua Root + + Fixes #9058 + Closes #9062 + +- easy_lock: switch to using atomic_int instead of bool + + To work with more compilers without requiring separate libs to + link. Like with gcc-12 for RISC-V on Linux. + + Reported-by: Adam Sampson + Fixes #9055 + Closes #9061 + +- [vvb2060 brought this change] + + ngtcp2: fix incompatible function pointer types + + Closes #9056 + +- [vvb2060 brought this change] + + easy_lock.h: use __asm__ instead of asm to fix build + + Closes #9056 + +- [Samuel Henrique brought this change] + + libcurl-security.3: fix typo on macro "SH_" + + During the packaging of the latest curl release for Debian, Lintian + warned me about a typo which causes the section name "Secrets in memory" + to not be rendered in the manpage due to "SH_" not being recognized as a + header. 
+ + Closes #9057 + +- easy_lock.h: include sched.h if available to fix build + + Patched-by: Harry Sintonen + + Closes #9054 + +Version 7.84.0 (27 Jun 2022) + +Daniel Stenberg (27 Jun 2022) +- RELEASE-NOTES: synced + + Version 7.84.0 release + +- THANKS: contributors from 7.84.0 release notes + +- hsts: use Curl_fopen() + +- altsvc: use Curl_fopen() + +- fopen: add Curl_fopen() for better overwriting of files + + Bug: https://curl.se/docs/CVE-2022-32207.html + CVE-2022-32207 + Reported-by: Harry Sintonen + Closes #9050 + +- test444: test many received Set-Cookie: + + The amount of sent cookies in the test is limited to 80 because hyper + has its own strict limits in how many headers it allows to be received + which triggers at some point beyond this number. + +- test442/443: test cookie caps + + 442 - verify that only 150 cookies are sent + 443 - verify that the cookie: header remains less than 8K in size + +- cookie: apply limits + + - Send no more than 150 cookies per request + - Cap the max length used for a cookie: header to 8K + - Cap the max number of received Set-Cookie: headers to 50 + + Bug: https://curl.se/docs/CVE-2022-32205.html + CVE-2022-32205 + Reported-by: Harry Sintonen + Closes #9048 + +- test387: verify rejection of compression chain attack + +- content_encoding: return error on too many compression steps + + The max allowed steps is arbitrarily set to 5. + + Bug: https://curl.se/docs/CVE-2022-32206.html + CVE-2022-32206 + Reported-by: Harry Sintonen + Closes #9049 - unit1620: call global_init before calling Curl_open +- krb5: return error properly on decode errors - Curl_open calls the resolver init and on Windows if the resolver backend - is c-ares then the Windows sockets library (winsock) must already have - been initialized (via global init). 
+ Bug: https://curl.se/docs/CVE-2022-32208.html + CVE-2022-32208 + Reported-by: Harry Sintonen + Closes #9051 - Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800 +- easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro - Closes https://github.com/curl/curl/pull/8719 + clang 14 warns about its use. It is being deprecated by the working + group for the programming language C: "The macro ATOMIC_VAR_INIT is + basically useless for the purpose for which it was designed" -Daniel Stenberg (19 Apr 2022) -- CURLINFO_PRIMARY_PORT.3: clarify which port this is + Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm - As it was not entirely clear previously. + Reported-by: Tatsuhiro Tsujikawa + Fixes #9041 + Closes #9042 - Closes #8725 +- [Stefan Eissing brought this change] -- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation + ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() - Include details about Authentication headers. + Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control + buffer is provided in sengmsg(), even though msg_controllen was set to + 0. - Reported-by: Brad Spencer - Fixes #8724 - Closes #8726 + Initialize msg.msg_controllen just as needed and also perform the size + assertion only when needed. -- .github/workflows/macos.yml: add a libssh job with c-ares + Closes #9039 - ... to enable the memdebug system +- [Tom Eccles brought this change] - Closes #8720 + ftp: restore protocol state after http proxy CONNECT -- RELEASE-NOTES: synced + connect_init() (lib/http_proxy.c) swaps out the protocol state while + working on the proxy connection, this is then restored by + Curl_connect_done() after the connection completes. -Jay Satiro (17 Apr 2022) -- [Gisle Vanem brought this change] + ftp_do_more() extracted the protocol state pointer to a local variable + at the start of the function then calls Curl_proxy_connect(). 
If the proxy + connection completes, Curl_proxy_connect() will call Curl_connect_done() + (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp + protocol state instead of the http proxy protocol state, but the local + variable in ftp_do_more still pointed to the old value. - docs/HTTP3.md: fix typo + Ultimately this meant that the state worked on by ftp_do_more() was the + http proxy state not the ftp state initialised by ftp_connect(), but + subsequent calls to any ftp_ function would use the original state. - also fix msh3 section formatting + For my use-case, the visible consequence was that ftp->downloadsize was + never set and so downloaded data was never returned to the application. - Ref: https://github.com/curl/curl/commit/37492ebb#r70980087 + This commit updates the ftp protocol state pointer in ftp_do_more() after + Curl_proxy_connect() returns, ensuring that the correct state pointer is + used. -Marc Hoersken (17 Apr 2022) -- timediff.[ch]: add curlx helper functions for timeval conversions + Fixes #8737 + Closes #9043 - Also move timediff_t definitions from timeval.h to timediff.h and - then make timeval.h include the new standalone-capable timediff.h. +Jay Satiro (23 Jun 2022) +- THANKS: add contributor missing from aea8ac1 - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg + aea8ac1 fixed #8980 which was reported by Sgharat on github, but that + info was not included in the commit message. - Supersedes #5888 - Closes #8595 +- curl_setup: include _mingw.h -Daniel Stenberg (17 Apr 2022) -- [Balakrishnan Balasubramanian brought this change] + Prior to this change _mingw.h needed to be included in each unit before + evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It + is included only in some mingw headers (eg stdio.h) and not others + (eg windows.h) so it's better to explicitly include it once. 
- tests: refactor server/socksd.c to support --unix-socket + Closes https://github.com/curl/curl/pull/9036 - Closes #8687 +Viktor Szakats (22 Jun 2022) +- rand: stop detecting /dev/urandom in cross-builds -- [Emanuele Torre brought this change] + - Prevent CMake to auto-detect /dev/urandom when cross-building. + Before this patch, it would detect it in a cross-build scenario on *nix + hosts with this device present. This was a problem for example with + Windows builds, but it could affect any target system with this device + missing. This also syncs detection behaviour with autotools, which also + skips it for cross-builds. + - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's + fallback random number generator on Windows. Windows does not have the + concept of reading a random stream from a filename, nor any guaranteed + non-world-writable path on disk. With this, a manual misconfiguration or + an overeager auto-detection can no longer result in a user-controllable + seed source. - tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) + Reviewed-by: Daniel Stenberg + Closes #9038 - This loop was using the number of bytes read from the file as condition - to keep reading. +Daniel Stenberg (22 Jun 2022) +- [Emanuele Torre brought this change] - From Linux's fread(3) man page: - > On success, fread() and fwrite() return the number of items read or - > written. This number equals the number of bytes transferred only when - > size is 1. If an error occurs, or the end of the file is reached, the - > return value is a short item count (or zero). - > - > The file position indicator for the stream is advanced by the number - > of bytes successfully read or written. - > - > fread() does not distinguish between end-of-file and error, and - > callers must use feof(3) and ferror(3) to determine which occurred. 
+ ci: avoid `cmake -Hpath` - This means that nread!=0 doesn't make much sense as an end condition for - the loop: nread==0 doesn't necessarily mean that EOF has been reached or - an error has occured (but that is usually the case) and nread!=0 doesn't - necessarily mean that EOF has not been reached or that no read errors - have occured. feof(3) and ferror(3) should be uses when using fread(3). + This is an undocumented option similar to the `-Spath' option introduced + in cmake 3.13. + Replace all instances of `-Hpath' with `-Spath' in macos workflow. + Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul + scripts since it runs an older version of cmake. - Currently curl has to performs an extra fread(3) call to get a return - value equal to 0 to stop looping. + Fixes #9008 + Closes #9014 - This usually "works" (even though nread==0 shouldn't be interpreted as - EOF) if stdin is a pipe because EOF usually marks the "real" end of the - stream, so the extra fread(3) call will return immediately and the extra - read syscall won't be noticeable: +- INTERNALS: bring back the "Library symbols" section - bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 | - > tail -n 5 - read(0, "a\n", 4096) = 2 - read(0, "", 4096) = 0 - read(0, "", 4096) = 0 - http://0x0.st/oRs.txt - +++ exited with 0 +++ - bash-5.1$ + Most contents was moved, but this text should remain here. - But this doesn't work if curl is reading from stdin, stdin is a - terminal, and the EOF is being emulated using a shell with ^D. 
Two - consecutive ^D will be required in this case to actually make curl stop - reading: + Follow-up to: d324ac8 + Reported-by: Viktor Szakats + Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 + Closes #9037 - bash-5.1$ curl -F file=@- 0x0.st - a - ^D^D - http://0x0.st/oRs.txt - bash-5.1$ +Viktor Szakats (22 Jun 2022) +- Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] - A possible workaround to this issue is to use a program that handles EOF - correctly to indirectly send data to curl's stdin: + Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows + XP when the `-ipv6` option is selected. Maybe this was added to support + pre-XP Windows versions (?). These days libcurl builds fine for both XP + and post-XP versions with IPv6 support enabled. The relevance of pre-XP + version is also low by now. Other build methods also do not impose such + limitation for a similar configuration. So, drop this hard-wired + `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default + Windows version set by the compiler. This is Vista for recent MinGW + versions. - bash-5.1$ cat - | curl -F file=@- 0x0.st - a - ^D - http://0x0.st/oRs.txt - bash-5.1$ + Old behaviour can be restored by setting this envvar: + export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 - This patch makes curl handle EOF properly when using fread(3) in - file2memory() so that the workaround is not necessary. + [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 - Since curl was previously ignoring read errors caused by this fread(3), - ferror(3) is also used in the condition of the loop: read errors and EOF - will have the same meaning; this is done to somewhat preserve the old - behaviour instead of making the command fail when a read error occurs. 
+ Closes #9035 - Closes #8701 +Daniel Stenberg (21 Jun 2022) +- CONTRIBUTE: mention how we maintain REUSE compliance -- gen.pl: change wording for mutexed options + for copyright and license information of all files stored in git - Instead of saying "This option overrides NNN", now say "This option is - mutually exclusive to NNN" in the generated man page ouput, as the - option does not in all cases actually override the others but they are - always mutually exclusive. + Closes #9032 - Ref: #8704 - Closes #8716 +- CURLOPT_ALTSVC.3: document the file format -- curl: error out if -T and -d are used for the same URL + Closes #9033 - As one implies PUT and the other POST, both cannot be used - simultaneously. +Jay Satiro (21 Jun 2022) +- runtests: add "threadsafe" to detected features - Add test 378 to verify. + Follow-up to recent commits which added thread-safety support. - Reported-by: Boris Verkhovskiy - Fixes #8704 - Closes #8715 + Bug: https://github.com/curl/curl/pull/9012#discussion_r902018782 + Reported-by: Marc Hörsken -- lib: remove exclamation marks + Closes https://github.com/curl/curl/pull/9030 - ... from infof() and failf() calls. Make them less attention seeking. +Daniel Stenberg (20 Jun 2022) +- easy: remove dead code - Closes #8713 + Follow-up from 5912da253b64d -- fail.d: tweak the description + Detected by Coverity (CID 1506519) - Reviewed-by: Daniel Gustafsson - Suggested-by: Robert Charles Muir - Ref: https://twitter.com/rcmuir/status/1514915401574010887 + Closes #9029 - Closes #8714 +- [Glenn Strauss brought this change] -Daniel Gustafsson (15 Apr 2022) -- docs: Fix missing semicolon in example code + transfer: upload performance; avoid tiny send - Multiple share examples were missing a semicolon on the line defining - the CURLSHcode variable. + Append to the upload buffer when only small amount remains in buffer + rather than performing a separate tiny send to empty buffer. 
- Closes: #8697 - Reported-by: Michael Kaufmann - Reviewed-by: Daniel Stenberg + Avoid degenerative upload behavior which might cause curl to send mostly + 1-byte DATA frames after exhausing the h2 send window size -- infof: consistent capitalization of warning messages + Related discussion: https://github.com/nghttp2/nghttp2/issues/1722 - Ensure that all infof calls with a warning message are capitalized - in the same way. At some point we should probably set up a style- - guide for infof but until then let's aim for a little consistenncy - where we can. + Signed-off-by: Glenn Strauss + Closes #8965 - Closes: #8711 - Reviewed-by: Daniel Stenberg +- [Steve Holme brought this change] -- RELEASE-NOTES: synced + projects: fix third-party SSL library build paths for Visual Studio -- [Matteo Baccan brought this change] + The paths used by the build batch files were inconsistent with those in + the Visual Studio project files. - perl: removed a double semicolon at end of line + Closes #8991 - Remove double semicolons at end of line in Perl code. +- [Pierrick Charron brought this change] - Closes: #8709 - Reviewed-by: Daniel Gustafsson + urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts -- curl_easy_header: fix typos in documentation + As per the documentation : - Closes: #8694 - Reviewed-by: Daniel Stenberg + > Setting a part to a NULL pointer will effectively remove that + > part's contents from the CURLU handle. -Marcel Raad (11 Apr 2022) -- appveyor: add Cygwin build + But currently clearing CURLUPART_URL does nothing and returns + CURLUE_OK. This change will clear all parts of the URL at once. - Closes https://github.com/curl/curl/pull/8693 + Closes #9028 -- appveyor: only add MSYS2 to PATH where required +- [Philip Heiduck brought this change] - Closes https://github.com/curl/curl/pull/8693 + CI: bump FreeBSD 13.0 to 13.1 -Daniel Stenberg (10 Apr 2022) -- [Tatsuhiro Tsujikawa brought this change] + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + Closes #8815 - ngtcp2: fix memory leak +- RELEASE-NOTES: synced - Closes #8691 + and updated release date in RELEASE-PROCEDURE.md -- [Tatsuhiro Tsujikawa brought this change] +- [divinity76 brought this change] - ngtcp2: remove remote_addr which is not used in a meaningful way + CURLOPT_HTTPHEADER.3: improve comment in example - Closes #8689 + Closes #9025 -- [Tatsuhiro Tsujikawa brought this change] +Marc Hoersken (16 Jun 2022) +- CI/azure: reduce flakiness by retrying install/prepare steps - ngtcp2: enlarge H3_SEND_SIZE + Closes #9010 - Make h3_SEND_SIZE larger because current value (20KiB) is too small - for the high latency environment. +- CI/cirrus: align Windows timeout with Azure CI at 120 minutes - Closes #8690 + Closes #9009 -- [Tatsuhiro Tsujikawa brought this change] +Jay Satiro (16 Jun 2022) +- vtls: make curl_global_sslset thread-safe - ngtcp2: fix HTTP/3 upload stall and avoid busy loop + .. and update some docs to explain curl_global_* is now thread-safe. - This commit fixes HTTP/3 upload stall if upload data is larger than - H3_SEND_SIZE. Only check writability of socket if a stream is - writable to avoid busy loop when QUIC flow control window is filled - up, or upload buffer is full. + Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. - Closes #8688 + Closes https://github.com/curl/curl/pull/9016 -- [Nick Banks brought this change] +- curl_easy_pause.3: remove explanation of progress function - msh3: add support for QUIC and HTTP/3 using msh3 + - Remove misleading text that says progress function "gets called at + least once per second, even if the connection is paused." - Considered experimental, as the other HTTP/3 backends. + The progress function behavior is more nuanced and the user is better + served reading the progress function doc rather than attempt to explain + it in the curl_easy_pause doc. 
- Closes #8517 + The progress function can only be called at least once per second if an + appropriate multi transfer function is called (eg curl_multi_perform) in + that time. For a paused transfer there may not be such a call. Rather + than explain this in detail in the curl_easy_pause doc, rely on the user + reading the CURLOPT_PROGRESSFUNCTION doc. -- TODO: "SFTP with SCP://" + Ref: https://github.com/curl/curl/issues/8983 -- GHA: move bearssl jobs over from zuul + Closes https://github.com/curl/curl/pull/9015 - Closes #8684 +Daniel Stenberg (15 Jun 2022) +- libssh: skip the fake-close when libssh does the right thing -- data/DISABLED: disable test 313 on bearssl builds + Starting in libssh 0.10.0 ssh_disconnect() will no longer close our + socket. Instead it will be kept alive as we want it, and it is our + responsibility to close it later. - Closes #8684 + Ref: #8718 + Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240 + Closes #9021 -- runtests: add 'bearssl' as testable feature +- configure: warn about rustls being experimental - Closes #8684 + Right now a dozen test cases are disabled because they don't work with + rustls. -- GHA: add openssl3 jobs moved over from zuul + Closes #9019 - Closes #8683 +- runtests: skip starting the ssh server if user name is lacking -- schannel: remove dead code that will never run + Because the ssh server startup script *requires* a user name there's no + point in invoking it if no name was found. - As the condition can't ever evaluate true + Reported-by: Ricardo M. Correia + Ref: #9007 + Closes #9013 - Reported-by: Andrey Alifanov - Ref: #8675 - Closes #8677 +- copyright.pl: parse and use .reuse/dep5 for skips -- connecache: remove duplicate connc->closure_handle check + Also scan skipped files to be able to find superfluous ignores, shown with -v. - The superfluous extra check could cause analyzer false positives - and doesn't serve any purpose. 
+ Closes #9006 - Closes #8676 +- reuse/dep5: adjusted to parse better -- [Michał Antoniak brought this change] + ... adjusted a few files to contain copyright and license info. - mbedtls: remove server_fd from backend + Closes #9006 - Closes #8682 +- buildconf.bat: update copyright year range -- [Tatsuhiro Tsujikawa brought this change] + Closes #9006 - ngtcp2: use token when detecting :status header field +- README.md: use the common "Copyright" style formatting - Closes #8679 + Closes #9006 -- [Tatsuhiro Tsujikawa brought this change] +- reuse: move license info from .mailmap.license to .reuse/dep5 - ngtcp2: make curl 1ms faster + Closes #9006 - Pass 0 for an already expired timer. +- README.md: add a REUSE badge - Closes #8678 + Closes #9004 -- [Tatsuhiro Tsujikawa brought this change] +- .reuse/dep5: remove recursive docs ignore, only skip markdown files - ngtcp2: fix QUIC_IDLE_TIMEOUT + ... and some additional non-markdown individual files in docs/ - QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is - nanoseconds resolution. + Closes #9005 - Closes #8678 +- docs/cmdline-opts: add copyright and license identifier to each file -- English: use American spelling consistently + gen.pl now insists on C: and SPDX-License-Identifier: fields to be + present in all files. - Authorization, Initialization, Organization etc. + Closes #9002 - Closes #8673 +- copyright: info for/ignore .github/ISSUE_TEMPLATE/bug_report.md -Daniel Gustafsson (5 Apr 2022) -- [Sascha Zengler brought this change] + Follow-up from 448f7ef9ab2afb7. The adding of the copyright text in that + file broke site functionality. 
- BUGS: Fix incorrect punctuation + Closes #9001 - Closes #8672 - Reviewed-by: Daniel Gustafsson +- bug_report.md: revert the REUSE template to see if it works again -Daniel Stenberg (4 Apr 2022) -- tool_listhelp.c: uppercase URL +Viktor Szakats (13 Jun 2022) +- version: rename threadsafe-init to threadsafe -- RELEASE-NOTES: synced + Referring to Daniel's article [1], making the init function thread-safe + was the last bit to make libcurl thread-safe as a whole. So the name of + the feature may as well be the more concise 'threadsafe', also telling + the story that libcurl is now fully thread-safe, not just its init + function. Chances are high that libcurl wants to remain so in the + future, so there is little likelihood of ever needing any other distinct + `threadsafe-` feature flags. -- http: streamclose "already downloaded" + For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to + `CURL_VERSION_THREADSAFE`, update its description and reference libcurl's + thread safety documentation. - Instead of connclose()ing, since when HTTP/2 is used it doesn't need to - close the connection as stopping the current transfer is enough. + [1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/ - Reported-by: Evangelos Foutras - Closes #8665 + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro + Closes #8989 -Jay Satiro (1 Apr 2022) -- ftp: fix error message for partial file upload +Daniel Stenberg (13 Jun 2022) +- test3026: disable on win32 - - Show the count of bytes written on partial file upload. + ... as it's not likely to have working pthreads - Prior to this change the error message mistakenly showed the count of - bytes read, not written. 
+ Closes #8996 - Bug: https://github.com/curl/curl/discussions/8637 - Reported-by: Taras Kushnir +- GHA: shorten the reuse CI job name - Closes https://github.com/curl/curl/pull/8649 + "REUSE compliance / check" should be good enough -Daniel Stenberg (1 Apr 2022) -- http: correct the header error message to say colon + Closes #9000 - Not semicolon +- misc: add missing SPDX-License-Identifier info - Reported-by: Gisle Vanem - Ref: #8666 - Closes #8667 + For some reason the REUSE CI job did not find these. -- lib: #ifdef on USE_HTTP2 better + Closes #8999 - ... as nghttp2 might not be the library that provides HTTP/2 support. +- copyright: verify SPDX-License-Identifier presence as well - Closes #8661 +- easy_lock: add SPDX license identifier -- [Michał Antoniak brought this change] + Closes #8998 - mbedtls: remove 'protocols' array from backend when ALPN is not used +- mailmap: Max Mehl - Closes #8663 +- [Max Mehl brought this change] -- http2: RST the stream if we stop it on our own will + git: ignore large commit making the curl REUSE compliant - For the "simulated 304" case the done-call isn't considered "premature" - but since the server didn't close the stream it needs to be reset to - stop delivering data. +- [Max Mehl brought this change] - Closes #8664 + copyright: make repository REUSE compliant -- http: close the stream (not connection) on time condition abort + Add licensing and copyright information for all files in this repository. This + either happens in the file itself as a comment header or in the file + `.reuse/dep5`. - Closes #8664 + This commit also adds a Github workflow to check pull requests and adapts + copyright.pl to the changes. 
-- http2: handle DONE called for the paused stream + Closes #8869 - As it could otherwise stall all streams on the connection +- curl_url_set.3: clarify by default using known schemes only - Reported-by: Evangelos Foutras - Fixes #8626 - Closes #8664 + Closes #8994 -- tls: make mbedtls and NSS check for h2, not nghttp2 +- scripts/copyright.pl: ignore leading spaces - This makes them able to also negotiate HTTP/2 even when built to use - hyper for h2. +Viktor Szakats (10 Jun 2022) +- ngtcp2: fix typo in preprocessor condition - Closes #8656 + Ref: 927ede7edcb7b05b8e8bbf9ced6aed523ae594a7 -- tests/libtest/lib670.c: fixup the copyright year range + Bug: https://github.com/curl/curl/pull/8981#discussion_r894312185 + Reported-by: Emil Engler + Closes #8987 - follow-up to b54e18640ea4b7 +Daniel Stenberg (10 Jun 2022) +- RELEASE-NOTES: synced -- [Leandro Coutinho brought this change] +- [Tatsuhiro Tsujikawa brought this change] - lib670: avoid double check result + ngtcp2: build without sendmsg - Closes #8660 + Closes #8981 -- vtls: use a generic "ALPN, server accepted" message +- [Tatsuhiro Tsujikawa brought this change] - Closes #8657 + ngtcp2: use handshake helper funcs to simplify TLS handshake integration -- vtls: use a backend standard message for "ALPN: offers %s" + Closes #8968 - I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the - infof() call also needs a string argument: the ALPN ID. +- test390: verify --parallel - Closes #8657 + Closes #8985 -- [Christian Schmitz brought this change] +- test1543: verify CURLINFO_EFFECTIVE_URL with CURLOPT_CURLU set - strcase.h: add comment about the return code + Triggered by a bug report from Adam Light: + https://curl.se/mail/lib-2022-06/0013.html - which ended up being mostly + a misunderstanding of how CURLINFO_EFFECTIVE_URL works. - Tool often we run into expecting this to work like strcmp, but it - returns 1 instead of 0 for match. 
+ Closes #8971 - Closes #8658 +- url: URL encode the path when extracted, if spaces were set -- vtls: provide a unified APLN-disagree string for all backends +- urlapi: support CURLU_URLENCODE for curl_url_get() - Also rephrase to make it sound less dangerous: +- server/sws: support spaces in the HTTP request path - "ALPN: server did not agree on a protocol. Uses default." +- tests/getpart: fix getpartattr to work with "data" and "data2" - Reported-by: Nick Coghlan - Fixes #8643 - Closes #8651 +- select: return error from "lethal" poll/select errors -- projects/README: converted to markdown + Adds two new error codes: CURLE_UNRECOVERABLE_POLL and + CURLM_UNRECOVERABLE_POLL one each for the easy and the multi interfaces. - Closes #8652 + Reported-by: Harry Sintonen + Fixes #8921 + Closes #8961 -- misc: spelling fixes +- test3026: add missing control file - Mostly in comments but also in the -w documentation for headers_json. + Follow-up from 2ed101256414ea5 - Closes #8647 + Makes the test run, makes 'make dist' work -- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read + This single test takes 24-25 seconds on my machine (with valgrind). For + this reason I tag it with a "slow" keyword. - "HTTP/3 does not support client certs" considered fixed, at least with - the ngtcp2 backend. + Closes #8976 - Closes #8523 +- runtests: fix skipping tests not done event-based -- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs + ... and call timestampskippedevents() to avoid the flood of + uninitialized variable warnings. - Also add to quote.d. Add to TODO as something to add in a future. 
+ Closes #8977 - Reported-by: anon00000000 on github - Closes #8602 - Closes #8648 +- transfer: maintain --path-as-is after redirects -- RELEASE-NOTES: synced + Reported-by: Marcus T + Fixes #8974 + Closes #8975 -- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood +- test391: verify --path-as-is with redirect - This leaves the CURLE_RECV_ERROR error code for explicit failure to - receive network data and allows users to better separate the problems. +Jay Satiro (8 Jun 2022) +- curl_global_init.3: Separate the Windows loader lock warning - Ref #8356 - Reported-by: Rianov Viacheslav - Closes #8506 + This is a slight correction of the parent commit which implied the + loader lock warning only applied if not thread-safe. In fact the loader + lock warning applies either way. -- docs: lots of minor language polish + Ref: https://github.com/curl/curl/pull/8972#discussion_r891987030 - Mostly based on recent language decisions from "everything curl": +Daniel Stenberg (8 Jun 2022) +- curl_global_init.3: this is now (usually) thread-safe - - remove contractions (isn't => is not) - - *an* HTTP (consistency) - - runtime (no hyphen) - - backend (no hyphen) - - URL is uppercase + Follow-up to 23af112f5556 - Closes #8646 + Closes #8972 -Jay Satiro (29 Mar 2022) -- projects: Update VC version names for VS2017, VS2022 +Jay Satiro (8 Jun 2022) +- [Haxatron brought this change] - - Rename VC15 -> VC14.10, VC17 -> VC14.30. + libcurl-security.3: Document CRLF header injection - The projects directory that holds the pre-generated Visual Studio - project files uses VC to indicate the MSVC version. At some point - support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC - 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17 - which uses MSVC 14.30) project files were recently added and followed - that same format using VC17. 
+ - Document that user input to header options is not sanitized, which + could result in CRLF used to modify the request in a way other than + what was intended. - There is no such MSVC version (yet) as VC15 or VC17. + Ref: https://hackerone.com/reports/1589877 + Ref: https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 - For VS 2017 for example, the name we use is correct as either VS17, - VS2017, VC14.10. I opted for the latter since we use VC for earlier - versions (eg VC10, VC12, etc). + Closes https://github.com/curl/curl/pull/8964 - Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192 +- CURLOPT_RANGE.3: remove ranged upload advice - Closes https://github.com/curl/curl/pull/8447 + The e-mail link in the advice contains instructions that are prone to + error. We need an example that works and can demonstrate how to properly + perform a ranged upload, and then we can refer to that example instead. -Daniel Stenberg (29 Mar 2022) -- mqtt: better handling of TCP disconnect mid-message + Bug: https://github.com/curl/curl/issues/8969 + Reported-by: Simon Berger - Reported-by: Jenny Heino - Bug: https://hackerone.com/reports/1521610 - Closes #8644 + Closes https://github.com/curl/curl/pull/8970 -- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL +Daniel Stenberg (7 Jun 2022) +- [Thomas Guillem brought this change] -- [Ian Blanes brought this change] + curl_version_info: add CURL_VERSION_THREADSAFE_INIT - docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr + This flag can be used to make sure that curl_global_init() is + thread-safe. - Closes #8606 + This can be useful for libraries that can't control what other + dependencies are doing with Curl. -- [Ian Blanes brought this change] + Closes #8680 - curl: fix segmentation fault for empty output file names. 
+- [Thomas Guillem brought this change] - Function glob_match_url set *result to NULL when called with filename = - "", producing an indirect NULL pointer dereference. + lib: make curl_global_init() threadsafe when possible - Closes #8606 + Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and + curl_global_cleanup(). -- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519 + Closes #8680 - It would be nice to expand the list of key locations curl uses for the - newer key types supported by libssh2. +- RELEASE-NOTES: synced - Closes #8586 +- [Fabian Keil brought this change] -- ngtcp2: update to work after recent ngtcp2 updates + test414: add the '--resolve' keyword - Assisted-by: Tatsuhiro Tsujikawa - Reported-by: jurisuk on github - Fixes #8638 - Closes #8639 + ... so the test can be automatically skipped when + using an external proxy like Privoxy. -- [Farzin brought this change] + Closes #8959 - CURLOPT_PROGRESSFUNCTION.3: fix typo in example +- [Fabian Keil brought this change] - Closes #8636 + test{440,441,493,977}: add "HTTP proxy" keywords -- curl/header_json: output the header names in lowercase + ... so the tests can be automatically skipped when + using an external proxy like Privoxy. - To better allow json[“header”]. + Closes #8959 - Reported-by: Peter Korsgaard - Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878 - Closes #8633 +- [Fabian Keil brought this change] -- RELEASE-NOTES: synced + runtests.pl: add the --repeat parameter to the --help output -- headers.h: make Curl_headers_push() be CURLE_OK when not built + Closes #8959 - ... to avoid errors when the function isn't there. +- [Fabian Keil brought this change] - Reported-by: Marcel Raad - Fixes #8627 - Closes #8628 + test 2081: add a valid reply for the second request -- scripts: move three scripts from lib/ to scripts/ + ... 
so the test works when using a HTTP proxy like + Privoxy that sends an error message if the server + doesn't send data. - Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't - particularly belong in lib/ + Closes #8959 - Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying - those files in the root Makefile.am +- [Fabian Keil brought this change] - Closes #8625 + test 675: add missing CR so the test passes when run through Privoxy -Marc Hoersken (23 Mar 2022) -- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 + Closes #8959 - curl_setup.h automatically defines WIN32 if just _WIN32 is defined. +- ftp: when failing to do a secure GSSAPI login, fail hard - Therefore make sure curl_setup.h is included through warnless.h. + ... instead of switching to cleartext. For the sake of security. - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1590102 + Closes #8963 - Closes #8594 +- http2: reject overly many push-promise headers -- tests/server/util.h: align WIN32 condition with util.c + Getting more than a thousand of them is rather a sign of some kind of + attack. - There is no need to test for both _WIN32 and WIN32 as curl_setup.h - automatically defines the later if the first one is defined. + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1589847 + Closes #8962 - Also tests/server/util.c is only checking for WIN32 arouund the - implementation of win32_perror, so just defining _WIN32 - would not be sufficient for a successful compilation. 
+- [Fabian Keil brought this change] - Reviewed-by: Daniel Stenberg - Reviewed-by: Jay Satiro + misc: spelling improvements - Closes #8594 + Closes #8956 -Daniel Stenberg (22 Mar 2022) -- [Philip H brought this change] +- [Tatsuhiro Tsujikawa brought this change] - firefox-db2pem.sh: make the shell script safer + ngtcp2: fix assertion failure on EMSGSIZE - Reported by lift + Closes #8958 - Closes #8616 +- easy/transfer: fix cookie-disabled build -Jay Satiro (22 Mar 2022) -- gtls: fix build for disabled TLS-SRP + Follow-up from 45de940cebf6a + Reported-by: Marcel Raad + Fixes #8953 + Closes #8954 - Prior to this change if, at build time, the GnuTLS backend was found to - have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl - via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. +- examples/crawler.c: use the curl license - Bug: https://curl.se/mail/lib-2022-03/0046.html - Reported-by: Robert Brose + With permission from Jeroen Ooms - Closes https://github.com/curl/curl/pull/8604 + URL: https://github.com/curl/curl/pull/8869#issuecomment-1144742731 + Closes #8950 -- winbuild: Add a Visual Studio example to the README +- speed-limit/time.d: mention these affect transfers in either direction - - Add an example that explains in detail how the user can add libcurl to - their Visual Studio project. + Reported-by: Ladar Levison + Fixes #8948 + Closes #8951 - Ref: https://github.com/curl/curl/issues/8591 +- scripts/copyright.pl: fix the exclusion to not ignore man pages - Closes https://github.com/curl/curl/pull/8592 + Ref: #8869 + Closes #8952 -- docs/opts: Mention Schannel client cert type is P12 +- examples: remove fopen.c and rtsp.c - Schannel backend code behaves same as Secure Transport, it expects a P12 - certificate file or the name of a certificate already in the user's OS - key store. 
Also, both backends ignore CURLOPT_SSLKEY (tool: --key) - because they expect the private key to already be available from the - keystore or P12 certificate. + To simplify the license situation, as they were the only files in the + source tree using these specific BSD-3 clause licenses. - Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260 + For an fopen style API, we recommend instead going + https://github.com/curl/fcurl - Closes https://github.com/curl/curl/pull/8587 + Ref: #8869 + Closes #8949 -Daniel Stenberg (22 Mar 2022) -- lib1945: fix compiler warning 4706 on MSVC +- [Wolf Vollprecht brought this change] - Follow-up from d1e4a677340c + netrc: check %USERPROFILE% as well on Windows - Closes #8623 + Closes #8855 -- [Philip H brought this change] +- CURLOPT_SSH_HOSTKEYDATA/FUNCTION.3: minor polish - ci/event-based.yml: improve impacket install +- [michael musset brought this change] - skip python3-pip - install impacket with library module + libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION - Closes #8621 + The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check + wether or not the connection should continue. -- test1459: disable for oldlibssh + The host key is passed in argument with a custom handle for the + application. - This test with libssh 0.9.3 works fine on github but fails on circleci. - Might as well disable this test for oldlibssh installations. + It overrides CURLOPT_SSH_KNOWNHOSTS - Closes #8622 + Closes #7959 -- test1135: sync with recent API updates +- docs/CONTRIBUTE.md: document the 'needs-votes' concept - This test verifies that the order of functions in public headers remain - the same but hasn't been updated to care for recently added header - files. The order is important for some few platforms - or VERSIONINFO - needs to updated. + A pull request sent to the project might get labeled `needs-votes` by a + project maintainer. 
This label means that in addition to meeting all + other checks and qualifications this pull request must also receive + proven support/thumbs-ups from more community members to be considered + for merging. - This fix also updates VERSIONINFO to be sure. + Closes #8910 - Closes #8620 +- [Evgeny Grin (Karlson2k) brought this change] -- curl_easy_nextheader.3: fix two typos + digest: tolerate missing "realm" - Reported-by: Timothe Litt - Bug: https://curl.se/mail/lib-2022-03/0060.html + Server headers may not define "realm", avoid NULL pointer dereference + in such cases. -- options: remove mistaken space before paren in prototype + Closes #8912 -- cirrus: add --enable-headers-api for some windows builds +- [Evgeny Grin (Karlson2k) brought this change] -- GHA: --enable-headers-api in all workflows + digest: added detection of more syntax error in server headers -- lib: make the headers API depend on --enable-headers-api + Invalid headers should not be processed otherwise they may create + a security risk. -- configure: add --enable-headers-api to enable the headers API + Closes #8912 - Defaults to disabled while labeled EXPERIMENTAL. +- [Evgeny Grin (Karlson2k) brought this change] - Make all the headers API tests require 'headers-api' to run. + digest: unquote realm and nonce before processing -- test1671: verify -w '%{header_json} + RFC 7616 (and 2617) requires values to be "unquoted" before used for + digest calculations. The only place where unquoting can be done + correctly is header parsing function (realm="DOMAIN\\host" and + realm=DOMAN\\host are different realms). -- test1670: verify -w %header{} + This commit adds unquoting (de-escaping) of all values during header + parsing and quoting of the values during header forming. This approach + should be most straightforward and easy to read/maintain as all values + are processed in the same way as required by RFC. 
-- curl: add %{header_json} support in -w handling + Closes #8912 - Outputs all response headers as a JSON object. +- headers: handle unfold of space-cleansed headers -- curl: add %header{name} support in -w handling + Detected by OSS-fuzz - Outputs the response header 'name' + Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767 -- header api: add curl_easy_header and curl_easy_nextheader + Updated test 1274 - Add test 1940 to 1946 to verify. + Closes #8947 - Closes #8593 +- lib: make more protocol specific struct fields #ifdefed -- test1459: remove the different exit code for oldlibssh + ... so that they don't take up space if the protocols are disabled in + the build. - When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right" - error code. + Closes #8944 - Closes #8490 +- DISABLED: disable 1021 for hyper again -- libssh: unstick SFTP transfers when done event-based + due to flakiness in the CI builds - Test 604 and 606 (at least). +- urldata: store tcp_keepidle and tcp_keepintvl as ints - Closes #8490 + They can't be set larger than INT_MAX in the setsocket API calls. -- gha: move the event-based test over from Zuul + Also document the max values in their respective man pages. - Switched libssh2 to libssh + Closes #8940 - Closes #8490 +- urldata: reduce size of a few struct fields -- RELEASE-NOTES: synced + When the values are never larger than 32 bit, ints are better than longs. -- http: return error on colon-less HTTP headers + Closes #8940 - It's a protocol violation and accepting them leads to no good. +- urldata: remove three unused booleans from struct UserDefined - Add test case 398 to verify + - is_fwrite_set + - free_referer + - strip_path_slash - Closes #8610 + Closes #8940 -- test718: edited slightly to return better HTTP +- remote-name.d: mention --output-dir - Since hyper is picky and won't play ball otherwise. 
+ plus add two see-alsos - Bug: https://github.com/hyperium/hyper/issues/2783 - Reported-by: Daniel Valenzuela - Closes #8614 + Closes #8945 -- hyper: no h2c support +Jay Satiro (1 Jun 2022) +- configure: skip libidn2 detection when winidn is used - Make tests require h2c feature present to run, and only set h2c if - nghttp2 is used in the build. Hyper does not support it. + Prior to this change --with-winidn could be overridden by libidn2 + detection. - Remove those tests from DISABLED + Closes https://github.com/curl/curl/pull/8934 - Fixes #8605 - Closes #8613 +Daniel Stenberg (31 May 2022) +- CURLOPT_FILETIME.3: fix the protocols this works with -- configure: bump the copyright year range int the generated output +- test681: verify --no-remote-name -- [Andreas Falkenhahn brought this change] + Follow-up to 83ee5c428d960 (from #8931) - BINDINGS.md: add Hollywood binding + Closes #8942 - Closes #8609 +- [Tatsuhiro Tsujikawa brought this change] -- HISTORY: add some 2022 data + ngtcp2: enable Linux GSO -- scripts/copyright.pl: ignore the new mlc_config.json file + Enable Linux GSO in ngtcp2 QUIC. In order to recover from the + EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write, + packet buffer is now held by struct quicsocket. GSO write might fail in + runtime depending on NIC. Disable GSO if sendmsg returns EIO. -- [Philip H brought this change] + Closes #8909 - mlc_config.json: add file to ignore known troublesome URLs +- CURLOPT_PORT.3: We discourage using this option - This is the config file for the CI markdown link checker and lets us - filter URLs that are known to cause problems. Like - https://curl.zuul.vexxhost.dev/ for now. + Closes #8941 - Closes #8597 +- RELEASE-NOTES: synced -- [Philip H brought this change] +- headers_push: error out if a folded header has no previous header - winbuild/README.md: fixup dead link + As that would indicate an illegal header. 
The fuzzer reached the assert + in unfold_value() proving that this case can happen. - Closes #8597 + Follow-up to c9b60f005358a364 -Jay Satiro (18 Mar 2022) -- rtsp: don't let CSeq error override earlier errors + Closes #8939 - - When done, if an error has already occurred then don't check the - sequence numbers for mismatch. +- [Boris Verkhovskiy brought this change] - A sequence number may not have been received if an error occurred. + curl: re-enable --no-remote-name - Prior to this change a sequence mismatch error would override earlier - errors. For example, a server that returns nothing would cause error - CURLE_GOT_NOTHING in Curl_http_done which was then overridden by - CURLE_RTSP_CSEQ_ERROR in rtsp_done. + Closes #8931 - Closes https://github.com/curl/curl/pull/8525 +- test680: require 'http' since it uses such a URL -- lib: fix some misuse of curlx_convert_wchar_to_UTF8 + Follow-up to d1b376c03524 - curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but - prior to this change some uses mistakenly called free. +- CURLOPT_NETRC.3: document the .netrc file format - I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and - curlx_convert_UTF8_to_wchar. +- test680: verify rejection of malformatted .netrc quoted password - Ref: https://github.com/curl/curl/commit/1d5d0ae +- test679: verify netrc quoted string - Closes https://github.com/curl/curl/pull/8521 +- netrc: support quoted strings -- mk-ca-bundle.pl: Use stricter logic to process the certificates + The .netrc parser now accepts strings within double-quotes in order to + deal with for example passwords containing white space - which + previously was not possible. - .. and bump version to 1.29. + A password that starts with a double-quote also ends with one, and + double-quotes themselves are escaped with backslashes, like \". It also + supports \n, \r and \t for newline, carriage return and tabs + respectively. 
- This change makes the script properly ignore unknown blocks and - otherwise fail when Mozilla changes the certdata format in ways we - don't expect. Though this is less flexible behavior it makes it far less - likely that an invalid certificate can slip through. + If the password does not start with a double quote, it will end at first + white space and no escaping is performed. - Prior to this change the state machine did not always properly reset, - and it was possible that a certificate marked as invalid could then - later be marked as valid when there was conflicting trust info or - an unknown block was erroneously processed as part of the certificate. + WARNING: this change is not entirely backwards compatible. If anyone + previously used a double-quote as the first letter of their password, + the parser will now get it differently compared to before. This is + highly unfortunate but hard to avoid. - Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569 + Reported-by: ImpatientHippo on GitHub + Fixes #8908 + Closes #8937 - Closes https://github.com/curl/curl/pull/8411 +- curl_getdate.3: document that some illegal dates pass through -Marcel Raad (17 Mar 2022) -- test375: fix line endings on Windows + Closes #8938 - Closes https://github.com/curl/curl/pull/8599 +- CI: remove configure --enable-headers-api flags -Daniel Stenberg (17 Mar 2022) -- http: reject header contents with nul bytes +- headers api: remove EXPERIMENTAL tag - They are not allowed by the protocol and allowing them risk that curl - misbehaves somewhere where C functions are used but won't work on the - full contents. Further, they are not supported by hyper and they cause - problems for the new coming headers API work. 
+ Closes #8900 - Updated test 262 to verify and enabled it for hyper as well +Daniel Gustafsson (30 May 2022) +- cookies: fix documentation comment - Closes #8601 + Commit 4073cd83b2 added the noexpire parameter to Curl_cookie_add but + missed updating the documentation comment at the head of the file. -- [Philip H brought this change] +Daniel Stenberg (30 May 2022) +- [Marc Hoersken brought this change] - CI: Do not use buildconf. Instead, just use: autoreconf -fi + tests/data/test1940: use binary mode for expected stdout - Closes #8596 + The generated stdout data is written in binary mode with [LF] + line endings, therefore we also need to do a binary comparison. -- RELEASE-NOTES: synced + Assisted-by: Jay Satiro + Assisted-by: Daniel Stenberg -Jay Satiro (14 Mar 2022) -- libssh: Improve fix for missing SSH_S_ stat macros + Follow up to c9b60f005358a364cbcddbebd8d12593acffdd84 + Fixes #8920 + Closes #8936 - - If building libcurl against an old libssh version missing SSH_S_IFMT - and SSH_S_IFLNK then use the values from a supported version. +- CURLINFO_CAINFO/PATH.3: clarify the multiple TLS situation - Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK - then S_IFMT and S_IFLNK, respectively, were used instead. The problem - with that is the user's S_ stat macros don't have the same values across - platforms. For example Windows has values different from Linux. + Spell out the multi-TLS situation. - Follow-up to 7b0fd39. 
+ Reported-by: Dan Fandrich + Fixes #8926 + Closes #8932 - Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391 - Ref: https://github.com/curl/curl/pull/8574 +Jay Satiro (28 May 2022) +- [JustAnotherArchivist brought this change] - Closes https://github.com/curl/curl/pull/8588 + tool_getparam: fix --parallel-max maximum value constraint -Marc Hoersken (13 Mar 2022) -- tool and tests: force flush of all buffers at end of program + - Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to + default value. - On Windows data can be lost in buffers in case of abnormal program - termination, especially in process chains as seen due to flaky tests. - Therefore flushing all buffers manually should avoid this data loss. + Previously, --parallel-max 300 would use 300 concurrent transfers, but + --parallel-max 301 would unexpectedly use only 50. This change clamps + higher values to the maximum (ie --parallel-max 301 would use 300). - In the curl tool we play the safe game by only flushing write buffers, - but in the testsuite where we manage all buffers, we flush everything. + Closes https://github.com/curl/curl/pull/8930 - This should drastically reduce Windows CI and testsuite flakiness. 
+Daniel Stenberg (27 May 2022) +- curl.1: add a few see also --tls-max - Reviewed-by: Daniel Stenberg + Closes #8929 - Supersedes #7833 and #6064 - Closes #8516 +Viktor Szakats (26 May 2022) +- cmake: do not add libcurl.rc to the static libcurl library -Daniel Stenberg (12 Mar 2022) -- [Jan Venekamp brought this change] + Fixes: https://github.com/curl/curl/pull/8918#issuecomment-1138263855 - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support + Reviewed-By: Karlson2k@users.noreply.github.com + Closes #8923 - Closes #8478 +- cmake: support adding a suffix to the OS value -- [Jan Venekamp brought this change] + CMake automatically uses the `CMAKE_SYSTEM_NAME` value to fill the OS + string appearing in the --version output after the curl version number, + for example: - BearSSL: add CURLOPT_SSL_CIPHER_LIST support + 'curl 7.83.1 (Windows)' - Closes #8477 + This patchs adds the ability to pass a suffix that is appended to this + value. It's useful to add CPU info or other platform details, + for example: -Dan Fandrich (11 Mar 2022) -- tool_cb_hdr: Turn the Location: into a terminal hyperlink + 'curl 7.83.1 (Windows-x64)' - This turns even relative URLs into clickable hyperlinks in a supported - terminal when --styled-output is enabled. Many terminals already turn - URLs into clickable links but there is not enough information in a - relative URL to do this automatically otherwise. + Closes #8919 -- keepalive-time.d: It takes many probes to detect brokenness +- cmake: enable curl.rc for all Windows targets -Daniel Stenberg (11 Mar 2022) -- [HexTheDragon brought this change] + Before this patch, it was only enabled for MSVC. This syncs this + configuration with libcurl.rc, which was already included with + every Windows compiler. 
- curl: add --no-clobber + Closes #8918 - Does not overwrite output files if they already exist +- cmake: fix detecting libidn2 - Closes #7708 - Co-authored-by: Daniel Stenberg + Without this patch, libidn2 detection doesn't even seem to be + attempted. With this patch, cmake can be configured to pick it + up and enable it. Necessary configuration remains manual and + differs from most other dependencies. -- RELEASE-NOTES: synced + If you are aware of a better fix, we're glad hearing about it + in a new Issue. - also bump next pending version to become 7.83.0 + Closes #8917 -- [Jean-Philippe Menil brought this change] +- version: allow stricmp() for sorting the feature list - openssl: check SSL_get_peer_cert_chain return value + In CMakeLists.txt there is an attempt to detect `stricmp()`, and in + certain cases, this attempt is the only successful one to detect a + case-insensitive comparison function. `HAVE_STRICMP` is defined as + a result, but this macro wasn't used anywhere in the source. This + patch makes use of it as an alternative when alpha-sorting the + `--version` feature list. - 
Signed-off-by: Jean-Philippe Menil - Closes #8579 + Reviewed-by: Daniel Stenberg + Closes #8916 -- [Jay Satiro brought this change] +Daniel Stenberg (25 May 2022) +- DISABLED: add six tests that fail with hyper - mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl + 1117 1274 1940 1941 1942 1943 - mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate - extraction, similar to mk-ca-bundle.pl which runs on any platform. The - vbs version has not been maintained while the perl version has been - maintained with improvements and security fixes. I don't think it's - worth the work to maintain both versions. Windows users should be able - to use mk-ca-bundle.pl without any problems, as long as they have perl. +- c-hyper: mark status line as status for Curl_client_write() - Closes #8412 + To make sure the headers API can filter it out as not a regular header. -- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype + Reported-by: Gisle Vanem + Fixes #8894 + Closes #8914 - Copy and paste error +Marc Hoersken (25 May 2022) +- tests/data/test1501: kill ftp server after slow LIST response - Reported-by: Francisco Olarte - Fixes #8573 - Closes #8577 + This test is contributing to flakiness on the Windows CI runs. + Killing the ftp server after the test run like other slowness + tests already do may help resolve or reduce the flakiness. -- remove-on-error.d: typo + Closes #8907 - Reported-by: Colin Leroy - Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081 +Daniel Stenberg (25 May 2022) +- headers: fix the unfold realloc to use proper new size -- curl: add --remove-on-error + Previously it didn't take the old name length into acount - If a transfer returns an error, using this option makes curl remove the - leftover downloded (partial) local file before exiting. 
+ Follow-up to: c9b60f005358a364 + Closes #8913 - Added test 376 to verify +Marc Hoersken (25 May 2022) +- GHA: align all install, configure and build steps again - Closes #8503 + First step towards more unified build steps on GitHub Actions. -- libssh: fix build with old libssh versions + Closes #8873 - ... that don't have the SSH_S_* defines. Spotted on a machine using - libssh 0.7.3 +- CI/azure: remove obsolete strategy for single builds - Closes #8574 + This shortens these CI job names on GitHub even more. + Follow up to #8906 which also increased their timeout. -- hyper: fix status_line() return code + Closes #8911 - Detected while working on #7708 that happened to trigger an error here - with a new test case. +- CI/azure: shorten names of Windows CI jobs - Closes #8572 + Suggested-by: Daniel Stenberg + Closes #8906 -- [Alejandro R. Sedeño brought this change] +Daniel Stenberg (24 May 2022) +- http: restore header folding behavior - configure.ac: move -pthread CFLAGS setting back where it used to be + Folded header lines will now get passed through like before. The headers + API is adapted and will provide the content unfolded. - The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"` - earlier than it used to be set, applying it in cases where it should not - have been applied. + Added test 1274 and extended test 1940 to verify. - This moves the AIX XLC check to a new `case $host in` block inside of - the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS - -pthead"` used to happen. + Reported-by: Petr Pisar + Fixes #8844 + Closes #8899 - Fixes #8541 - Closes #8542 +Viktor Szakats (24 May 2022) +- Makefile.m32: delete obsolete options, improve -On [ci skip] -- [Tatsuhiro Tsujikawa brought this change] + - `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now. 
+ - `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and + I used this with VxWorks in another project, but otherwise this isn't + necessary anymore as a default. If a target still needs it, it can be + added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing` + - bump up default optimization level to `-O3` (from `-O2`), and also rearrange + option order so the default can now be overridden via + `CURL_CFLAG_EXTRAS`. + - delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS` + (strip debug info). They were working against each other. Now, if someone + needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g` - ngtcp2: add client certificate authentication for OpenSSL + Closes #8904 - Closes #8522 +Daniel Gustafsson (24 May 2022) +- ntlm: fix one more hostname test fallout -- tool_operate: fix a scan-build warning + This fixup was missed in commit 5a41abef6dca19. - ... and avoid the temp storing of the return code in a diff variable. + Closes: #8901 + Reviewed-by: Daniel Stenberg - Closes #8565 +- doh: remove UNITTEST macro definition -- test375: verify that --proxy errors out if proxy is disabled in the build + The UNITTEST macro is defined by curl_setup.h so there is no use in + carry a local copy of the logic. - Closes #8565 + Closes: #8902 + Reviewed-by: Daniel Stenberg -- curl: error out when options need features not present in libcurl +Daniel Stenberg (24 May 2022) +- cookie: fix false positive "potentially uninitialized local variable" - Trying to use a proxy when libcurl was built with proxy support disabled - should make curl error out properly. + Reviewed-by: Daniel Gustafsson + Closes #8903 - Remove knowledge of disabled features from the tool code and instead - make it properly respond to what libcurl returns. Update all tests to - properly require the necessary features to be present/absent so that the - test suite can still be run even with libcurl builds with disabled - features. 
+- curl: add --rate to set max request rate per time unit - Ref: https://curl.se/mail/archive-2022-03/0013.html - Closes #8565 + --rate "12/m" - for 12 per minute or + --rate "5/h" - for 5 per hour -- ngtcp2: disconnect the QUIC connection proper + Removed from TODO - Reported-by: mehatzri on github - Reviewed-by: Tatsuhiro Tsujikawa - Fixes #8534 - closes #8569 + Closes #8671 -Dan Fandrich (9 Mar 2022) -- test386: Fix an incorrect test markup tag +- [Jay Satiro brought this change] -Daniel Stenberg (9 Mar 2022) -- [Don J Olmstead brought this change] + max-time.d: clarify max-time sets max transfer time - nonblock: restore setsockopt method to curlx_nonblock + Prior to this change the doc said --max-time set the maximum time of the + 'whole operation' which is not accurate. The option maps to + CURLOPT_TIMEOUT_MS which sets maximum transfer time. - The implementation using setsockopt was removed when BeOS support was - purged. However this functionality wasn't BeOS specific, it is still - used by for example Orbis OS (Playstation 4/5 OS). + For example, the maximum time on a transfer is reset if the transfer is + retried (--retry). - Closes #8562 + Reported-by: Nuru@users.noreply.github.com -- openssl: fix CN check error code + Fixes https://github.com/curl/curl/issues/8877 + Closes #8879 - Due to a missing 'else' this returns error too easily. 
+- GHA/hyper: enable debug in the build - Regressed in: d15692ebb +- hyper: use 'alt-used' - Reported-by: Kristoffer Gleditsch - Fixes #8559 - Closes #8560 + Makes test 412+413 work -- [Frank Meier brought this change] + Closes #8898 - connect: make Curl_getconnectinfo work with conn cache from share handle +- RELEASE-NOTES: synced - Closes #8524 +- CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl -- [lwthiker brought this change] + Closes #8888 - openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL +- links: update dead links - The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag) in - libcurl was ignored when compiling with BoringSSL because - HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was - detected. However, this feature is supported in BoringSSL since - 5fd1807d. This commit enables it, and also reduces the required minimal - OpenSSL version to 1.0.2 as per OpenSSL's official documentation. + The wiki pages are gone, remove and link to more long-living docs. - Fixes #8553 - Closes #8556 + Closes #8897 -- [Samuel Henrique brought this change] +- ntlm: (void) typecast msnprintf() where we ignore return code - json.d: fix typo (overriden -> overridden) + Follow-up to 5a41abef6, to please Coverity - Closes #8557 +Daniel Gustafsson (22 May 2022) +- ntlm: copy NTLM_HOSTNAME to host buffer -- wolfssl: fix compiler error without IPv6 + Commit 709ae2454f43 added a fake hostname to avoid leaking the local + hostname, but omitted copying it to the host buffer. Fix by copying + and adjust the test fallout. - Reported-by: Joseph Chen - Fixes #8550 - Closes #8552 + Closes: #8895 + Fixes: #8893 + Reported-by: Patrick Monnerat + Reviewed-by: Daniel Stenberg -- RELEASE-NOTES: synced +- configure: use the SED value to invoke sed - and bump pending version to 7.82.1 + Rather than assuming sed in PATH, use the resolved $SED variable + like in all other invocations of sed in configure. 
-- [Paul Howarth brought this change] + Closes: #8891 + Reviewed-by: Daniel Stenberg + Reviewed-by: Marcel Raad - runtests: make 'oldlibssh' be before 0.9.4 +Daniel Stenberg (20 May 2022) +- [Tatsuhiro Tsujikawa brought this change] - The 'oldlibssh' feature indicates that the error code returned by libssh - for a broken known_hosts file should be 67 rather than 60 (test1459). - This feature was added as part of #8444 with 'oldlibssh' mapping to - libssh versions prior to 0.9.6, and then refined as part of #8511 to map - to versions prior to 0.9.5. + ngtcp2: Allow curl to send larger UDP datagrams - In Red Hat Enterprise Linux 8.5 there is a patched version of libssh - version 0.9.4 (https://git.centos.org/rpms/libssh/blob/c8/f/SOURCES) in - which test1459 fails because it returns the "new" value rather than the - "old" one. It's plausible that one of the patches is responsible for - this rather than the underlying code but I don't think so. + Allow curl to send larger UDP datagram if Path MTU Discovery finds the + availability of larger path MTU. To make it work and not to send + fragmented packet, we need to set DF bit. That makes send(2) fail with + EMSGSIZE if UDP datagram is too large. In that case, just let it be + lost. This patch enables DF bit for Linux only. - This change therefore drops the 'oldlibssh' version check to map to - libssh versions older than 0.9.4, which fixes builds on RHEL-8. + Closes #8883 - Closes #8548 +- libcurl-security.3: add "Secrets in memory" -- ipv4/6.d: clarify that they are about using IP addresses + Closes #8881 - ... they may still *resolve* other families, but not use those - addresses. +- tests: update NTLM tests to use new host name - Ref: #8530 - Closes #8543 + Also drop the debug requirement, remove the setenv sections, remove + prechecks and add NTLM to the top keywords. 
-- [r-a-sattarov brought this change] + Closes #8889 - curl/system.h: update ifdef condition for MCST-LCC compiler +- ntlm: provide a fixed fake host name - in mcst-lcc compiler => 1.25 added a new macro definition to determine - compiler + The NTLM protocol includes providing the local host name, but apparently + other implementations already provide a fixed fake name instead to avoid + leaking the real local name. - Closes #8546 + The exact name used is 'WORKSTATION', because Firefox uses that. -Marc Hoersken (6 Mar 2022) -- CI: install Python package impacket to run SMB test 1451 + The change is written to allow someone to "back-pedal" fairly easy in + case of need. - Install Python package impacket in relevant CI workflows. + Reported-by: Carlo Alberto + Fixes #8859 + Closes #8889 - Follow up to #7935 - Supersedes #7940 - Closes #8544 +Daniel Gustafsson (20 May 2022) +- KNOWN_BUGS: fix typo in problem description -Daniel Stenberg (5 Mar 2022) -- [Michał Antoniak brought this change] + s/TSL/TLS/ - connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined +- FEATURES: remove yassl as TLS library for NTLM - Closes #8539 + yassl was added in commit 9d904ee41b880b but is no longer available + and is thus not a library to use for NTLM. This aligns the FEATURES + doc with the FAQ. -- docs/HYPER.md: updated to reflect current hyper build needs + Closes: #8886 + Reviewed-by: Daniel Stenberg -- GHA: build hyper with nightly rustc +- FEATURES: reorder footnotes - Closes #8545 + The empty left-behind footnote confused the website rendering into + creating a nested emoty list, making the resulting page look quite + odd. Remove and re-order the remaining ones to avoid a gap in the + sequence. 
-Version 7.82.0 (5 Mar 2022) + Closes: #8886 + Reviewed-by: Daniel Stenberg -Daniel Stenberg (5 Mar 2022) -- RELEASE-NOTES: synced +- FAQ: remove opinionated sentence on NTLM - The 7.82.0 release + curl is a tool that support many different things, and it doesn't + really seem like our job to tell other what to use (as they might + not have much say in the matter even). Also tidy up wording. -- THANKS: updates from the 7.82.0 release notes + Closes: #8886 + Reviewed-by: Daniel Stenberg -- misc: update copyright year ranges +Viktor Szakats (20 May 2022) +- log2changes: do not indent empty lines [ci skip] -Jay Satiro (5 Mar 2022) -- unit1610: init SSL library before calling SHA256 functions + This will omit two spaces of indentation from lines with no content, + thus avoiding 'spaces @ EOL'. - The SSL library must be initialized (via global initialization) because - libcurl's SHA256 functions may call SHA256 functions in the SSL library. + Reviewed-by: Daniel Stenberg + Closes #8887 - Reported-by: Gisle Vanem +Daniel Stenberg (19 May 2022) +- wolfssl: correct the failf() message when a handle can't be made - Fixes https://github.com/curl/curl/issues/8538 - Closes https://github.com/curl/curl/pull/8540 + Closes #8885 -- examples/curlx: support building with OpenSSL 1.1.0+ +Viktor Szakats (19 May 2022) +- Makefile.m32: delete two obsolete OpenSSL options [ci skip] - - Access members of X509_STORE_CTX in OpenSSL 1.1.0+ by using API - functions. + - -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or + LibreSSL 3.5.x, yet it collides with the latter, which defines + it unconditionally, resulting in this warning: + ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined] + It was originally added to curl in 2004. - The X509_STORE_CTX struct has been opaque since OpenSSL 1.1.0. + - -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or + LibreSSL back to at least 2.5.5. 
Originally added in the same + commit as the above, in 2004. - Ref: https://curl.se/mail/lib-2022-03/0004.html + Closes #8884 - Closes https://github.com/curl/curl/pull/8529 +Daniel Stenberg (19 May 2022) +- RELEASE-NOTES: synced -- h2h3: fix typo + bump to 7.84.0 - Bug: https://github.com/curl/curl/issues/8381#issuecomment-1055440241 - Reported-by: Michael Kaufmann +- [Christian Weisgerber via curl-library brought this change] -- [Farzin brought this change] + Makefile.am: fix portability issues - CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment + Commit a04f0b961333e1a19848d073d8c7db9c20b2a371 made me notice that + there is a portability issue in curl's top-level Makefile.am. - Closes https://github.com/curl/curl/pull/8519 + $< can only be used in rules that deal with .SUFFIXES. Its use + for general prerequisites is a GNU make extension. -Daniel Stenberg (26 Feb 2022) -- azure-pipelines: add a build on Windows with libssh + $< could be replaced by $?, but I think in an autotools context, + something like this is better: - Closes #8511 + Bug: https://curl.se/mail/lib-2022-05/0024.html + Closes #8861 -- runtests: make 'oldlibssh' be before 0.9.5 +- [Balakrishnan Balasubramanian brought this change] - Closes #8511 + socks: support unix sockets for socks proxy -- libssh: fix include files and defines use for Windows builds + Usage: + curl -x "socks5h://localhost/run/tor/socks" "https://example.com" - Reported-by: 梦终无痕 - Bug: https://curl.se/mail/lib-2022-02/0131.html - Closes #8511 + Updated runtests.pl to run a socksd server listening on unix socket -- RELEASE-NOTES: synced + Added tests test1467 test1468 -- [illusory-dream brought this change] + Added documentation for proxy command line option and socks proxy + options - winbuild: add parameter WITH_SSH + Closes #8668 - For building with libssh - Closes #8514 +- [Vincent Torri brought this change] -- configure: change output for cross-compiled alt-svc support + cmake: add libpsl support - It said 'no', 
while it actually is 'yes' + Fixes #8865 + Closes #8867 - Closes #8512 +- [Tatsuhiro Tsujikawa brought this change] -- gha: add a macOS CI job with libssh + ngtcp2: extend QUIC transport parameters buffer - Closes #8513 + Extend QUIC transport parameters buffer because 64 bytes are too + short for the ever increasing parameters. -- TODO: remove "Bring back libssh tests on Travis" + Closes #8872 - The job was added to Circle CI in d8ddd0e7536 +- [Tatsuhiro Tsujikawa brought this change] -- TODO: remove "better persistency for HTTP/1.0" + ngtcp2: handle error from ngtcp2_conn_submit_crypto_data - Let's not bother. + Closes #8871 -- TODO: remove "Option to ignore private IP" +- [Tatsuhiro Tsujikawa brought this change] - ... as curl ignores the IP entirely by default these days. + ngtcp2: send appropriate connection close error code -- TODO: remove "hardcode the "localhost" addresses" + Closes #8870 - This is implmented since 1a0ebf6632f88 +- test1561: adjusted for the cookie fix -- TODO: 1.24 was a dupe of 1.1 +- test414: verify secure cookie domain overlay -- TODO: remove "Typesafe curl_easy_setopt()" +- [Harry Sintonen brought this change] - I don't consider this a serious TODO item + cookie: address secure domain overlay -- KNOWN_BUGS: remove "Uploading HTTP/3 files gets interrupted" + Bug: https://hackerone.com/reports/1560324 + Co-authored-by: Daniel Stenberg + Closes #8840 - This works now +- [Frank Gevaerts brought this change] -- KNOWN_BUGS: remove "HTTP/3 multipart POST with quiche fails" + strcase: some optimisations - It works now + Lookup tables for toupper() and tolower() make Curl_strcasecompare() + about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit + early then also allows simplifying the check at the end, for another + 15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7 + times faster. -- quiche: remove two leftover debug infof() outputs + Note that these optimisation assume ASCII. 
The original + Curl_raw_toupper() and raw_tolower() look like they already made that + assumption. -- [Tatsuhiro Tsujikawa brought this change] + Closes #8875 - ngtcp2: Reset dynbuf when it is fully drained +- BUG-BOUNTY.md: mention the audit exception - Reported-by: vl409 on github - Fixes #7351 - Closes #8504 + Dedicated - paid for - security audits that are performed in + collaboration with curl developers are not eligible for bounties. -- [Stewart Gebbie brought this change] + (plus I changed the sub-titles to use ## instead of # in the markdown) - hostip: avoid unused parameter error in Curl_resolv_check + Closes #8880 - When built without DNS-over-HTTP and without asynchronous resolvers, - neither the dns nor the data parameters are used. +- lib/vssh/wolfssh.h: removed - That is Curl_resolv_check appears to call - Curl_resolver_is_resolved(data, dns). But, - with CURL_DISABLE_DOH without CURLRES_ASYNCH, the call is actually - elided via a macro definition. + Unused header file - This fix resolves the resultant: "unused parameter 'data'" error. + Reported-by: Illarion Taev + Fixes #8863 + Closes #8866 - Closes #8505 +- [Elms brought this change] -- http2: move two infof calls to debug-h2-only + wolfSSL: explicitly use compatibility layer - and remove a superflous one + This change removes adding an include `$prefix/wolfssl` or similar to + allow for openssl include aliasing. Include paths of `wolfssl/openssl/` + are used to explicitly use wolfSSL includes. This fixes cmake builds as + well as avoiding potentially using openSSL headers since include path + order is not guaranteed. - Ref: https://github.com/curl/curl/discussions/8498 - Closes #8502 + Closes #8864 -- [Jean-Philippe Menil brought this change] +- curl: deprecate --random-file and --egd-file - quiche: fix upload for bigger content-length + As libcurl no longer has any functionality for them, the tool now does + nothing with them. - 
Signed-off-by: Jean-Philippe Menil - Closes #8421 + Closes #8670 -Jay Satiro (23 Feb 2022) -- [Farzin brought this change] +- opts: deprecate RANDOM_FILE and EGDSOCKET - CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment + These two options were only ever used for the OpenSSL backend for + versions before 1.1.0. They were never used for other backends and they + are not used with recent OpenSSL versions. They were never used much by + applications. - Closes https://github.com/curl/curl/pull/8500 + The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time + for ancient EOL OpenSSL versions. -Daniel Stenberg (22 Feb 2022) -- [Rob Boeckermann brought this change] + Closes #8670 - OS400/README: clarify compilation steps +- [Harry Sintonen brought this change] - Closes #8494 + bindlocal: don't use a random port if port number would wrap -- [Rob Boeckermann brought this change] + Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port + 65535 the code would fall back to random port rather than giving up. - OS400: fix typos in rpg include file + Closes #8862 - This resolves issues compiling rpg code that includes the curl header - file. +Daniel Gustafsson (16 May 2022) +- transfer: Fix potential NULL pointer dereference - Closes #8494 + Commit 0ef54abf5208 accidentally used the conn variable before the + assertion for it being NULL. Fix by moving the assignment which use + conn to after the assertion. -- [Michał Antoniak brought this change] + Closes: #8857 + Reviewed-by: Daniel Stenberg - vtls: fix socket check conditions +- docs: clarify data replacement policy for MIME API - fix condition to check the second socket during associate and - disassociate connection + The API documentation for the MIME functions specify that the parts + can be set twice, with the last call winning. While true, the user + can set the parts n times for n > 2, reword to specify multiple API + calls instead. 
- Closes #8493 + Closes: #8860 + Reviewed-by: Daniel Stenberg -- libssh2: don't typecast socket to int for libssh2_session_handshake +Daniel Stenberg (16 May 2022) +- [vvb2060 on github brought this change] - Since libssh2_socket_t uses SOCKET on windows which can be larger than - int. + ngtcp2: support boringssl crypto backend - Closes #8492 + Closes #8789 -- RELEASE-NOTES: fix typo and make one desc shorter +- [Tatsuhiro Tsujikawa brought this change] -- RELEASE-NOTES: synced + quic: add Curl_quic_idle -- CURLOPT_XFERINFOFUNCTION.3: fix typo in example + Add Curl_quic_idle which is called when no HTTP level read or write is + performed. It is a good place to handle timer expiry for QUIC transport + (.e.g, retransmission). - Reported-by: coralw on github - Fixes #8487 - Closes #8488 + Closes #8698 -- README: disable linkchecks for the sponsor links +- [Gregor Jasny brought this change] - Closes #8489 + mprintf: ignore clang non-literal format string -Jay Satiro (21 Feb 2022) -- openssl: check if sessionid flag is enabled before retrieving session + Closes #8740 - Ideally, Curl_ssl_getsessionid should not be called unless sessionid - caching is enabled. There is a debug assertion in the function to help - ensure that. Therefore, the pattern in all vtls is basically: +- [Nick Zitzmann brought this change] - if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();} + sectransp: check for a function defined when __BLOCKS__ is undefined - There was one instance in openssl.c where sessionid was not checked - beforehand and this change fixes that. + SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it + requires Grand Central Dispatch to be supported by the compiler, and + some third-party macOS compilers do not support Grand Central Dispatch. + SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't + adversely affect anything. 
- Prior to this change an assertion would occur in openssl debug builds - during connection stage if session caching was disabled. + Fixes #8846 + Reported-by: Egor Pugin + Closes #8854 - Reported-by: Jim Beveridge +Daniel Gustafsson (16 May 2022) +- test412/413: Use version macro for User-Agent - Fixes https://github.com/curl/curl/issues/8472 - Closes https://github.com/curl/curl/pull/8484 + Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test + output file which breaks when curlver is updated. Shift to using + the %VERSION macro instead. -- multi: allow user callbacks to call curl_multi_assign + Closes: #8856 - Several years ago a change was made to block user callbacks from calling - back into the API when not supported (recursive calls). One of the calls - blocked was curl_multi_assign. Recently the blocking was extended to the - multi interface API, however curl_multi_assign may need to be called - from within those user callbacks (eg CURLMOPT_SOCKETFUNCTION). +- macos9: remove partial support - I can't think of any callback where it would be unsafe to call - curl_multi_assign so I removed the restriction entirely. + The support for compiling on Mac OS 9 hasn't been modified since 2001 + and has no active maintainer or packager, so it's time to remove it as + it's incredibly unlikely to work. If a maintainer re-emerges it can be + resurrected from Git history. 
- Reported-by: Michael Wallner + Closes: #8836 + Reviewed-by: Daniel Stenberg - Ref: https://github.com/curl/curl/commit/b46cfbc - Ref: https://github.com/curl/curl/commit/340bb19 +Daniel Stenberg (16 May 2022) +- test1635: verify --fail-with-body with --retry - Fixes https://github.com/curl/curl/issues/8480 - Closes https://github.com/curl/curl/pull/8483 + Almost a dupe of 1634 -Daniel Stenberg (21 Feb 2022) -- [Michał Antoniak brought this change] + Closes #8847 - ssl: reduce allocated space for ssl backend when FTP is disabled +- tool_operate: make sure --fail-with-body works with --retry - Add assert() for the backend pointer in many places + ... in the same way --fail already does. - Closes #8471 + Reported-by: Jakub Bochenski + Fixes #8845 + Closes #8847 -- [Michał Antoniak brought this change] +- [Tatsuhiro Tsujikawa brought this change] - checkprefix: remove strlen calls + ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types - Closes #8481 + Closes #8851 -Jay Satiro (20 Feb 2022) -- [1337vt brought this change] +- [Tatsuhiro Tsujikawa brought this change] - curl.h: fix typo + ngtcp2: Fix alert_read_func return value - Closes https://github.com/curl/curl/pull/8482 + Closes #8852 -- [Jan Venekamp brought this change] +- [Harry Sintonen brought this change] - sectransp: mark a 3DES cipher as weak + Curl_parsenetrc: don't access local pwbuf outside of scope - - Change TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA strength to weak. + Accessing local variables outside of the scope is forbidden and + depending on the compiler can result in the value being + overwritten. Fixed by moving the pwbuf to be in scope. - All other 3DES ciphers are already marked as weak. 
+ Closes #8850 - Closes https://github.com/curl/curl/pull/8479 +- RELEASE-NOTES: synced -- [Jan Venekamp brought this change] + and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon) - bearssl: fix EXC_BAD_ACCESS on incomplete CA cert +- [Frazer Smith brought this change] - - Do not create trust anchor object for a CA certificate until after it - is processed. + ci: update github actions - Prior to this change the object was created at state BR_PEM_BEGIN_OBJ - (certificate processing begin state). An incomplete certificate (for - example missing a newline at the end) never reaches BR_PEM_END_OBJ - (certificate processing end state) and therefore the trust anchor data - was not set in those objects, which caused EXC_BAD_ACCESS. + - bump actions/checkout from 2 to 3 + - bump actions/upload-artifact from 1 to 3 + - bump github/codeql-actions from 1 to 2 + - use version tag for actions/checkout - Ref: https://github.com/curl/curl/pull/8106 + Closes #8843 - Closes https://github.com/curl/curl/pull/8476 +- test1919: verify CURLOPT_XOAUTH2_BEARER leak fix -- [Jan Venekamp brought this change] +- url: free old conn better on reuse - bearssl: fix connect error on expired cert and no verify + Make use of conn_free() better and avoid duplicate code. - - When peer verification is disabled use the x509_decode engine instead - of the x509_minimal engine to parse and extract the public key from - the first cert of the chain. + Reported-by: Andrea Pappacoda + Fixes #8841 + Closes #8842 - Prior to this change in such a case no key was extracted and that caused - CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if - any validity check fails but the x509_decode won't. +Jay Satiro (14 May 2022) +- FAQ: Clarify Windows double quote usage - Ref: https://github.com/curl/curl/pull/8106 + - Windows command prompt doesn't use literal quoting via single quotes. 
- Closes https://github.com/curl/curl/pull/8475 + - Windows command prompt inner double quotes are escaped with a + backslash. -- [Jan Venekamp brought this change] + - Windows powershell does use single quotes but curl is not a powershell + script so the arguments may not be passed on correctly. - bearssl: fix session resumption (session id) + - Windows powershell inner double quotes seems can be passed to curl if + the outer quotes are double quotes and an escape of backslash-backtick + is used. - Prior to this change br_ssl_client_reset was mistakenly called with - resume_session param set to 0, which disabled session resumption. + Command prompt example: - Ref: https://github.com/curl/curl/pull/8106 + ~~~ + getargs -v -d "\"a\"" - Closes https://github.com/curl/curl/pull/8474 + argv[0]: getargs + argv[1]: -v + argv[2]: -d + argv[3]: "a" + ~~~ -Daniel Stenberg (18 Feb 2022) -- [Michał Antoniak brought this change] + Ref: https://github.com/curl/curl/issues/8818 + Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c - openssl: fix build for version < 1.1.0 + Reported-by: KotlinIsland@users.noreply.github.com - Closes #8470 + Closes https://github.com/curl/curl/pull/8823 -- [Joel Depooter brought this change] +Daniel Stenberg (12 May 2022) +- github/workflows/nss: apt update first - schannel: move the algIds array out of schannel.h + Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found" - This array is only used by the SCHANNEL_CRED struct in the - schannel_acquire_credential_handle function. It can therefore be kept as - a local variable. This is a minor update to - bbb71507b7bab52002f9b1e0880bed6a32834511. + Closes #8837 - This change also updates the NUM_CIPHERS value to accurately count the - number of ciphers options listed in schannel.c, which is 47 instead of - 45. It is unlikely that anyone tries to set all 47 values, but if they - had tried, the last two would not have been set. 
+- page-footer: mention exit code zero too - Closes #8469 + Success (zero) is also an "exit code" worth mentioning. -- [Alejandro R. Sedeño brought this change] + Closes #8833 - configure.ac: use user-specified gssapi dir when using pkg-config +Daniel Gustafsson (12 May 2022) +- gssapi: initialize gss_buffer_desc strings - Using the system pkg-config path in the face of a user-specified - library path is asking to link the wrong library. + Explicitly initialize gss_buffer_desc strings such that a call to + freeing resources will succeed even if no data has been allocated + to it. - Reported-by: Michael Kaufmann - Fixes #8289 - Closes #8456 + Reported-by: Jay Satiro -- [Kevin Adler brought this change] +- gssapi: improve handling of errors from gss_display_status - os400: Add link to QADRT devkit to README.OS400 + In case gss_display_status() returns an error, avoid trying to add + it to the buffer as the message may well be a NULL pointer. - Closes #8455 + Originally this fix comes from a discussion in issue #8816. -- [Kevin Adler brought this change] + Closes: #8832 + Reviewed-by: Jay Satiro - os400: Add function wrapper for system command +Jay Satiro (12 May 2022) +- [steini2000 brought this change] - The wrapper will exit if the system command failed instead of blindly - continuing on. + http2: always debug print stream id in decimal with %u - In addition, only copy docs which exist, since now the copy failure will - cause the build to stop. + Prior to this change the stream id shown could be hex or decimal which + was inconsistent and confusing. - Closes #8455 + Closes https://github.com/curl/curl/pull/8808 -- [Kevin Adler brought this change] +Kamil Dudka (11 May 2022) +- url: remove redundant #ifdefs in allocate_conn() - os400: Default build to target current release + No change in behavior intended by this commit. - V6R1M0 is not available as a target release since IBM i 7.2. 
To keep - from having to keep this up to date in git, default to the current - release. Users can configure this to whatever release they want to - actually build for. +Daniel Stenberg (11 May 2022) +- [Fabian Keil brought this change] - Closes #8455 + tests 266, 116 and 1540: add a small write delay -- docs/INTERNALS.md: clean up, refer to the book + This makes it more likely that the trailer is received + seperately from the last-chunk. - The explanatory parts are now in the everything curl book (which can - also use images etc). This document now refers to that resource and only - leaves listings of supported versions of libs, tools and operating - systems. See https://everything.curl.dev/internals + curl doesn't seem to care about this but it makes the tests + more useful when testing external proxies like Privoxy. - Closes #8467 +- [Fabian Keil brought this change] -Marcel Raad (17 Feb 2022) -- des: fix compile break for OpenSSL without DES + tests 1117,1238,1523: adjust writedelay servercmds - When `USE_OPENSSL` was defined but OpenSSL had no DES support and a - different crypto library was used for that, `Curl_des_set_odd_parity` - was called but not defined. This could for example happen on Windows - and macOS when using OpenSSL v3 with deprecated features disabled. + ... so the delays are the same now that the unit + is in milliseconds. - Use the same condition for the function definition as used at the - caller side, but leaving out the OpenSSL part to avoid including - OpenSSL headers. +- [Fabian Keil brought this change] - Closes https://github.com/curl/curl/pull/8459 + tests/server/sws.c: change the HTTP writedelay unit to milliseconds -Daniel Stenberg (17 Feb 2022) -- RELEASE-NOTES: synced + This allows to use write delays for large responses without + resulting in the test taking an unreasonable amount of time. 
-- docs/DEPRECATE: remove NPN support in August 2022 + In many cases delaying writes by a whole second or more isn't + necessary for the desired effect. - Closes #8458 + Closes #8827 -- ftp: provide error message for control bytes in path +Daniel Gustafsson (11 May 2022) +- aws-sigv4: fix potentional NULL pointer arithmetic - Closes #8460 + We need to check if the strchr() call returns NULL (due to missing + char) before we use the returned value in arithmetic. There is no + live bug here, but fixing it before it can become for hygiene. -- http: fix "unused parameter ‘conn’" warning + Closes: #8814 + Reviewed-by: Daniel Stenberg - Follow-up from 7d600ad1c395 +Daniel Stenberg (11 May 2022) +- quiche: support ca-fallback - Spotted on appveyor + Follow-up to b01f3e679f4c1ea3 which added this for ngtcp2/openssl - Closes #8465 + Removed from KNOWN_BUGS -Jay Satiro (17 Feb 2022) -- [Alejandro R. Sedeño brought this change] + Fixes #8696 + Closes #8830 - sha256: Fix minimum OpenSSL version +Daniel Gustafsson (11 May 2022) +- x509asn1: mark msnprintf return as unchecked - - Change the minimum OpenSSL version for using their SHA256 - implementation from 0.9.7 to 0.9.8. + We have lots of unchecked msnprintf calls, and this particular msnprintf + call isn't more interesting than the others, but this one yields a Coverity + warning so let's implicitly silence it. Going over the other invocations + is probably a worthwhile project, but for now let's keep the static + analyzers happy. - EVP_sha256() does not appear in the OpenSSL source before 0.9.7h, and - does not get built by default until 0.9.8, so trying to use it for all - 0.9.7 is wrong, and before 0.9.8 is unreliable. 
+ Closes: #8831 + Reviewed-by: Daniel Stenberg - Closes https://github.com/curl/curl/pull/8464 +Version 7.83.1 (11 May 2022) -Daniel Stenberg (16 Feb 2022) -- KNOWN_BUGS: remove "slow connect to localhost on Windows" +Daniel Stenberg (11 May 2022) +- RELEASE-NOTES: synced - localhost is not resolved anymore since 1a0ebf6632f88 + curl 7.83.1 release -- KNOWN_BUGS: remove "HTTP/3 download is 5x times slower than HTTP/2" +- THANKS: added contributors from 7.83.1 - It's not actually a bug. More like room for improvement. +- zuul: fix the ngtcp2-gnutls build -- KNOWN_BUGS: remove "HTTP/3 download with quiche halts after a while" + Add packages and tweak the configure options. - Follow-up to 96f85a0fef694 + Use the GnuTLS 3.7.4 branch (not main). -- KNOWN_BUGS: remove "pulseUI vpn" as a problem + Closes #8829 - We haven't heard about this for a long time and rumours have it they - might have fixed it. +- [Tatsuhiro Tsujikawa brought this change] -- urldata: remove conn->bits.user_passwd + ngtcp2: add ca-fallback support for OpenSSL backend - The authentication status should be told by the transfer and not the - connection. + Closes #8828 - Reported-by: John H. Ayad - Fixes #8449 - Closes #8451 +- url: check SSH config match on connection reuse -- [Kevin Adler brought this change] + CVE-2022-27782 - gskit: Convert to using Curl_poll + Reported-by: Harry Sintonen + Bug: https://curl.se/docs/CVE-2022-27782.html + Closes #8825 - As mentioned in 32766cb, gskit was the last user of Curl_select which is - now gone. Convert to using Curl_poll to allow build to work on IBM i. 
+- tls: check more TLS details for connection reuse - Closes #8454 + CVE-2022-27782 -- [Kevin Adler brought this change] + Reported-by: Harry Sintonen + Bug: https://curl.se/docs/CVE-2022-27782.html + Closes #8825 - gskit: Fix initialization of Curl_ssl_gskit struct +- cookies: make bad_domain() not consider a trailing dot fine - In c30bf22, Curl_ssl_getsock was factored out in to a member of - struct Curl_ssl but the gskit initialization was not updated to reflect - this new member. + The check for a dot in the domain must not consider a single trailing + dot to be fine, as then TLD + trailing dot is fine and curl will accept + setting cookies for it. - Closes #8454 + CVE-2022-27779 -- [Kevin Adler brought this change] + Reported-by: Axel Chong + Bug: https://curl.se/docs/CVE-2022-27779.html + Closes #8820 - gskit: Fix errors from Curl_strerror refactor +- test977: reproduce ability to set cookie on TLD - 2f0bb864c1 replaced sterror with Curl_strerror, but the strerror buffer - shadows the set_buffer "buffer" parameter. To keep consistency with the - other functions that use Curl_strerror, rename the parameter. + When PSL is not enabled - In addition, strerror.h is needed for the definition of STRERROR_LEN. +- scripts/contributors.sh: correct the copyright range - Closes #8454 +- docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates -Marcel Raad (15 Feb 2022) -- ntlm: remove unused feature defines +- test379: verify --remove-on-error with --no-clobber - They're not used anymore and always supported. +- post_per_transfer: remove the updated file name - Closes https://github.com/curl/curl/pull/8453 + When --remove-on-error is used with --no-clobber, it might have an + updated file name to remove. 
-Daniel Stenberg (15 Feb 2022) -- [Kantanat Wannapaka brought this change] + Bug: https://curl.se/docs/CVE-2022-27778.html - README.md: fix link and layout + CVE-2022-27778 - replace tags and tags + Reported-by: Harry Sintonen - Closes #8448 + Closes #8824 -- KNOWN_BUGS: fix typo "libpsl" +- hsts: ignore trailing dots when comparing hosts names -Jay Satiro (14 Feb 2022) -- h2h3: fix compiler warning due to function prototype mismatch + CVE-2022-30115 - - Add missing const qualifier in Curl_pseudo_headers declaration. + Reported-by: Axel Chong + Bug: https://curl.se/docs/CVE-2022-30115.html + Closes #8821 -Daniel Stenberg (14 Feb 2022) -- [Stefan Eissing brought this change] +- test440/441: verify HSTS with trailing dots - urlapi: handle "redirects" smarter +- libtest/lib1560: verify the host name percent decode fix - - avoid one malloc when setting a new url via curl_url_set() - and CURLUPART_URL. - - extract common pattern into a new static function. +- urlapi: reject percent-decoding host name into separator bytes - Closes #8450 + CVE-2022-27780 -- cijobs: pick up circleci configure lines better + Reported-by: Axel Chong + Bug: https://curl.se/docs/CVE-2022-27780.html + Closes #8826 -- circleci: add a job using wolfSSH +- nss: return error if seemingly stuck in a cert loop - Build only, no tests. + CVE-2022-27781 - Closes #8445 + Reported-by: Florian Kohnhäuser + Bug: https://curl.se/docs/CVE-2022-27781.html + Closes #8822 -- scripts/ciconfig.pl: show used options not available +- test412/413: verify alt-svc with trailing dots -- circleci: add a job using libssh +- altsvc: fix host name matching for trailing dots - Closes #8444 + Closes #8819 -- runtests: set 'oldlibssh' for libssh versions before 0.9.6 +- [Garrett Squire brought this change] - ... and make test 1459 check for the different return code then. 
+ hyper: fix test 357 - Closes #8444 + This change fixes the hyper API such that PUT requests that receive a + 417 response can retry without the Expect header. -Jay Satiro (13 Feb 2022) -- Makefile.am: Generate VS 2022 projects + Closes #8811 - Follow-up to f13d4d0 which added VS 2022 project support. +- [Harry Sintonen brought this change] - Ref: https://github.com/curl/curl/pull/8438 + sectransp: bail out if SSLSetPeerDomainName fails -- [Daniel Stenberg brought this change] + Before the code would just warn about SSLSetPeerDomainName() errors. - projects: remove support for MSVC before VC10 (Visual Studio 2010) + Closes #8798 - - Remove Visual Studio project files for VC6, VC7, VC7.1, VC8 and VC9. +- http_proxy/hyper: handle closed connections - Those versions are too old to be maintained any longer. + Enable test 1021 for hyper builds. - Closes https://github.com/curl/curl/pull/8442 + Patched-by: Prithvi MK + Fixes #8700 + Closes #8806 -- [Stav Nir brought this change] +- KNOWN_BUGS: timeout when reusing a http3 connection - projects: add support for Visual Studio 17 (2022) + Closes #8764 - Closes https://github.com/curl/curl/pull/8438 +- KNOWN_BUGS: configure --with-ca-fallback is not supported by h3 -Daniel Stenberg (13 Feb 2022) -- RELEASE-NOTES: synced + Closes #8696 -- connect: follow-up fix the copyright year +- [Ryan Schmidt brought this change] -- [Michał Antoniak brought this change] + Makefile: fix "make ca-firefox" - misc: remove unused data when IPv6 is not supported + Closes #8804 - Closes #8430 +Daniel Gustafsson (5 May 2022) +- tests: fix markdown formatting in README -- scripts/ciconfig: show CI job config info + The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be + escaped to not mean start of italic formatting. This is consistent + with docs/RELEASE-PROCEDURE.md. 
- Closes #8446 + Closes: #8802 + Reviewed-by: Daniel Stenberg -- quiche: handle stream reset +Daniel Stenberg (5 May 2022) +- TODO: expand on "Expose tried IP addresses that failed" - A stream reset now causes a CURLE_PARTIAL_FILE error. I'm not convinced - this is the right action nor the right error code. + Ref: #8794 - Reported-by: Lucas Pardue - Fixes #8437 - Closes #8440 +Daniel Gustafsson (5 May 2022) +- [Fabian Keil brought this change] -- mime: use a define instead of the magic number 24 + tests/server: declare variable 'reqlogfile' static - MIME_BOUNDARY_DASHES is now the number of leading dashes in the - generated boundary string. + Silences the warning: - Closes #8441 + CC socksd-socksd.o + socksd.c:143:13: warning: no previous extern declaration for + non-static variable 'reqlogfile' [-Wmissing-variable-declarations] + const char *reqlogfile = DEFAULT_REQFILE; + ^ + socksd.c:143:7: note: declare 'static' if the variable is not + intended to be used outside of this translation unit + const char *reqlogfile = DEFAULT_REQFILE; + ^ + 1 warning generated. -- [Henrik Holst brought this change] + ... when compiling with clang 13. - hostcheck: reduce strlen calls on chained certificates + Closes: #8799 + Reviewed-by: Daniel Gustafsson - Closes #8428 +- HTTP-COOKIES: add missing CURLOPT_COOKIESESSION -- [Patrick Monnerat brought this change] + Commit 980a47b42 added support for ignoring session cookies, but it + was never added to the documentation. - mime: some more strlen() call removals. 
+ Closes: #8795 + Reviewed-by: Daniel Stenberg - Closes #8423 +Daniel Stenberg (5 May 2022) +- docs/THANKS: remove name duplicate -- scripts/cijobs.pl: detect zuul cmake jobs better +- [Philip Heiduck brought this change] -- url: exclude zonefrom_url when no ipv6 is available + .mailmap: update - Closes #8439 + Closes #8800 -- if2ip: make Curl_ipv6_scope a blank macro when IPv6-disabled +Jay Satiro (5 May 2022) +- mbedtls: fix some error messages - Closes #8439 + Prior to this change some of the error messages misidentified the + function that failed. -- [Henrik Holst brought this change] +Daniel Stenberg (5 May 2022) +- RELEASE-NOTES: synced - mprintf: remove strlen calls on empty strings in dprintf_formatf +- [Sergey Markelov brought this change] - Turns out that in dprintf_formatf we did a strlen on empty strings, a - bit strange is how common this actually is, 24 alone when doing a simple - GET from https://curl.se + x509asn1: make do_pubkey handle EC public keys - Closes #8427 + Closes #8757 -- wolfssl: return CURLE_AGAIN for the SSL_ERROR_NONE case +- [Harry Sintonen brought this change] - Closes #8431 + mbedtls: bail out if rng init fails -- wolfssl: when SSL_read() returns zero, check the error + There was a failf() call but no actual error return. - Returning zero indicates end of connection, so if there's no data read - but the connection is alive, it needs to return -1 with CURLE_AGAIN. + Closes #8796 - Closes #8431 +- [Sergey Markelov brought this change] -- quiche: after leaving h3_recving state, poll again + urlapi: address (harmless) UndefinedBehavior sanitizer warning - This could otherwise easily leave libcurl "hanging" after the entire - transfer is done but without noticing the end-of-transfer signal. 
+ `while(i--)` causes runtime error: unsigned integer overflow: 0 - 1 + cannot be represented in type 'size_t' (aka 'unsigned long') - Assisted-by: Lucas Pardue - Closes #8436 + Closes #8797 -- quiche: when *recv_body() returns data, drain it before polling again +- [Fabian Keil brought this change] - Assisted-by: Lucas Pardue + test{898,974,976}: add 'HTTP proxy' keywords - Closes #8429 + ... so the tests can be automatically skipped when + testing external HTTP proxies like Privoxy. -- [gaoxingwang on github brought this change] + Closes #8791 - configure: fix '--enable-code-coverage' typo +- [Harry Sintonen brought this change] - Fixes #8425 - Closes #8426 + gskit_connect_step1: fixed bogus setsockopt calls -- lib/h2h3: #ifdef on ENABLE_QUIC, not the wrong define + setsockopt takes a reference to value, not value. With the current + code this just leads to -1 return value with errno EFAULT. - Otherwise the build fails when H3 is enabled but the build doesn't - include nghttp2. + Closes #8793 - Closes #8424 +- CURLOPT_SSH_AUTH_TYPES.3: fix the default -- hostcheck: pass in pattern length too, to avoid a strlen call + The default is all possible methods. - Removes one strlen() call per SAN name in a cert-check. + Closes #8792 - Closes #8418 +- CURLOPT_DOH_URL.3: mention the known bug -- [Henrik Holst brought this change] + It is mostly duplicating info from KNOWN_BUGS but make it easier to find + for users of this option. - misc: remove strlen for Curl_checkheaders + Curl_checkProxyheaders + Closes #8790 - Closes #8409 +- CURLOPT_HSTS*FUNCTION.3: document the involved structs as well -- configure: requires --with-nss-deprecated to build with NSS + Reviewed-By: Daniel Gustafsson + Closes #8788 - Add deprecation plans to docs/DEPRECATE.md +- docs/SECURITY-PROCESS.md: "Visible command line arguments" - Closes #8395 +- SECURITY-PROCESS: mention "URL inconsistencies" -- mqtt: free 'sendleftovers' in disconnect + ... as common problems that are *not* vulns. 
- Fix a memory-leak +Daniel Gustafsson (2 May 2022) +- contributors: strip off final comma - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43646 - Closes #8415 + The final row of contributors should not end with a comma as it's the + end of the list. -- [Patrick Monnerat brought this change] + Closes: #8785 + Reviewed-by: Daniel Stenberg - openldap: pass string length arguments to client_write() +Daniel Stenberg (2 May 2022) +- [Philip Heiduck brought this change] - This uses the new STRCONST() macro and saves 2 strlen() calls on short - string constants per LDIF output line. + misc: use "autoreconf -fi" instead buildconf - Closes #8404 + 
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com> + Closes #8777 -- [Henrik Holst brought this change] +Daniel Gustafsson (2 May 2022) +- [Philip Heiduck brought this change] - misc: reduce strlen() calls with Curl_dyn_add() + cirrus: Use pip for Python packages on FreeBSD - Use STRCONST() to switch from Curl_dyn_add() to Curl_dyn_addn() for - string literals. + Using pip instead of easy_install is more in line with how other + CI images are being maintained. - Closes #8398 + Closes: #8783 + Reviewed-by: Daniel Gustafsson -- http2: fix the array copy to nghttp2_nv +- [Philip Heiduck brought this change] - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=44517 - Follow-up to 9f985a11e794 - Closes #8414 + cirrus: Update to FreeBSD 12.3 -- RELEASE-NOTES: synced + Closes: #8783 + Reviewed-by: Daniel Gustafsson -- scripts/cijobs.pl: output data about all currect CI jobs +- tool_getparam: simplify conditional statement - This script parses the config files for all the CI services currently in - use and output the information in a uniform way. The idea is that the - output from this script should be possible to massage into informational - tables or graphs to help us visualize what they are all testing and NOT - testing. + param_place cannot be NULL here since we immediately efter this block + perform arithmetic on it (and use it in order to get here) so there is + little reason to check. - Closes #8408 + Closes: #8786 + Reviewed-by: Daniel Stenberg -- maketgz: return error if 'make dist' fails +- RELEASE-NOTES: synced - To better detect this problem in CI jobs +- gskit: remove unused function set_callback - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8402 + This function has been unused since the initial commit of the GSKit + backend in 0eba02fd4. The motivation for the code was getting the + whole certificate chain: the only place where the latter is available + is as a callback parameter. 
Unfortunately it is not possible to pass + a user pointer to this callback, which precludes the possibility to + associate the cert chain with a data/conn structure. -- h2h3: pass correct argument types to infof() + For further information, search for pgsk_cert_validation_callback on: + https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm - Detected by Coverity. CID 1497993 + As the upstream library never added a parameter like that to the API, + we give up the wait and remove the dead code. - Closes #8401 + Closes: #8782 + Reviewed-by: Patrick Monnerat -- lib/Makefile: remove config-tpf.h from the dist +- curl: free resource in error path - Follow-up from da15443dddea2bfb. Missed before because the 'distcheck' - CI job was not working as intended. + If the new filename cannot be generated due to memory pressure, free + the allocated aname on the way out to avoid a small leak. - Reported-by: Marcel Raad - Bug: https://curl.se/mail/lib-2022-02/0070.html - Closes #8403 + Closes: #8770 + Reviewed-by: Daniel Stenberg -- configure: remove support for "embedded ares" +- curl: guard against size_t wraparound in no-clobber code - In March 2010 (commit 4259d2df7dd) we removed the embedded 'ares' - directory from the curl source tree but we have since supported - especially detecting and using that build directory. The time has come - to remove that kludge and ask users to specify the c-ares dir correctly - with --enable-ares. + When generating the new filename, make sure we aren't overflowing the + size_t limit when calculating the new length. This is mostly academic + but good code hygeine nonetheless. 
- Closes #8397 + Closes: #8771 + Reviewed-by: Daniel Stenberg -- [Sebastian Sterk brought this change] +Daniel Stenberg (30 Apr 2022) +- gha: build msh3 - github/workflows/mbedtls: fix indent & remove unnecessary line breaks + Closes #8779 - Closes #8399 +- scripts/cijobs.pl: try "current branch" first then "master" -- CI: move the NSS job from zuul to GHA +- [Yusuke Nakamura brought this change] - Closes #8396 + msh3: get msh3 version from MsH3Version -- tests/unit/Makefile.am: add NSS_LIBS to build with NSS fine + Closes #8762 - Closes #8396 +- [Yusuke Nakamura brought this change] -Marcel Raad (7 Feb 2022) -- curl-openssl: fix SRP check for OpenSSL 3.0 + msh3: psss remote_port to MsH3ConnectionOpen - When OpenSSL 3.0 is built with `--api=3.0` and `no-deprecated`, the SRP - functions exist in the library, but are disabled for user code. Check - if they are actually usable instead of only if they exist. Also, check - for the functions actually required for TLS-SRP. + MsH3 supported additional "Port" parameter to connect not hosted on + 443 port QUIC website. - TLS-SRP support is still enabled if OpenSSL is configured with just - `--api=3.0` or with `--api=1.1.1 no-deprecated`. + * https://github.com/nibanks/msh3/releases/tag/v0.3.0 + * https://github.com/nibanks/msh3/pull/37 - Closes https://github.com/curl/curl/pull/8394 + Closes #8762 -Daniel Stenberg (7 Feb 2022) -- [Henrik Holst brought this change] +- [Christian Weisgerber brought this change] - http: make Curl_compareheader() take string length arguments too + openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl - Also add STRCONST, a macro that returns a string literal and it's length - for functions that take "string,len" + SSL_CTX_set1_curves_list() has been available since LibreSSL 2.5.3, + released five years ago. - Removes unnecesary calls to strlen(). 
+ Bug: https://curl.se/mail/lib-2022-04/0059.html + Closes #8773 - Closes #8391 +- http: move Curl_allow_auth_to_host() -- vquic/vquic.h: removed the unused H3 psuedo defines + It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef -- ngtcp2: use Curl_pseudo_headers + Reported-by: Michael Olbrich + Fixes #8772 + Closes #8775 -- quiche: use Curl_pseudo_headers +Daniel Gustafsson (29 Apr 2022) +- msh3: print boolean value as text representation -- http2: use Curl_pseudo_headers + Print the boolean value as its string representation instead of with + %hhu which isn't a format we typically use. -- h2h3: added Curl_pseudo_headers() + Closes: #8763 + Reviewed-by: Nick Banks - For use with both http2 and http3 requests. +Daniel Stenberg (29 Apr 2022) +- data/test376: set a proper name -- ngtcp2/quiche: make :scheme possible to set +- GHA/mbedtls: enabled nghttp2 in the build -- http2: allow CURLOPT_HTTPHEADER change ":scheme" + Closes #8767 - The only h2 psuedo header that wasn't previously possible to change by a - user. This change also makes it impossible to send a HTTP/1 header that - starts with a colon, which I don't think anyone does anyway. +- mbedtls: fix compile when h2-enabled - The other pseudo headers are possible to change indirectly by doing the - rightly crafted request. + Fixes #8766 + Reported-by: LigH-de on github + Closes #8768 - Reported-by: siddharthchhabrap on github - Fixes #8381 - Closes #8393 +- RELEASE-NOTES: synced -- h2/h3: provide and refer to pseudo headers as defines + bumped curlver to 7.83.1-dev - ... and do sizeof() on the defines to use constants better. +- SECURITY-PROCESS: extended - Closes #8389 + Also clarify BUG-BOUNTY.md with IBB details. 
-- [Michał Antoniak brought this change] + Closes #8754 - smb: passing a socket for writing and reading data instead of FIRSTSOCKET +- [Adam Rosenfield brought this change] - Closes #8383 + conn: fix typo 'connnection' -> 'connection' in two function names -- x509asn1: toggle off functions not needed for diff tls backends + Closes #8759 - ... and clean the header file from private defines/structs (move to C - file) and unused function prototypes. +Version 7.83.0 (27 Apr 2022) - Closes #8386 +Daniel Stenberg (27 Apr 2022) +- RELEASE-NOTES: synced -- lib: move hostcheck and x509sn1 sources to vtls/ + The 7.83.0 release - ... since they are used strictly by TLS code. +- docs/THANKS: contributors from 7.83.0 - Closes #8386 +- test 898/974/976: require proxy to run -Marcel Raad (4 Feb 2022) -- version_win32: fix warning for `CURL_WINDOWS_APP` + Fixes #8755 + Reported-by: Marc Hörsken + Closes #8756 - The build version is not supported by the UWP code. +- gnutls: don't leak the SRP credentials in redirects - Closes https://github.com/curl/curl/pull/8385 + Follow-up to 620ea21410030 and 139a54ed0a172a -Daniel Stenberg (4 Feb 2022) -- tests/disable-scan.pl: properly detect multiple symbols per line + Reported-by: Harry Sintonen + Closes #8752 - Test 1165 would fail on some systems because it didn't detect - CURL_DISABLE_* symbols that were used to the right of another one on the - same line! The script would only detect and extract the first one. +- CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS - Reported-by: Marcel Raad - Fixes #8384 - Closes #8388 + Closes #8753 -Jay Satiro (4 Feb 2022) -- config.d: Clarify _curlrc filename is still valid on Windows +- openssl: don't leak the SRP credentials in redirects either - Recent changes added support for filename .curlrc on Windows, and - when it's not found curl falls back on the original Windows filename - _curlrc. _curlrc was removed from the doc, however it is still valid. 
+ Follow-up to 620ea21410030 - Closes https://github.com/curl/curl/pull/8382 + Reported-by: Harry Sintonen + Closes #8751 -Daniel Stenberg (4 Feb 2022) -- lib: remove support for CURL_DOES_CONVERSIONS +- [Liam Warfield brought this change] - TPF was the only user and support for that was dropped. + hyper: fix tests 580 and 581 for hyper - Closes #8378 + Hyper now has the ability to preserve header order. This commit adds a + few lines setting the connection options for this feature. -- TPF: drop support + Related to issue #8617 + Closes #8707 - There has been no TPF related changes done since September 2010 (commit - 7e1a45e224e57) and since this is a platform that is relatively different - than many others (== needs attention), I draw the conclusion that this - build is broken since a long time. +- conncache: remove name arg from Curl_conncache_find_bundle - Closes #8378 + To simplify, and also since the returned name is not the full actual + name used for the check. The port number and zone id is also involved, + so just showing the name is misleading. -- scripts/delta: check the file delta for current branch + Closes #8750 - ... also polish the output style a little bit +- tests: verify the fix for CVE-2022-27774 -Jay Satiro (3 Feb 2022) -- [Fabian Keil brought this change] + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth - runtests.pl: tolerate test directories without Makefile.inc +- transfer: redirects to other protocols or ports clear auth - Silences the following warnings when using a Makefile.inc-free - TESTDIR using the "-o" argument: + ... unless explicitly permitted. - readline() on closed filehandle D at ./runtests.pl line 592. - Use of uninitialized value $disttests in pattern match (m//) at - ./runtests.pl line 3602. 
+ Bug: https://curl.se/docs/CVE-2022-27774.html + Reported-by: Harry Sintonen + Closes #8748 - Closes https://github.com/curl/curl/pull/8379 +- connect: store "conn_remote_port" in the info struct -Daniel Stenberg (3 Feb 2022) -- [Henrik Holst brought this change] + To make it available after the connection ended. - setopt: do bounds-check before strdup +- cookie.d: clarify when cookies are always sent - Curl_setstropt() allocated memory for the string before checking if the - string was within bounds. The bounds check should be done first. +- test898: verify the fix for CVE-2022-27776 - Closes #8377 + Do not pass on Authorization headers on redirects to another port -- [Michał Antoniak brought this change] +- http: avoid auth/cookie on redirects same host diff port - mbedtls: enable use of mbedtls without filesystem functions support + CVE-2022-27776 - Closes #8376 + Reported-by: Harry Sintonen + Bug: https://curl.se/docs/CVE-2022-27776.html + Closes #8749 -- [Bernhard Walle brought this change] +- libssh2: make the md5 comparison fail if wrong length - configure: support specification of a nghttp2 library path + Making it just skip the check unless exactly 32 is too brittle. Even if + the docs says it needs to be exactly 32, it is be safer to make the + comparison fail here instead. - This enables using --with-nghttp2= on systems without pkg-config. + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1549461 + Closes #8745 - Closes #8375 +- conncache: include the zone id in the "bundle" hashkey -- scripts/release-notes.pl: remove leftover debug output + Make connections to two separate IPv6 zone ids create separate + connections. 
-- RELEASE-NOTES: synced + Reported-by: Harry Sintonen + Bug: https://curl.se/docs/CVE-2022-27775.html + Closes #8747 -- scripts/release-notes.pl: fix number extraction for full URLs +- [Patrick Monnerat brought this change] -- [Leah Neukirchen brought this change] + url: check sasl additional parameters for connection reuse. - scripts/completion.pl: improve zsh completion + Also move static function safecmp() as non-static Curl_safecmp() since + its purpose is needed at several places. - - Detect all spellings of , etc as well as . - - Only complete directories for . - - Complete URLs for . - - Complete --request and --ftp-method. + Bug: https://curl.se/docs/CVE-2022-22576.html - Closes #8363 + CVE-2022-22576 -- [Davide Cassioli brought this change] + Closes #8746 - configure: use correct CFLAGS for threaded resolver with xlC on AIX +- libssh2: compare sha256 strings case sensitively - Fixes #8276 - Closes #8374 + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1549435 + Closes #8744 -- mailmap: Henrik Holst +- tool_getparam: error out on missing -K file -Jay Satiro (2 Feb 2022) -- build: fix ngtcp2 crypto library detection + Add test 411 to verify. - - Change library link check for ngtcp2_crypto_{gnutls,openssl} to - to use function ngtcp2_crypto_recv_client_initial_cb instead of - ngtcp2_crypto_ctx_initial. + Reported-by: Median Median Stride + Bug: https://hackerone.com/reports/1542881 + Closes #8731 - The latter function is no longer external since two days ago in - ngtcp2/ngtcp2@533451f. curl HTTP/3 CI builds have been failing since - then because they would not link to the ngtcp2 crypto library. +- [Tatsuhiro Tsujikawa brought this change] - Ref: https://github.com/ngtcp2/ngtcp2/pull/356 + ngtcp2: deal with sub-millisecond timeout - Closes https://github.com/curl/curl/pull/8372 + Closes #8738 -- [Henrik Holst brought this change] +- misc: update copyright year ranges - urlapi: remove an unnecessary call to strlen +- c_escape: escape '?' 
in generated --libcurl code - - Use strcpy instead of strlen+memcpy to copy the url path. + In order to avoid the risk of it being used in an accidental trigraph in + the generated code. - Ref: https://curl.se/mail/lib-2022-02/0006.html + Reported-by: Harry Sintonen + Bug: https://hackerone.com/reports/1548535 + Closes #8742 - Closes https://github.com/curl/curl/pull/8370 +- [Philip Heiduck brought this change] -Daniel Stenberg (1 Feb 2022) -- scripts/copyright.pl: fix for handling removed files better + mlc: curl.zuul.vexxhost.dev is reachable again -- vxworks: drop support + remove it from ignorelist for linkcheck - No changes or fixes in vxworks related code since 2009 leads me to - believe that this doesn't work anymore. + Closes #8736 - Closes #8362 +- [Tatsuhiro Tsujikawa brought this change] -- [Henrik Holst brought this change] + ngtcp2: avoid busy loop in low CWND situation - base64: remove an unnecessary call to strlen + Closes #8739 - Closes #8369 +- TODO: telnet - exit immediately upon connection if stdin is /dev/null -- tool_getparam: initial --json support + Suggested-by: Robin A. Meade + URL: https://curl.se/mail/archive-2022-04/0027.html - Adds these test cases: +- [Kushal Das brought this change] - 383 - simple single command line option - 384 - reading it from stdin - 385 - getting two --json options on command line - 386 - --next works after --json + docs: updates spellings with full words - Closes #8314 + Closes #8730 -- [Bjarni Ingi Gislason brought this change] +- tests/FILEFORMAT.md: spellfix - curl_getdate.3: remove pointless .PP line +Daniel Gustafsson (21 Apr 2022) +- misc: fix typos - mandoc: WARNING: skipping paragraph macro: PP empty + Fix a few random typos is comments and workflow names. 
- Reported-by: Samuel Henrique - Closes #8365 +- macos: fix .plist installation into framework -- [Sebastian Sterk brought this change] + The copy command introduced in e498a9b1f had leftover '>' from the + previous sed command it replaced, which broke its syntax. Fix by + removing. - multi: grammar fix in comment + Reported-by: Emanuele Torre - After 'must', the verb is used without 'to'. Correct: "must" or "have - to" +Daniel Stenberg (21 Apr 2022) +- [Christopher Degawa brought this change] - Closes #8368 + Makefile: fix ca-bundle due to mk-ca-bundle.pl being moved -- openldap: fix compiler warning when built without SSL support + The script was moved in 8e22fc68e7dda43e9f but the lines that called it + was not changed to reflect it's new position - openldap.c:841:52: error: unused parameter ‘data’ [-Werror=unused-parameter] + 
Signed-off-by: Christopher Degawa - Closes #8367 + Closes #8728 -- [Samuel Henrique brought this change] +Daniel Gustafsson (20 Apr 2022) +- macos: set .plist version in autoconf - CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released" + Set the libcurl version in libcurl.plist like how libcurl.vers is + created. - Found when packaging 7.81.0 for Debian. + Closes: #8692 + Reviewed-by: Daniel Stenberg + Reviewed-by: Nick Zitzmann - Closes #8364 +- cookies: Improve errorhandling for reading cookiefile -- netware: remove support + The existing programming had some issues with errorhandling for reading + the cookie file. If the file failed to open, we would silently ignore it + and continue as if there was no file (or stdin) passed. In this case, we + would also call fclose() on the NULL FILE pointer, which is undefined + behavior. Fix by ensuring that the FILE pointer is set before calling + fclose on it, and issue a warning in case the file cannot be opened. + Erroring out on nonexisting file would break backwards compatibility of + very old behavior so we can't really go there. - There are no current users and no Netware related changes done in the - code for over 13 years is a clear sign this is abandoned. + Closes: #8699 + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro - Closes #8358 +Daniel Stenberg (20 Apr 2022) +- libcurl-tutorial.3: spellfix and minor polish -- CI: move two jobs from Zuul to Circle CI +- CURLINFO_PRIMARY_PORT.3: spellfix - - openssl-no-verbose - - openssl-no-proxy + Reported-by: Patrick Monnerat - Closes #8359 +- [Jay Dommaschk brought this change] -- cirlceci: also run a c-ares job on arm with debug enabled + libssh: fix double close - Closes #8357 + libssh closes the socket in ssh_diconnect() so make sure that libcurl + does not also close it. 
-- ci: move the OpenSSL + c-ares job from Zuul to Circle CI + Fixes #8708 + Closes #8718 - Closes #8357 +Jay Satiro (20 Apr 2022) +- [Gisle Vanem brought this change] -- mailmap: Jan-Piet Mens + unit1620: call global_init before calling Curl_open -- [luminixinc on github brought this change] + Curl_open calls the resolver init and on Windows if the resolver backend + is c-ares then the Windows sockets library (winsock) must already have + been initialized (via global init). - multi: remember connection_id before returning connection to pool + Ref: https://github.com/curl/curl/pull/8540#issuecomment-1059771800 - Fix a bug that does not require a new CVE as discussed on hackerone.com. - Previously `connection_id` was accessed after returning connection to - the shared pool. + Closes https://github.com/curl/curl/pull/8719 - Bug: https://hackerone.com/reports/1463013 - Closes #8355 +Daniel Stenberg (19 Apr 2022) +- CURLINFO_PRIMARY_PORT.3: clarify which port this is -Jay Satiro (31 Jan 2022) -- write-out.d: Fix num_headers formatting + As it was not entirely clear previously. -- [Jan-Piet Mens brought this change] + Closes #8725 - docs: capitalize the name 'Netscape' +- CURLOPT_UNRESTRICTED_AUTH.3: extended explanation - Closes https://github.com/curl/curl/pull/8354 + Include details about Authentication headers. -Daniel Stenberg (30 Jan 2022) -- RELEASE-NOTES: synced + Reported-by: Brad Spencer + Fixes #8724 + Closes #8726 -- [Antoine Pietri brought this change] +- .github/workflows/macos.yml: add a libssh job with c-ares - docs: grammar proofread, typo fixes + ... to enable the memdebug system - (Partially automated) proofread of most of the documentation, leading to - various typo fixes. + Closes #8720 - Closes #8353 +- RELEASE-NOTES: synced -- urldata: CONN_IS_PROXIED replaces bits.close when proxy can be disabled +Jay Satiro (17 Apr 2022) +- [Gisle Vanem brought this change] - To remove run-time checks for such builds. 
+ docs/HTTP3.md: fix typo - Closes #8350 + also fix msh3 section formatting -- setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds + Ref: https://github.com/curl/curl/commit/37492ebb#r70980087 - Closes #8350 +Marc Hoersken (17 Apr 2022) +- timediff.[ch]: add curlx helper functions for timeval conversions -- conncache: make conncache_add_bundle return the pointer + Also move timediff_t definitions from timeval.h to timediff.h and + then make timeval.h include the new standalone-capable timediff.h. - Simplifies the logic a little and avoids a ternary operator. + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg - Ref: #8346 - Closes #8349 + Supersedes #5888 + Closes #8595 -- mailmap: neutric on github +Daniel Stenberg (17 Apr 2022) +- [Balakrishnan Balasubramanian brought this change] -Jay Satiro (30 Jan 2022) -- [neutric on github brought this change] + tests: refactor server/socksd.c to support --unix-socket - docs/TheArtOfHttpScripting: fix example POST URL + Closes #8687 - Closes https://github.com/curl/curl/pull/8352 +- [Emanuele Torre brought this change] -Daniel Stenberg (28 Jan 2022) -- nss: handshake callback during shutdown has no conn->bundle + tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) - The callback gets called because of the call to PR_Recv() done to - attempt to avoid RST on the TCP connection. The conn->bundle pointer is - already cleared at this point so avoid dereferencing it. + This loop was using the number of bytes read from the file as condition + to keep reading. - Reported-by: Eric Musser - Fixes #8341 - Closes #8342 + From Linux's fread(3) man page: + > On success, fread() and fwrite() return the number of items read or + > written. This number equals the number of bytes transferred only when + > size is 1. If an error occurs, or the end of the file is reached, the + > return value is a short item count (or zero). 
+ > + > The file position indicator for the stream is advanced by the number + > of bytes successfully read or written. + > + > fread() does not distinguish between end-of-file and error, and + > callers must use feof(3) and ferror(3) to determine which occurred. -- [Michał Antoniak brought this change] + This means that nread!=0 doesn't make much sense as an end condition for + the loop: nread==0 doesn't necessarily mean that EOF has been reached or + an error has occured (but that is usually the case) and nread!=0 doesn't + necessarily mean that EOF has not been reached or that no read errors + have occured. feof(3) and ferror(3) should be uses when using fread(3). - mbedtls: remove #include + Currently curl has to performs an extra fread(3) call to get a return + value equal to 0 to stop looping. - mbedtls/certs.h file contains only certificates example (all definitions - is beginning by mbedtls_test_*). None of them is used so we can avoid - include the file. + This usually "works" (even though nread==0 shouldn't be interpreted as + EOF) if stdin is a pipe because EOF usually marks the "real" end of the + stream, so the extra fread(3) call will return immediately and the extra + read syscall won't be noticeable: - Closes #8343 + bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 | + > tail -n 5 + read(0, "a\n", 4096) = 2 + read(0, "", 4096) = 0 + read(0, "", 4096) = 0 + http://0x0.st/oRs.txt + +++ exited with 0 +++ + bash-5.1$ -- [Michał Antoniak brought this change] + But this doesn't work if curl is reading from stdin, stdin is a + terminal, and the EOF is being emulated using a shell with ^D. 
Two + consecutive ^D will be required in this case to actually make curl stop + reading: - mbedtls: enable use of mbedtls without CRL support + bash-5.1$ curl -F file=@- 0x0.st + a + ^D^D + http://0x0.st/oRs.txt + bash-5.1$ - Closes #8344 + A possible workaround to this issue is to use a program that handles EOF + correctly to indirectly send data to curl's stdin: -- [Bernhard Walle brought this change] + bash-5.1$ cat - | curl -F file=@- 0x0.st + a + ^D + http://0x0.st/oRs.txt + bash-5.1$ - configure: set CURL_LIBRARY_PATH for nghttp2 + This patch makes curl handle EOF properly when using fread(3) in + file2memory() so that the workaround is not necessary. - To execute the test program, we might need the library path so that the - lib is found at runtime. + Since curl was previously ignoring read errors caused by this fread(3), + ferror(3) is also used in the condition of the loop: read errors and EOF + will have the same meaning; this is done to somewhat preserve the old + behaviour instead of making the command fail when a read error occurs. - Closes #8340 + Closes #8701 -Jay Satiro (28 Jan 2022) -- schannel: restore debug message in schannel_connect_step2 +- gen.pl: change wording for mutexed options - This is a follow-up to recent commit 2218c3a which removed the debug - message to avoid an unused variable warning. The message has been - reworked to avoid the warning. + Instead of saying "This option overrides NNN", now say "This option is + mutually exclusive to NNN" in the generated man page ouput, as the + option does not in all cases actually override the others but they are + always mutually exclusive. - Ref: https://github.com/curl/curl/pull/8320#issuecomment-1022957904 + Ref: #8704 + Closes #8716 - Closes https://github.com/curl/curl/pull/8336 +- curl: error out if -T and -d are used for the same URL -- test3021: disable all msys2 path transformation + As one implies PUT and the other POST, both cannot be used + simultaneously. 
- - Disable all MSYS2 path transformation in test3021 and test3022. + Add test 378 to verify. - Prior to this change path transformation in those tests was disabled - only for arguments that start with forward slashes. However arguments - that are in base64 contain forward slashes at any position and caused - unwanted translations. + Reported-by: Boris Verkhovskiy + Fixes #8704 + Closes #8715 - == Info: Denied establishing ssh session: mismatch sha256 fingerprint. - Remote +/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw= is not equal to - +C:/msys64/EYG2YDzDGm6yiwepEMSuExgRRMoTi8Di1UN3kixZw +- lib: remove exclamation marks - In the above example an argument containing a base64 sha256 fingerprint - was passed to curl after MSYS2 translated +/ into +C:/msys64/, and then - the fingerprint didn't match what was expected. + ... from infof() and failf() calls. Make them less attention seeking. - Ref: https://www.msys2.org/wiki/Porting/ + Closes #8713 - Fixes https://github.com/curl/curl/issues/8084 - Closes https://github.com/curl/curl/pull/8325 +- fail.d: tweak the description -Daniel Stenberg (27 Jan 2022) -- CI: move scan-build job from Zuul to Azure Pipelines + Reviewed-by: Daniel Gustafsson + Suggested-by: Robert Charles Muir + Ref: https://twitter.com/rcmuir/status/1514915401574010887 - Closes #8338 + Closes #8714 -Marcel Raad (27 Jan 2022) -- openssl: fix `ctx_option_t` for OpenSSL v3+ +Daniel Gustafsson (15 Apr 2022) +- docs: Fix missing semicolon in example code - The options have been changed to `uint64_t` in - https://github.com/openssl/openssl/commit/56bd17830f2d5855b533d923d4e0649d3ed61d11. + Multiple share examples were missing a semicolon on the line defining + the CURLSHcode variable. 
- Closes https://github.com/curl/curl/pull/8331 + Closes: #8697 + Reported-by: Michael Kaufmann + Reviewed-by: Daniel Stenberg -Daniel Stenberg (27 Jan 2022) -- CI: move 'distcheck' job from zuul to azure pipelines +- infof: consistent capitalization of warning messages - Assisted-by: Kushal Das + Ensure that all infof calls with a warning message are capitalized + in the same way. At some point we should probably set up a style- + guide for infof but until then let's aim for a little consistenncy + where we can. - Closes #8334 + Closes: #8711 + Reviewed-by: Daniel Stenberg -- vtls: pass on the right SNI name +- RELEASE-NOTES: synced - The TLS backends convert the host name to SNI name and need to use that. - This involves cutting off any trailing dot and lowercasing. +- [Matteo Baccan brought this change] - Co-authored-by: Jay Satiro - Closes #8320 + perl: removed a double semicolon at end of line -- url: revert the removal of trailing dot from host name + Remove double semicolons at end of line in Perl code. - Reverts 5de8d84098db1bd24e (May 2014, shipped in 7.37.0) and the - follow-up changes done afterward. + Closes: #8709 + Reviewed-by: Daniel Gustafsson - Keep the dot in names for everything except the SNI to make curl behave - more similar to current browsers. This means 'name' and 'name.' send the - same SNI for different 'Host:' headers. 
+- curl_easy_header: fix typos in documentation - Updated test 1322 accordingly + Closes: #8694 + Reviewed-by: Daniel Stenberg - Fixes #8290 - Reported-by: Charles Cazabon - Closes #8320 +Marcel Raad (11 Apr 2022) +- appveyor: add Cygwin build -- [neutric on github brought this change] + Closes https://github.com/curl/curl/pull/8693 - docs/TheArtOfHttpScripting: fix capitalization +- appveyor: only add MSYS2 to PATH where required - Closes #8333 + Closes https://github.com/curl/curl/pull/8693 -- tests/memanalyze.pl: also count and show "total allocations" +Daniel Stenberg (10 Apr 2022) +- [Tatsuhiro Tsujikawa brought this change] - This is the total number of bytes allocated, increasing for new - allocations and never reduced when freed. The existing "Maximum - allocated" is the high water mark. + ngtcp2: fix memory leak - Closes #8330 + Closes #8691 -- mailmap: spellfix githuh => github +- [Tatsuhiro Tsujikawa brought this change] -- RELEASE-NOTES: synced + ngtcp2: remove remote_addr which is not used in a meaningful way -- hostcheck: fixed to not touch used input strings + Closes #8689 - Avoids the need to clone the strings before check, thus avoiding - mallocs, which for cases where there are many SAN names in a cert could - end up numerous. +- [Tatsuhiro Tsujikawa brought this change] - Closes #8321 + ngtcp2: enlarge H3_SEND_SIZE -- ngtcp2: adapt to changed end of headers callback proto + Make h3_SEND_SIZE larger because current value (20KiB) is too small + for the high latency environment. - Closes #8322 + Closes #8690 -- [Xiaoke Wang brought this change] +- [Tatsuhiro Tsujikawa brought this change] - openssl: check SSL_get_ex_data to prevent potential NULL dereference + ngtcp2: fix HTTP/3 upload stall and avoid busy loop - Closes #8268 + This commit fixes HTTP/3 upload stall if upload data is larger than + H3_SEND_SIZE. 
Only check writability of socket if a stream is + writable to avoid busy loop when QUIC flow control window is filled + up, or upload buffer is full. -Jay Satiro (23 Jan 2022) -- md5: check md5_init_func return value + Closes #8688 - Prior to this change the md5_init_func (my_md5_init) return value was - ignored. +- [Nick Banks brought this change] - Closes https://github.com/curl/curl/pull/8319 + msh3: add support for QUIC and HTTP/3 using msh3 -- md5: refactor for standard compliance + Considered experimental, as the other HTTP/3 backends. - - Wrap OpenSSL / wolfSSL MD5 functions instead of taking their function - addresses during static initialization. + Closes #8517 - Depending on how curl was built the old way may have used a dllimport - function address during static initialization, which is not standard - compliant, resulting in Visual Studio warning C4232 (nonstandard - extension). Instead the function pointers now point to the wrappers - which call the MD5 functions. +- TODO: "SFTP with SCP://" - This change only affects OpenSSL and wolfSSL because calls to other SSL - libraries' md5 functions were already wrapped. Also sha256.c already - does this for all SSL libraries. +- GHA: move bearssl jobs over from zuul - Ref: https://github.com/curl/curl/pull/8298 + Closes #8684 - Closes https://github.com/curl/curl/pull/8318 +- data/DISABLED: disable test 313 on bearssl builds -Daniel Stenberg (21 Jan 2022) -- [Lucas Pardue brought this change] + Closes #8684 - docs: update IETF links to use datatracker +- runtests: add 'bearssl' as testable feature - The tools.ietf.org domain has been deprecated a while now, with the - links being redirected to datatracker.ietf.org. + Closes #8684 - Rather than make people eat that redirect time, this change switches the - URL to a more canonical source. 
+- GHA: add openssl3 jobs moved over from zuul - Closes #8317 + Closes #8683 -- [Harry Sarson brought this change] +- schannel: remove dead code that will never run - CI: test building wolfssl with --enable-opensslextra + As the condition can't ever evaluate true - Closes #8315 + Reported-by: Andrey Alifanov + Ref: #8675 + Closes #8677 -- [Harry Sarson brought this change] +- connecache: remove duplicate connc->closure_handle check - misc: allow curl to build with wolfssl --enable-opensslextra + The superfluous extra check could cause analyzer false positives + and doesn't serve any purpose. - put all #include of openssl files behind wolfssl ifdefs so that we can - use the wolfssl/ prefixed include paths. Without these curl only builds - when wolfssl is built with enable-all. + Closes #8676 - Fixes #8292 - Closes #8315 +- [Michał Antoniak brought this change] -- [Lucas Pardue brought this change] + mbedtls: remove server_fd from backend - quiche: change qlog file extension to `.sqlog` + Closes #8682 - quiche has just switched it's qlog serialization format to JSON-SEQ by - default . The spec says this SHOULD use `.sqlog` extension. +- [Tatsuhiro Tsujikawa brought this change] - I believe ngtcp2 also supports JSON-SEQ by default as of - https://github.com/ngtcp2/ngtcp2/commit/9baf06fc3f352a1d062b6953ae1de22cae30639d + ngtcp2: use token when detecting :status header field - Let's update curl so that tools know what format we are using! + Closes #8679 - Closes #8316 +- [Tatsuhiro Tsujikawa brought this change] -Jay Satiro (21 Jan 2022) -- projects: Fix Visual Studio wolfSSL configurations + ngtcp2: make curl 1ms faster - - Change build-wolfssl.bat to disable SSLv3, enable TLSv1.3, enable - wolfSSL_DES_ecb_encrypt (needed by NTLM) and enable alt cert chains. + Pass 0 for an already expired timer. - - Disable warning C4214 'bit field types other than int'. + Closes #8678 - - Add include directory wolfssl\wolfssl. 
+- [Tatsuhiro Tsujikawa brought this change] - wolfSSL offers OpenSSL API compatibility that libcurl uses, and some - recent change in libcurl included an include file for wolfSSL like - openssl/foo.h, which has a path like wolfssl\wolfssl\openssl\foo.h. + ngtcp2: fix QUIC_IDLE_TIMEOUT - The include directory issue was reported in #8292 but it's currently - unclear whether this type of change is needed for other build systems. + QUIC_IDLE_TIMEOUT should be of type ngtcp2_duration which is + nanoseconds resolution. - Bug: https://github.com/curl/curl/issues/8292 - Reported-by: Harry Sarson + Closes #8678 - Closes https://github.com/curl/curl/pull/8298 +- English: use American spelling consistently -Daniel Stenberg (21 Jan 2022) -- openssl: return error if TLS 1.3 is requested when not supported + Authorization, Initialization, Organization etc. - Previously curl would just silently ignore it if the necessary defines - are not present at build-time. + Closes #8673 - Reported-by: Stefan Eissing - Fixes #8309 - Closes #8310 +Daniel Gustafsson (5 Apr 2022) +- [Sascha Zengler brought this change] -- TODO: Passing NOTIFY option to CURLOPT_MAIL_RCPT + BUGS: Fix incorrect punctuation - Closes #8232 + Closes #8672 + Reviewed-by: Daniel Gustafsson -- [Philip H brought this change] +Daniel Stenberg (4 Apr 2022) +- tool_listhelp.c: uppercase URL - workflows/wolfssl: install impacket +- RELEASE-NOTES: synced - needed Python Package for SMB tests +- http: streamclose "already downloaded" - Closes #8307 + Instead of connclose()ing, since when HTTP/2 is used it doesn't need to + close the connection as stopping the current transfer is enough. -- url: make Curl_disconnect return void + Reported-by: Evangelos Foutras + Closes #8665 - 1. The function would only ever return CURLE_OK anyway - 2. Only one caller actually used the return code - 3. 
Most callers did (void)Curl_disconnect() +Jay Satiro (1 Apr 2022) +- ftp: fix error message for partial file upload - Closes #8303 + - Show the count of bytes written on partial file upload. -- docs: document HTTP/2 not insisting on TLS 1.2 + Prior to this change the error message mistakenly showed the count of + bytes read, not written. - Both for --http2 and CURLOPT_HTTP_VERSION. + Bug: https://github.com/curl/curl/discussions/8637 + Reported-by: Taras Kushnir - Reported-by: jhoyla on github - Fixes #8235 - Closes #8300 + Closes https://github.com/curl/curl/pull/8649 -- cmdline-opts/gen.pl: fix option matching to improve references +Daniel Stenberg (1 Apr 2022) +- http: correct the header error message to say colon - Previously it could mistakenly match partial names when there are - options that start with the same prefix, leading to the wrong references - used. + Not semicolon - Closes #8299 + Reported-by: Gisle Vanem + Ref: #8666 + Closes #8667 -- TODO: Less memory massaging with Schannel +- lib: #ifdef on USE_HTTP2 better -- [Patrick Monnerat brought this change] + ... as nghttp2 might not be the library that provides HTTP/2 support. - runtests.pl: disable debuginfod + Closes #8661 - Valgrind and gdb implement this feature: as this highly slows down tests, - disable it. +- [Michał Antoniak brought this change] - Closes #8291 + mbedtls: remove 'protocols' array from backend when ALPN is not used -- RELEASE-NOTES: synced + Closes #8663 -- CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples +- http2: RST the stream if we stop it on our own will - ... to not call libcurl recursively back. + For the "simulated 304" case the done-call isn't considered "premature" + but since the server didn't close the stream it needs to be reset to + stop delivering data. 
- Closes #8286 + Closes #8664 -- multi: set in_callback for multi interface callbacks +- http: close the stream (not connection) on time condition abort - This makes most libcurl functions return error if called from within a - callback using the same multi handle. For example timer or socket - callbacks calling curl_multi_socket_action. + Closes #8664 - Reported-by: updatede on github - Fixes #8282 - Closes #8286 +- http2: handle DONE called for the paused stream -- docs/HISTORY.md: mention alt-svc and HSTS + As it could otherwise stall all streams on the connection -- misc: remove the final watcom references + Reported-by: Evangelos Foutras + Fixes #8626 + Closes #8664 - Follow-up to bbf8cae44dedc495e6 +- tls: make mbedtls and NSS check for h2, not nghttp2 - We removed support for the watcom builds files back in September - 2020. This removes all remaining watcom references and ifdefs. + This makes them able to also negotiate HTTP/2 even when built to use + hyper for h2. - Closes #8287 + Closes #8656 -- misc: remove BeOS code and references +- tests/libtest/lib670.c: fixup the copyright year range - There has not been a mention of this OS in any commit since December - 2004 (58f4af7973e3d2). The OS is also long gone. + follow-up to b54e18640ea4b7 - Closes #8288 +- [Leandro Coutinho brought this change] -- tool_getparam: DNS options that need c-ares now fail without it + lib670: avoid double check result - Just silently accepting the options and then not having any effect is - not good. + Closes #8660 - Ref: #8283 - Closes #8285 +- vtls: use a generic "ALPN, server accepted" message -- curl: remove "separators" (when using globbed URLs) + Closes #8657 - Unless muted (with -s) When doing globbing, curl would output mime-like - separators between the separate transfers. This is not documented - anywhere, surprises users and clobbers the output. Gone now. 
+- vtls: use a backend standard message for "ALPN: offers %s" - Updated test 18 and 1235 + I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the + infof() call also needs a string argument: the ALPN ID. - Reported-by: jonny112 on github - Bug: https://github.com/curl/curl/discussions/8257 - Closes #8278 + Closes #8657 -Jay Satiro (15 Jan 2022) -- [Niels Martignène brought this change] +- [Christian Schmitz brought this change] - mbedtls: fix CURLOPT_SSLCERT_BLOB (again) + strcase.h: add comment about the return code - - Increase the buffer length passed to mbedtls_x509_crt_parse to account - for the null byte appended to the temporary blob. + Tool often we run into expecting this to work like strcmp, but it + returns 1 instead of 0 for match. - Follow-up to 867ad1c which uses a null terminated copy of the - certificate blob, because mbedtls_x509_crt_parse requires PEM data - to be null terminated. + Closes #8658 - Ref: https://github.com/curl/curl/commit/867ad1c#r63439893 - Ref: https://github.com/curl/curl/pull/8146 +- vtls: provide a unified APLN-disagree string for all backends - Closes https://github.com/curl/curl/pull/8260 + Also rephrase to make it sound less dangerous: -Daniel Stenberg (15 Jan 2022) -- [Alessandro Ghedini brought this change] + "ALPN: server did not agree on a protocol. Uses default." - quiche: verify the server cert on connect + Reported-by: Nick Coghlan + Fixes #8643 + Closes #8651 - Similarly to c148f0f551f9bea0e3d0, make quiche correctly acknowledge - `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`. +- projects/README: converted to markdown - Fixes #8173 - Closes #8275 + Closes #8652 -- [Ikko Ashimine brought this change] +- misc: spelling fixes - checksrc: fix typo in comment + Mostly in comments but also in the -w documentation for headers_json. 
- enfore -> enforce + Closes #8647 - Closes #8281 +- KNOW_BUGS: HTTP3/Transfer closed with n bytes remaining to read -- curl-openssl: remove the OpenSSL headers and library versions check + "HTTP/3 does not support client certs" considered fixed, at least with + the ngtcp2 backend. - It is more work to maintain that check than the (any?) benefit it - brings. + Closes #8523 - Fixes #8279 - Reported-by: Satadru Pramanik - Closes #8280 +- CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs -- mqtt: free any leftover when done + Also add to quote.d. Add to TODO as something to add in a future. - Oss-fuzz found an issue when the "sendleftovers" pointer could leak memory. - Fix this by always freeing it (if still assigned) in the done function. + Reported-by: anon00000000 on github + Closes #8602 + Closes #8648 - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43515 - Closes #8274 +- RELEASE-NOTES: synced -- formdata: avoid size_t => long typecast overflows +- pop3/smtp: return *WEIRD_SERVER_REPLY when not understood - Typically a problem for platforms with 32 bit long and 64 bit size_t + This leaves the CURLE_RECV_ERROR error code for explicit failure to + receive network data and allows users to better separate the problems. - Reported-by: Fabian Yamaguchi - Bug: https://hackerone.com/reports/1444539 - Closes #8272 + Ref #8356 + Reported-by: Rianov Viacheslav + Closes #8506 -- RELEASE-NOTES: synced +- docs: lots of minor language polish - bump next release to become 7.82.0 + Mostly based on recent language decisions from "everything curl": -Marcel Raad (13 Jan 2022) -- build: enable -Warith-conversion + - remove contractions (isn't => is not) + - *an* HTTP (consistency) + - runtime (no hyphen) + - backend (no hyphen) + - URL is uppercase - This makes the behavior consistent between GCC 10 and earlier versions. 
+ Closes #8646 - Closes https://github.com/curl/curl/pull/8271 +Jay Satiro (29 Mar 2022) +- projects: Update VC version names for VS2017, VS2022 -- build: fix -Wenum-conversion handling + - Rename VC15 -> VC14.10, VC17 -> VC14.30. - Don't enable that warning when warnings are disabled. - Also add it to CMake. + The projects directory that holds the pre-generated Visual Studio + project files uses VC to indicate the MSVC version. At some point + support for Visual Studio 2017 (Visual Studio version 15 which uses MSVC + 14.10) was added as VC15. Visual Studio 2022 (Visual Studio version 17 + which uses MSVC 14.30) project files were recently added and followed + that same format using VC17. - Closes https://github.com/curl/curl/pull/8271 + There is no such MSVC version (yet) as VC15 or VC17. -- appveyor: use VS 2017 image for the autotools builds + For VS 2017 for example, the name we use is correct as either VS17, + VS2017, VC14.10. I opted for the latter since we use VC for earlier + versions (eg VC10, VC12, etc). - The newer images don't have all required MSYS2 packages. + Ref: https://github.com/curl/curl/pull/8438#issuecomment-1037070192 - Fixes https://github.com/curl/curl/issues/8248 - Closes https://github.com/curl/curl/pull/8265 + Closes https://github.com/curl/curl/pull/8447 -- appveyor: update images from VS 2019 to 2022 +Daniel Stenberg (29 Mar 2022) +- mqtt: better handling of TCP disconnect mid-message - Closes https://github.com/curl/curl/pull/8265 + Reported-by: Jenny Heino + Bug: https://hackerone.com/reports/1521610 + Closes #8644 -Daniel Stenberg (12 Jan 2022) -- [Michał Antoniak brought this change] +- CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - mbedtls: return CURLcode result instead of a mbedtls error code +- [Ian Blanes brought this change] - ... 
when a certificate fails to be loaded from a blob + docs/DYNBUF: clarify documentation for Curl_dyn_ptr and Curl_dyn_uptr - Closes #8266 + Closes #8606 -- curl_multi_socket.3: remove callback and typical usage descriptions +- [Ian Blanes brought this change] - 1. The callback is better described in the option for setting it. Having - it in a single place reduces the risk that one of them is wrong. + curl: fix segmentation fault for empty output file names. - 2. The "typical usage" is wrong since the functions described in this - man page are both deprecated so they cannot be used in any "typical" way - anymore. + Function glob_match_url set *result to NULL when called with filename = + "", producing an indirect NULL pointer dereference. - Closes #8262 + Closes #8606 -- curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE +- TODO: Read keys from ~/.ssh/id_ecdsa, id_ed25519 - Mostly reverts ba0657c343f, but now instead just run the plain macro on - darwin. The approach as used on other platforms is simply not necessary - on macOS. + It would be nice to expand the list of key locations curl uses for the + newer key types supported by libssh2. - Fixes #8229 - Reported-by: Ryan Schmidt - Closes #8247 + Closes #8586 -- [Patrick Monnerat brought this change] +- ngtcp2: update to work after recent ngtcp2 updates - openldap: implement SASL authentication + Assisted-by: Tatsuhiro Tsujikawa + Reported-by: jurisuk on github + Fixes #8638 + Closes #8639 - As credentials can be quite different depending on the mechanism used, - there are no default mechanisms for LDAP and simple bind with a DN is - then used. +- [Farzin brought this change] - The caller has to provide mechanism(s) using CURLOPT_LOGIN_OPTIONS to - enable SASL authentication and disable simple bind. 
+ CURLOPT_PROGRESSFUNCTION.3: fix typo in example - Closes #8152 + Closes #8636 -Jay Satiro (10 Jan 2022) -- [Cameron Will brought this change] +- curl/header_json: output the header names in lowercase - CURLOPT_RESOLVE.3: change example port to 443 + To better allow json[“header”]. - 83cc966 changed documentation from using http to https. However, - CURLOPT_RESOLVE being set to port 80 in the documentation means that it - isn't valid for the new URL. Update to 443. + Reported-by: Peter Korsgaard + Bug: https://daniel.haxx.se/blog/2022/03/24/easier-header-picking-with-curl/comment-page-1/#comment-25878 + Closes #8633 - Closes https://github.com/curl/curl/pull/8258 +- RELEASE-NOTES: synced -Daniel Stenberg (10 Jan 2022) -- [Fabian Keil brought this change] +- headers.h: make Curl_headers_push() be CURLE_OK when not built - test374: gif data without new line at the end + ... to avoid errors when the function isn't there. - Closes #8239 + Reported-by: Marcel Raad + Fixes #8627 + Closes #8628 -- [Fabian Keil brought this change] +- scripts: move three scripts from lib/ to scripts/ - runtests.pl: support the nonewline attribute for the data part + Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't + particularly belong in lib/ - Added to FILEFORMAT + Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying + those files in the root Makefile.am - Closes #8239 + Closes #8625 -- [Patrick Monnerat brought this change] +Marc Hoersken (23 Mar 2022) +- lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 - curl tool: erase some more sensitive command line arguments + curl_setup.h automatically defines WIN32 if just _WIN32 is defined. - As the ps command may reveal sensitive command line info, obfuscate - options --tlsuser, --tlspasswd, --proxy-tlsuser, --proxy-tlspassword and - --oauth2-bearer arguments. + Therefore make sure curl_setup.h is included through warnless.h. 
- Reported-by: Stephen Boost + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro - Closes #7964 + Closes #8594 -- mesalink: remove support +- tests/server/util.h: align WIN32 condition with util.c - Mesalink has ceased development. We can no longer encourage use of it. - It seems to be continued under the name TabbySSL, but no attempts have - (yet) been to make curl support it. + There is no need to test for both _WIN32 and WIN32 as curl_setup.h + automatically defines the later if the first one is defined. - Fixes #8188 - Closes #8191 + Also tests/server/util.c is only checking for WIN32 arouund the + implementation of win32_perror, so just defining _WIN32 + would not be sufficient for a successful compilation. -- ldap: return CURLE_URL_MALFORMAT for bad URL + Reviewed-by: Daniel Stenberg + Reviewed-by: Jay Satiro - For consistency, use the same return code for URL malformats, - independently of what scheme that is used. Previously this would return - CURLE_LDAP_INVALID_URL, but starting now that error cannot be returned. + Closes #8594 - Closes #8170 +Daniel Stenberg (22 Mar 2022) +- [Philip Heiduck brought this change] -- docs/cmdline-opts: add "mutexed" options for more http versions + firefox-db2pem.sh: make the shell script safer - Update four http version man page sections. + Reported by lift - Closes #8254 + Closes #8616 -- [Stephen M. Coakley brought this change] +Jay Satiro (22 Mar 2022) +- gtls: fix build for disabled TLS-SRP - rustls: add CURLOPT_CAINFO_BLOB support + Prior to this change if, at build time, the GnuTLS backend was found to + have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl + via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. - Add support for `CURLOPT_CAINFO_BLOB` `CURLOPT_PROXY_CAINFO_BLOB` to the - rustls TLS backend. Multiple certificates in a single PEM string are - supported just like OpenSSL does with this option. 
+ Bug: https://curl.se/mail/lib-2022-03/0046.html + Reported-by: Robert Brose - This is compatible at least with rustls-ffi 0.8+ which is our new - minimum version anyway. + Closes https://github.com/curl/curl/pull/8604 - I was able to build and run this on Windows, pulling trusted certs from - the system and then add them to rustls by setting - `CURLOPT_CAINFO_BLOB`. Handy! +- winbuild: Add a Visual Studio example to the README - Closes #8255 + - Add an example that explains in detail how the user can add libcurl to + their Visual Studio project. -- scripts/copyright.pl: ignore missing files + Ref: https://github.com/curl/curl/issues/8591 -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/8592 -- data/DISABLED: disable test 313 for wolfssl builds +- docs/opts: Mention Schannel client cert type is P12 - It was previously disabled only in the CI jobs yaml + Schannel backend code behaves same as Secure Transport, it expects a P12 + certificate file or the name of a certificate already in the user's OS + key store. Also, both backends ignore CURLOPT_SSLKEY (tool: --key) + because they expect the private key to already be available from the + keystore or P12 certificate. - Closes #8252 + Ref: https://github.com/curl/curl/discussions/8581#discussioncomment-2337260 -- runtests: make 'wolfssl' a testable feature + Closes https://github.com/curl/curl/pull/8587 - Closes #8252 +Daniel Stenberg (22 Mar 2022) +- lib1945: fix compiler warning 4706 on MSVC -- GHA: install stunnel in the medbtls + wolfssl CI jobs + Follow-up from d1e4a677340c - Closes #8252 + Closes #8623 -- CI: move the rustls CI job to GHA from Zuul +- [Philip Heiduck brought this change] - Closes #8251 + ci/event-based.yml: improve impacket install -- DISABLE: disable a dozen tests in the rustls build + skip python3-pip + install impacket with library module - Disables tests that don't yet work with the rustls backend. 
+ Closes #8621 - Fixes #8004 - Closes #8250 +- test1459: disable for oldlibssh -- runtests: make 'rustls' a testable feature + This test with libssh 0.9.3 works fine on github but fails on circleci. + Might as well disable this test for oldlibssh installations. -- remote-header-name.d: clarify + Closes #8622 - - it strips off the path from the server provided name - - it saves in current directory or --output-dir +- test1135: sync with recent API updates - Ref: https://curl.se/mail/archive-2022-01/0032.html - Closes #8249 + This test verifies that the order of functions in public headers remain + the same but hasn't been updated to care for recently added header + files. The order is important for some few platforms - or VERSIONINFO + needs to updated. -- url: given a user in the URL, find pwd for that user in netrc + This fix also updates VERSIONINFO to be sure. - Add test 380 and 381 to verify, edited test 133 + Closes #8620 - Reported-by: Manfred Schwarb - Fixes #8241 - Closes #8243 +- curl_easy_nextheader.3: fix two typos -- [Niels Martignène brought this change] + Reported-by: Timothe Litt + Bug: https://curl.se/mail/lib-2022-03/0060.html - mbedtls: Fix ssl_init error with mbedTLS 3.1.0+ +- options: remove mistaken space before paren in prototype - Since mbedTLS 3.1.0, mbedtls_ssl_setup() fails if the provided - config struct is not valid. +- cirrus: add --enable-headers-api for some windows builds - mbedtls_ssl_config_defaults() needs to be called before the config - struct is passed to mbedtls_ssl_setup(). +- GHA: --enable-headers-api in all workflows - Closes #8238 +- lib: make the headers API depend on --enable-headers-api -- [Filip Lundgren brought this change] +- configure: add --enable-headers-api to enable the headers API - cmake: fix iOS CMake project generation error + Defaults to disabled while labeled EXPERIMENTAL. - Closes #8244 + Make all the headers API tests require 'headers-api' to run. 
-- ngtcp2: fix declaration of ‘result’ shadows a previous local +- test1671: verify -w '%{header_json} - Follow-up to 8fbd6feddfa587cfd3 +- test1670: verify -w %header{} - Closes #8245 +- curl: add %{header_json} support in -w handling -- openssl.h: avoid including OpenSSL headers here + Outputs all response headers as a JSON object. - ... by instead using the struct version of the typedef'ed pointer. To - fix build errors when both Schannel and OpenSSL are enabled. +- curl: add %header{name} support in -w handling - Fixes #8240 - Reported-by: Jan Ehrhardt - Closes #8246 + Outputs the response header 'name' -- curl_url_set.3: mention when CURLU_ALLOW_SPACE was added +- header api: add curl_easy_header and curl_easy_nextheader -- tool_findfile: free mem properly + Add test 1940 to 1946 to verify. - Follow-up to 764e4f066d5 + Closes #8593 - Closes #8242 +- test1459: remove the different exit code for oldlibssh -- tool_findfile: check ~/.config/curlrc too + When using libssh/0.9.3/openssl/zlib, we seem to be getting the "right" + error code. - ... after the initial checks for .curlrc and if XDG_CONFIG_HOME is not - set, use $HOME and $CURL_HOME to check if ~/.config/curlrc is present. + Closes #8490 - Add test 436 to verify +- libssh: unstick SFTP transfers when done event-based - Reported-by: Sandro Jaeckel - Fixes #8208 - Closes #8213 + Test 604 and 606 (at least). -- runtests: allow client/file to specify multiple directories + Closes #8490 - ... and make sure to mkdir them all +- gha: move the event-based test over from Zuul -- scripts/copyright.pl: support many provided file names on the cmdline + Switched libssh2 to libssh -- [Fabian Keil brought this change] + Closes #8490 - tests/FILEFORMAT.md: fix typo +- RELEASE-NOTES: synced -- [Fabian Keil brought this change] +- http: return error on colon-less HTTP headers - Add test373: multiple chunks with binary zeros + It's a protocol violation and accepting them leads to no good. 
-- [Fabian Keil brought this change] + Add test case 398 to verify - Add test372: binary zero in data element + Closes #8610 -- [Fabian Keil brought this change] +- test718: edited slightly to return better HTTP - tests/server/getpart.c: properly deal with binary data containing NUL bytes + Since hyper is picky and won't play ball otherwise. -- [Fabian Keil brought this change] + Bug: https://github.com/hyperium/hyper/issues/2783 + Reported-by: Daniel Valenzuela + Closes #8614 - runtests.pl: properly print the test if it contains binary zeros +- hyper: no h2c support -- mailmap: Xiaoke Wang + Make tests require h2c feature present to run, and only set h2c if + nghttp2 is used in the build. Hyper does not support it. -- openssl: copyright year update + Remove those tests from DISABLED - Follow-up to 30aea2b1ede + Fixes #8605 + Closes #8613 -- scripts/copyright.pl: hush unless -v (for verbose) is used +- configure: bump the copyright year range int the generated output -- [Xiaoke Wang brought this change] +- [Andreas Falkenhahn brought this change] - openssl: check the return value of BIO_new_mem_buf() + BINDINGS.md: add Hollywood binding - Closes #8233 + Closes #8609 -- examples/multi-app.c: call curl_multi_remove_handle as well +- HISTORY: add some 2022 data - Fixes #8234 - Reported-by: Melroy van den Berg - Closes #8236 +- scripts/copyright.pl: ignore the new mlc_config.json file -- COPYING: bump copyright year range +- [Philip Heiduck brought this change] -- RELEASE-NOTES: synced + mlc_config.json: add file to ignore known troublesome URLs - and bump curlver after release + This is the config file for the CI markdown link checker and lets us + filter URLs that are known to cause problems. Like + https://curl.zuul.vexxhost.dev/ for now. -- docs: fix mandoc -T lint formatting complaints + Closes #8597 - Closes #8228 +- [Philip Heiduck brought this change] -- next.d. 
remove .fi/.nf as they are handled by gen.pl + winbuild/README.md: fixup dead link - Closes #8228 + Closes #8597 -- gen.pl: terminate "example" sections better +Jay Satiro (18 Mar 2022) +- rtsp: don't let CSeq error override earlier errors - If the example (section that is prefixed with spaces) ends the - description gen.pl would previously miss to output the terminating .fi + - When done, if an error has already occurred then don't check the + sequence numbers for mismatch. - Closes #8228 + A sequence number may not have been received if an error occurred. -- [Satadru Pramanik brought this change] + Prior to this change a sequence mismatch error would override earlier + errors. For example, a server that returns nothing would cause error + CURLE_GOT_NOTHING in Curl_http_done which was then overridden by + CURLE_RTSP_CSEQ_ERROR in rtsp_done. - curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval + Closes https://github.com/curl/curl/pull/8525 - $$ usage in a m4 file introduces the PID in linux. - Instead, just duplicate previous working code with a case switch. +- lib: fix some misuse of curlx_convert_wchar_to_UTF8 - Fixes #8229 - Closes #8230 + curlx_convert_wchar_to_UTF8 must be freed by curlx_unicodefree, but + prior to this change some uses mistakenly called free. -Version 7.81.0 (5 Jan 2022) + I've reviewed all other uses of curlx_convert_wchar_to_UTF8 and + curlx_convert_UTF8_to_wchar. -Daniel Stenberg (5 Jan 2022) -- RELEASE-NOTES: synced + Ref: https://github.com/curl/curl/commit/1d5d0ae - curl 7.81.0 release + Closes https://github.com/curl/curl/pull/8521 -- THANKS: add names from 7.81.0 release +- mk-ca-bundle.pl: Use stricter logic to process the certificates -- curl_multi_init.3: fix the copyright year range + .. and bump version to 1.29. -- test719-721: require "proxy" feature present to run + This change makes the script properly ignore unknown blocks and + otherwise fail when Mozilla changes the certdata format in ways we + don't expect. 
Though this is less flexible behavior it makes it far less + likely that an invalid certificate can slip through. - Bug: https://github.com/curl/curl/pull/8223#issuecomment-1005188696 - Reported-by: Marc Hörsken + Prior to this change the state machine did not always properly reset, + and it was possible that a certificate marked as invalid could then + later be marked as valid when there was conflicting trust info or + an unknown block was erroneously processed as part of the certificate. - Closes #8226 + Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569 -- test719: require ipv6 support to run + Closes https://github.com/curl/curl/pull/8411 - Follow-up to effd2bd7ba2a5fd244 - Reported-by: Marc Hörsken - Bug: https://github.com/curl/curl/pull/8217#issuecomment-1004681145 +Marcel Raad (17 Mar 2022) +- test375: fix line endings on Windows - Closes #8223 + Closes https://github.com/curl/curl/pull/8599 -- test719-721: verify SOCKS details +Daniel Stenberg (17 Mar 2022) +- http: reject header contents with nul bytes - Using the new verify/socks details + They are not allowed by the protocol and allowing them risk that curl + misbehaves somewhere where C functions are used but won't work on the + full contents. Further, they are not supported by hyper and they cause + problems for the new coming headers API work. -- runtests: add verify/socks check + Updated test 262 to verify and enabled it for hyper as well - If used, this data is compared with the data in log/socksd-request.log - which the socksd server logs. + Closes #8601 - Added to FILEFORMAT.md +- [Philip Heiduck brought this change] -- server/socksd: log atyp + address in a separate log + CI: Do not use buildconf. Instead, just use: autoreconf -fi - To allow the test suite to verify that the right data arrived + Closes #8596 -- socks5: use appropriate ATYP for numerical IP address host names +- RELEASE-NOTES: synced - When not resolving the address locallly (known as socks5h). 
+Jay Satiro (14 Mar 2022) +- libssh: Improve fix for missing SSH_S_ stat macros - Add test 719 and 720 to verify. + - If building libcurl against an old libssh version missing SSH_S_IFMT + and SSH_S_IFLNK then use the values from a supported version. - Reported-by: Peter Piekarski - Fixes #8216 - Closes #8217 + Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK + then S_IFMT and S_IFLNK, respectively, were used instead. The problem + with that is the user's S_ stat macros don't have the same values across + platforms. For example Windows has values different from Linux. -Jay Satiro (3 Jan 2022) -- curl_multi_init.3: fix EXAMPLE formatting + Follow-up to 7b0fd39. -Daniel Stenberg (3 Jan 2022) -- RELEASE-NOTES: synced + Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391 + Ref: https://github.com/curl/curl/pull/8574 -- libtest: avoid "assignment within conditional expression" + Closes https://github.com/curl/curl/pull/8588 - In lib530, lib540 and lib582 +Marc Hoersken (13 Mar 2022) +- tool and tests: force flush of all buffers at end of program - Closes #8218 + On Windows data can be lost in buffers in case of abnormal program + termination, especially in process chains as seen due to flaky tests. + Therefore flushing all buffers manually should avoid this data loss. -- ftp: disable warning 4706 in MSVC + In the curl tool we play the safe game by only flushing write buffers, + but in the testsuite where we manage all buffers, we flush everything. - Follow-up to 21248e052d + This should drastically reduce Windows CI and testsuite flakiness. - Disabling "assignment within conditional expression" for MSVC needs to - be done before the function starts, for it to take effect. 
+ Reviewed-by: Daniel Stenberg - Closes #8218 + Supersedes #7833 and #6064 + Closes #8516 -- tool_operate: warn if too many output arguments were found +Daniel Stenberg (12 Mar 2022) +- [Jan Venekamp brought this change] - More output instructions than URLs is likely a user error. + BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - Add test case 371 to verify + Closes #8478 - Closes #8210 +- [Jan Venekamp brought this change] -- .github/workflows/mbedtls.yml: bump to mbedtls 3.1.0 + BearSSL: add CURLOPT_SSL_CIPHER_LIST support - Closes #8215 + Closes #8477 -- zuul: remove the mbedtls jobs +Dan Fandrich (11 Mar 2022) +- tool_cb_hdr: Turn the Location: into a terminal hyperlink - Now running as github workflows + This turns even relative URLs into clickable hyperlinks in a supported + terminal when --styled-output is enabled. Many terminals already turn + URLs into clickable links but there is not enough information in a + relative URL to do this automatically otherwise. - Closes #8215 +- keepalive-time.d: It takes many probes to detect brokenness -- github/workflows: add mbedtls and mbedtls-clang +Daniel Stenberg (11 Mar 2022) +- [HexTheDragon brought this change] - Closes #8215 + curl: add --no-clobber -- [Valentin Richter brought this change] + Does not overwrite output files if they already exist - mbedtls: fix private member designations for v3.1.0 + Closes #7708 + Co-authored-by: Daniel Stenberg - "As a last resort, you can access the field foo of a structure bar by - writing bar.MBEDTLS_PRIVATE(foo). Note that you do so at your own risk, - since such code is likely to break in a future minor version of Mbed - TLS." - - https://github.com/ARMmbed/mbedtls/blob/f2d1199edc5834df4297f247f213e614f7782d1d/docs/3.0-migration-guide.md +- RELEASE-NOTES: synced - That future minor version is v3.1.0. I set the >= to == for the version - checks because v3.1.0 is a release, and I am not sure when the private - designation was reverted after v3.0.0. 
+ also bump next pending version to become 7.83.0 - Closes #8214 +- [Jean-Philippe Menil brought this change] -- [Valentin Richter brought this change] + openssl: check SSL_get_peer_cert_chain return value - cmake: prevent dev warning due to mismatched arg + 
Signed-off-by: Jean-Philippe Menil + Closes #8579 - -- curl version=[7.81.0-DEV] - CMake Warning (dev) at /usr/share/cmake-3.22.1/Modules/FindPackageHandleStandardArgs.cmake:438 (message): - The package name passed to `find_package_handle_standard_args` (MBEDTLS) - does not match the name of the calling package (MbedTLS). This can lead to - problems in calling code that expects `find_package` result variables - (e.g., `_FOUND`) to follow a certain pattern. - Call Stack (most recent call first): - deps/curl/CMake/FindMbedTLS.cmake:31 (find_package_handle_standard_args) - deps/curl/CMakeLists.txt:473 (find_package) - This warning is for project developers. Use -Wno-dev to suppress it. +- [Jay Satiro brought this change] - Closes #8207 + mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl -- urlapi: if possible, shorten given numerical IPv6 addresses + mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate + extraction, similar to mk-ca-bundle.pl which runs on any platform. The + vbs version has not been maintained while the perl version has been + maintained with improvements and security fixes. I don't think it's + worth the work to maintain both versions. Windows users should be able + to use mk-ca-bundle.pl without any problems, as long as they have perl. 
- Extended test 1560 to verify + Closes #8412 - Closes #8206 +- CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype -- [Michał Antoniak brought this change] + Copy and paste error - url: reduce ssl backend count for CURL_DISABLE_PROXY builds + Reported-by: Francisco Olarte + Fixes #8573 + Closes #8577 - Closes #8212 +- remove-on-error.d: typo -- KNOWN_BUGS: "Trying local ports fails on Windows" + Reported-by: Colin Leroy + Bug: https://github.com/curl/curl/pull/8503#pullrequestreview-906520081 - Reported-by: gclinch on github - Closes #8112 +- curl: add --remove-on-error -- misc: update copyright year range + If a transfer returns an error, using this option makes curl remove the + leftover downloded (partial) local file before exiting. -- zuul: remove the wolfssl even more + Added test 376 to verify - Follow-up to 1914465cf180d32b3d + Closes #8503 -- examples/multi-single.c: remove WAITMS() +- libssh: fix build with old libssh versions - As it isn't used. + ... that don't have the SSH_S_* defines. Spotted on a machine using + libssh 0.7.3 - Reported-by: Melroy van den Berg - Fixes #8200 - Closes #8201 + Closes #8574 -- gtls: add gnutls include for the session type +- hyper: fix status_line() return code - Follow-up to 8fbd6feddfa5 to make it build more universally + Detected while working on #7708 that happened to trigger an error here + with a new test case. -- m4/curl-compilers: tell clang -Wno-pointer-bool-conversion + Closes #8572 - To hush compiler warnings we don't care for: error: address of function - 'X' will always evaluate to 'true' +- [Alejandro R. Sedeño brought this change] - Fixes #8197 - Closes #8198 + configure.ac: move -pthread CFLAGS setting back where it used to be -- http_proxy: don't close the socket (too early) + The fix for #8276 proposed in #8374 set `CFLAGS="$CFLAGS -pthead"` + earlier than it used to be set, applying it in cases where it should not + have been applied. - ... 
and double-check in the OpenSSL shutdown that the socket is actually - still there before it is used. + This moves the AIX XLC check to a new `case $host in` block inside of + the `if test "$USE_THREADS_POSIX" != "1"` block, where `CFLAGS="$CFLAGS + -pthead"` used to happen. - Fixes #8193 - Closes #8195 + Fixes #8541 + Closes #8542 - Reported-by: Leszek Kubik +- [Tatsuhiro Tsujikawa brought this change] -- ngtcp2: verify the server certificate for the gnutls case + ngtcp2: add client certificate authentication for OpenSSL - Closes #8178 + Closes #8522 -- ngtcp2: verify the server cert on connect (quictls) +- tool_operate: fix a scan-build warning - Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and - `CURLOPT_SSL_VERIFYHOST`. + ... and avoid the temp storing of the return code in a diff variable. - The name check now uses a function from lib/vtls/openssl.c which will - need attention for when TLS is not done by OpenSSL or is disabled while - QUIC is enabled. + Closes #8565 - Possibly the servercert() function in openssl.c should be adjusted to be - able to use for both regular TLS and QUIC. +- test375: verify that --proxy errors out if proxy is disabled in the build - Ref: #8173 - Closes #8178 + Closes #8565 -- zuul: remove the wolfssl build +- curl: error out when options need features not present in libcurl -- github workflow: add wolfssl + Trying to use a proxy when libcurl was built with proxy support disabled + should make curl error out properly. - Closes #8196 + Remove knowledge of disabled features from the tool code and instead + make it properly respond to what libcurl returns. Update all tests to + properly require the necessary features to be present/absent so that the + test suite can still be run even with libcurl builds with disabled + features. 
-- [Nicolas Sterchele brought this change] + Ref: https://curl.se/mail/archive-2022-03/0013.html + Closes #8565 - zuul: fix quiche build pointing to wrong Cargo +- ngtcp2: disconnect the QUIC connection proper - Fixes #8184 - Closes #8189 + Reported-by: mehatzri on github + Reviewed-by: Tatsuhiro Tsujikawa + Fixes #8534 + closes #8569 -- checksrc: detect more kinds of NULL comparisons we avoid +Dan Fandrich (9 Mar 2022) +- test386: Fix an incorrect test markup tag - Co-authored-by: Jay Satiro - Closes #8180 +Daniel Stenberg (9 Mar 2022) +- [Don J Olmstead brought this change] -- RELEASE-NOTES: synced + nonblock: restore setsockopt method to curlx_nonblock -- mesalink: remove the BACKEND define kludge + The implementation using setsockopt was removed when BeOS support was + purged. However this functionality wasn't BeOS specific, it is still + used by for example Orbis OS (Playstation 4/5 OS). - Closes #8183 + Closes #8562 -- schannel: remove the BACKEND define kludge +- openssl: fix CN check error code - Closes #8182 + Due to a missing 'else' this returns error too easily. -- gtls: check return code for gnutls_alpn_set_protocols + Regressed in: d15692ebb - Closes #8181 + Reported-by: Kristoffer Gleditsch + Fixes #8559 + Closes #8560 -- [Stefan Huber brought this change] +- [Frank Meier brought this change] - README: label the link to the support document + connect: make Curl_getconnectinfo work with conn cache from share handle - Closes #8185 + Closes #8524 diff --git a/vendor/curl/RELEASE-NOTES b/vendor/curl/RELEASE-NOTES index 30165420bb..9b70c8c86e 100644 --- a/vendor/curl/RELEASE-NOTES +++ b/vendor/curl/RELEASE-NOTES 
@@ -1,379 +1,423 @@ -curl and libcurl 7.85.0 +curl and libcurl 7.86.0 - Public curl releases: 210 + Public curl releases: 211 Command line options: 248 - curl_easy_setopt() options: 299 - Public functions in libcurl: 88 - Contributors: 2690 + curl_easy_setopt() options: 300 + Public functions in libcurl: 91 + Contributors: 2733 This release includes the following changes: - o quic: add support via wolfSSL [142] - o schannel: Add TLS 1.3 support [96] - o setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR [30] + o NPN: remove support for and use of [16] + o Websockets: initial support [23] This release includes the following bugfixes: - o amigaos: fix threaded resolver on AmigaOS 4.x [133] - o amissl: allow AmiSSL to be used with AmigaOS 4.x builds [115] - o amissl: make AmiSSL v5 a minimum requirement [117] - o asyn-ares: make a single alloc out of hostname + async data [123] - o asyn-thread: fix socket leak on OOM [128] - o asyn-thread: make getaddrinfo_complete return CURLcode [53] - o base64: base64url encoding has no padding [41] - o BUGS.md: improve language [62] - o build: improve OS string in CMake and `config-win32.h` [15] - o cert.d: clarify that escape character works for file paths [161] - o cirrus.yml: replace py38-pip with py39-pip [63] - o cirrus/freebsd-ci: bootstrap the pip installer [104] - o cmake: add detection of threadsafe feature [163] - o cmake: do not force Windows target versions [28] - o cmake: fix build for mingw cross compile [33] - o cmake: link curl to its dependencies with PRIVATE [57] - o cmake: remove APPEND in export(TARGETS) [58] - o cmake: set feature PSL if present [168] - o cmake: support ngtcp2 boringssl backend [18] - o cmdline-opts/gen.pl: improve performance [97] - o config: remove the check for and use of SIZEOF_SHORT [129] - o configure: -pthread not available on AmigaOS 4.x [118] - o configure: check for the stdatomic.h header in configure [7] - o configure: fix --disable-headers-api [55] - o configure: fix 
broken m4 syntax in TLS options [145] - o configure: fixup bsdsocket detection code for AmigaOS 4.x [110] - o configure: if asked to use TLS, fail if no TLS lib was detected [156] - o configure: introduce CURL_SIZEOF [130] - o connect: add quic connection information [100] - o connect: close the happy eyeballs loser connection when using QUIC [109] - o connect: revert the use of IP*_RECVERR [102] - o connect: set socktype/protocol correctly [114] - o cookie: reject cookies with "control bytes" [152] - o cookie: treat a blank domain in Set-Cookie: as non-existing [40] - o cookie: use %zu to infof() for size_t values [26] - o curl-compilers.m4: make icc use -diag* options and disable two warnings [84] - o curl-config: quote directories with potential space [132] - o curl-confopts: remove leftover AC_REQUIREs [91] - o curl-functions.m4: check whether atomics can link [86] - o curl-wolfssl.m4: add options header when building test code [87] - o curl.h: CURLE_CONV_FAILED is obsoleted [4] - o curl.h: include on SunOS [151] - o curl: output warning when a cookie is dropped due to size [5] - o curl: writeout: fix repeated header outputs [47] - o Curl_close: call Curl_resolver_cancel to avoid memory-leak [124] - o curl_easy_header: Add CURLH_PSEUDO to sanity check [94] - o curl_mime_data.3: polish the wording [6] - o curl_multi_timeout.3: clarify usage [48] - o CURLINFO_SPEED_UPLOAD/DOWNLOAD.3: fix examples [121] - o CURLOPT_BUFFERSIZE.3: add upload buffersize to see also [159] - o CURLOPT_CONNECT_ONLY.3: clarify multi API use [64] - o CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name [16] - o digest: fix memory leak, fix not quoted 'opaque' [66] - o digest: fix missing increment of 'nc' value for auth-int [39] - o digest: pass over leading spaces in qop values [119] - o digest: reject broken header with session protocol but without qop [120] - o docs/cmdline-opts/gen.pl: encode leading single and double quotes [138] - o docs/cmdline-opts: fix example and categories for 
--form-escape [125] - o docs/cmdline: mark fail and fail-with-body as mutually exclusive [98] - o docs: add dns category to --resolve [95] - o docs: explain curl_easy_escape/unescape curl handle is ignored [23] - o docs: remove him/her/he/she from documentation [103] - o doh: move doh related struct definitions to doh.h [45] - o doh: use https protocol by default [51] - o easy_lock.h: include sched.h if available to fix build [13] - o easy_lock.h: use __asm__ instead of asm to fix build [11] - o easy_lock: fix build for mingw [34] - o easy_lock: fix build with icc [54] - o easy_lock: fix the #ifdef conditional for ia32_pause [8] - o easy_lock: switch to using atomic_int instead of bool [9] - o easyoptions: fix icc warning [42] - o escape: remove outdated comment [25] - o examples/curlx.c: remove [150] - o file: add handling of native AmigaOS paths [108] - o file: fix icc enumerated type mixed with another type warning [92] - o ftp: use a correct expire ID for timer expiry [88] - o getinfo: return better error on NULL as first argument [21] - o GHA: add two Intel compiler CI jobs [85] - o GHA: move libressl CI from zuul to GitHub [144] - o gha: move over ngtcp2-gnutls CI job from zuul [162] - o GHA: mv CI torture test from Zuul [135] - o h2h3: fix overriding the 'TE: Trailers' header [43] - o hostip: resolve *.localhost to 127.0.0.1/::1 [127] - o HTTP3.md: update to msh3 v0.4.0 [126] - o http: typecast the httpreq assignment to avoid icc compiler warning [76] - o http_aws_sigv4.c: remove two unusued includes [36] - o http_chunks: remove an assign + typecast [82] - o hyper: customize test1274 to how hyper unfolds headers [131] - o hyper: enable obs-folded multiline headers [101] - o hyper: use wakers for curl pause/resume [2] - o imap: use ISALNUM() for alphanumeric checks [134] - o ldap: adapt to conn->port now being an 'int' [106] - o lib/curl_path.c: add ISC to license expression [1] - o lib3026: reduce the number of threads to 100 [44] - o libcurl-security.3: fix 
typo on macro "SH_" [12] - o libssh2: make atime/mtime date overflow return error [148] - o libssh2: provide symlink name in SFTP dir listing [155] - o libssh: ignore deprecation warnings [157] - o libssh: make atime/mtime date overflow return error [149] - o Makefile.m32: add `CURL_RC` and `CURL_STRIP` variables [ci skip] [17] - o Makefile.m32: add `NGTCP2_LIBS` option [ci skip] [38] - o makefile.m32: add support for custom ARCH [ci skip] [27] - o Makefile.m32: allow -nghttp3/-ngtcp2 without -ssl [ci skip] [141] - o Makefile.m32: do not set the libcurl.rc debug flag [ci skip] [3] - o Makefile.m32: stop trying to build libcares.a [ci skip] [46] - o memdebug: add annotation attributes [143] - o mprintf: fix *dyn_vprintf() when out-of-memory [90] - o mprintf: make dprintf_formatf never return negative [49] - o msh3: fix the QUIC disconnect function [107] - o multi: fix the return code from Curl_pgrsDone() [80] - o multi: have curl_multi_remove_handle close CONNECT_ONLY transfer [136] - o multi: use a pipe instead of a socketpair on apple platforms [154] - o multi: use larger dns hash table for multi interface [140] - o multi_wait: fix and improve Curl_poll error handling on Windows [146] - o multi_wait: fix skipping to populate revents for extra_fds [147] - o netrc.d: remove spurious quote [37] - o netrc: Use the password from lines without login [166] - o ngtcp2: Fix build error due to change in nghttp3 prototypes [61] - o ngtcp2: fix incompatible function pointer types [10] - o ngtcp2: Fix missing initialization of nghttp3_nv.flags [31] - o ngtcp2: fix stall or busy loop on STOP_SENDING with upload data [19] - o ngtcp2: implement cb_h3_stop_sending and cb_h3_reset_stream callbacks [59] - o openssl: add `CURL_BORINGSSL_VERSION` to identify BoringSSL [24] - o openssl: add cert path in error message [160] - o openssl: add details to "unable to set client certificate" error [116] - o openssl: fix BoringSSL symbol conflicts with LDAP and Schannel [52] - o quiche: fix 
build failure [99] - o select: do not return fatal error on EINTR from poll() [32] - o sendf: fix paused header writes since after the header API [89] - o sendf: make Curl_debug a void function [81] - o sendf: skip storing HTTP headers if HTTP disabled [73] - o sendf: store the header type in an usigned char to avoid icc warnings [79] - o splay: avoid using -1 in unsigned variable [78] - o test3026: add support for Windows using native Win32 threads [65] - o test3026: require 'threadsafe' [56] - o test44[2-4]: add '--resolve' to the keywords [122] - o tests/server/sockfilt.c: avoid race condition without a mutex [139] - o tests: fix http2 tests to use CRLF headers [153] - o tests: several enumerated type cleanups [67] - o THANKS: merged two entries for Evgeny Grin - o tidy-up: delete unused build configuration macros [93] - o tool: reintroduce set file comment code for AmigaOS [111] - o tool_cfgable: make 'synthetic_error' a plain bool [70] - o tool_formparse: fix variable may be used before its value is set [72] - o tool_getparam: make --doh-url "" switch it off [60] - o tool_getparam: repair cleanarg [22] - o tool_operate: better cleanup of easy handle in exit path [20] - o tool_paramhlp: fix "enumerated type mixed with another type" [68] - o tool_paramhlp: make check_protocol return ParameterError [71] - o tool_progress: avoid division by zero in parallel progress meter [35] - o tool_writeout: fix enumerated type mixed with another type [69] - o trace: 0x7F character is non-printable [50] - o unit1303: four tests should have TRUE for 'connecting' [158] - o url: enumerated type mixed with another type [74] - o url: really use the user provided in the url when netrc entry exists [165] - o url: reject URLs with hostnames longer than 65535 bytes [137] - o url: treat missing usernames in netrc as empty [167] - o urldata: change second proxytype field to unsigned char to match [75] - o urldata: make 'negnpn' use less storage [112] - o urldata: make state.httpreq an 
unsigned char [77] - o urldata: make three *_proto struct fields smaller [113] - o urldata: move smaller fields down in connectdata struct [105] - o urldata: reduce size of several struct fields [14] - o vtls: make Curl_ssl_backend() return the enum type curl_sslbackend [83] - o windows: improve random source [29] + o altsvc: reject bad port numbers [86] + o altsvc: use 'h3' for h3 [46] + o amiga: do not hardcode openssl/zlib into the os config [158] + o amiga: set SIZEOF_CURL_OFF_T=8 by default [150] + o amigaos: add missing curl header [159] + o asyn-ares: set hint flags when calling ares_getaddrinfo [93] + o autotools: allow --enable-symbol-hiding with windows [65] + o autotools: allow unix sockets on Windows [144] + o autotools: reduce brute-force when detecting recv/send arg list [66] + o aws_sigv4: fix header computation [139] + o bearssl: make it proper C89 compliant + o CI/GHA: cancel outdated CI runs on new PR changes [20] + o CI/GHA: merge msh3 and openssl3 builds into linux workflow [110] + o cirrus-ci: add macOS build with m1 [81] + o cirrus: use make LDFLAGS=-all-static instead of curl_LDFLAGS [129] + o cli tool: do not use disabled protocols + o cmake: add missing inet_ntop check [145] + o cmake: add the check of HAVE_SOCKETPAIR [98] + o cmake: define BUILDING_LIBCURL in lib/CMakeLists, not config.h [5] + o cmake: delete duplicate HAVE_GETADDRINFO test [149] + o cmake: enable more detection on Windows [143] + o cmake: fix original MinGW builds [177] + o cmake: improve usability of CMake build as a sub-project [186] + o cmake: set HAVE_GETADDRINFO_THREADSAFE on Windows [147] + o cmake: set HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID on Windows [146] + o cmake: sync HAVE_SIGNAL detection with autotools [148] + o cmdline/docs: add a required 'multi' keyword for each option [160] + o configure: correct the wording when checking grep -E [13] + o configure: deprecate builds with small curl_off_t [89] + o configure: fail if '--without-ssl' + explicit parameter for an 
ssl lib [164] + o configure: the ngtcp2 option should default to 'no' [125] + o connect: change verbose IPv6 address:port to [address]:port [83] + o connect: fix builds without AF_INET6 [152] + o connect: fix Curl_updateconninfo for TRNSPRT_UNIX [108] + o connect: fix the wrong error message on connect failures [55] + o content_encoding: use writer struct subclasses for different encodings [8] + o cookie: reject cookie names or content with TAB characters [94] + o ctype: remove all use of , use our own versions [12] + o curl-compilers.m4: for gcc + want warnings, set gnu89 standard [72] + o curl-compilers.m4: use -O2 as default optimize for clang [6] + o curl-wolfssl.m4: error out if wolfSSL is not usable [102] + o curl.h: fix mention of wrong error code in comment + o curl/add_file_name_to_url: use the libcurl URL parser [99] + o curl/add_parallel_transfers: better error handling [101] + o curl/get_url_file_name: use libcurl URL parser [97] + o curl: warn for --ssl use, considered insecure [49] + o curl_ctype: convert to macros-only [10] + o curl_easy_pause.3: unpausing is as fast as possible [14] + o curl_escape.3: fix typo [50] + o curl_setup: disable use of FLOSS for 64-bit NonStop builds [69] + o curl_setup: include curl.h after platform setup headers [37] + o curl_setup: include only system.h instead of curl.h [34] + o curl_strequal.3: fix argument typo [60] + o curl_url_set.3: document CURLU_APPENDQUERY proper [96] + o CURLMOPT_PIPELINING.3: dedup manpage xref [111] + o CURLOPT_ACCEPT_ENCODING.3: remove "four" as they are five [85] + o CURLOPT_AUTOREFERER.3: highlight the privacy leak risk [161] + o CURLOPT_COOKIEFILE: insist on "" for enable-without-file [119] + o CURLOPT_COOKIELIST.3: fix formatting mistake [80] + o CURLOPT_DNS_INTERFACE.3: mention it works for almost all protocols [15] + o CURLOPT_MIMEPOST.3: add an (inline) example [126] + o CURLOPT_POSTFIELDS.3: refer to CURLOPT_MIMEPOST [167] + o CURLOPT_PROXY_SSLCERT_BLOB.3: this is for HTTPS proxies 
[9] + o CURLOPT_WILDCARDMATCH.3: Fix backslash escaping under single quotes [172] + o CURLSHOPT_UNLOCKFUNC.3: the callback has no 'access' argument [84] + o DEPRECATE.md: Support for systems without 64 bit data types [19] + o docs/examples: avoid deprecated options in examples where possible [115] + o docs/INSTALL: update Android Instructions for newer NDKs [151] + o docs/libcurl/symbols-in-versions: add several missing symbols + o docs: 100+ spellfixes + o docs: correct missing uppercase in Markdown files [38] + o docs: document more server names for test files + o docs: fix deprecation versions inconsistencies [123] + o docs: make sure libcurl opts examples pass in long arguments [182] + o docs: remove mentions of deprecated '--without-openssl' parameter [170] + o docs: tag curl options better in man pages + o docs: tell about disabled protocols in CURLOPT_*PROTOCOLS_STR. + o docs: update sourceforge project links [95] + o easy: fix the #include order [53] + o easy: fix the altsvc init for curl_easy_duphandle [77] + o easy_lock: check for HAVE_STDATOMIC_H as well [187] + o examples/chkspeed: improve portability [48] + o formdata: fix warning: 'CURLformoption' is promoted to 'int' [24] + o ftp: ignore a 550 response to MDTM [1] + o ftp: remove redundant if [163] + o functypes: provide the recv and send arg and return types [87] + o getparameter: return PARAM_MANUAL_REQUESTED for -M even when disabled [17] + o GHA: build tests in a separate step from the running of them [78] + o GHA: run proselint on markdown files [22] + o github: initial CODEOWNERS setup for CI configuration [52] + o header: define public API functions as extern c [26] + o headers: reset the requests counter at transfer start [25] + o hostip: guard PF_INET6 use [157] + o hostip: lazily wait to figure out if IPv6 works until needed [36] + o http, vauth: always provide Curl_allow_auth_to_host() functionality [90] + o http2: make nghttp2 less picky about field whitespace [27] + o HTTP3.md: update 
Caddy example [76] + o http: try parsing Retry-After: as a number first [122] + o http_proxy: restore the protocol pointer on error [104] + o httpput-postfields.c: shorten string for C89 compliance [57] + o ldap: delete stray CURL_HAS_MOZILLA_LDAP reference [79] + o lib1560: extended to verify detect/reject of unknown schemes + o lib517: fix C89 constant signedness [73] + o lib: add missing limits.h includes [35] + o lib: add required Win32 setup definitions in setup-win32.h [4] + o lib: prepare the incoming of additional protocols [71] + o lib: sanitize conditional exclusion around MIME [82] + o lib: set more flags in config-win32.h [109] + o lib: the number four in a sequence is the "fourth" [28] + o libssh: if sftp_init fails, don't get the sftp error code [132] + o Makefile.m32: deduplicate build rules [131] + o Makefile.m32: drop CROSSPREFIX and our CC/AR defaults [137] + o Makefile.m32: exclude libs & libpaths for shared mode exes [127] + o Makefile.m32: fix regression with tool_hugehelp [130] + o Makefile.m32: major rework [92] + o Makefile.m32: reintroduce CROSSPREFIX and -W -Wall [179] + o Makefile.m32: support more options [142] + o manpage-syntax.pl: all libcurl option symbols should be \fI-tagged [75] + o manpages: Fix spelling of "allows to" -> "allows one to" [171] + o misc: ISSPACE() => ISBLANK() [11] + o misc: use the term "null-terminate" consistently [41] + o mprintf: reject two kinds of precision for the same argument [162] + o mprintf: use snprintf if available [74] + o mqtt: return error for too long topic [133] + o mqtt: spell out CONNECT in comments [166] + o msh3: change the static_assert to make the code C89 + o netrc: compare user name case sensitively [118] + o netrc: replace fgets with Curl_get_line [174] + o netrc: use the URL-decoded user [103] + o ngtcp2: fix build errors due to changes in ngtcp2 library [107] + o ngtcp2: fix C89 compliance nit + o noproxy: support proxies specified using cidr notation [184] + o openssl: make certinfo 
available for QUIC [91] + o README.md: add GHA status badges for Linux and macOS builds [40] + o RELEASE-PROCEDURE.md: mention patch releases [21] + o resolve: make forced IPv4 resolve only use A queries [61] + o runtests: fix uninitialized value on ignored tests [128] + o schannel: ban server ALPN change during recv renegotiation [63] + o schannel: don't reset recv/send function pointers on renegotiation [156] + o schannel: when importing PFX, disable key persistence [141] + o scripts: use `grep -E` instead of `egrep` [30] + o setopt: use the handler table for protocol name to number conversions [45] + o setopt: when POST is set, reset the 'upload' field [51] + o setup-win32: no longer define UNICODE/_UNICODE implicitly [3] + o single_transfer: use the libcurl URL parser when appending query parts [100] + o smb: replace CURL_WIN32 with WIN32 [138] + o strcase: add and use Curl_timestrcmp [106] + o strerror: improve two URL API error messages + o symbol-scan.pl: also check for LIBCURL* symbols [43] + o symbol-scan.pl: scan and verify .3 man pages [42] + o symbols-in-versions: add missing LIBCURL* symbols + o symbols-in-versions: CURLOPT_ENCODING is deprecated since 7.21.6 + o test1119: scan all public headers [44] + o test1275: verify uppercase after period in markdown [135] + o test972: verify the output without using external tool [32] + o tests/certs/scripts: insert standard curl source headers [169] + o tests/Makefile: remove run time stats from ci-test [120] + o tests: avoid CreateThread if _beginthreadex is available [155] + o tests: fix tag syntax errors in test files + o tests: skip mime/form tests when mime is not built-in [54] + o tidy-up: delete parallel/unused feature flags [117] + o tidy-up: delete unused HAVE_STRUCT_POLLFD [134] + o TODO: provide the error body from a CONNECT response [67] + o tool: avoid generating ambiguous escaped characters in --libcurl [124] + o tool: remove dead code [70] + o tool: reorganize function c_escape around a dynbuf 
[121] + o tool_hugehelp: make hugehelp a blank macro when disabled [7] + o tool_main: exit at once if out of file descriptors [113] + o tool_operate: avoid a few #ifdefs for disabled-libcurl builds [29] + o tool_operate: more transfer cleanup after parallel transfer fail [165] + o tool_operate: prevent over-queuing in parallel mode [176] + o tool_operate: reduce errorbuffer allocs [173] + o tool_paramhelp: asserts verify maximum sizes for string loading [112] + o tool_paramhelp: make the max argument a 'double' [136] + o tool_progress: remove 'Qd' from the parallel progress bar [175] + o tool_setopt: use better English in --libcurl source comments [39] + o tool_xattr: save the original URL, not the final redirected one [181] + o unit test 1655: make it C89-compliant [59] + o url: a zero-length userinfo part in the URL is still a (blank) user [64] + o url: allow non-HTTPS HSTS-matching for debug builds [105] + o url: rename function due to name-clash in Watt-32 [62] + o url: use IDN decoded names for HSTS checks [140] + o urlapi: detect scheme better when not guessing [56] + o urlapi: fix parsing URL without slash with CURLU_URLENCODE [154] + o urlapi: leaner with fewer allocs [2] + o urlapi: reject more bad characters from the host name field [88] + o winbuild/MakefileBuild.vc: handle spaces in libssh(2) include paths [18] + o winbuild: use NMake batch-rules for compilation [47] + o windows: add .rc support to autotools builds [33] + o windows: adjust name of two internal public functions [58] + o windows: autotools .rc warnings fixup [68] + o wolfSSL: fix session management bug. 
[31] This release includes the following known bugs: o see docs/KNOWN_BUGS (https://curl.se/docs/knownbugs.html) +Planned upcoming removals include: + + o NSS + o Support for systems without 64 bit data types + + See https://curl.se/dev/deprecate.html for details + This release would not have looked like this without help, code, reports and advice from friends like these: - Adam Sampson, Alessandro Ghedini, Alexandre Bury, Andreas Sommer, - Andrew Lambert, Axel Chong, Brad Forschinger, Brian Carpenter, - Cering on github, Chris Paulson-Ellis, Chris Young, Daniel Katz, - Daniel Stenberg, David Carlier, dEajL3kA on github, Domen Kožar, - Dominik Thalhammer, Don J Olmstead, Dustin Howett, Emanuele Torre, - Emil Engler, Érico Nogueira Rolim, Even Rouault, Evgeny Grin (Karlson2k), - Fabian Fischer, Fabian Keil, Gisle Vanem, Gwen Shapira, Harry Sintonen, - highmtworks on github, Ivan Tsybulin, Jacob Tolar, Jakub Zakrzewski, - Jilayne Lovejoy, Joshua Root, jurisuk on github, jvvprasad78 on github, - Kai Pastor, Litter White, lwthiker on github, Marcel Raad, Marc Hörsken, - Marco Kamner, MasterInQuestion on github, Matthew Thompson, Maxim Ivanov, - Michael Trebilcock, Michał Antoniak, Nao Yonashiro, Nick Banks, - Oliver Roberts, opensignature on github, Orgad Shaneh, Patrick Monnerat, - Philip H, privetryan on github, Ray Satiro, rcombs on github, Rosen Penev, - Ryan Schmidt, Ryan Sleevi, rzrymiak on github, Samuel Henrique, - Sean McArthur, Sergey Ogryzkov, Somnath Kundu, Stefan Eissing, - Sukanya Hanumanthu, Tatsuhiro Tsujikawa, Ted Lyngmo, TheKnarf on github, - Thomas Weißschuh, Tobias Nygren, Viktor Szakats, vlubart on github, Wu Zheng, - Wyatt O'Day, Xiaoke Wang, yiyuaner on github - (79 contributors) + 12932 on github, a1346054 on github, Aftab Alam, ajak in #curl, + Andrew Lambert, Benjamin Loison, Brad Harder, bsergean on github, + Christopher Sauer, Dan Fandrich, Daniel Gustafsson, Daniel Hallberg, + Daniel Stenberg, David Hu, David McLaughlin, Dmitry Karpov, 
Dominik Klemba, + Don J Olmstead, Dustin Howett, Edoardo Lolletti, Eloy Degen, Emanuele Torre, + Emilio López, Gisle Vanem, Hayden Roche, Hiroki Kurosawa, James Fuller, + Jeremy Maitin-Shepard, Joel Depooter, John Bampton, Jonas Haag, + jurisuk on github, justchen1369 on github, Keitagit-kun on github, + Kelly Kaoudis, Marcel Raad, Marc Hörsken, Mark Itzcovitz, Martin Ågren, + Martin Strunz, Mathieu Carbonneaux, Matthias Gatto, Matt Holt, Max Dymond, + Michael Drake, Michael Heimpold, n0name321 on github, Orgad Shaneh, + Patrick Monnerat, Paul Seligman, Peter Goodman, Petr Štetiar, Philip H, + Philip H., Philip Heiduck, ProceduralMan on github, Randall S. Becker, + Ray Satiro, Rickard Hallerbäck, RobBotic1 on github, Robby Simpson, + Samuel Henrique, Sergey Bronnikov, ShadowZzj on github, Shaun Mirani, + ssdbest on github, Thiago Suchorski, Tobias Schaefer, Trail of Bits, + Vasiliy Ulyanov, Viktor Szakats, Xiang Xiao, Yuriy Chernyshov, + zhanghu on xiaomi + (74 contributors) References to bug reports and discussions on issues: - [1] = https://curl.se/bug/?i=9073 - [2] = https://curl.se/bug/?i=9070 - [3] = https://curl.se/bug/?i=9069 - [4] = https://curl.se/bug/?i=9067 - [5] = https://curl.se/bug/?i=9064 - [6] = https://curl.se/bug/?i=9063 - [7] = https://curl.se/bug/?i=9059 - [8] = https://curl.se/bug/?i=9058 - [9] = https://curl.se/bug/?i=9055 - [10] = https://curl.se/bug/?i=9056 - [11] = https://curl.se/bug/?i=9056 - [12] = https://curl.se/bug/?i=9057 - [13] = https://curl.se/bug/?i=9054 - [14] = https://curl.se/bug/?i=9106 - [15] = https://curl.se/bug/?i=9117 - [16] = https://curl.se/bug/?i=9104 - [17] = https://curl.se/bug/?i=9132 - [18] = https://curl.se/bug/?i=9065 - [19] = https://curl.se/bug/?i=9122 - [20] = https://curl.se/bug/?i=9114 - [21] = https://curl.se/bug/?i=9114 - [22] = https://curl.se/bug/?i=9128 - [23] = https://curl.se/bug/?i=9115 - [24] = https://curl.se/bug/?i=9113 - [25] = https://curl.se/bug/?i=9115 - [26] = https://curl.se/bug/?i=9095 - 
[27] = https://curl.se/bug/?i=9092 - [28] = https://curl.se/bug/?i=9046 - [29] = https://curl.se/bug/?i=9027 - [30] = https://curl.se/bug/?i=8992 - [31] = https://curl.se/bug/?i=9118 - [32] = https://bugs.archlinux.org/task/75201 - [33] = https://curl.se/bug/?i=9084 - [34] = https://curl.se/bug/?i=8997 - [35] = https://curl.se/bug/?i=9082 - [36] = https://curl.se/bug/?i=9080 - [37] = https://curl.se/bug/?i=9111 - [38] = https://curl.se/bug/?i=9109 - [39] = https://curl.se/bug/?i=9090 - [40] = https://curl.se/bug/?i=9164 - [41] = https://curl.se/bug/?i=9139 - [42] = https://curl.se/bug/?i=9176 - [43] = https://curl.se/bug/?i=9170 - [44] = https://curl.se/bug/?i=9172 - [45] = https://curl.se/bug/?i=9174 - [46] = https://curl.se/bug/?i=9169 - [47] = https://curl.se/bug/?i=9150 - [48] = https://curl.se/bug/?i=9155 - [49] = https://curl.se/bug/?i=9149 - [50] = https://curl.se/bug/?i=9162 - [51] = https://curl.se/bug/?i=9163 - [52] = https://curl.se/bug/?i=9110 - [53] = https://curl.se/bug/?i=9081 - [54] = https://curl.se/bug/?i=9081 - [55] = https://curl.se/bug/?i=9134 - [56] = https://curl.se/bug/?i=9141 - [57] = https://curl.se/bug/?i=9125 - [58] = https://curl.se/bug/?i=9124 - [59] = https://curl.se/bug/?i=9135 - [60] = https://curl.se/bug/?i=9207 - [61] = https://curl.se/bug/?i=9204 - [62] = https://curl.se/bug/?i=9205 - [63] = https://curl.se/bug/?i=9201 - [64] = https://curl.se/bug/?i=9244 - [65] = https://curl.se/bug/?i=9012 - [66] = https://curl.se/bug/?i=9199 - [67] = https://curl.se/bug/?i=9179 - [68] = https://curl.se/bug/?i=9179 - [69] = https://curl.se/bug/?i=9179 - [70] = https://curl.se/bug/?i=9179 - [71] = https://curl.se/bug/?i=9179 - [72] = https://curl.se/bug/?i=9179 - [73] = https://curl.se/bug/?i=9179 - [74] = https://curl.se/bug/?i=9179 - [75] = https://curl.se/bug/?i=9179 - [76] = https://curl.se/bug/?i=9179 - [77] = https://curl.se/bug/?i=9179 - [78] = https://curl.se/bug/?i=9179 - [79] = https://curl.se/bug/?i=9179 - [80] = 
https://curl.se/bug/?i=9179 - [81] = https://curl.se/bug/?i=9179 - [82] = https://curl.se/bug/?i=9179 - [83] = https://curl.se/bug/?i=9179 - [84] = https://curl.se/bug/?i=9179 - [85] = https://curl.se/bug/?i=9179 - [86] = https://curl.se/bug/?i=9190 - [87] = https://curl.se/bug/?i=9187 - [88] = https://curl.se/bug/?i=9184 - [89] = https://curl.se/bug/?i=9180 - [90] = https://curl.se/bug/?i=9185 - [91] = https://curl.se/bug/?i=9183 - [92] = https://curl.se/bug/?i=9181 - [93] = https://curl.se/bug/?i=9044 - [94] = https://curl.se/bug/?i=9235 - [95] = https://curl.se/bug/?i=9229 - [96] = https://curl.se/bug/?i=8419 - [97] = https://curl.se/bug/?i=9230 - [98] = https://curl.se/bug/?i=9221 - [99] = https://curl.se/bug/?i=9223 - [100] = https://curl.se/bug/?i=9286 - [101] = https://curl.se/bug/?i=9216 - [102] = https://curl.se/bug/?i=9209 - [103] = https://curl.se/bug/?i=9208 - [104] = https://curl.se/bug/?i=9213 - [105] = https://curl.se/bug/?i=9280 - [106] = https://curl.se/bug/?i=9281 - [107] = https://curl.se/bug/?i=8915 - [108] = https://curl.se/bug/?i=9259 - [109] = https://curl.se/bug/?i=9303 - [110] = https://curl.se/bug/?i=9268 - [111] = https://curl.se/bug/?i=9258 - [112] = https://curl.se/bug/?i=9279 - [113] = https://curl.se/bug/?i=9278 - [114] = https://curl.se/bug/?i=9274 - [115] = https://curl.se/bug/?i=9269 - [116] = https://curl.se/bug/?i=9228 - [117] = https://curl.se/bug/?i=9267 - [118] = https://curl.se/bug/?i=9266 - [119] = https://curl.se/bug/?i=9264 - [120] = https://curl.se/bug/?i=9077 - [121] = https://curl.se/bug/?i=9239 - [122] = https://curl.se/bug/?i=9250 - [123] = https://curl.se/bug/?i=9310 - [124] = https://curl.se/bug/?i=9310 - [125] = https://curl.se/bug/?i=9298 - [126] = https://curl.se/bug/?i=9297 - [127] = https://curl.se/bug/?i=9192 - [128] = https://curl.se/bug/?i=9310 - [129] = https://curl.se/bug/?i=9291 - [130] = https://curl.se/bug/?i=9291 - [131] = https://curl.se/bug/?i=9217 - [132] = https://curl.se/bug/?i=9253 - [133] = 
https://curl.se/bug/?i=9265 - [134] = https://curl.se/bug/?i=9289 - [135] = https://curl.se/bug/?i=9310 - [136] = https://curl.se/bug/?i=9335 - [137] = https://curl.se/bug/?i=9317 - [138] = https://curl.se/bug/?i=9352 - [139] = https://curl.se/bug/?i=9023 - [140] = https://curl.se/bug/?i=9376 - [141] = https://curl.se/bug/?i=9314 - [142] = https://curl.se/bug/?i=9290 - [143] = https://curl.se/bug/?i=9306 - [144] = https://curl.se/bug/?i=9309 - [145] = https://curl.se/bug/?i=9344 - [146] = https://curl.se/bug/?i=9372 - [147] = https://curl.se/bug/?i=9361 - [148] = https://curl.se/bug/?i=9328 - [149] = https://curl.se/bug/?i=9328 - [150] = https://curl.se/bug/?i=9330 - [151] = https://curl.se/bug/?i=9329 - [152] = https://curl.se/docs/CVE-2022-35252.html - [153] = https://curl.se/bug/?i=9364 - [154] = https://curl.se/bug/?i=6132 - [155] = https://curl.se/bug/?i=9369 - [156] = https://curl.se/bug/?i=9367 - [157] = https://curl.se/bug/?i=9382 - [158] = https://curl.se/bug/?i=9356 - [159] = https://curl.se/bug/?i=9354 - [160] = https://curl.se/bug/?i=9349 - [161] = https://curl.se/bug/?i=9349 - [162] = https://curl.se/bug/?i=9331 - [163] = https://curl.se/bug/?i=9312 - [165] = https://curl.se/bug/?i=9243 - [166] = https://curl.se/bug/?i=9248 - [167] = https://curl.se/bug/?i=8653 - [168] = https://curl.se/bug/?i=9391 + [1] = https://curl.se/bug/?i=9357 + [2] = https://curl.se/bug/?i=9408 + [3] = https://curl.se/bug/?i=9375 + [4] = https://curl.se/bug/?i=9375 + [5] = https://curl.se/bug/?i=9498 + [6] = https://curl.se/bug/?i=9444 + [7] = https://curl.se/bug/?i=9485 + [8] = https://curl.se/bug/?i=9455 + [9] = https://curl.se/bug/?i=9434 + [10] = https://curl.se/bug/?i=9429 + [11] = https://curl.se/bug/?i=9432 + [12] = https://curl.se/bug/?i=9433 + [13] = https://curl.se/bug/?i=9471 + [14] = https://curl.se/bug/?i=9410 + [15] = https://curl.se/bug/?i=9427 + [16] = https://curl.se/bug/?i=9307 + [17] = https://curl.se/bug/?i=9485 + [18] = 
https://curl.se/mail/lib-2022-09/0038.html + [19] = https://curl.se/bug/?i=9604 + [20] = https://curl.se/bug/?i=9533 + [21] = https://curl.se/bug/?i=9495 + [22] = https://curl.se/bug/?i=9520 + [23] = https://curl.se/bug/?i=8995 + [24] = https://curl.se/bug/?i=9484 + [25] = https://curl.se/bug/?i=9424 + [26] = https://curl.se/bug/?i=9424 + [27] = https://curl.se/bug/?i=9448 + [28] = https://curl.se/bug/?i=9535 + [29] = https://curl.se/bug/?i=9486 + [30] = https://curl.se/bug/?i=9491 + [31] = https://curl.se/bug/?i=9492 + [32] = https://curl.se/bug/?i=9563 + [33] = https://curl.se/bug/?i=9521 + [34] = https://curl.se/bug/?i=9453 + [35] = https://curl.se/bug/?i=9453 + [36] = https://curl.se/bug/?i=9553 + [37] = https://curl.se/bug/?i=9453 + [38] = https://curl.se/bug/?i=9474 + [39] = https://curl.se/bug/?i=9475 + [40] = https://curl.se/bug/?i=9530 + [41] = https://curl.se/bug/?i=9527 + [42] = https://curl.se/bug/?i=9544 + [43] = https://curl.se/bug/?i=9544 + [44] = https://curl.se/bug/?i=9544 + [45] = https://curl.se/bug/?i=9472 + [46] = https://curl.se/bug/?i=9515 + [47] = https://curl.se/bug/?i=9512 + [48] = https://curl.se/bug/?i=9562 + [49] = https://curl.se/bug/?i=9519 + [50] = https://curl.se/bug/?i=9517 + [51] = https://curl.se/bug/?i=9507 + [52] = https://curl.se/bug/?i=9505 + [53] = https://curl.se/bug/?i=9560 + [54] = https://curl.se/bug/?i=9596 + [55] = https://curl.se/bug/?i=9549 + [56] = https://curl.se/bug/?i=9503 + [57] = https://curl.se/bug/?i=9555 + [58] = https://curl.se/bug/?i=9598 + [59] = https://curl.se/bug/?i=9551 + [60] = https://curl.se/bug/?i=9548 + [61] = https://curl.se/bug/?i=9540 + [62] = https://curl.se/bug/?i=9585 + [63] = https://curl.se/bug/?i=9463 + [64] = https://curl.se/bug/?i=9088 + [65] = https://curl.se/bug/?i=9586 + [66] = https://curl.se/bug/?i=9591 + [67] = https://curl.se/bug/?i=9513 + [68] = https://curl.se/bug/?i=9582 + [69] = https://curl.se/bug/?i=9575 + [70] = https://curl.se/bug/?i=9576 + [71] = 
https://curl.se/bug/?i=9534 + [72] = https://curl.se/bug/?i=9542 + [73] = https://curl.se/bug/?i=9572 + [74] = https://curl.se/bug/?i=9569 + [75] = https://curl.se/bug/?i=9574 + [76] = https://curl.se/bug/?i=9623 + [77] = https://curl.se/bug/?i=9624 + [78] = https://curl.se/bug/?i=9619 + [79] = https://curl.se/bug/?i=9625 + [80] = https://curl.se/bug/?i=9639 + [81] = https://curl.se/bug/?i=9565 + [82] = https://curl.se/bug/?i=9610 + [83] = https://curl.se/mail/archive-2022-02/0041.html + [84] = https://curl.se/bug/?i=9612 + [85] = https://curl.se/bug/?i=9614 + [86] = https://curl.se/bug/?i=9607 + [87] = https://curl.se/bug/?i=9592 + [88] = https://curl.se/bug/?i=9608 + [89] = https://curl.se/bug/?i=9605 + [90] = https://curl.se/bug/?i=9600 + [91] = https://curl.se/bug/?i=9584 + [92] = https://curl.se/bug/?i=9632 + [93] = https://curl.se/bug/?i=9694 + [94] = https://curl.se/bug/?i=9659 + [95] = https://curl.se/bug/?i=9630 + [96] = https://curl.se/bug/?i=9628 + [97] = https://curl.se/bug/?i=9684 + [98] = https://curl.se/bug/?i=9686 + [99] = https://curl.se/bug/?i=9683 + [100] = https://curl.se/bug/?i=9681 + [101] = https://curl.se/bug/?i=9729 + [102] = https://curl.se/bug/?i=9682 + [103] = https://curl.se/bug/?i=9709 + [104] = https://curl.se/bug/?i=9790 + [105] = https://curl.se/bug/?i=9728 + [106] = https://curl.se/bug/?i=9658 + [107] = https://curl.se/bug/?i=9747 + [108] = https://curl.se/bug/?i=9664 + [109] = https://curl.se/bug/?i=9712 + [110] = https://curl.se/bug/?i=9646 + [111] = https://curl.se/bug/?i=9776 + [112] = https://curl.se/bug/?i=9719 + [113] = https://curl.se/bug/?i=9663 + [115] = https://curl.se/bug/?i=9661 + [117] = https://curl.se/bug/?i=9652 + [118] = https://curl.se/bug/?i=9657 + [119] = https://curl.se/bug/?i=9654 + [120] = https://curl.se/bug/?i=9656 + [121] = https://curl.se/bug/?i=9653 + [122] = https://curl.se/bug/?i=9718 + [123] = https://curl.se/bug/?i=9711 + [124] = https://curl.se/bug/?i=9643 + [125] = 
https://curl.se/mail/lib-2022-10/0007.html + [126] = https://curl.se/bug/?i=9637 + [127] = https://curl.se/bug/?i=9651 + [128] = https://curl.se/bug/?i=9648 + [129] = https://curl.se/bug/?i=9633 + [130] = https://curl.se/bug/?i=9645 + [131] = https://curl.se/bug/?i=9642 + [132] = https://curl.se/bug/?i=9737 + [133] = https://curl.se/bug/?i=9744 + [134] = https://curl.se/bug/?i=9707 + [135] = https://curl.se/bug/?i=9697 + [136] = https://curl.se/bug/?i=9700 + [137] = https://curl.se/bug/?i=9698 + [138] = https://curl.se/bug/?i=9701 + [139] = https://curl.se/bug/?i=7966 + [140] = https://curl.se/bug/?i=9791 + [141] = https://curl.se/bug/?i=9300 + [142] = https://curl.se/bug/?i=9680 + [143] = https://curl.se/bug/?i=9687 + [144] = https://github.com/curl/curl-for-win/blob/73a070d96fd906fdee929e2f1f00a9149fb39239/curl-autotools.sh#L44-L47 + [145] = https://curl.se/bug/?i=9689 + [146] = https://curl.se/bug/?i=9726 + [147] = https://curl.se/bug/?i=9727 + [148] = https://curl.se/bug/?i=9725 + [149] = https://curl.se/bug/?i=9731 + [150] = https://curl.se/bug/?i=9771 + [151] = https://curl.se/bug/?i=9732 + [152] = https://curl.se/bug/?i=9770 + [154] = https://curl.se/bug/?i=9763 + [155] = https://curl.se/bug/?i=9705 + [156] = https://curl.se/bug/?i=9451 + [157] = https://curl.se/bug/?i=9760 + [158] = https://curl.se/bug/?i=9762 + [159] = https://curl.se/bug/?i=9761 + [160] = https://curl.se/bug/?i=9759 + [161] = https://curl.se/bug/?i=9757 + [162] = https://curl.se/bug/?i=9754 + [163] = https://curl.se/bug/?i=9753 + [164] = https://curl.se/bug/?i=9414 + [165] = https://curl.se/bug/?i=9749 + [166] = https://curl.se/bug/?i=9751 + [167] = https://curl.se/bug/?i=9752 + [169] = https://curl.se/bug/?i=9417 + [170] = https://curl.se/bug/?i=9415 + [171] = https://curl.se/bug/?i=9419 + [172] = https://curl.se/bug/?i=9418 + [173] = https://curl.se/bug/?i=9394 + [174] = https://curl.se/bug/?i=9789 + [175] = https://curl.se/bug/?i=9389 + [176] = https://curl.se/bug/?i=8933 + [177] = 
 https://curl.se/bug/?i=9214
+ [179] = https://curl.se/bug/?i=9784
+ [181] = https://curl.se/bug/?i=9766
+ [182] = https://curl.se/bug/?i=9779
+ [184] = https://curl.se/bug/?i=9773
+ [186] = https://curl.se/bug/?i=9638
+ [187] = https://curl.se/bug/?i=9755
diff --git a/vendor/curl/include/curl/curl.h b/vendor/curl/include/curl/curl.h
index 7a1b561961..e28dd0b5a0 100644
--- a/vendor/curl/include/curl/curl.h
+++ b/vendor/curl/include/curl/curl.h
@@ -840,8 +840,8 @@ enum curl_khstat {
 CURLKHSTAT_FINE_ADD_TO_FILE,
 CURLKHSTAT_FINE,
 CURLKHSTAT_REJECT, /* reject the connection, return an error */
- CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so
- this causes a CURLE_DEFER error but otherwise the
+ CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now.
+ Causes a CURLE_PEER_FAILED_VERIFICATION error but the
 connection will be left intact etc */
 CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/
 CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */
@@ -2154,6 +2154,9 @@ typedef enum {
 /* specify which protocols that libcurl is allowed to follow directs to */
 CURLOPT(CURLOPT_REDIR_PROTOCOLS_STR, CURLOPTTYPE_STRINGPOINT, 319),
+ /* websockets options */
+ CURLOPT(CURLOPT_WS_OPTIONS, CURLOPTTYPE_LONG, 320),
+
 CURLOPT_LASTENTRY /* the last unused */
 } CURLoption;
@@ -3109,6 +3112,7 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask);
 #include "urlapi.h"
 #include "options.h"
 #include "header.h"
+#include "websockets.h"
 /* the typechecker doesn't work in C++ (yet) */
 #if defined(__GNUC__) && defined(__GNUC_MINOR__) && \
diff --git a/vendor/curl/include/curl/curlver.h b/vendor/curl/include/curl/curlver.h
index 33753c72f5..2e7124e6ea 100644
--- a/vendor/curl/include/curl/curlver.h
+++ b/vendor/curl/include/curl/curlver.h
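Review bot: The new CURLOPT_WS_OPTIONS entry in the second curl.h hunk is commented only as `/* websockets options */`, which does not tell a reader that the long is a bitmask or where its bit values are defined. Suggest `/* websockets options: bitmask of CURLWS_* bits (see websockets.h) */`, which also explains why the third hunk adds `#include "websockets.h"` after header.h. Since websockets.h relies on types declared earlier in curl.h, the include position at the bottom of the file is the right one.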
@@ -32,12 +32,12 @@
 /* This is the version number of the libcurl package from which this header file origins: */
-#define LIBCURL_VERSION "7.85.0"
+#define LIBCURL_VERSION "7.86.0"
 /* The numeric version number is also available "in parts" by using these defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 85
+#define LIBCURL_VERSION_MINOR 86
 #define LIBCURL_VERSION_PATCH 0
 /* This is the numeric version of the libcurl version number, meant for easier
@@ -59,7 +59,7 @@
 CURL_VERSION_BITS() macro since curl's own configure script greps for it and needs it to contain the full number. */
-#define LIBCURL_VERSION_NUM 0x075500
+#define LIBCURL_VERSION_NUM 0x075600
 /*
 * This is the date and time when the full source package was created. The
@@ -70,7 +70,7 @@
 *
 * "2007-11-23"
 */
-#define LIBCURL_TIMESTAMP "2022-08-31"
+#define LIBCURL_TIMESTAMP "2022-10-26"
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \
diff --git a/vendor/curl/include/curl/header.h b/vendor/curl/include/curl/header.h
index 6af29c0c0a..1598c6f113 100644
--- a/vendor/curl/include/curl/header.h
+++ b/vendor/curl/include/curl/header.h
@@ -24,6 +24,10 @@
 *
 ***************************************************************************/
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct curl_header {
 char *name; /* this might not use the same case */
 char *value;
@@ -63,4 +67,8 @@ CURL_EXTERN struct curl_header *curl_easy_nextheader(CURL *easy, int request, struct curl_header *prev);
+#ifdef __cplusplus
+} /* end of extern "C" */
+#endif
+
 #endif /* CURLINC_HEADER_H */
diff --git a/vendor/curl/include/curl/multi.h b/vendor/curl/include/curl/multi.h
index 30104925b7..2f3ec37a76 100644
--- a/vendor/curl/include/curl/multi.h
+++ b/vendor/curl/include/curl/multi.h
@@ -124,7 +124,7 @@ struct curl_waitfd {
 /*
 * Name: curl_multi_init()
 *
- * Desc: inititalize multi-style curl usage
+ * Desc: initialize multi-style curl usage
 *
 * Returns: a new CURLM handle to use in all 'curl_multi' functions.
 */
diff --git a/vendor/curl/include/curl/options.h b/vendor/curl/include/curl/options.h
index c8ac827c07..a792687cf4 100644
--- a/vendor/curl/include/curl/options.h
+++ b/vendor/curl/include/curl/options.h
@@ -33,7 +33,7 @@ typedef enum {
 CURLOT_VALUES, /* (a defined set or bitmask) */
 CURLOT_OFF_T, /* curl_off_t (a range of values) */
 CURLOT_OBJECT, /* pointer (void *) */
- CURLOT_STRING, /* (char * to zero terminated buffer) */
+ CURLOT_STRING, /* (char * to null-terminated buffer) */
 CURLOT_SLIST, /* (struct curl_slist *) */
 CURLOT_CBPTR, /* (void * passed as-is to a callback) */
 CURLOT_BLOB, /* blob (struct curl_blob *) */
diff --git a/vendor/curl/include/curl/websockets.h b/vendor/curl/include/curl/websockets.h
new file mode 100644
index 0000000000..4d57f91e56
--- /dev/null
+++ b/vendor/curl/include/curl/websockets.h
@@ -0,0 +1,83 @@ +#ifndef CURLINC_WEBSOCKETS_H +#define CURLINC_WEBSOCKETS_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + +#ifdef __cplusplus +extern "C" { +#endif + +struct curl_ws_frame { + int age; /* zero */ + int flags; /* See the CURLWS_* defines */ + curl_off_t offset; /* the offset of this data into the frame */ + curl_off_t bytesleft; /* number of pending bytes left of the payload */ +}; + +/* flag bits */ +#define CURLWS_TEXT (1<<0) +#define CURLWS_BINARY (1<<1) +#define CURLWS_CONT (1<<2) +#define CURLWS_CLOSE (1<<3) +#define CURLWS_PING (1<<4) +#define CURLWS_OFFSET (1<<5) + +/* + * NAME curl_ws_recv() + * + * DESCRIPTION + * + * Receives data from the websocket connection. Use after successful + * curl_easy_perform() with CURLOPT_CONNECT_ONLY option. + */ +CURL_EXTERN CURLcode curl_ws_recv(CURL *curl, void *buffer, size_t buflen, + size_t *recv, + struct curl_ws_frame **metap); + +/* sendflags for curl_ws_send() */ +#define CURLWS_PONG (1<<6) + +/* + * NAME curl_easy_send() + * + * DESCRIPTION + * + * Sends data over the websocket connection. 
Use after successful + * curl_easy_perform() with CURLOPT_CONNECT_ONLY option. + */ +CURL_EXTERN CURLcode curl_ws_send(CURL *curl, const void *buffer, + size_t buflen, size_t *sent, + curl_off_t framesize, + unsigned int sendflags); + +/* bits for the CURLOPT_WS_OPTIONS bitmask: */ +#define CURLWS_RAW_MODE (1<<0) + +CURL_EXTERN struct curl_ws_frame *curl_ws_meta(CURL *curl); + +#ifdef __cplusplus +} +#endif + +#endif /* CURLINC_WEBSOCKETS_H */ diff --git a/vendor/curl/lib/altsvc.c b/vendor/curl/lib/altsvc.c index 2c0b3bdc43..7bca840151 100644 --- a/vendor/curl/lib/altsvc.c +++ b/vendor/curl/lib/altsvc.c @@ -52,15 +52,7 @@ #define MAX_ALTSVC_ALPNLENSTR "10" #define MAX_ALTSVC_ALPNLEN 10 -#if defined(USE_QUICHE) && !defined(UNITTESTS) -#define H3VERSION "h3-29" -#elif defined(USE_NGTCP2) && !defined(UNITTESTS) -#define H3VERSION "h3-29" -#elif defined(USE_MSH3) && !defined(UNITTESTS) -#define H3VERSION "h3-29" -#else #define H3VERSION "h3" -#endif static enum alpnid alpn2alpnid(char *name) { @@ -470,6 +462,7 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, struct altsvc *as; unsigned short dstport = srcport; /* the same by default */ CURLcode result = getalnum(&p, alpnbuf, sizeof(alpnbuf)); + size_t entries = 0; #ifdef CURL_DISABLE_VERBOSE_STRINGS (void)data; #endif @@ -480,11 +473,10 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, DEBUGASSERT(asi); - /* Flush all cached alternatives for this source origin, if any */ - altsvc_flush(asi, srcalpnid, srchost, srcport); - /* "clear" is a magic keyword */ if(strcasecompare(alpnbuf, "clear")) { + /* Flush cached alternatives for this source origin */ + altsvc_flush(asi, srcalpnid, srchost, srcport); return CURLE_OK; } @@ -502,6 +494,7 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, bool quoted = FALSE; time_t maxage = 24 * 3600; /* default is 24 hours */ bool persist = FALSE; + bool valid = TRUE; p++; if(*p != ':') { /* host name starts here */ 
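Review bot: The comment block above `curl_ws_send()` in the new header is titled `NAME curl_easy_send()`, which names a different public function; it should read `NAME curl_ws_send()`. The header also gives no ownership or lifetime contract for the `struct curl_ws_frame` handed out through `metap` and `curl_ws_meta()`, and both are non-const, so a reader cannot tell whether the caller may modify or free it. I would add above `curl_ws_meta()` a comment such as `/* Returns library-owned metadata for the frame most recently read with curl_ws_recv(); do not free or modify it. Assumed valid only until the next call on this handle - confirm against ws.c */` (the lifetime part is my reading; ws.c is not in this diff). Naming the out-parameter of `curl_ws_recv()` `recv` also collides with the socket `recv()` in any translation unit that includes both headers and can trip `-Wshadow` on some compilers; `nread` would avoid that.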
@@ -511,7 +504,7 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, len = p - hostp; if(!len || (len >= MAX_ALTSVC_HOSTLEN)) { infof(data, "Excessive alt-svc host name, ignoring."); - dstalpnid = ALPN_none; + valid = FALSE; } else { memcpy(namebuf, hostp, len); @@ -528,10 +521,11 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, unsigned long port = strtoul(++p, &end_ptr, 10); if(port > USHRT_MAX || end_ptr == p || *end_ptr != '\"') { infof(data, "Unknown alt-svc port number, ignoring."); - dstalpnid = ALPN_none; + valid = FALSE; } + else + dstport = curlx_ultous(port); p = end_ptr; - dstport = curlx_ultous(port); } if(*p++ != '\"') break; @@ -583,7 +577,12 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, persist = TRUE; } } - if(dstalpnid) { + if(dstalpnid && valid) { + if(!entries++) + /* Flush cached alternatives for this source origin, if any - when + this is the first entry of the line. */ + altsvc_flush(asi, srcalpnid, srchost, srcport); + as = altsvc_createid(srchost, dsthost, srcalpnid, dstalpnid, srcport, dstport); @@ -597,10 +596,6 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, Curl_alpnid2str(dstalpnid)); } } - else { - infof(data, "Unknown alt-svc protocol \"%s\", skipping.", - alpnbuf); - } } else break; diff --git a/vendor/curl/lib/amigaos.c b/vendor/curl/lib/amigaos.c index dcc5316f0f..e8c2fc02e0 100644 --- a/vendor/curl/lib/amigaos.c +++ b/vendor/curl/lib/amigaos.c @@ -26,6 +26,8 @@ #ifdef __AMIGA__ +#include + #include "hostip.h" #include "amigaos.h" diff --git a/vendor/curl/lib/asyn-ares.c b/vendor/curl/lib/asyn-ares.c index fb933b5edf..33edba1395 100644 --- a/vendor/curl/lib/asyn-ares.c +++ b/vendor/curl/lib/asyn-ares.c 
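Review bot: The port validation in the `@@ -528` hunk still accepts values that are not usable alternative ports: `strtoul()` skips leading whitespace and a sign, so `:" 80"` and `:"+80"` pass, and `0` passes `port > USHRT_MAX`. If a zero destination port has no meaning downstream (I cannot see `altsvc_createid()` or the later connect path here), I would reject it in the same condition: `if(!port || port > USHRT_MAX || end_ptr == p || *end_ptr != '\"')`. Requiring `ISDIGIT(*p)` before calling `strtoul()` would close the whitespace/sign leniency as well. Curl_altsvc_parse() starts and ends outside this hunk.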
@@ -746,7 +746,7 @@ static void addrinfo_cb(void *arg, int status, int timeouts, * Curl_resolver_getaddrinfo() - when using ares * * Returns name information about the given hostname and port number. If - * successful, the 'hostent' is returned and the forth argument will point to + * successful, the 'hostent' is returned and the fourth argument will point to * memory we need to free after use. That memory *MUST* be freed with * Curl_freeaddrinfo(), nothing else. */ @@ -779,13 +779,17 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data, int pf = PF_INET; memset(&hints, 0, sizeof(hints)); #ifdef CURLRES_IPV6 - if(Curl_ipv6works(data)) + if((data->conn->ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) /* The stack seems to be IPv6-enabled */ pf = PF_UNSPEC; #endif /* CURLRES_IPV6 */ hints.ai_family = pf; hints.ai_socktype = (data->conn->transport == TRNSPRT_TCP)? SOCK_STREAM : SOCK_DGRAM; + /* Since the service is a numerical one, set the hint flags + * accordingly to save a call to getservbyname in inside C-Ares + */ + hints.ai_flags = ARES_AI_NUMERICSERV; msnprintf(service, sizeof(service), "%d", port); res->num_pending = 1; ares_getaddrinfo((ares_channel)data->state.async.resolver, hostname, @@ -794,7 +798,7 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data, #else #ifdef HAVE_CARES_IPV6 - if(Curl_ipv6works(data)) { + if((data->conn->ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) { /* The stack seems to be IPv6-enabled */ res->num_pending = 2; diff --git a/vendor/curl/lib/asyn-thread.c b/vendor/curl/lib/asyn-thread.c index 1ab1e977b5..8b375eb5ee 100644 --- a/vendor/curl/lib/asyn-thread.c +++ b/vendor/curl/lib/asyn-thread.c 
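Review bot: The new comment above `hints.ai_flags = ARES_AI_NUMERICSERV;` reads awkwardly ("accordingly to save a call to getservbyname in inside C-Ares") and does not say why the flag is always safe here. Since `service` is produced two lines later by `msnprintf("%d", port)` and is therefore always numeric, I would write `/* The service string is always a number (see msnprintf below), so tell c-ares not to resolve it through getservbyname() */`. Curl_resolver_getaddrinfo() starts and ends outside the hunk.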
@@ -707,7 +707,7 @@ struct Curl_addrinfo *Curl_resolver_getaddrinfo(struct Curl_easy *data, *waitp = 0; /* default to synchronous response */ #ifdef CURLRES_IPV6 - if(Curl_ipv6works(data)) + if((data->conn->ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) /* The stack seems to be IPv6-enabled */ pf = PF_UNSPEC; #endif /* CURLRES_IPV6 */ diff --git a/vendor/curl/lib/asyn.h b/vendor/curl/lib/asyn.h index 80ca54d787..1aab21aaa7 100644 --- a/vendor/curl/lib/asyn.h +++ b/vendor/curl/lib/asyn.h @@ -148,7 +148,7 @@ CURLcode Curl_resolver_wait_resolv(struct Curl_easy *data, * Curl_resolver_getaddrinfo() - when using this resolver * * Returns name information about the given hostname and port number. If - * successful, the 'hostent' is returned and the forth argument will point to + * successful, the 'hostent' is returned and the fourth argument will point to * memory we need to free after use. That memory *MUST* be freed with * Curl_freeaddrinfo(), nothing else. * diff --git a/vendor/curl/lib/base64.c b/vendor/curl/lib/base64.c index 53ebc3db30..52654c2bc3 100644 --- a/vendor/curl/lib/base64.c +++ b/vendor/curl/lib/base64.c @@ -47,7 +47,7 @@ static const char base64[]= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; -/* The Base 64 encoding with an URL and filename safe alphabet, RFC 4648 +/* The Base 64 encoding with a URL and filename safe alphabet, RFC 4648 section 5 */ static const char base64url[]= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"; @@ -138,7 +138,7 @@ CURLcode Curl_base64_decode(const char *src, /* Calculate the size of the decoded string */ rawlen = (numQuantums * 3) - padding; - /* Allocate our buffer including room for a zero terminator */ + /* Allocate our buffer including room for a null-terminator */ newstr = malloc(rawlen + 1); if(!newstr) return CURLE_OUT_OF_MEMORY; diff --git a/vendor/curl/lib/c-hyper.c b/vendor/curl/lib/c-hyper.c index d034900b97..86abcdb0fa 100644 
--- a/vendor/curl/lib/c-hyper.c +++ b/vendor/curl/lib/c-hyper.c @@ -54,6 +54,7 @@ #include "multiif.h" #include "progress.h" #include "content_encoding.h" +#include "ws.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" @@ -471,6 +472,24 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data, if(result) break; + k->deductheadercount = + (100 <= http_status && 199 >= http_status)?k->headerbytecount:0; +#ifdef USE_WEBSOCKETS + if(k->upgr101 == UPGR101_WS) { + if(http_status == 101) { + /* verify the response */ + result = Curl_ws_accept(data); + if(result) + return result; + } + else { + failf(data, "Expected 101, got %u", k->httpcode); + result = CURLE_HTTP_RETURNED_ERROR; + break; + } + } +#endif + /* Curl_http_auth_act() checks what authentication methods that are * available and decides which one (if any) to use. It will set 'newurl' * if an auth method was picked. */ @@ -918,7 +937,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) result = CURLE_OUT_OF_MEMORY; goto error; } - if(conn->negnpn == CURL_HTTP_VERSION_2) { + if(conn->alpn == CURL_HTTP_VERSION_2) { hyper_clientconn_options_http2(options, 1); h2 = TRUE; } @@ -1123,6 +1142,9 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) if(result) goto error; + if(!result && conn->handler->protocol&(CURLPROTO_WS|CURLPROTO_WSS)) + result = Curl_ws_request(data, headers); + result = Curl_add_timecondition(data, headers); if(result) goto error; diff --git a/vendor/curl/lib/config-amigaos.h b/vendor/curl/lib/config-amigaos.h index 409dd78701..b7356c7629 100644 --- a/vendor/curl/lib/config-amigaos.h +++ b/vendor/curl/lib/config-amigaos.h @@ -36,7 +36,6 @@ #define HAVE_INTTYPES_H 1 #define HAVE_IOCTLSOCKET_CAMEL 1 #define HAVE_IOCTLSOCKET_CAMEL_FIONBIO 1 -#define HAVE_LIBZ 1 #define HAVE_LONGLONG 1 #define HAVE_NETDB_H 1 #define HAVE_NETINET_IN_H 1 
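Review bot: In the websocket branch added to Curl_hyper_stream(), the error message is built from a different variable than the one tested: the condition checks `http_status == 101`, but the `failf()` prints `k->httpcode` with `%u`; if `httpcode` is an `int` (as its name and the rest of curl suggest, but it is not visible here) the conversion mismatch is a format defect, and the two values need not agree. I would print what was compared: `failf(data, "Expected 101, got %d", http_status);`. The two failure paths also diverge — a `Curl_ws_accept()` failure does `return result;` while the non-101 case does `break;` — so whatever the post-loop path does after `break` is skipped on the first; unless that is intended, `if(result) break;` keeps them consistent. The enclosing function starts and ends outside the hunk.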
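Review bot: The return value of the new `Curl_ws_request()` call in Curl_http() is discarded: `result` is assigned from it and then immediately overwritten by `result = Curl_add_timecondition(data, headers);` on the next line, so a failure while adding the websocket handshake headers continues as if it succeeded. Add `if(result) goto error;` directly after the call. The `!result &&` guard is also dead code, since the preceding `if(result) goto error;` already guarantees `result` is CURLE_OK at that point. Curl_http() starts and ends outside the hunk.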
@@ -65,7 +64,6 @@ #define HAVE_UTIME 1 #define HAVE_UTIME_H 1 #define HAVE_WRITABLE_ARGV 1 -#define HAVE_ZLIB_H 1 #define HAVE_SYS_IOCTL_H 1 #define NEED_MALLOC_H 1 @@ -73,8 +71,11 @@ #define SIZEOF_INT 4 #define SIZEOF_SIZE_T 4 +#ifndef SIZEOF_CURL_OFF_T +#define SIZEOF_CURL_OFF_T 8 +#endif + #define USE_MANUAL 1 -#define USE_OPENSSL 1 #define CURL_DISABLE_LDAP 1 #define OS "AmigaOS" @@ -86,11 +87,6 @@ #define PACKAGE_TARNAME "curl" #define PACKAGE_VERSION "-" #define CURL_CA_BUNDLE "s:curl-ca-bundle.crt" - -#define SELECT_TYPE_ARG1 int -#define SELECT_TYPE_ARG234 (fd_set *) -#define SELECT_TYPE_ARG5 (struct timeval *) - #define STDC_HEADERS 1 #define TIME_WITH_SYS_TIME 1 diff --git a/vendor/curl/lib/config-dos.h b/vendor/curl/lib/config-dos.h index 859dc387a1..8e3c940d9c 100644 --- a/vendor/curl/lib/config-dos.h +++ b/vendor/curl/lib/config-dos.h @@ -105,9 +105,7 @@ /* CURLDEBUG definition enables memory tracking */ /* #define CURLDEBUG */ -/* USE_ZLIB on cmd-line */ -#ifdef USE_ZLIB - #define HAVE_ZLIB_H 1 +#ifdef USE_ZLIB /* Deprecated. Use HAVE_LIBZ instead. */ #define HAVE_LIBZ 1 #endif diff --git a/vendor/curl/lib/config-linux.h b/vendor/curl/lib/config-linux.h index 5f1101a6d6..e66da321a6 100644 --- a/vendor/curl/lib/config-linux.h +++ b/vendor/curl/lib/config-linux.h @@ -390,12 +390,6 @@ /* Define to 1 if you have the `ssh2' library (-lssh2). */ /* #undef HAVE_LIBSSH2 */ -/* Define to 1 if you have the header file. */ -/* #undef HAVE_LIBSSH2_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_LIBSSH_LIBSSH_H */ - /* Define to 1 if you have the `ssl' library (-lssl). */ /* #undef HAVE_LIBSSL */ @@ -569,6 +563,9 @@ /* Define to 1 if you have the sigsetjmp function or macro. */ #define HAVE_SIGSETJMP 1 +/* Define to 1 if you have the `snprintf' function. */ +#define HAVE_SNPRINTF 1 + /* Define to 1 if struct sockaddr_in6 has the sin6_scope_id member */ /* #undef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID */ 
@@ -746,9 +743,6 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_X509_H */ -/* if you have the zlib.h header file */ -/* #undef HAVE_ZLIB_H */ - /* if libzstd is in use */ /* #undef HAVE_ZSTD */ @@ -800,54 +794,6 @@ /* a suitable file to read random data from */ /* #undef RANDOM_FILE */ -/* Define to the type of arg 1 for recv. */ -#define RECV_TYPE_ARG1 int - -/* Define to the type of arg 2 for recv. */ -#define RECV_TYPE_ARG2 void * - -/* Define to the type of arg 3 for recv. */ -#define RECV_TYPE_ARG3 size_t - -/* Define to the type of arg 4 for recv. */ -#define RECV_TYPE_ARG4 int - -/* Define to the function return type for recv. */ -#define RECV_TYPE_RETV ssize_t - -/* Define to the type qualifier of arg 5 for select. */ -#define SELECT_QUAL_ARG5 - -/* Define to the type of arg 1 for select. */ -#define SELECT_TYPE_ARG1 int - -/* Define to the type of args 2, 3 and 4 for select. */ -#define SELECT_TYPE_ARG234 fd_set * - -/* Define to the type of arg 5 for select. */ -#define SELECT_TYPE_ARG5 struct timeval * - -/* Define to the function return type for select. */ -#define SELECT_TYPE_RETV int - -/* Define to the type qualifier of arg 2 for send. */ -#define SEND_QUAL_ARG2 const - -/* Define to the type of arg 1 for send. */ -#define SEND_TYPE_ARG1 int - -/* Define to the type of arg 2 for send. */ -#define SEND_TYPE_ARG2 void * - -/* Define to the type of arg 3 for send. */ -#define SEND_TYPE_ARG3 size_t - -/* Define to the type of arg 4 for send. */ -#define SEND_TYPE_ARG4 int - -/* Define to the function return type for send. */ -#define SEND_TYPE_RETV ssize_t - /* Size of curl_off_t in number of bytes */ #define SIZEOF_CURL_OFF_T 8 @@ -967,6 +913,9 @@ /* Use Unix domain sockets */ #define USE_UNIX_SOCKETS 1 +/* enable websockets support */ +/* #undef USE_WEBSOCKETS */ + /* Define to 1 if you are building a Windows target with crypto API support. */ /* #undef USE_WIN32_CRYPTO */ 
diff --git a/vendor/curl/lib/config-macos.h b/vendor/curl/lib/config-macos.h index 3f25147d83..e7da3d6b35 100644 --- a/vendor/curl/lib/config-macos.h +++ b/vendor/curl/lib/config-macos.h @@ -390,12 +390,6 @@ /* Define to 1 if you have the `ssh2' library (-lssh2). */ /* #undef HAVE_LIBSSH2 */ -/* Define to 1 if you have the header file. */ -/* #undef HAVE_LIBSSH2_H */ - -/* Define to 1 if you have the header file. */ -/* #undef HAVE_LIBSSH_LIBSSH_H */ - /* Define to 1 if you have the `ssl' library (-lssl). */ /* #undef HAVE_LIBSSL */ @@ -569,6 +563,9 @@ /* Define to 1 if you have the sigsetjmp function or macro. */ #define HAVE_SIGSETJMP 1 +/* Define to 1 if you have the `snprintf' function. */ +#define HAVE_SNPRINTF 1 + /* Define to 1 if struct sockaddr_in6 has the sin6_scope_id member */ /* #undef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID */ @@ -746,9 +743,6 @@ /* Define to 1 if you have the header file. */ /* #undef HAVE_X509_H */ -/* if you have the zlib.h header file */ -/* #undef HAVE_ZLIB_H */ - /* if libzstd is in use */ /* #undef HAVE_ZSTD */ @@ -774,7 +768,7 @@ /* #undef NTLM_WB_FILE */ /* cpu-machine-OS */ -#define OS "x86_64-apple-darwin21.6.0" +#define OS "x86_64-apple-darwin22.2.0" /* Name of package */ #define PACKAGE "curl" 
@@ -800,54 +794,6 @@ /* a suitable file to read random data from */ /* #undef RANDOM_FILE */ -/* Define to the type of arg 1 for recv. */ -#define RECV_TYPE_ARG1 int - -/* Define to the type of arg 2 for recv. */ -#define RECV_TYPE_ARG2 void * - -/* Define to the type of arg 3 for recv. */ -#define RECV_TYPE_ARG3 size_t - -/* Define to the type of arg 4 for recv. */ -#define RECV_TYPE_ARG4 int - -/* Define to the function return type for recv. */ -#define RECV_TYPE_RETV ssize_t - -/* Define to the type qualifier of arg 5 for select. */ -#define SELECT_QUAL_ARG5 - -/* Define to the type of arg 1 for select. */ -#define SELECT_TYPE_ARG1 int - -/* Define to the type of args 2, 3 and 4 for select. */ -#define SELECT_TYPE_ARG234 fd_set * - -/* Define to the type of arg 5 for select. */ -#define SELECT_TYPE_ARG5 struct timeval * - -/* Define to the function return type for select. */ -#define SELECT_TYPE_RETV int - -/* Define to the type qualifier of arg 2 for send. */ -#define SEND_QUAL_ARG2 const - -/* Define to the type of arg 1 for send. */ -#define SEND_TYPE_ARG1 int - -/* Define to the type of arg 2 for send. */ -#define SEND_TYPE_ARG2 void * - -/* Define to the type of arg 3 for send. */ -#define SEND_TYPE_ARG3 size_t - -/* Define to the type of arg 4 for send. */ -#define SEND_TYPE_ARG4 int - -/* Define to the function return type for send. */ -#define SEND_TYPE_RETV ssize_t - /* Size of curl_off_t in number of bytes */ #define SIZEOF_CURL_OFF_T 8 @@ -967,6 +913,9 @@ /* Use Unix domain sockets */ #define USE_UNIX_SOCKETS 1 +/* enable websockets support */ +/* #undef USE_WEBSOCKETS */ + /* Define to 1 if you are building a Windows target with crypto API support. */ /* #undef USE_WIN32_CRYPTO */ diff --git a/vendor/curl/lib/config-plan9.h b/vendor/curl/lib/config-plan9.h index b9b7b96430..49a719c1aa 100644 --- a/vendor/curl/lib/config-plan9.h +++ b/vendor/curl/lib/config-plan9.h 
@@ -63,10 +63,6 @@ #define RECV_TYPE_RETV int #define HAVE_SELECT 1 -#define SELECT_TYPE_ARG1 int -#define SELECT_TYPE_ARG234 fd_set * -#define SELECT_TYPE_ARG5 struct timeval * -#define SELECT_TYPE_RETV int #define HAVE_SEND 1 #define SEND_TYPE_ARG1 int @@ -145,8 +141,6 @@ #define HAVE_UTIME 1 #define HAVE_UTIME_H 1 -#define HAVE_ZLIB_H 1 - #define HAVE_POSIX_STRERROR_R 1 #define HAVE_STRERROR_R 1 diff --git a/vendor/curl/lib/config-win32.h b/vendor/curl/lib/config-win32.h index 0ac529d250..00e8663d2f 100644 --- a/vendor/curl/lib/config-win32.h +++ b/vendor/curl/lib/config-win32.h @@ -78,7 +78,8 @@ /* #define HAVE_SSL_H 1 */ /* Define to 1 if you have the header file. */ -#if defined(_MSC_VER) && (_MSC_VER >= 1800) +#if (defined(_MSC_VER) && (_MSC_VER >= 1800)) || \ + defined(__MINGW64_VERSION_MAJOR) #define HAVE_STDBOOL_H 1 #endif @@ -138,6 +139,17 @@ #define HAVE_WS2TCPIP_H 1 #endif +/* Define to 1 if you have the header file. */ +#define HAVE_SETJMP_H 1 + +/* Define to 1 if you have the header file. */ +#define HAVE_STRING_H 1 + +/* Define to 1 if you have the header file. */ +#if defined(__MINGW64_VERSION_MAJOR) +#define HAVE_LIBGEN_H 1 +#endif + /* ---------------------------------------------------------------- */ /* OTHER HEADER INFO */ /* ---------------------------------------------------------------- */ @@ -149,7 +161,8 @@ /* #define TIME_WITH_SYS_TIME 1 */ /* Define to 1 if bool is an available type. */ -#if defined(_MSC_VER) && (_MSC_VER >= 1800) +#if (defined(_MSC_VER) && (_MSC_VER >= 1800)) || \ + defined(__MINGW64_VERSION_MAJOR) #define HAVE_BOOL_T 1 #endif @@ -161,7 +174,9 @@ #define HAVE_CLOSESOCKET 1 /* Define if you have the ftruncate function. */ -/* #define HAVE_FTRUNCATE 1 */ +#if defined(__MINGW64_VERSION_MAJOR) +#define HAVE_FTRUNCATE 1 +#endif /* Define to 1 if you have the `getpeername' function. */ #define HAVE_GETPEERNAME 1 
@@ -254,6 +269,31 @@ /* Define to the function return type for send. */ #define SEND_TYPE_RETV int +/* Define to 1 if you have the snprintf function. */ +#if defined(_MSC_VER) && (_MSC_VER >= 1900) +#define HAVE_SNPRINTF 1 +#endif + +#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 /* Vista */ +/* Define to 1 if you have a IPv6 capable working inet_ntop function. */ +#define HAVE_INET_NTOP 1 +/* Define to 1 if you have a IPv6 capable working inet_pton function. */ +#define HAVE_INET_PTON 1 +#endif + +/* Define to 1 if you have the `basename' function. */ +#if defined(__MINGW64_VERSION_MAJOR) +#define HAVE_BASENAME 1 +#endif + +/* Define to 1 if you have the strtok_r function. */ +#if defined(__MINGW64_VERSION_MAJOR) +#define HAVE_STRTOK_R 1 +#endif + +/* Define to 1 if you have the signal function. */ +#define HAVE_SIGNAL 1 + /* ---------------------------------------------------------------- */ /* TYPEDEF REPLACEMENTS */ /* ---------------------------------------------------------------- */ @@ -296,6 +336,11 @@ /* Define to the size of `curl_off_t', as computed by sizeof. */ #define SIZEOF_CURL_OFF_T 8 +/* Define to the size of `off_t', as computed by sizeof. */ +#ifndef SIZEOF_OFF_T +#define SIZEOF_OFF_T 8 +#endif + /* ---------------------------------------------------------------- */ /* BSD-style lwIP TCP/IP stack SPECIFIC */ /* ---------------------------------------------------------------- */ @@ -506,11 +551,6 @@ Vista /* Define if struct sockaddr_in6 has the sin6_scope_id member. */ #define HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID 1 -#if defined(HAVE_WINSOCK2_H) && defined(_WIN32_WINNT) && \ - (_WIN32_WINNT >= 0x0600) -#define HAVE_STRUCT_POLLFD 1 -#endif - /* ---------------------------------------------------------------- */ /* LARGE FILE SUPPORT */ /* ---------------------------------------------------------------- */ 
@@ -535,6 +575,13 @@ Vista # define USE_WIN32_SMALL_FILES #endif +/* Number of bits in a file offset, on hosts where this is settable. */ +#if defined(USE_WIN32_LARGE_FILES) && defined(__MINGW64_VERSION_MAJOR) +# ifndef _FILE_OFFSET_BITS +# define _FILE_OFFSET_BITS 64 +# endif +#endif + /* ---------------------------------------------------------------- */ /* DNS RESOLVER SPECIALTY */ /* ---------------------------------------------------------------- */ @@ -560,7 +607,7 @@ Vista /* LDAP SUPPORT */ /* ---------------------------------------------------------------- */ -#if defined(CURL_HAS_NOVELL_LDAPSDK) || defined(CURL_HAS_MOZILLA_LDAPSDK) +#if defined(CURL_HAS_NOVELL_LDAPSDK) #undef USE_WIN32_LDAP #define HAVE_LDAP_SSL_H 1 #define HAVE_LDAP_URL_PARSE 1 diff --git a/vendor/curl/lib/conncache.c b/vendor/curl/lib/conncache.c index 2a399c8814..a557ac6dc9 100644 --- a/vendor/curl/lib/conncache.c +++ b/vendor/curl/lib/conncache.c @@ -498,7 +498,7 @@ Curl_conncache_extract_oldest(struct Curl_easy *data) conn = curr->ptr; if(!CONN_INUSE(conn) && !conn->bits.close && - !conn->bits.connect_only) { + !conn->connect_only) { /* Set higher score for the age passed since the connection was used */ score = Curl_timediff(now, conn->lastused); diff --git a/vendor/curl/lib/conncache.h b/vendor/curl/lib/conncache.h index 6ec2757433..94664bc357 100644 --- a/vendor/curl/lib/conncache.h +++ b/vendor/curl/lib/conncache.h @@ -31,6 +31,7 @@ * be shared. */ +#include #include "timeval.h" struct connectdata; diff --git a/vendor/curl/lib/connect.c b/vendor/curl/lib/connect.c index be9f72117c..ac007c61b0 100644 --- a/vendor/curl/lib/connect.c +++ b/vendor/curl/lib/connect.c 
@@ -625,7 +625,8 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, else data->info.conn_local_ip[0] = 0; data->info.conn_scheme = conn->handler->scheme; - data->info.conn_protocol = conn->handler->protocol; + /* conn_protocol can only provide "old" protocols */ + data->info.conn_protocol = (conn->handler->protocol) & CURLPROTO_MASK; data->info.conn_primary_port = conn->port; data->info.conn_remote_port = conn->remote_port; data->info.conn_local_port = local_port; @@ -761,18 +762,10 @@ void Curl_updateconninfo(struct Curl_easy *data, struct connectdata *conn, char local_ip[MAX_IPADR_LEN] = ""; int local_port = -1; - if(conn->transport == TRNSPRT_TCP) { - if(!conn->bits.reuse && !conn->bits.tcp_fastopen) - Curl_conninfo_remote(data, conn, sockfd); - Curl_conninfo_local(data, sockfd, local_ip, &local_port); - } /* end of TCP-only section */ -#ifdef ENABLE_QUIC - else if(conn->transport == TRNSPRT_QUIC) { - if(!conn->bits.reuse) - Curl_conninfo_remote(data, conn, sockfd); - Curl_conninfo_local(data, sockfd, local_ip, &local_port); - } -#endif + if(!conn->bits.reuse && + (conn->transport != TRNSPRT_TCP || !conn->bits.tcp_fastopen)) + Curl_conninfo_remote(data, conn, sockfd); + Curl_conninfo_local(data, sockfd, local_ip, &local_port); /* persist connection info in session handle */ Curl_persistconninfo(data, conn, local_ip, local_port); @@ -1046,7 +1039,6 @@ CURLcode Curl_is_connected(struct Curl_easy *data, (conn->tempsock[1] == CURL_SOCKET_BAD)) { /* no more addresses to try */ const char *hostname; - char buffer[STRERROR_LEN]; CURLcode failreason = result; /* if the first address family runs out of addresses to try before the 
@@ -1073,11 +1065,7 @@ CURLcode Curl_is_connected(struct Curl_easy *data, "%" CURL_FORMAT_TIMEDIFF_T " ms: %s", hostname, conn->port, Curl_timediff(now, data->progress.t_startsingle), -#ifdef ENABLE_QUIC - (conn->transport == TRNSPRT_QUIC) ? - curl_easy_strerror(result) : -#endif - Curl_strerror(error, buffer, sizeof(buffer))); + curl_easy_strerror(result)); Curl_quic_disconnect(data, conn, 0); Curl_quic_disconnect(data, conn, 1); @@ -1209,6 +1197,7 @@ static CURLcode singleipconnect(struct Curl_easy *data, #ifdef TCP_FASTOPEN_CONNECT int optval = 1; #endif + const char *ipmsg; char buffer[STRERROR_LEN]; curl_socket_t *sockp = &conn->tempsock[tempindex]; *sockp = CURL_SOCKET_BAD; @@ -1226,7 +1215,13 @@ static CURLcode singleipconnect(struct Curl_easy *data, Curl_closesocket(data, conn, sockfd); return CURLE_OK; } - infof(data, " Trying %s:%d...", ipaddress, port); +#ifdef ENABLE_IPV6 + if(addr.family == AF_INET6) + ipmsg = " Trying [%s]:%d..."; + else +#endif + ipmsg = " Trying %s:%d..."; + infof(data, ipmsg, ipaddress, port); #ifdef ENABLE_IPV6 is_tcp = (addr.family == AF_INET || addr.family == AF_INET6) && diff --git a/vendor/curl/lib/content_encoding.c b/vendor/curl/lib/content_encoding.c index 95ba48a2dd..bfc13e254d 100644 --- a/vendor/curl/lib/content_encoding.c +++ b/vendor/curl/lib/content_encoding.c @@ -28,7 +28,7 @@ #include #include -#ifdef HAVE_ZLIB_H +#ifdef HAVE_LIBZ #include #endif @@ -82,8 +82,9 @@ typedef enum { ZLIB_INIT_GZIP /* initialized in transparent gzip mode */ } zlibInitState; -/* Writer parameters. */ -struct zlib_params { +/* Deflate and gzip writer. */ +struct zlib_writer { + struct contenc_writer super; zlibInitState zlib_init; /* zlib init state */ uInt trailerlen; /* Remaining trailer byte count. */ z_stream z; /* State structure for zlib. */ 
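Review bot: The rewritten "Failed to connect" message in the `@@ -1073` hunk now always prints `curl_easy_strerror(result)`, which maps a CURLcode to a generic text, whereas the removed lines printed the socket error through `Curl_strerror(error, …)` for non-QUIC transports; the concrete OS reason (refused, unreachable, timed out) is no longer surfaced to the user. If `error` is still populated in this function (its start is outside the hunk), I would keep that detail for the TCP case — `(conn->transport == TRNSPRT_QUIC) ? curl_easy_strerror(result) : Curl_strerror(error, buffer, sizeof(buffer))` — which also means keeping the `char buffer[STRERROR_LEN];` that the `@@ -1046` hunk removes, or alternatively appending both strings. Curl_is_connected() continues outside the hunk.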
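Review bot: `infof(data, ipmsg, ipaddress, port);` in singleipconnect() passes a format string selected at runtime; both candidates are literals with the same argument list, so the call is correct, but compile-time format checking (`-Wformat-nonliteral`, and any printf-style attribute on `infof`, which I cannot see here) can no longer verify it. Passing the brackets as arguments keeps the format a literal and also drops the uninitialised `const char *ipmsg;` declaration added earlier in the function. singleipconnect() starts and ends outside the hunk.
```c
  const char *lb = "";
  const char *rb = "";
#ifdef ENABLE_IPV6
  if(addr.family == AF_INET6) {
    lb = "[";
    rb = "]";
  }
#endif
  infof(data, " Trying %s%s%s:%d...", lb, ipaddress, rb, port);
  /* … unchanged: is_tcp computation … */
```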
@@ -135,7 +136,7 @@ exit_zlib(struct Curl_easy *data, } static CURLcode process_trailer(struct Curl_easy *data, - struct zlib_params *zp) + struct zlib_writer *zp) { z_stream *z = &zp->z; CURLcode result = CURLE_OK; @@ -162,7 +163,7 @@ static CURLcode inflate_stream(struct Curl_easy *data, struct contenc_writer *writer, zlibInitState started) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ uInt nread = z->avail_in; Bytef *orig_in = z->next_in; @@ -265,7 +266,7 @@ static CURLcode inflate_stream(struct Curl_easy *data, static CURLcode deflate_init_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ if(!writer->downstream) @@ -285,7 +286,7 @@ static CURLcode deflate_unencode_write(struct Curl_easy *data, struct contenc_writer *writer, const char *buf, size_t nbytes) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ /* Set the compressed input when this function is called */ @@ -302,7 +303,7 @@ static CURLcode deflate_unencode_write(struct Curl_easy *data, static void deflate_close_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ exit_zlib(data, z, &zp->zlib_init, CURLE_OK); @@ -314,7 +315,7 @@ static const struct content_encoding deflate_encoding = { deflate_init_writer, deflate_unencode_write, deflate_close_writer, - sizeof(struct zlib_params) + sizeof(struct zlib_writer) }; 
@@ -322,7 +323,7 @@ static const struct content_encoding deflate_encoding = { static CURLcode gzip_init_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ if(!writer->downstream) @@ -439,7 +440,7 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data, struct contenc_writer *writer, const char *buf, size_t nbytes) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ if(zp->zlib_init == ZLIB_INIT_GZIP) { @@ -566,7 +567,7 @@ static CURLcode gzip_unencode_write(struct Curl_easy *data, static void gzip_close_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zlib_params *zp = (struct zlib_params *) &writer->params; + struct zlib_writer *zp = (struct zlib_writer *) writer; z_stream *z = &zp->z; /* zlib state structure */ exit_zlib(data, z, &zp->zlib_init, CURLE_OK); @@ -578,15 +579,16 @@ static const struct content_encoding gzip_encoding = { gzip_init_writer, gzip_unencode_write, gzip_close_writer, - sizeof(struct zlib_params) + sizeof(struct zlib_writer) }; #endif /* HAVE_LIBZ */ #ifdef HAVE_BROTLI -/* Writer parameters. */ -struct brotli_params { +/* Brotli writer. */ +struct brotli_writer { + struct contenc_writer super; BrotliDecoderState *br; /* State structure for brotli. */ }; @@ -631,7 +633,7 @@ static CURLcode brotli_map_error(BrotliDecoderErrorCode be) static CURLcode brotli_init_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct brotli_params *bp = (struct brotli_params *) &writer->params; + struct brotli_writer *bp = (struct brotli_writer *) writer; (void) data; if(!writer->downstream) 
@@ -645,7 +647,7 @@ static CURLcode brotli_unencode_write(struct Curl_easy *data, struct contenc_writer *writer, const char *buf, size_t nbytes) { - struct brotli_params *bp = (struct brotli_params *) &writer->params; + struct brotli_writer *bp = (struct brotli_writer *) writer; const uint8_t *src = (const uint8_t *) buf; char *decomp; uint8_t *dst; @@ -692,7 +694,8 @@ static CURLcode brotli_unencode_write(struct Curl_easy *data, static void brotli_close_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct brotli_params *bp = (struct brotli_params *) &writer->params; + struct brotli_writer *bp = (struct brotli_writer *) writer; + (void) data; if(bp->br) { @@ -707,14 +710,15 @@ static const struct content_encoding brotli_encoding = { brotli_init_writer, brotli_unencode_write, brotli_close_writer, - sizeof(struct brotli_params) + sizeof(struct brotli_writer) }; #endif #ifdef HAVE_ZSTD -/* Writer parameters. */ -struct zstd_params { +/* Zstd writer. */ +struct zstd_writer { + struct contenc_writer super; ZSTD_DStream *zds; /* State structure for zstd. */ void *decomp; }; @@ -722,7 +726,8 @@ struct zstd_params { static CURLcode zstd_init_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zstd_params *zp = (struct zstd_params *)&writer->params; + struct zstd_writer *zp = (struct zstd_writer *) writer; + (void)data; if(!writer->downstream) @@ -738,7 +743,7 @@ static CURLcode zstd_unencode_write(struct Curl_easy *data, const char *buf, size_t nbytes) { CURLcode result = CURLE_OK; - struct zstd_params *zp = (struct zstd_params *)&writer->params; + struct zstd_writer *zp = (struct zstd_writer *) writer; ZSTD_inBuffer in; ZSTD_outBuffer out; size_t errorCode; 
@@ -777,7 +782,8 @@ static CURLcode zstd_unencode_write(struct Curl_easy *data, static void zstd_close_writer(struct Curl_easy *data, struct contenc_writer *writer) { - struct zstd_params *zp = (struct zstd_params *)&writer->params; + struct zstd_writer *zp = (struct zstd_writer *) writer; + (void)data; if(zp->decomp) { @@ -796,7 +802,7 @@ static const struct content_encoding zstd_encoding = { zstd_init_writer, zstd_unencode_write, zstd_close_writer, - sizeof(struct zstd_params) + sizeof(struct zstd_writer) }; #endif @@ -829,7 +835,7 @@ static const struct content_encoding identity_encoding = { identity_init_writer, identity_unencode_write, identity_close_writer, - 0 + sizeof(struct contenc_writer) }; @@ -921,7 +927,7 @@ static const struct content_encoding client_encoding = { client_init_writer, client_unencode_write, client_close_writer, - 0 + sizeof(struct contenc_writer) }; @@ -964,7 +970,7 @@ static const struct content_encoding error_encoding = { error_init_writer, error_unencode_write, error_close_writer, - 0 + sizeof(struct contenc_writer) }; /* Create an unencoding writer stage using the given handler. */ @@ -973,8 +979,10 @@ new_unencoding_writer(struct Curl_easy *data, const struct content_encoding *handler, struct contenc_writer *downstream) { - size_t sz = offsetof(struct contenc_writer, params) + handler->paramsize; - struct contenc_writer *writer = (struct contenc_writer *)calloc(1, sz); + struct contenc_writer *writer; + + DEBUGASSERT(handler->writersize >= sizeof(struct contenc_writer)); + writer = (struct contenc_writer *) calloc(1, handler->writersize); if(writer) { writer->handler = handler; @@ -1044,7 +1052,7 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, size_t namelen; /* Parse a single encoding name. */ - while(ISSPACE(*enclist) || *enclist == ',') + while(ISBLANK(*enclist) || *enclist == ',') enclist++; name = enclist; 
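Review bot: In new_unencoding_writer the only check that `handler->writersize` is large enough is a `DEBUGASSERT`, so in a non-debug build a handler table with a too-small size would get a `calloc` that is shorter than `struct contenc_writer` and the following `writer->handler = handler;` would write past the allocation. Every `content_encoding` table in this file is a static const initialised with `sizeof(struct ..._writer)` or `sizeof(struct contenc_writer)`, so nothing visible here can trigger it, but the cost of a hard check is one comparison: `if(handler->writersize < sizeof(struct contenc_writer)) return NULL;` placed before the `calloc`, which callers already handle via the existing `if(writer)` branch. The rest of the function lies outside the hunk.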
diff --git a/vendor/curl/lib/content_encoding.h b/vendor/curl/lib/content_encoding.h index 81bddd1be1..3c278cf727 100644 --- a/vendor/curl/lib/content_encoding.h +++ b/vendor/curl/lib/content_encoding.h @@ -28,7 +28,6 @@ struct contenc_writer { const struct content_encoding *handler; /* Encoding handler. */ struct contenc_writer *downstream; /* Downstream writer. */ - void *params; /* Encoding-specific storage (variable length). */ }; /* Content encoding writer. */ @@ -42,7 +41,7 @@ struct content_encoding { const char *buf, size_t nbytes); void (*close_writer)(struct Curl_easy *data, struct contenc_writer *writer); - size_t paramsize; + size_t writersize; }; diff --git a/vendor/curl/lib/cookie.c b/vendor/curl/lib/cookie.c index ab790a1cdb..8eaedeeb7f 100644 --- a/vendor/curl/lib/cookie.c +++ b/vendor/curl/lib/cookie.c @@ -458,11 +458,10 @@ static int invalid_octets(const char *p) "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" }; - size_t vlen, len; + size_t len; /* scan for all the octets that are *not* in cookie-octet */ len = strcspn(p, badoctets); - vlen = strlen(p); - return (len != vlen); + return (p[len] != '\0'); } /* @@ -538,7 +537,7 @@ Curl_cookie_add(struct Curl_easy *data, do { /* we have a = pair or a stand-alone word here */ name[0] = what[0] = 0; /* init the buffers */ - if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\r\n=] =%" + if(1 <= sscanf(ptr, "%" MAX_NAME_TXT "[^;\t\r\n=] =%" MAX_NAME_TXT "[^;\r\n]", name, what)) { /* @@ -592,6 +591,13 @@ Curl_cookie_add(struct Curl_easy *data, while(*whatptr && ISBLANK(*whatptr)) whatptr++; + /* Reject cookies with a TAB inside the content */ + if(strchr(whatptr, '\t')) { + freecookie(co); + infof(data, "cookie contains TAB, dropping"); + return NULL; + } + /* * Check if we have a reserved prefix set before anything else, as we * otherwise have to test for the prefix in both the cookie name and 
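Review bot: `writersize` replaces `paramsize` without a comment, although the allocator in content_encoding.c now depends on two invariants that the header is the natural place to state: the value must be at least `sizeof(struct contenc_writer)` (checked there only with `DEBUGASSERT`), and the handler's own writer struct must start with an embedded `struct contenc_writer` because the handlers cast the base pointer to it. Suggested declaration comment: `size_t writersize; /* sizeof the handler's writer struct; it must embed contenc_writer as its first member */`.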
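Review bot: The new TAB rejection in Curl_cookie_add only inspects the value (`whatptr`), and it runs after the `while(*whatptr && ISBLANK(*whatptr)) whatptr++;` loop, so a leading TAB is silently trimmed while an interior or trailing TAB drops the whole cookie; if that asymmetry is intended it deserves a line, e.g. `/* leading blanks were stripped above; any remaining TAB is not a cookie-octet (RFC 6265) */`. The name side is handled by the scanset change in the `@@ -538,7 +537,7 @@` hunk: a TAB now ends the name, and the literal space before `=` in the format skips whitespace, so `name<TAB>=value` still parses while a TAB in the middle of a name produces a name-only match whose remainder is then handled by code outside these hunks. A short comment on the format string saying TAB terminates the name would make that behaviour discoverable; the `invalid_octets()` rewrite to `p[len] != '\0'` is correct since strcspn returns the length when no bad octet is found.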
diff --git a/vendor/curl/lib/curl_addrinfo.c b/vendor/curl/lib/curl_addrinfo.c index d5d11113f4..72e778b34e 100644 --- a/vendor/curl/lib/curl_addrinfo.c +++ b/vendor/curl/lib/curl_addrinfo.c @@ -279,7 +279,7 @@ Curl_he2ai(const struct hostent *he, int port) for(i = 0; (curr = he->h_addr_list[i]) != NULL; i++) { size_t ss_size; - size_t namelen = strlen(he->h_name) + 1; /* include zero termination */ + size_t namelen = strlen(he->h_name) + 1; /* include null-terminatior */ #ifdef ENABLE_IPV6 if(he->h_addrtype == AF_INET6) ss_size = sizeof(struct sockaddr_in6); diff --git a/vendor/curl/lib/curl_ctype.c b/vendor/curl/lib/curl_ctype.c deleted file mode 100644 index e1a8445151..0000000000 --- a/vendor/curl/lib/curl_ctype.c +++ /dev/null 
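Review bot: The rewritten comment on the `namelen` line introduces a typo, "null-terminatior"; the same wording is spelled "null-terminator" in the doh.c and dynbuf.h hunks of this commit, so this one should read `size_t namelen = strlen(he->h_name) + 1; /* include null-terminator */`. Curl_he2ai continues outside the hunk.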
@@ -1,132 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -#include "curl_setup.h" - -#undef _U -#define _U (1<<0) /* upper case */ -#undef _L -#define _L (1<<1) /* lower case */ -#undef _N -#define _N (1<<2) /* decimal numerical digit */ -#undef _S -#define _S (1<<3) /* space */ -#undef _P -#define _P (1<<4) /* punctuation */ -#undef _C -#define _C (1<<5) /* control */ -#undef _X -#define _X (1<<6) /* hexadecimal letter */ -#undef _B -#define _B (1<<7) /* blank */ - -static const unsigned char ascii[128] = { - _C, _C, _C, _C, _C, _C, _C, _C, - _C, _C|_S, _C|_S, _C|_S, _C|_S, _C|_S, _C, _C, - _C, _C, _C, _C, _C, _C, _C, _C, - _C, _C, _C, _C, _C, _C, _C, _C, - _S|_B, _P, _P, _P, _P, _P, _P, _P, - _P, _P, _P, _P, _P, _P, _P, _P, - _N, _N, _N, _N, _N, _N, _N, _N, - _N, _N, _P, _P, _P, _P, _P, _P, - _P, _U|_X, _U|_X, _U|_X, _U|_X, _U|_X, _U|_X, _U, - _U, _U, _U, _U, _U, _U, _U, _U, - _U, _U, _U, _U, _U, _U, _U, _U, - _U, _U, _U, _P, _P, _P, _P, _P, - _P, _L|_X, _L|_X, _L|_X, _L|_X, _L|_X, _L|_X, _L, - _L, _L, _L, _L, _L, _L, _L, _L, - _L, _L, _L, _L, _L, _L, _L, _L, - _L, _L, _L, _P, _P, _P, _P, _C -}; 
- -int Curl_isspace(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & _S); -} - -int Curl_isdigit(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & _N); -} - -int Curl_isalnum(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_N|_U|_L)); -} - -int Curl_isxdigit(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_N|_X)); -} - -int Curl_isgraph(int c) -{ - if((c < 0) || (c >= 0x80) || (c == ' ')) - return FALSE; - return (ascii[c] & (_N|_X|_U|_L|_P|_S)); -} - -int Curl_isprint(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_N|_X|_U|_L|_P|_S)); -} - -int Curl_isalpha(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_U|_L)); -} - -int Curl_isupper(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_U)); -} - -int Curl_islower(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_L)); -} - -int Curl_iscntrl(int c) -{ - if((c < 0) || (c >= 0x80)) - return FALSE; - return (ascii[c] & (_C)); -} - diff --git a/vendor/curl/lib/curl_ctype.h b/vendor/curl/lib/curl_ctype.h index c70945a8d2..dc6b8cab86 100644 --- a/vendor/curl/lib/curl_ctype.h +++ b/vendor/curl/lib/curl_ctype.h 
@@ -24,32 +24,24 @@ * ***************************************************************************/ -#include "curl_setup.h" +#define ISLOWHEXALHA(x) (((x) >= 'a') && ((x) <= 'f')) +#define ISUPHEXALHA(x) (((x) >= 'A') && ((x) <= 'F')) -int Curl_isspace(int c); -int Curl_isdigit(int c); -int Curl_isalnum(int c); -int Curl_isxdigit(int c); -int Curl_isgraph(int c); -int Curl_isprint(int c); -int Curl_isalpha(int c); -int Curl_isupper(int c); -int Curl_islower(int c); -int Curl_iscntrl(int c); +#define ISLOWCNTRL(x) ((x) >= 0 && ((x) <= 0x1f)) +#define IS7F(x) ((x) == 0x7f) -#define ISSPACE(x) (Curl_isspace((int) ((unsigned char)x))) -#define ISDIGIT(x) (Curl_isdigit((int) ((unsigned char)x))) -#define ISALNUM(x) (Curl_isalnum((int) ((unsigned char)x))) -#define ISXDIGIT(x) (Curl_isxdigit((int) ((unsigned char)x))) -#define ISGRAPH(x) (Curl_isgraph((int) ((unsigned char)x))) -#define ISALPHA(x) (Curl_isalpha((int) ((unsigned char)x))) -#define ISPRINT(x) (Curl_isprint((int) ((unsigned char)x))) -#define ISUPPER(x) (Curl_isupper((int) ((unsigned char)x))) -#define ISLOWER(x) (Curl_islower((int) ((unsigned char)x))) -#define ISCNTRL(x) (Curl_iscntrl((int) ((unsigned char)x))) -#define ISASCII(x) (((x) >= 0) && ((x) <= 0x80)) +#define ISLOWPRINT(x) (((x) >= 9) && ((x) <= 0x0d)) -#define ISBLANK(x) (int)((((unsigned char)x) == ' ') || \ - (((unsigned char)x) == '\t')) +#define ISPRINT(x) (ISLOWPRINT(x) || (((x) >= ' ') && ((x) <= 0x7e))) +#define ISGRAPH(x) (ISLOWPRINT(x) || (((x) > ' ') && ((x) <= 0x7e))) +#define ISCNTRL(x) (ISLOWCNTRL(x) || IS7F(x)) +#define ISALPHA(x) (ISLOWER(x) || ISUPPER(x)) +#define ISXDIGIT(x) (ISDIGIT(x) || ISLOWHEXALHA(x) || ISUPHEXALHA(x)) +#define ISALNUM(x) (ISDIGIT(x) || ISLOWER(x) || ISUPPER(x)) +#define ISUPPER(x) (((x) >= 'A') && ((x) <= 'Z')) +#define ISLOWER(x) (((x) >= 'a') && ((x) <= 'z')) +#define ISDIGIT(x) (((x) >= '0') && ((x) <= '9')) +#define ISBLANK(x) (((x) == ' ') || ((x) == '\t')) +#define ISSPACE(x) (ISBLANK(x) || (((x) >= 
0xa) && ((x) <= 0x0d))) #endif /* HEADER_CURL_CTYPE_H */ diff --git a/vendor/curl/lib/curl_des.c b/vendor/curl/lib/curl_des.c index 6d52cd3635..a2bf648c29 100644 --- a/vendor/curl/lib/curl_des.c +++ b/vendor/curl/lib/curl_des.c @@ -41,7 +41,7 @@ * * The function is a port of the Java based oddParity() function over at: * - * https://davenport.sourceforge.io/ntlm.html + * https://davenport.sourceforge.net/ntlm.html * * Parameters: * diff --git a/vendor/curl/lib/curl_get_line.c b/vendor/curl/lib/curl_get_line.c index 6a26bb254f..22e3705f4c 100644 --- a/vendor/curl/lib/curl_get_line.c +++ b/vendor/curl/lib/curl_get_line.c @@ -25,7 +25,7 @@ #include "curl_setup.h" #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ - !defined(CURL_DISABLE_HSTS) + !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC) #include "curl_get_line.h" #include "curl_memory.h" @@ -33,8 +33,8 @@ #include "memdebug.h" /* - * get_line() makes sure to only return complete whole lines that fit in 'len' - * bytes and end with a newline. + * Curl_get_line() makes sure to only return complete whole lines that fit in + * 'len' bytes and end with a newline. */ char *Curl_get_line(char *buf, int len, FILE *input) { diff --git a/vendor/curl/lib/curl_hmac.h b/vendor/curl/lib/curl_hmac.h index 77dce0f165..36c0bd62e5 100644 --- a/vendor/curl/lib/curl_hmac.h +++ b/vendor/curl/lib/curl_hmac.h @@ -26,6 +26,8 @@ #ifndef CURL_DISABLE_CRYPTO_AUTH +#include + #define HMAC_MD5_LENGTH 16 typedef CURLcode (* HMAC_hinit_func)(void *context); diff --git a/vendor/curl/lib/curl_ntlm_core.c b/vendor/curl/lib/curl_ntlm_core.c index b56c647a5a..38e193c186 100644 --- a/vendor/curl/lib/curl_ntlm_core.c +++ b/vendor/curl/lib/curl_ntlm_core.c @@ -29,7 +29,7 @@ /* * NTLM details: * - * https://davenport.sourceforge.io/ntlm.html + * https://davenport.sourceforge.net/ntlm.html * https://www.innovation.ch/java/ntlm.html */ 
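Review bot: Every new ctype macro evaluates its argument more than once — `ISXDIGIT(x)` expands `x` up to six times through ISDIGIT/ISLOWHEXALHA/ISUPHEXALHA, `ISSPACE(x)` four times — whereas the removed `Curl_is*()` wrappers evaluated it exactly once, so any caller that passes an expression with side effects (`ISSPACE(*p++)`) now misbehaves silently. A comment at the head of the macro group should state the constraint: `/* NOTE: these macros evaluate their argument several times; pass only side-effect-free expressions */`. The `(unsigned char)` cast of the old wrappers is also gone; a negative `char` now simply fails every test, which matches the old `c < 0` → FALSE path, but that equivalence is worth a second line since the macros are now reached without curl_setup.h. Separately, `ISLOWHEXALHA`/`ISUPHEXALHA` read like a typo for HEXALPHA, and `ISASCII` disappears without a replacement, which any remaining user will surface as a build error.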
diff --git a/vendor/curl/lib/curl_ntlm_wb.c b/vendor/curl/lib/curl_ntlm_wb.c index f1eb9c6319..33dcf0ce25 100644 --- a/vendor/curl/lib/curl_ntlm_wb.c +++ b/vendor/curl/lib/curl_ntlm_wb.c @@ -30,7 +30,7 @@ /* * NTLM details: * - * https://davenport.sourceforge.io/ntlm.html + * https://davenport.sourceforge.net/ntlm.html * https://www.innovation.ch/java/ntlm.html */ diff --git a/vendor/curl/lib/curl_path.c b/vendor/curl/lib/curl_path.c index 259837539d..b55e83047d 100644 --- a/vendor/curl/lib/curl_path.c +++ b/vendor/curl/lib/curl_path.c @@ -122,7 +122,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) bool relativePath = false; static const char WHITESPACE[] = " \t\r\n"; - if(!*cp) { + DEBUGASSERT(homedir); + if(!*cp || !homedir) { *cpp = NULL; *path = NULL; return CURLE_QUOTE_ERROR; diff --git a/vendor/curl/lib/curl_range.c b/vendor/curl/lib/curl_range.c index 9e03c3d4a6..dd92d05b39 100644 --- a/vendor/curl/lib/curl_range.c +++ b/vendor/curl/lib/curl_range.c @@ -47,7 +47,7 @@ CURLcode Curl_range(struct Curl_easy *data) from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from); if(from_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; - while(*ptr && (ISSPACE(*ptr) || (*ptr == '-'))) + while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); if(to_t == CURL_OFFT_FLOW) diff --git a/vendor/curl/lib/curl_setup.h b/vendor/curl/lib/curl_setup.h index e5356dcc92..ac27b130c6 100644 --- a/vendor/curl/lib/curl_setup.h +++ b/vendor/curl/lib/curl_setup.h @@ -158,8 +158,6 @@ /* please, do it beyond the point further indicated in this file. */ /* ================================================================ */ -#include - /* * Disable other protocols when http is the only one desired. */ 
@@ -219,7 +217,7 @@ /* ================================================================ */ /* No system header file shall be included in this file before this */ -/* point. The only allowed ones are those included from curl/system.h */ +/* point. */ /* ================================================================ */ /* @@ -246,6 +244,8 @@ # include "setup-win32.h" #endif +#include + /* * Use getaddrinfo to resolve the IPv4 address literal. If the current network * interface doesn't support IPv4, but supports IPv6, NAT64, and DNS64, @@ -322,8 +322,10 @@ #include #endif -#ifdef __TANDEM /* for nsr-tandem-nsk systems */ -#include +#ifdef __TANDEM /* for ns*-tandem-nsk systems */ +# if ! defined __LP64 +# include /* FLOSS is only used for 32-bit builds. */ +# endif #endif #ifndef STDC_HEADERS /* no standard C headers! */ @@ -740,12 +742,12 @@ #define SHUT_RDWR 0x02 #endif -/* Define S_ISREG if not defined by system headers, f.e. MSVC */ +/* Define S_ISREG if not defined by system headers, e.g. MSVC */ #if !defined(S_ISREG) && defined(S_IFMT) && defined(S_IFREG) #define S_ISREG(m) (((m) & S_IFMT) == S_IFREG) #endif -/* Define S_ISDIR if not defined by system headers, f.e. MSVC */ +/* Define S_ISDIR if not defined by system headers, e.g. MSVC */ #if !defined(S_ISDIR) && defined(S_IFMT) && defined(S_IFDIR) #define S_ISDIR(m) (((m) & S_IFMT) == S_IFDIR) #endif diff --git a/vendor/curl/lib/curl_setup_once.h b/vendor/curl/lib/curl_setup_once.h index e9730c9282..f09b00f9f2 100644 --- a/vendor/curl/lib/curl_setup_once.h +++ b/vendor/curl/lib/curl_setup_once.h @@ -33,7 +33,6 @@ #include #include #include -#include #include #ifdef HAVE_ERRNO_H @@ -88,6 +87,8 @@ #include #endif +#include "functypes.h" + #ifdef __hpux # if !defined(_XOPEN_SOURCE_EXTENDED) || defined(_KERNEL) # ifdef OLD_APP32_64BIT_OFF_T 
@@ -150,20 +151,10 @@ struct timeval { * SEND_TYPE_RETV must also be defined. */ -#if !defined(RECV_TYPE_ARG1) || \ - !defined(RECV_TYPE_ARG2) || \ - !defined(RECV_TYPE_ARG3) || \ - !defined(RECV_TYPE_ARG4) || \ - !defined(RECV_TYPE_RETV) - /* */ - Error Missing_definition_of_return_and_arguments_types_of_recv - /* */ -#else #define sread(x,y,z) (ssize_t)recv((RECV_TYPE_ARG1)(x), \ (RECV_TYPE_ARG2)(y), \ (RECV_TYPE_ARG3)(z), \ (RECV_TYPE_ARG4)(0)) -#endif #else /* HAVE_RECV */ #ifndef sread /* */ @@ -180,21 +171,10 @@ struct timeval { (SEND_TYPE_ARG3)(z)) #elif defined(HAVE_SEND) -#if !defined(SEND_TYPE_ARG1) || \ - !defined(SEND_QUAL_ARG2) || \ - !defined(SEND_TYPE_ARG2) || \ - !defined(SEND_TYPE_ARG3) || \ - !defined(SEND_TYPE_ARG4) || \ - !defined(SEND_TYPE_RETV) - /* */ - Error Missing_definition_of_return_and_arguments_types_of_send - /* */ -#else #define swrite(x,y,z) (ssize_t)send((SEND_TYPE_ARG1)(x), \ (SEND_QUAL_ARG2 SEND_TYPE_ARG2)(y), \ (SEND_TYPE_ARG3)(z), \ (SEND_TYPE_ARG4)(SEND_4TH_ARG)) -#endif #else /* HAVE_SEND */ #ifndef swrite /* */ @@ -229,9 +209,6 @@ struct timeval { # define sfcntl fcntl #endif -#define TOLOWER(x) (tolower((int) ((unsigned char)x))) - - /* * 'bool' stuff compatible with HP-UX headers. */ diff --git a/vendor/curl/lib/curl_sha256.h b/vendor/curl/lib/curl_sha256.h index 82fcdff8ea..754c761fb3 100644 --- a/vendor/curl/lib/curl_sha256.h +++ b/vendor/curl/lib/curl_sha256.h @@ -26,6 +26,7 @@ ***************************************************************************/ #ifndef CURL_DISABLE_CRYPTO_AUTH +#include #include "curl_hmac.h" extern const struct HMAC_params Curl_HMAC_SHA256[1]; diff --git a/vendor/curl/lib/doh.c b/vendor/curl/lib/doh.c index a86e157fc0..3b1d5d60ef 100644 --- a/vendor/curl/lib/doh.c +++ b/vendor/curl/lib/doh.c 
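Review bot: Dropping the `Error Missing_definition_of_return_and_arguments_types_of_recv` guard (and the send one in the `@@ -180,21 +171,10 @@` hunk) turns what used to be a build break into a silent fallback: functypes.h defaults each `RECV_TYPE_*`/`SEND_TYPE_*` macro individually with `#ifndef`, so a config-*.h that defines only some of them now gets a mix of configured and default types, and a mismatch such as a configured `RECV_TYPE_ARG3` next to a default `RECV_TYPE_RETV` would at most show up as a cast warning inside `sread`. If that is the intended contract it should be written down next to the `sread` definition, e.g. `/* argument/return types come from functypes.h; unset ones fall back to the POSIX defaults */`, so the next porter knows the hard check is gone on purpose.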
@@ -396,7 +396,7 @@ struct Curl_addrinfo *Curl_doh(struct Curl_easy *data, goto error; dohp->pending++; - if(Curl_ipv6works(data)) { + if((conn->ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) { /* create IPv6 DoH request */ result = dohprobe(data, &dohp->probe[DOH_PROBE_SLOT_IPADDR_V6], DNS_TYPE_AAAA, hostname, data->set.str[STRING_DOH], @@ -792,7 +792,7 @@ doh2ai(const struct dohentry *de, const char *hostname, int port) #endif CURLcode result = CURLE_OK; int i; - size_t hostlen = strlen(hostname) + 1; /* include zero terminator */ + size_t hostlen = strlen(hostname) + 1; /* include null-terminator */ if(!de) /* no input == no output! */ diff --git a/vendor/curl/lib/dotdot.c b/vendor/curl/lib/dotdot.c deleted file mode 100644 index 0b045315d0..0000000000 --- a/vendor/curl/lib/dotdot.c +++ /dev/null 
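Review bot: The AAAA probe is now skipped when `conn->ip_version == CURL_IPRESOLVE_V4`, but the A probe issued just above this hunk (outside the view) does not visibly get the mirror-image `!= CURL_IPRESOLVE_V6` gate; if it is indeed unconditional, a transfer restricted to IPv6 still spends a DoH round-trip on A records and the asymmetry should at least be commented. `dohp->pending++` precedes the new condition, so whether the pending count and the probe-slot bookkeeping remain consistent when the AAAA branch is skipped depends on code in Curl_doh that lies outside the hunk and is worth re-checking. A one-line comment on the condition, `/* no AAAA lookup when the transfer is pinned to IPv4 */`, would document the intent.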
@@ -1,184 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - -#include "curl_setup.h" - -#include - -#include "dotdot.h" -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - -/* - * "Remove Dot Segments" - * https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4 - */ - -/* - * Curl_dedotdotify() - * @unittest: 1395 - * - * This function gets a null-terminated path with dot and dotdot sequences - * passed in and strips them off according to the rules in RFC 3986 section - * 5.2.4. - * - * The function handles a query part ('?' + stuff) appended but it expects - * that fragments ('#' + stuff) have already been cut off. 
- * - * RETURNS - * - * an allocated dedotdotified output string - */ -char *Curl_dedotdotify(const char *input) -{ - size_t inlen = strlen(input); - char *clone; - size_t clen = inlen; /* the length of the cloned input */ - char *out = malloc(inlen + 1); - char *outptr; - char *orgclone; - char *queryp; - if(!out) - return NULL; /* out of memory */ - - *out = 0; /* null-terminates, for inputs like "./" */ - - /* get a cloned copy of the input */ - clone = strdup(input); - if(!clone) { - free(out); - return NULL; - } - orgclone = clone; - outptr = out; - - if(!*clone) { - /* zero length string, return that */ - free(out); - return clone; - } - - /* - * To handle query-parts properly, we must find it and remove it during the - * dotdot-operation and then append it again at the end to the output - * string. - */ - queryp = strchr(clone, '?'); - if(queryp) - *queryp = 0; - - do { - - /* A. If the input buffer begins with a prefix of "../" or "./", then - remove that prefix from the input buffer; otherwise, */ - - if(!strncmp("./", clone, 2)) { - clone += 2; - clen -= 2; - } - else if(!strncmp("../", clone, 3)) { - clone += 3; - clen -= 3; - } - - /* B. if the input buffer begins with a prefix of "/./" or "/.", where - "." is a complete path segment, then replace that prefix with "/" in - the input buffer; otherwise, */ - else if(!strncmp("/./", clone, 3)) { - clone += 2; - clen -= 2; - } - else if(!strcmp("/.", clone)) { - clone[1]='/'; - clone++; - clen -= 1; - } - - /* C. if the input buffer begins with a prefix of "/../" or "/..", where - ".." 
is a complete path segment, then replace that prefix with "/" in - the input buffer and remove the last segment and its preceding "/" (if - any) from the output buffer; otherwise, */ - - else if(!strncmp("/../", clone, 4)) { - clone += 3; - clen -= 3; - /* remove the last segment from the output buffer */ - while(outptr > out) { - outptr--; - if(*outptr == '/') - break; - } - *outptr = 0; /* null-terminate where it stops */ - } - else if(!strcmp("/..", clone)) { - clone[2]='/'; - clone += 2; - clen -= 2; - /* remove the last segment from the output buffer */ - while(outptr > out) { - outptr--; - if(*outptr == '/') - break; - } - *outptr = 0; /* null-terminate where it stops */ - } - - /* D. if the input buffer consists only of "." or "..", then remove - that from the input buffer; otherwise, */ - - else if(!strcmp(".", clone) || !strcmp("..", clone)) { - *clone = 0; - *out = 0; - } - - else { - /* E. move the first path segment in the input buffer to the end of - the output buffer, including the initial "/" character (if any) and - any subsequent characters up to, but not including, the next "/" - character or the end of the input buffer. */ - - do { - *outptr++ = *clone++; - clen--; - } while(*clone && (*clone != '/')); - *outptr = 0; - } - - } while(*clone); - - if(queryp) { - size_t qlen; - /* There was a query part, append that to the output. The 'clone' string - may now have been altered so we copy from the original input string - from the correct index. */ - size_t oindex = queryp - orgclone; - qlen = strlen(&input[oindex]); - memcpy(outptr, &input[oindex], qlen + 1); /* include the end zero byte */ - } - - free(orgclone); - return out; -} diff --git a/vendor/curl/lib/dynbuf.c b/vendor/curl/lib/dynbuf.c index 3b907dbe2e..0b1cf9afd8 100644 --- a/vendor/curl/lib/dynbuf.c +++ b/vendor/curl/lib/dynbuf.c 
@@ -128,7 +128,6 @@ void Curl_dyn_reset(struct dynbuf *s) s->leng = 0; } -#ifdef USE_NGTCP2 /* * Specify the size of the tail to keep (number of bytes from the end of the * buffer). The rest will be dropped. @@ -153,7 +152,6 @@ CURLcode Curl_dyn_tail(struct dynbuf *s, size_t trail) return CURLE_OK; } -#endif /* * Appends a buffer with length. @@ -255,3 +253,18 @@ size_t Curl_dyn_len(const struct dynbuf *s) DEBUGASSERT(!s->leng || s->bufr); return s->leng; } + +/* + * Set a new (smaller) length. + */ +CURLcode Curl_dyn_setlen(struct dynbuf *s, size_t set) +{ + DEBUGASSERT(s); + DEBUGASSERT(s->init == DYNINIT); + DEBUGASSERT(!s->leng || s->bufr); + if(set > s->leng) + return CURLE_BAD_FUNCTION_ARGUMENT; + s->leng = set; + s->bufr[s->leng] = 0; + return CURLE_OK; +} diff --git a/vendor/curl/lib/dynbuf.h b/vendor/curl/lib/dynbuf.h index c1e97235de..04a728c779 100644 --- a/vendor/curl/lib/dynbuf.h +++ b/vendor/curl/lib/dynbuf.h @@ -24,6 +24,8 @@ * ***************************************************************************/ +#include + #ifndef BUILDING_LIBCURL /* this renames the functions so that the tool code can use the same code without getting symbol collisions */ @@ -38,12 +40,13 @@ #define Curl_dyn_len(a) curlx_dyn_len(a) #define Curl_dyn_reset(a) curlx_dyn_reset(a) #define Curl_dyn_tail(a,b) curlx_dyn_tail(a,b) +#define Curl_dyn_setlen(a,b) curlx_dyn_setlen(a,b) #define curlx_dynbuf dynbuf /* for the struct name */ #endif struct dynbuf { char *bufr; /* point to a null-terminated allocated buffer */ - size_t leng; /* number of bytes *EXCLUDING* the zero terminator */ + size_t leng; /* number of bytes *EXCLUDING* the null-terminator */ size_t allc; /* size of the current allocation */ size_t toobig; /* size limit for the buffer */ #ifdef DEBUGBUILD 
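Review bot: `Curl_dyn_setlen()` stores through `s->bufr` unconditionally in `s->bufr[s->leng] = 0;`, but the `DEBUGASSERT(!s->leng || s->bufr)` two lines earlier explicitly tolerates `bufr == NULL` while `leng == 0`; in that state `Curl_dyn_setlen(s, 0)` passes the `set > s->leng` check and writes through a null pointer. Guard the store, `if(s->bufr) s->bufr[s->leng] = 0;`, or return `CURLE_OK` early when `set == s->leng`. The header comment could also spell out the error contract: `/* Set a new (smaller) length; returns CURLE_BAD_FUNCTION_ARGUMENT if 'set' exceeds the current length */`.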
@@ -63,6 +66,7 @@ CURLcode Curl_dyn_vaddf(struct dynbuf *s, const char *fmt, va_list ap) WARN_UNUSED_RESULT; void Curl_dyn_reset(struct dynbuf *s); CURLcode Curl_dyn_tail(struct dynbuf *s, size_t trail); +CURLcode Curl_dyn_setlen(struct dynbuf *s, size_t set); char *Curl_dyn_ptr(const struct dynbuf *s); unsigned char *Curl_dyn_uptr(const struct dynbuf *s); size_t Curl_dyn_len(const struct dynbuf *s); diff --git a/vendor/curl/lib/easy.c b/vendor/curl/lib/easy.c index 978ea5ac30..b8ac1ef8a8 100644 --- a/vendor/curl/lib/easy.c +++ b/vendor/curl/lib/easy.c @@ -82,11 +82,12 @@ #include "altsvc.h" #include "hsts.h" +#include "easy_lock.h" + /* The last 3 #include files should be in this order */ #include "curl_printf.h" #include "curl_memory.h" #include "memdebug.h" -#include "easy_lock.h" /* true globals -- for curl_global_init() and curl_global_cleanup() */ static unsigned int initialized; @@ -943,7 +944,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) goto fail; } -#ifdef USE_ALTSVC +#ifndef CURL_DISABLE_ALTSVC if(data->asi) { outcurl->asi = Curl_altsvc_init(); if(!outcurl->asi) @@ -1170,8 +1171,7 @@ CURLcode curl_easy_pause(struct Curl_easy *data, int action) } -static CURLcode easy_connection(struct Curl_easy *data, - curl_socket_t *sfd, +static CURLcode easy_connection(struct Curl_easy *data, curl_socket_t *sfd, struct connectdata **connp) { if(!data) @@ -1230,11 +1230,12 @@ CURLcode curl_easy_recv(struct Curl_easy *data, void *buffer, size_t buflen, } /* - * Sends data over the connected socket. Use after successful - * curl_easy_perform() with CURLOPT_CONNECT_ONLY option. + * Sends data over the connected socket. + * + * This is the private internal version of curl_easy_send() */ -CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer, - size_t buflen, size_t *n) +CURLcode Curl_senddata(struct Curl_easy *data, const void *buffer, + size_t buflen, ssize_t *n) { curl_socket_t sfd; CURLcode result; 
@@ -1242,9 +1243,6 @@ CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer, struct connectdata *c = NULL; SIGPIPE_VARIABLE(pipe_st); - if(Curl_is_in_callback(data)) - return CURLE_RECURSIVE_API_CALL; - result = easy_connection(data, &sfd, &c); if(result) return result; @@ -1266,8 +1264,25 @@ CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer, if(!result && !n1) return CURLE_AGAIN; - *n = (size_t)n1; + *n = n1; + + return result; +} + +/* + * Sends data over the connected socket. Use after successful + * curl_easy_perform() with CURLOPT_CONNECT_ONLY option. + */ +CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer, + size_t buflen, size_t *n) +{ + ssize_t written = 0; + CURLcode result; + if(Curl_is_in_callback(data)) + return CURLE_RECURSIVE_API_CALL; + result = Curl_senddata(data, buffer, buflen, &written); + *n = (size_t)written; return result; } diff --git a/vendor/curl/lib/easy_lock.h b/vendor/curl/lib/easy_lock.h index 4c22be5f8a..d96e56b8d8 100644 --- a/vendor/curl/lib/easy_lock.h +++ b/vendor/curl/lib/easy_lock.h @@ -47,7 +47,7 @@ typedef PVOID SRWLOCK, *PSRWLOCK; #define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m) #define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m) -#elif defined (HAVE_ATOMIC) +#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H) #include #if defined(HAVE_SCHED_YIELD) #include diff --git a/vendor/curl/lib/easyif.h b/vendor/curl/lib/easyif.h index 615df3f067..205382cd07 100644 --- a/vendor/curl/lib/easyif.h +++ b/vendor/curl/lib/easyif.h @@ -27,6 +27,9 @@ /* * Prototypes for library-wide functions provided by easy.c */ +CURLcode Curl_senddata(struct Curl_easy *data, const void *buffer, + size_t buflen, ssize_t *n); + #ifdef CURLDEBUG CURL_EXTERN CURLcode curl_easy_perform_ev(struct Curl_easy *easy); #endif diff --git a/vendor/curl/lib/easyoptions.c b/vendor/curl/lib/easyoptions.c index 412aefd990..e59b63af7a 100644 --- a/vendor/curl/lib/easyoptions.c 
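Review bot: `Curl_senddata()` leaves `*n` untouched on every early return — the `easy_connection()` failure in the preceding hunk and the `if(!result && !n1) return CURLE_AGAIN;` path visible here — so an internal caller that does not pre-initialise its `ssize_t` reads an indeterminate count; `curl_easy_send()` only copes because it starts with `ssize_t written = 0;`. Either assign `*n = 0;` at the top of Curl_senddata or state the contract in its header comment, e.g. `/* *n is written only on success; callers must initialise it */`, and consider saying the same in the easyif.h prototype added by this commit. Curl_senddata's signature and prologue are in the previous hunk, outside this one.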
+++ b/vendor/curl/lib/easyoptions.c @@ -354,6 +354,7 @@ struct curl_easyoption Curl_easyopts[] = { {"WRITEDATA", CURLOPT_WRITEDATA, CURLOT_CBPTR, 0}, {"WRITEFUNCTION", CURLOPT_WRITEFUNCTION, CURLOT_FUNCTION, 0}, {"WRITEHEADER", CURLOPT_HEADERDATA, CURLOT_CBPTR, CURLOT_FLAG_ALIAS}, + {"WS_OPTIONS", CURLOPT_WS_OPTIONS, CURLOT_LONG, 0}, {"XFERINFODATA", CURLOPT_XFERINFODATA, CURLOT_CBPTR, 0}, {"XFERINFOFUNCTION", CURLOPT_XFERINFOFUNCTION, CURLOT_FUNCTION, 0}, {"XOAUTH2_BEARER", CURLOPT_XOAUTH2_BEARER, CURLOT_STRING, 0}, @@ -367,6 +368,6 @@ struct curl_easyoption Curl_easyopts[] = { */ int Curl_easyopts_check(void) { - return ((CURLOPT_LASTENTRY%10000) != (319 + 1)); + return ((CURLOPT_LASTENTRY%10000) != (320 + 1)); } #endif diff --git a/vendor/curl/lib/formdata.c b/vendor/curl/lib/formdata.c index f5ed3653df..46542b4329 100644 --- a/vendor/curl/lib/formdata.c +++ b/vendor/curl/lib/formdata.c @@ -251,8 +251,10 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost, } } else { - /* This is not array-state, get next option */ - option = va_arg(params, CURLformoption); + /* This is not array-state, get next option. This gets an 'int' with + va_arg() because CURLformoption might be a smaller type than int and + might cause compiler warnings and wrong behavior. */ + option = (CURLformoption)va_arg(params, int); if(CURLFORM_END == option) break; } diff --git a/vendor/curl/lib/ftp.c b/vendor/curl/lib/ftp.c index 0473a8af00..f1a25b23dc 100644 --- a/vendor/curl/lib/ftp.c +++ b/vendor/curl/lib/ftp.c @@ -516,11 +516,9 @@ static CURLcode AllowServerConnect(struct Curl_easy *data, bool *connected) } else { /* Add timeout to multi handle and break out of the loop */ - if(*connected == FALSE) { - Curl_expire(data, data->set.accepttimeout > 0 ? - data->set.accepttimeout: DEFAULT_ACCEPT_TIMEOUT, - EXPIRE_FTP_ACCEPT); - } + Curl_expire(data, data->set.accepttimeout ? + data->set.accepttimeout: DEFAULT_ACCEPT_TIMEOUT, + EXPIRE_FTP_ACCEPT); } return result; 
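Review bot: In AllowServerConnect, replacing `data->set.accepttimeout > 0` with `data->set.accepttimeout ?` changes what a negative value does: before, anything ≤ 0 fell back to DEFAULT_ACCEPT_TIMEOUT, now only 0 does and a negative value reaches `Curl_expire()` as-is. Unless the setopt path for this field rejects negatives (not visible here), keep the comparison: `Curl_expire(data, data->set.accepttimeout > 0 ? data->set.accepttimeout : DEFAULT_ACCEPT_TIMEOUT, EXPIRE_FTP_ACCEPT);`. Removing the `*connected == FALSE` guard appears safe if, as the surrounding `else` suggests, this branch is only reached when the accept has not completed, but the start of the function is outside the hunk so that should be confirmed.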
@@ -2131,9 +2129,11 @@ static CURLcode ftp_state_mdtm_resp(struct Curl_easy *data, default: infof(data, "unsupported MDTM reply format"); break; - case 550: /* "No such file or directory" */ - failf(data, "Given file does not exist"); - result = CURLE_REMOTE_FILE_NOT_FOUND; + case 550: /* 550 is used for several different problems, e.g. + "No such file or directory" or "Permission denied". + It does not mean that the file does not exist at all. */ + infof(data, "MDTM failed: file does not exist or permission problem," + " continuing"); break; } diff --git a/vendor/curl/lib/ftplistparser.c b/vendor/curl/lib/ftplistparser.c index 09476e55f4..40f5f3f189 100644 --- a/vendor/curl/lib/ftplistparser.c +++ b/vendor/curl/lib/ftplistparser.c @@ -422,7 +422,7 @@ size_t Curl_ftp_parselist(char *buffer, size_t size, size_t nmemb, char *endptr = finfo->b_data + 6; /* here we can deal with directory size, pass the leading whitespace and then the digits */ - while(ISSPACE(*endptr)) + while(ISBLANK(*endptr)) endptr++; while(ISDIGIT(*endptr)) endptr++; @@ -894,7 +894,7 @@ size_t Curl_ftp_parselist(char *buffer, size_t size, size_t nmemb, parser->item_length++; switch(parser->state.NT.sub.time) { case PL_WINNT_TIME_PRESPACE: - if(!ISSPACE(c)) { + if(!ISBLANK(c)) { parser->state.NT.sub.time = PL_WINNT_TIME_TIME; } break; diff --git a/vendor/curl/lib/functypes.h b/vendor/curl/lib/functypes.h new file mode 100644 index 0000000000..8891b1d5d6 --- /dev/null +++ b/vendor/curl/lib/functypes.h 
@@ -0,0 +1,115 @@ +#ifndef HEADER_CURL_FUNCTYPES_H +#define HEADER_CURL_FUNCTYPES_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + +#include "curl_setup.h" + +/* defaults: + + ssize_t recv(int, void *, size_t, int); + ssize_t send(int, const void *, size_t, int); + + If other argument or return types are needed: + + 1. For systems that run configure or cmake, the alternatives are provided + here. + 2. For systems with config-*.h files, define them there. 
+*/ + +#ifdef WIN32 +/* int recv(SOCKET, char *, int, int) */ +#define RECV_TYPE_ARG1 SOCKET +#define RECV_TYPE_ARG2 char * +#define RECV_TYPE_ARG3 int +#define RECV_TYPE_RETV int + +/* int send(SOCKET, const char *, int, int); */ +#define SEND_TYPE_ARG1 SOCKET +#define SEND_TYPE_ARG2 char * +#define SEND_TYPE_ARG3 int +#define SEND_TYPE_RETV int + +#elif defined(__AMIGA__) /* Any AmigaOS flavour */ + +/* long recv(long, char *, long, long); */ +#define RECV_TYPE_ARG1 long +#define RECV_TYPE_ARG2 char * +#define RECV_TYPE_ARG3 long +#define RECV_TYPE_ARG4 long +#define RECV_TYPE_RETV long + +/* int send(int, const char *, int, int); */ +#define SEND_TYPE_ARG1 int +#define SEND_TYPE_ARG2 char * +#define SEND_TYPE_ARG3 int +#define SEND_TYPE_RETV int +#endif + + +#ifndef RECV_TYPE_ARG1 +#define RECV_TYPE_ARG1 int +#endif + +#ifndef RECV_TYPE_ARG2 +#define RECV_TYPE_ARG2 void * +#endif + +#ifndef RECV_TYPE_ARG3 +#define RECV_TYPE_ARG3 size_t +#endif + +#ifndef RECV_TYPE_ARG4 +#define RECV_TYPE_ARG4 int +#endif + +#ifndef RECV_TYPE_RETV +#define RECV_TYPE_RETV ssize_t +#endif + +#ifndef SEND_QUAL_ARG2 +#define SEND_QUAL_ARG2 const +#endif + +#ifndef SEND_TYPE_ARG1 +#define SEND_TYPE_ARG1 int +#endif + +#ifndef SEND_TYPE_ARG2 +#define SEND_TYPE_ARG2 void * +#endif + +#ifndef SEND_TYPE_ARG3 +#define SEND_TYPE_ARG3 size_t +#endif + +#ifndef SEND_TYPE_ARG4 +#define SEND_TYPE_ARG4 int +#endif + +#ifndef SEND_TYPE_RETV +#define SEND_TYPE_RETV ssize_t +#endif + +#endif /* HEADER_CURL_FUNCTYPES_H */ diff --git a/vendor/curl/lib/h2h3.c b/vendor/curl/lib/h2h3.c index 5d26bf0f21..50254ad0fa 100644 --- a/vendor/curl/lib/h2h3.c +++ b/vendor/curl/lib/h2h3.c 
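Review bot: The introductory comment documents only the default recv/send signatures and never mentions SEND_QUAL_ARG2, so a reader of the WIN32 branch sees `SEND_TYPE_ARG2 char *` under a comment promising `const char *` and has to find the `#ifndef SEND_QUAL_ARG2` default further down to learn where the qualifier comes from. The platform branches are also uneven: the AmigaOS branch sets RECV_TYPE_ARG4 but not SEND_TYPE_ARG4, and WIN32 sets neither, all silently falling back to `int`. Suggest extending the intro comment with `SEND_QUAL_ARG2 holds the qualifier of send()'s second argument (default 'const'); any *_TYPE_ARG4 or *_RETV a platform block does not set falls back to the defaults at the end of this file.`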
@@ -191,7 +191,7 @@ CURLcode Curl_pseudo_headers(struct Curl_easy *data, vptr = Curl_checkheaders(data, STRCONST(H2H3_PSEUDO_SCHEME)); if(vptr) { vptr += sizeof(H2H3_PSEUDO_SCHEME); - while(*vptr && ISSPACE(*vptr)) + while(*vptr && ISBLANK(*vptr)) vptr++; nva[2].value = vptr; infof(data, "set pseudo header %s to %s", H2H3_PSEUDO_SCHEME, vptr); diff --git a/vendor/curl/lib/headers.c b/vendor/curl/lib/headers.c index d1e0ed7544..978c918f4f 100644 --- a/vendor/curl/lib/headers.c +++ b/vendor/curl/lib/headers.c @@ -207,7 +207,7 @@ static CURLcode namevalue(char *header, size_t hlen, unsigned int type, return CURLE_BAD_FUNCTION_ARGUMENT; /* skip all leading space letters */ - while(*header && ISSPACE(*header)) + while(*header && ISBLANK(*header)) header++; *value = header; @@ -237,7 +237,7 @@ static CURLcode unfold_value(struct Curl_easy *data, const char *value, vlen--; /* save only one leading space */ - while((vlen > 1) && ISSPACE(value[0]) && ISSPACE(value[1])) { + while((vlen > 1) && ISBLANK(value[0]) && ISBLANK(value[1])) { vlen--; value++; } @@ -259,7 +259,7 @@ static CURLcode unfold_value(struct Curl_easy *data, const char *value, /* put the data at the end of the previous data, not the newline */ memcpy(&newhs->value[olen], value, vlen); - newhs->value[olen + vlen] = 0; /* zero terminate at newline */ + newhs->value[olen + vlen] = 0; /* null-terminate at newline */ /* insert this node into the list of headers */ Curl_llist_insert_next(&data->state.httphdrs, data->state.httphdrs.tail, diff --git a/vendor/curl/lib/hostip.c b/vendor/curl/lib/hostip.c index bb94520acf..941ecacf4a 100644 --- a/vendor/curl/lib/hostip.c +++ b/vendor/curl/lib/hostip.c @@ -181,7 +181,7 @@ create_hostcache_id(const char *name, int port, char *ptr, size_t buflen) len = buflen - 7; /* store and lower case the name */ while(len--) - *ptr++ = (char)TOLOWER(*name++); + *ptr++ = Curl_raw_tolower(*name++); msnprintf(ptr, 7, ":%u", port); } 
@@ -297,6 +297,31 @@ static struct Curl_dns_entry *fetch_addr(struct Curl_easy *data, } } + /* See if the returned entry matches the required resolve mode */ + if(dns && data->conn->ip_version != CURL_IPRESOLVE_WHATEVER) { + int pf = PF_INET; + bool found = false; + struct Curl_addrinfo *addr = dns->addr; + +#ifdef PF_INET6 + if(data->conn->ip_version == CURL_IPRESOLVE_V6) + pf = PF_INET6; +#endif + + while(addr) { + if(addr->ai_family == pf) { + found = true; + break; + } + addr = addr->ai_next; + } + + if(!found) { + infof(data, "Hostname in DNS cache doesn't have needed family, zapped"); + dns = NULL; /* the memory deallocation is being handled by the hash */ + Curl_hash_delete(data->dns.hostcache, entry_id, entry_len + 1); + } + } return dns; } @@ -546,7 +571,11 @@ bool Curl_ipv6works(struct Curl_easy *data) have the info kept for fast re-use */ DEBUGASSERT(data); DEBUGASSERT(data->multi); - return data->multi->ipv6_works; + if(data->multi->ipv6_up == IPV6_UNKNOWN) { + bool works = Curl_ipv6works(NULL); + data->multi->ipv6_up = works ? IPV6_WORKS : IPV6_DEAD; + } + return data->multi->ipv6_up == IPV6_WORKS; } else { int ipv6_works = -1; @@ -584,7 +613,7 @@ bool Curl_host_is_ipnum(const char *hostname) } -/* return TRUE if 'part' is a case insentive tail of 'full' */ +/* return TRUE if 'part' is a case insensitive tail of 'full' */ static bool tailmatch(const char *full, const char *part) { size_t plen = strlen(part); diff --git a/vendor/curl/lib/hostip6.c b/vendor/curl/lib/hostip6.c index d9868628c3..c62c254c72 100644 --- a/vendor/curl/lib/hostip6.c +++ b/vendor/curl/lib/hostip6.c 
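Review bot: When the cached entry lacks an address of the requested family it is removed from the hash outright, which also discards the other family's addresses that a later `CURL_IPRESOLVE_WHATEVER` or opposite-family transfer could have reused, forcing a fresh resolve. Whether that is acceptable depends on how often `ip_version` alternates for one host; a comment stating the trade-off would help, e.g. `/* entries are keyed by name:port, not family, so a mismatch evicts the whole entry */`. The `dns = NULL` comment about the hash handling deallocation also relies on no reference having been taken on `dns` before this point; that holds within the hunk, but the caller side is not visible. On a build without PF_INET6 a V6 request keeps `pf = PF_INET` and so accepts IPv4-only entries, which may be intended but is worth a word. fetch_addr's start is outside the hunk.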
@@ -96,8 +96,8 @@ static void dump_addrinfo(struct connectdata *conn, * non-ares version). * * Returns name information about the given hostname and port number. If - * successful, the 'addrinfo' is returned and the forth argument will point to - * memory we need to free after use. That memory *MUST* be freed with + * successful, the 'addrinfo' is returned and the fourth argument will point + * to memory we need to free after use. That memory *MUST* be freed with * Curl_freeaddrinfo(), nothing else. */ struct Curl_addrinfo *Curl_getaddrinfo(struct Curl_easy *data, @@ -117,7 +117,7 @@ struct Curl_addrinfo *Curl_getaddrinfo(struct Curl_easy *data, *waitp = 0; /* synchronous response only */ - if(Curl_ipv6works(data)) + if((data->conn->ip_version != CURL_IPRESOLVE_V4) && Curl_ipv6works(data)) /* The stack seems to be IPv6-enabled */ pf = PF_UNSPEC; diff --git a/vendor/curl/lib/hsts.c b/vendor/curl/lib/hsts.c index 4ba0f30726..e3b686ebfa 100644 --- a/vendor/curl/lib/hsts.c +++ b/vendor/curl/lib/hsts.c @@ -156,7 +156,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, return CURLE_OK; do { - while(*p && ISSPACE(*p)) + while(*p && ISBLANK(*p)) p++; if(Curl_strncasecompare("max-age=", p, 8)) { bool quoted = FALSE; @@ -167,7 +167,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, return CURLE_BAD_FUNCTION_ARGUMENT; p += 8; - while(*p && ISSPACE(*p)) + while(*p && ISBLANK(*p)) p++; if(*p == '\"') { p++; @@ -200,7 +200,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, p++; } - while(*p && ISSPACE(*p)) + while(*p && ISBLANK(*p)) p++; if(*p == ';') p++; diff --git a/vendor/curl/lib/http.c b/vendor/curl/lib/http.c index b0ad28e9c3..f57859e8b0 100644 --- a/vendor/curl/lib/http.c +++ b/vendor/curl/lib/http.c @@ -84,6 +84,7 @@ #include "strdup.h" #include "altsvc.h" #include "hsts.h" +#include "ws.h" #include "c-hyper.h" /* The last 3 #include files should be in this order */ 
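Review bot: Only `CURL_IPRESOLVE_V4` changes the family here; a `CURL_IPRESOLVE_V6` request still resolves with `PF_UNSPEC` when IPv6 works, so IPv4 results are returned and the IPv6-only restriction has to be enforced elsewhere (the family filter added to fetch_addr in hostip.c in this same change looks like that place, but the path between them is not visible). A comment on the condition would make the division of labour explicit, e.g. `/* V4 forces PF_INET; V6 still asks for both families and relies on the cache lookup filtering by family */`. Curl_getaddrinfo continues past the hunk.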
@@ -114,6 +115,10 @@ static int https_getsock(struct Curl_easy *data, #endif static CURLcode http_setup_conn(struct Curl_easy *data, struct connectdata *conn); +#ifdef USE_WEBSOCKETS +static CURLcode ws_setup_conn(struct Curl_easy *data, + struct connectdata *conn); +#endif /* * HTTP handler interface. @@ -142,6 +147,32 @@ const struct Curl_handler Curl_handler_http = { PROTOPT_USERPWDCTRL }; +#ifdef USE_WEBSOCKETS +const struct Curl_handler Curl_handler_ws = { + "WS", /* scheme */ + ws_setup_conn, /* setup_connection */ + Curl_http, /* do_it */ + Curl_http_done, /* done */ + ZERO_NULL, /* do_more */ + Curl_http_connect, /* connect_it */ + ZERO_NULL, /* connecting */ + ZERO_NULL, /* doing */ + ZERO_NULL, /* proto_getsock */ + http_getsock_do, /* doing_getsock */ + ZERO_NULL, /* domore_getsock */ + ZERO_NULL, /* perform_getsock */ + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ + ZERO_NULL, /* attach connection */ + PORT_HTTP, /* defport */ + CURLPROTO_WS, /* protocol */ + CURLPROTO_HTTP, /* family */ + PROTOPT_CREDSPERREQUEST | /* flags */ + PROTOPT_USERPWDCTRL +}; +#endif + #ifdef USE_SSL /* * HTTPS handler interface. 
@@ -166,11 +197,38 @@ const struct Curl_handler Curl_handler_https = { PORT_HTTPS, /* defport */ CURLPROTO_HTTPS, /* protocol */ CURLPROTO_HTTP, /* family */ - PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | PROTOPT_ALPN_NPN | /* flags */ + PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | PROTOPT_ALPN | /* flags */ + PROTOPT_USERPWDCTRL +}; + +#ifdef USE_WEBSOCKETS +const struct Curl_handler Curl_handler_wss = { + "WSS", /* scheme */ + ws_setup_conn, /* setup_connection */ + Curl_http, /* do_it */ + Curl_http_done, /* done */ + ZERO_NULL, /* do_more */ + Curl_http_connect, /* connect_it */ + https_connecting, /* connecting */ + ZERO_NULL, /* doing */ + https_getsock, /* proto_getsock */ + http_getsock_do, /* doing_getsock */ + ZERO_NULL, /* domore_getsock */ + ZERO_NULL, /* perform_getsock */ + ZERO_NULL, /* disconnect */ + ZERO_NULL, /* readwrite */ + ZERO_NULL, /* connection_check */ + ZERO_NULL, /* attach connection */ + PORT_HTTPS, /* defport */ + CURLPROTO_WSS, /* protocol */ + CURLPROTO_HTTP, /* family */ + PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | /* flags */ PROTOPT_USERPWDCTRL }; #endif +#endif + static CURLcode http_setup_conn(struct Curl_easy *data, struct connectdata *conn) { @@ -205,6 +263,16 @@ static CURLcode http_setup_conn(struct Curl_easy *data, return CURLE_OK; } +#ifdef USE_WEBSOCKETS +static CURLcode ws_setup_conn(struct Curl_easy *data, + struct connectdata *conn) +{ + /* websockets is 1.1 only (for now) */ + data->state.httpwant = CURL_HTTP_VERSION_1_1; + return http_setup_conn(data, conn); +} +#endif + #ifndef CURL_DISABLE_PROXY /* * checkProxyHeaders() checks the linked list of custom proxy headers 
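Review bot: ws_setup_conn overwrites `data->state.httpwant` with `CURL_HTTP_VERSION_1_1` unconditionally, so a CURLOPT_HTTP_VERSION value the application set is silently discarded for ws:// and wss:// transfers. That is consistent with the handler table above, where Curl_handler_wss omits PROTOPT_ALPN (presumably so no h2 is negotiated), but neither place says so. Suggest expanding the comment to `/* websockets is 1.1 only (for now): this overrides any CURLOPT_HTTP_VERSION the application set, and Curl_handler_wss deliberately lacks PROTOPT_ALPN for the same reason */`, or emitting an `infof()` when the stored value differed.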
@@ -653,21 +721,6 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) return result; } -/* - * Curl_allow_auth_to_host() tells if authentication, cookies or other - * "sensitive data" can (still) be sent to this host. - */ -bool Curl_allow_auth_to_host(struct Curl_easy *data) -{ - struct connectdata *conn = data->conn; - return (!data->state.this_is_a_follow || - data->set.allow_auth_to_other_hosts || - (data->state.first_host && - strcasecompare(data->state.first_host, conn->host.name) && - (data->state.first_remote_port == conn->remote_port) && - (data->state.first_remote_protocol == conn->handler->protocol))); -} - #ifndef CURL_DISABLE_HTTP_AUTH /* * Output the correct authentication header depending on the auth type @@ -866,7 +919,7 @@ Curl_http_output_auth(struct Curl_easy *data, /* To prevent the user+password to get sent to other than the original host due to a location-follow */ - if(Curl_allow_auth_to_host(data) + if(Curl_auth_allowed_to_host(data) #ifndef CURL_DISABLE_NETRC || conn->bits.netrc #endif @@ -1518,7 +1571,7 @@ CURLcode Curl_http_connect(struct Curl_easy *data, bool *done) } #endif - if(conn->given->protocol & CURLPROTO_HTTPS) { + if(conn->given->flags & PROTOPT_SSL) { /* perform SSL initialization */ result = https_connecting(data, done); if(result) @@ -1643,6 +1696,7 @@ CURLcode Curl_http_done(struct Curl_easy *data, Curl_mime_cleanpart(&http->form); Curl_dyn_reset(&data->state.headerb); Curl_hyper_done(data); + Curl_ws_done(data); if(status) return status; @@ -1919,7 +1973,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, checkprefix("Cookie:", compare)) && /* be careful of sending this potentially sensitive header to other hosts */ - !Curl_allow_auth_to_host(data)) + !Curl_auth_allowed_to_host(data)) ; else { #ifdef USE_HYPER 
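Review bot: `Curl_ws_done(data)` in Curl_http_done is added without an `#ifdef USE_WEBSOCKETS` guard, as is `Curl_ws_request` in the Curl_http hunk (@@ -3256), while the other new websocket calls in this file (the two-way transfer setup in Curl_http_bodysend and the 101 handling in Curl_http_readwrite_headers) are wrapped in `#ifdef USE_WEBSOCKETS`. This only builds in a non-websocket configuration if ws.h supplies no-op definitions for these two names, which is not visible here; if it does, a comment at the first unguarded call, `/* no-op when websockets are disabled, see ws.h */`, keeps the next reader from adding a redundant guard, and if it does not, both calls need the same `#ifdef` as the others. Curl_http_done continues outside the hunk.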
@@ -2151,9 +2205,9 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) [brackets] if the host name is a plain IPv6-address. RFC2732-style. */ const char *host = conn->host.name; - if(((conn->given->protocol&CURLPROTO_HTTPS) && + if(((conn->given->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS)) && (conn->remote_port == PORT_HTTPS)) || - ((conn->given->protocol&CURLPROTO_HTTP) && + ((conn->given->protocol&(CURLPROTO_HTTP|CURLPROTO_WS)) && (conn->remote_port == PORT_HTTP)) ) /* if(HTTPS on port 443) OR (HTTP on port 80) then don't include the port number in the host string */ @@ -2702,6 +2756,13 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, FIRSTSOCKET); if(result) failf(data, "Failed sending HTTP request"); +#ifdef USE_WEBSOCKETS + else if((conn->handler->protocol & (CURLPROTO_WS|CURLPROTO_WSS)) && + !(data->set.connect_only)) + /* Set up the transfer for two-way since without CONNECT_ONLY set, this + request probably wants to send data too post upgrade */ + Curl_setup_transfer(data, FIRSTSOCKET, -1, TRUE, FIRSTSOCKET); +#endif else /* HTTP GET/HEAD download: */ Curl_setup_transfer(data, FIRSTSOCKET, -1, TRUE, -1); @@ -2731,7 +2792,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, const char *host = data->state.aptr.cookiehost ? data->state.aptr.cookiehost : conn->host.name; const bool secure_context = - conn->handler->protocol&CURLPROTO_HTTPS || + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || strcasecompare("localhost", host) || !strcmp(host, "127.0.0.1") || !strcmp(host, "[::1]") ? TRUE : FALSE; @@ -3044,7 +3105,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) if(conn->transport != TRNSPRT_QUIC) { if(conn->httpversion < 20) { /* unless the connection is re-used and already http2 */ - switch(conn->negnpn) { + switch(conn->alpn) { case CURL_HTTP_VERSION_2: conn->httpversion = 20; /* we know we're on HTTP/2 now */ 
@@ -3256,6 +3317,8 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) } result = Curl_http_cookies(data, conn, &req); + if(!result && conn->handler->protocol&(CURLPROTO_WS|CURLPROTO_WSS)) + result = Curl_ws_request(data, &req); if(!result) result = Curl_add_timecondition(data, &req); if(!result) @@ -3520,15 +3583,15 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, else if(checkprefix("Retry-After:", headp)) { /* Retry-After = HTTP-date / delay-seconds */ curl_off_t retry_after = 0; /* zero for unknown or "now" */ - time_t date = Curl_getdate_capped(headp + strlen("Retry-After:")); - if(-1 == date) { - /* not a date, try it as a decimal number */ - (void)curlx_strtoofft(headp + strlen("Retry-After:"), - NULL, 10, &retry_after); + /* Try it as a decimal number, if it works it is not a date */ + (void)curlx_strtoofft(headp + strlen("Retry-After:"), + NULL, 10, &retry_after); + if(!retry_after) { + time_t date = Curl_getdate_capped(headp + strlen("Retry-After:")); + if(-1 != date) + /* convert date to number of seconds into the future */ + retry_after = date - time(NULL); } - else - /* convert date to number of seconds into the future */ - retry_after = date - time(NULL); data->info.retry_after = retry_after; /* store it */ } else if(!k->http_bodyless && checkprefix("Content-Range:", headp)) { @@ -3540,7 +3603,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, The second format was added since Sun's webserver JavaWebServer/1.1.1 obviously sends the header this way! The third added since some servers use that! - The forth means the requested range was unsatisfied. + The fourth means the requested range was unsatisfied. */ char *ptr = headp + strlen("Content-Range:"); 
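Review bot: The added condition `!result && conn->handler->protocol&(CURLPROTO_WS|CURLPROTO_WSS)` parses as intended because `&` binds tighter than `&&`, but the rest of this change parenthesises such tests (`(conn->handler->protocol & (CURLPROTO_WS|CURLPROTO_WSS))` in Curl_http_bodysend); writing `if(!result && (conn->handler->protocol & (CURLPROTO_WS|CURLPROTO_WSS)))` keeps the style uniform and spares the reader a precedence check. Curl_http continues outside the hunk.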
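Review bot: Trying the decimal form first means any Retry-After value that begins with digits is taken as a seconds count, and Curl_getdate_capped is only consulted when the number comes out as zero. The three HTTP-date forms of RFC 7231 all start with a weekday name, so conformant servers are unaffected, but if Curl_getdate_capped is lenient enough to accept day-first dates such as `31 Dec 2022 10:00:00 GMT` (its leniency is not visible here) those now yield 31 seconds where the old order parsed them as dates; a comment recording the assumption, `/* HTTP-dates start with a weekday name, so a leading digit means delay-seconds */`, would document that this is accepted. A literal `Retry-After: 0` now also triggers a redundant date parse that fails and leaves retry_after at 0, which is harmless. Curl_http_header continues past the hunk.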
@@ -3568,7 +3631,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, const char *host = data->state.aptr.cookiehost? data->state.aptr.cookiehost:conn->host.name; const bool secure_context = - conn->handler->protocol&CURLPROTO_HTTPS || + conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || strcasecompare("localhost", host) || !strcmp(host, "127.0.0.1") || !strcmp(host, "[::1]") ? TRUE : FALSE; @@ -3652,7 +3715,14 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, #ifndef CURL_DISABLE_HSTS /* If enabled, the header is incoming and this is over HTTPS */ else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && - (conn->handler->flags & PROTOPT_SSL)) { + ((conn->handler->flags & PROTOPT_SSL) || +#ifdef CURLDEBUG + /* allow debug builds to circumvent the HTTPS restriction */ + getenv("CURL_HSTS_HTTP") +#else + 0 +#endif + )) { CURLcode check = Curl_hsts_parse(data->hsts, data->state.up.hostname, headp + strlen("Strict-Transport-Security:")); @@ -3734,7 +3804,7 @@ CURLcode Curl_http_statusline(struct Curl_easy *data, connclose(conn, "HTTP/1.0 close after body"); } else if(conn->httpversion == 20 || - (k->upgr101 == UPGR101_REQUESTED && k->httpcode == 101)) { + (k->upgr101 == UPGR101_H2 && k->httpcode == 101)) { DEBUGF(infof(data, "HTTP/2 found, allow multiplexing")); /* HTTP/2 cannot avoid multiplexing since it is a core functionality of the protocol */ @@ -3960,9 +4030,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, break; case 101: /* Switching Protocols */ - if(k->upgr101 == UPGR101_REQUESTED) { + if(k->upgr101 == UPGR101_H2) { /* Switching to HTTP/2 */ - infof(data, "Received 101"); + infof(data, "Received 101, Switching to HTTP/2"); k->upgr101 = UPGR101_RECEIVED; /* we'll get more headers (HTTP/2 response) */ 
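Review bot: The `CURLDEBUG` branch in the HSTS gate calls `getenv("CURL_HSTS_HTTP")` on every matching Strict-Transport-Security header and places a preprocessor conditional with a bare `0` filler inside the `if` expression. A small helper, `static bool hsts_allow_http(void)` returning the getenv result under CURLDEBUG and FALSE otherwise, keeps the condition readable as `((conn->handler->flags & PROTOPT_SSL) || hsts_allow_http())`. Since the override lets a plaintext response install HSTS state, the helper's comment should state that it exists for the test suite only and is compiled out of release builds by the CURLDEBUG gate. Curl_http_header continues outside the hunk.
```c
/* test-suite hook: a CURLDEBUG build may accept HSTS over plain HTTP;
   release builds always return FALSE */
static bool hsts_allow_http(void)
{
#ifdef CURLDEBUG
  return getenv("CURL_HSTS_HTTP") ? TRUE : FALSE;
#else
  return FALSE;
#endif
}

/* … unchanged: Curl_http_header up to the HSTS check … */
  else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
          ((conn->handler->flags & PROTOPT_SSL) || hsts_allow_http())) {
```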
@@ -3976,8 +4046,21 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, return result; *nread = 0; } +#ifdef USE_WEBSOCKETS + else if(k->upgr101 == UPGR101_WS) { + /* verify the response */ + result = Curl_ws_accept(data); + if(result) + return result; + k->header = FALSE; /* no more header to parse! */ + if(data->set.connect_only) { + k->keepon &= ~KEEP_RECV; /* read no more content */ + *nread = 0; + } + } +#endif else { - /* Switching to another protocol (e.g. WebSocket) */ + /* Not switching to another protocol */ k->header = FALSE; /* no more header to parse! */ } break; @@ -4070,6 +4153,16 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, return CURLE_HTTP_RETURNED_ERROR; } +#ifdef USE_WEBSOCKETS + /* All non-101 HTTP status codes are bad when wanting to upgrade to + websockets */ + if(data->req.upgr101 == UPGR101_WS) { + failf(data, "Refused WebSockets upgrade: %d", k->httpcode); + return CURLE_HTTP_RETURNED_ERROR; + } +#endif + + data->req.deductheadercount = (100 <= k->httpcode && 199 >= k->httpcode)?data->req.headerbytecount:0; diff --git a/vendor/curl/lib/http.h b/vendor/curl/lib/http.h index 2ac287eca8..f7cbb34244 100644 --- a/vendor/curl/lib/http.h +++ b/vendor/curl/lib/http.h @@ -24,6 +24,7 @@ * ***************************************************************************/ #include "curl_setup.h" +#include "ws.h" typedef enum { HTTPREQ_GET, @@ -50,6 +51,15 @@ extern const struct Curl_handler Curl_handler_http; extern const struct Curl_handler Curl_handler_https; #endif +#ifdef USE_WEBSOCKETS +extern const struct Curl_handler Curl_handler_ws; + +#ifdef USE_SSL +extern const struct Curl_handler Curl_handler_wss; +#endif +#endif /* websockets */ + + /* Header specific functions */ bool Curl_compareheader(const char *headerline, /* line to check */ const char *header, /* header keyword _with_ colon */ 
@@ -218,6 +228,10 @@ struct HTTP { HTTPSEND_BODY /* sending body */ } sending; +#ifdef USE_WEBSOCKETS + struct websocket ws; +#endif + #ifndef CURL_DISABLE_HTTP struct dynbuf send_buffer; /* used if the request couldn't be sent in one chunk, points to an allocated send_buffer @@ -367,10 +381,4 @@ Curl_http_output_auth(struct Curl_easy *data, bool proxytunnel); /* TRUE if this is the request setting up the proxy tunnel */ -/* - * Curl_allow_auth_to_host() tells if authentication, cookies or other - * "sensitive data" can (still) be sent to this host. - */ -bool Curl_allow_auth_to_host(struct Curl_easy *data); - #endif /* HEADER_CURL_HTTP_H */ diff --git a/vendor/curl/lib/http2.c b/vendor/curl/lib/http2.c index f6364d0e02..b7409b027d 100644 --- a/vendor/curl/lib/http2.c +++ b/vendor/curl/lib/http2.c @@ -1277,6 +1277,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) } } +static int client_new(struct connectdata *conn, + nghttp2_session_callbacks *callbacks) +{ +#if NGHTTP2_VERSION_NUM < 0x013200 + /* before 1.50.0 */ + return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); +#else + nghttp2_option *o; + int rc = nghttp2_option_new(&o); + if(rc) + return rc; + /* turn off RFC 9113 leading and trailing white spaces validation against + HTTP field value. */ + nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1); + rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn, + o); + nghttp2_option_del(o); + return rc; +#endif +} + /* * Initialize nghttp2 for a Curl connection */ @@ -1317,7 +1338,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn) nghttp2_session_callbacks_set_error_callback(callbacks, error_callback); /* The nghttp2 session is not yet setup, do it */ - rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); + rc = client_new(conn, callbacks); nghttp2_session_callbacks_del(callbacks); 
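Review bot: The comment on `nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1)` says what is disabled but not why; since this switches off a validation that nghttp2 1.50.0 enables by default, the reason (presumably interoperability with servers that still send field values with surrounding whitespace) should be recorded so the call is not later mistaken for an oversight, e.g. `/* nghttp2 >= 1.50.0 rejects field values with leading/trailing whitespace per RFC 9113; keep accepting them for compatibility with servers that still send them */`. The `0x013200` threshold is correct for 1.50.0 but a reader has to decode it, and `/* before 1.50.0 */` annotates only the first branch, so the `#else` side could carry the mirror comment. `nghttp2_option_del(o)` immediately after `client_new2` is fine as I understand the nghttp2 contract (the session copies the options), but a three-word comment saying so would save the next reviewer the lookup.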
@@ -1371,7 +1392,7 @@ CURLcode Curl_http2_request_upgrade(struct dynbuf *req, NGHTTP2_CLEARTEXT_PROTO_VERSION_ID, base64); free(base64); - k->upgr101 = UPGR101_REQUESTED; + k->upgr101 = UPGR101_H2; return result; } diff --git a/vendor/curl/lib/http_aws_sigv4.c b/vendor/curl/lib/http_aws_sigv4.c index d144fb817a..440eb385f8 100644 --- a/vendor/curl/lib/http_aws_sigv4.c +++ b/vendor/curl/lib/http_aws_sigv4.c @@ -44,6 +44,8 @@ #include "curl_memory.h" #include "memdebug.h" +#include "slist.h" + #define HMAC_SHA256(k, kl, d, dl, o) \ do { \ ret = Curl_hmacit(Curl_HMAC_SHA256, \ 
@@ -51,49 +53,241 @@ (unsigned int)kl, \ (unsigned char *)d, \ (unsigned int)dl, o); \ - if(ret != CURLE_OK) { \ + if(ret) { \ goto fail; \ } \ } while(0) +#define TIMESTAMP_SIZE 17 + static void sha256_to_hex(char *dst, unsigned char *sha, size_t dst_l) { int i; DEBUGASSERT(dst_l >= 65); for(i = 0; i < 32; ++i) { - curl_msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]); + msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]); + } +} + +static char *find_date_hdr(struct Curl_easy *data, const char *sig_hdr) +{ + char *tmp = Curl_checkheaders(data, sig_hdr, strlen(sig_hdr)); + + if(tmp) + return tmp; + return Curl_checkheaders(data, STRCONST("Date")); +} + +/* remove whitespace, and lowercase all headers */ +static void trim_headers(struct curl_slist *head) +{ + struct curl_slist *l; + for(l = head; l; l = l->next) { + char *value; /* to read from */ + char *store; + size_t colon = strcspn(l->data, ":"); + Curl_strntolower(l->data, l->data, colon); + + value = &l->data[colon]; + if(!*value) + continue; + ++value; + store = value; + + /* skip leading whitespace */ + while(*value && ISBLANK(*value)) + value++; + + while(*value) { + int space = 0; + while(*value && ISBLANK(*value)) { + value++; + space++; + } + if(space) { + /* replace any number of consecutive whitespace with a single space, + unless at the end of the string, then nothing */ + if(*value) + *store++ = ' '; + } + else + *store++ = *value++; + } + *store = 0; /* null terminate */ } } +/* maximum lenth for the aws sivg4 parts */ +#define MAX_SIGV4_LEN 64 +#define MAX_SIGV4_LEN_TXT "64" + +#define DATE_HDR_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Date")) + +#define MAX_HOST_LEN 255 +/* FQDN + host: */ +#define FULL_HOST_LEN (MAX_HOST_LEN + sizeof("host:")) + +/* string been x-PROVIDER-date:TIMESTAMP, I need +1 for ':' */ +#define DATE_FULL_HDR_LEN (DATE_HDR_KEY_LEN + TIMESTAMP_SIZE + 1) + +/* timestamp should point to a buffer of at last TIMESTAMP_SIZE bytes */ +static CURLcode make_headers(struct 
Curl_easy *data, + const char *hostname, + char *timestamp, + char *provider1, + char **date_header, + struct dynbuf *canonical_headers, + struct dynbuf *signed_headers) +{ + char date_hdr_key[DATE_HDR_KEY_LEN]; + char date_full_hdr[DATE_FULL_HDR_LEN]; + struct curl_slist *head = NULL; + struct curl_slist *tmp_head = NULL; + CURLcode ret = CURLE_OUT_OF_MEMORY; + struct curl_slist *l; + int again = 1; + + /* provider1 mid */ + Curl_strntolower(provider1, provider1, strlen(provider1)); + provider1[0] = Curl_raw_toupper(provider1[0]); + + msnprintf(date_hdr_key, DATE_HDR_KEY_LEN, "X-%s-Date", provider1); + + /* provider1 lowercase */ + Curl_strntolower(provider1, provider1, 1); /* first byte only */ + msnprintf(date_full_hdr, DATE_FULL_HDR_LEN, + "x-%s-date:%s", provider1, timestamp); + + if(Curl_checkheaders(data, STRCONST("Host"))) { + head = NULL; + } + else { + char full_host[FULL_HOST_LEN + 1]; + + if(data->state.aptr.host) { + size_t pos; + + if(strlen(data->state.aptr.host) > FULL_HOST_LEN) { + ret = CURLE_URL_MALFORMAT; + goto fail; + } + strcpy(full_host, data->state.aptr.host); + /* remove /r/n as the separator for canonical request must be '\n' */ + pos = strcspn(full_host, "\n\r"); + full_host[pos] = 0; + } + else { + if(strlen(hostname) > MAX_HOST_LEN) { + ret = CURLE_URL_MALFORMAT; + goto fail; + } + msnprintf(full_host, FULL_HOST_LEN, "host:%s", hostname); + } + + head = curl_slist_append(NULL, full_host); + if(!head) + goto fail; + } + + + for(l = data->set.headers; l; l = l->next) { + tmp_head = curl_slist_append(head, l->data); + if(!tmp_head) + goto fail; + head = tmp_head; + } + + trim_headers(head); + + *date_header = find_date_hdr(data, date_hdr_key); + if(!*date_header) { + tmp_head = curl_slist_append(head, date_full_hdr); + if(!tmp_head) + goto fail; + head = tmp_head; + *date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp); + } + else { + char *value; + + *date_header = strdup(*date_header); + if(!*date_header) + goto fail; + + 
value = strchr(*date_header, ':'); + if(!value) + goto fail; + ++value; + while(ISBLANK(*value)) + ++value; + strncpy(timestamp, value, TIMESTAMP_SIZE - 1); + timestamp[TIMESTAMP_SIZE - 1] = 0; + } + + /* alpha-sort in a case sensitive manner */ + do { + again = 0; + for(l = head; l; l = l->next) { + struct curl_slist *next = l->next; + + if(next && strcmp(l->data, next->data) > 0) { + char *tmp = l->data; + + l->data = next->data; + next->data = tmp; + again = 1; + } + } + } while(again); + + for(l = head; l; l = l->next) { + char *tmp; + + if(Curl_dyn_add(canonical_headers, l->data)) + goto fail; + if(Curl_dyn_add(canonical_headers, "\n")) + goto fail; + + tmp = strchr(l->data, ':'); + if(tmp) + *tmp = 0; + + if(l != head) { + if(Curl_dyn_add(signed_headers, ";")) + goto fail; + } + if(Curl_dyn_add(signed_headers, l->data)) + goto fail; + } + + ret = CURLE_OK; +fail: + curl_slist_free_all(head); + + return ret; +} + CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) { CURLcode ret = CURLE_OUT_OF_MEMORY; struct connectdata *conn = data->conn; size_t len; - const char *tmp0; - const char *tmp1; - char *provider0_low = NULL; - char *provider0_up = NULL; - char *provider1_low = NULL; - char *provider1_mid = NULL; - char *region = NULL; - char *service = NULL; + const char *arg; + char provider0[MAX_SIGV4_LEN + 1]=""; + char provider1[MAX_SIGV4_LEN + 1]=""; + char region[MAX_SIGV4_LEN + 1]=""; + char service[MAX_SIGV4_LEN + 1]=""; const char *hostname = conn->host.name; -#ifdef DEBUGBUILD - char *force_timestamp; -#endif time_t clock; struct tm tm; - char timestamp[17]; + char timestamp[TIMESTAMP_SIZE]; char date[9]; - const char *content_type = Curl_checkheaders(data, STRCONST("Content-Type")); - char *canonical_headers = NULL; - char *signed_headers = NULL; - Curl_HttpReq httpreq; - const char *method; - size_t post_data_len; - const char *post_data = data->set.postfields ? 
data->set.postfields : ""; + struct dynbuf canonical_headers; + struct dynbuf signed_headers; + char *date_header = NULL; + const char *post_data = data->set.postfields; + size_t post_data_len = 0; unsigned char sha_hash[32]; char sha_hex[65]; char *canonical_request = NULL; @@ -101,10 +295,9 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) char *credential_scope = NULL; char *str_to_sign = NULL; const char *user = data->state.aptr.user ? data->state.aptr.user : ""; - const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : ""; char *secret = NULL; - unsigned char tmp_sign0[32] = {0}; - unsigned char tmp_sign1[32] = {0}; + unsigned char sign0[32] = {0}; + unsigned char sign1[32] = {0}; char *auth_headers = NULL; DEBUGASSERT(!proxy); @@ -115,6 +308,10 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) return CURLE_OK; } + /* we init thoses buffers here, so goto fail will free initialized dynbuf */ + Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER); + Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER); + /* * Parameters parsing * Google and Outscale use the same OSC or GOOG, 
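Review bot: In make_headers the result of `*date_header = curl_maprintf("%s: %s", date_hdr_key, timestamp);` is never checked, yet the function goes on to the sort, the dynbuf appends and `ret = CURLE_OK`, so an allocation failure there returns success with `*date_header == NULL` unless the caller re-checks it (the caller side is outside the hunk); add `if(!*date_header) goto fail;` right after it, mirroring the strdup branch. The find_date_hdr fallback to a user-supplied `Date` header is copied into `timestamp` as its first `TIMESTAMP_SIZE - 1` bytes without checking the `YYYYMMDDTHHMMSSZ` form, so an RFC 7231 date there produces a nonsense timestamp for whatever later derives `date` and the credential scope from it; either validate the 16 characters (digits, 'T', 'Z') or document in a comment that a `Date:` override must already be in the sigv4 form. make_headers also lowercases the caller's `provider1` buffer in place and leaves it that way, a side effect worth a line in its header comment.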
@@ -122,223 +319,154 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) * AWS is the default because most of non-amazon providers * are still using aws:amz as a prefix. */ - tmp0 = data->set.str[STRING_AWS_SIGV4] ? + arg = data->set.str[STRING_AWS_SIGV4] ? data->set.str[STRING_AWS_SIGV4] : "aws:amz"; - tmp1 = strchr(tmp0, ':'); - len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0); - if(len < 1) { - infof(data, "first provider can't be empty"); + + /* provider1[:provider2[:region[:service]]] + + No string can be longer than N bytes of non-whitespace + */ + (void)sscanf(arg, "%" MAX_SIGV4_LEN_TXT "[^:]" + ":%" MAX_SIGV4_LEN_TXT "[^:]" + ":%" MAX_SIGV4_LEN_TXT "[^:]" + ":%" MAX_SIGV4_LEN_TXT "s", + provider0, provider1, region, service); + if(!provider0[0]) { + failf(data, "first provider can't be empty"); ret = CURLE_BAD_FUNCTION_ARGUMENT; goto fail; } - provider0_low = malloc(len + 1); - provider0_up = malloc(len + 1); - if(!provider0_low || !provider0_up) { - goto fail; - } - Curl_strntolower(provider0_low, tmp0, len); - provider0_low[len] = '\0'; - Curl_strntoupper(provider0_up, tmp0, len); - provider0_up[len] = '\0'; - - if(tmp1) { - tmp0 = tmp1 + 1; - tmp1 = strchr(tmp0, ':'); - len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0); - if(len < 1) { - infof(data, "second provider can't be empty"); - ret = CURLE_BAD_FUNCTION_ARGUMENT; - goto fail; - } - provider1_low = malloc(len + 1); - provider1_mid = malloc(len + 1); - if(!provider1_low || !provider1_mid) { - goto fail; - } - Curl_strntolower(provider1_low, tmp0, len); - provider1_low[len] = '\0'; - Curl_strntolower(provider1_mid, tmp0, len); - provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]); - provider1_mid[len] = '\0'; - - if(tmp1) { - tmp0 = tmp1 + 1; - tmp1 = strchr(tmp0, ':'); - len = tmp1 ? 
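Review bot: The comment on the two added Curl_dyn_init lines has a typo ("thoses") and does not say why the init sits after the early return; suggest `/* init these dynbufs here so that every goto fail below can free them unconditionally */`. Curl_output_aws_sigv4's body continues outside this hunk.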
(size_t)(tmp1 - tmp0) : strlen(tmp0); - if(len < 1) { - infof(data, "region can't be empty"); - ret = CURLE_BAD_FUNCTION_ARGUMENT; - goto fail; - } - region = Curl_memdup(tmp0, len + 1); - if(!region) { - goto fail; - } - region[len] = '\0'; - - if(tmp1) { - tmp0 = tmp1 + 1; - service = strdup(tmp0); - if(!service) { - goto fail; - } - if(strlen(service) < 1) { - infof(data, "service can't be empty"); - ret = CURLE_BAD_FUNCTION_ARGUMENT; - goto fail; - } - } - } - } - else { - provider1_low = Curl_memdup(provider0_low, len + 1); - provider1_mid = Curl_memdup(provider0_low, len + 1); - if(!provider1_low || !provider1_mid) { - goto fail; - } - provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]); - } + else if(!provider1[0]) + strcpy(provider1, provider0); - if(!service) { - tmp0 = hostname; - tmp1 = strchr(tmp0, '.'); - if(!tmp1) { - infof(data, "service missing in parameters or hostname"); + if(!service[0]) { + char *hostdot = strchr(hostname, '.'); + if(!hostdot) { + failf(data, "service missing in parameters and hostname"); ret = CURLE_URL_MALFORMAT; goto fail; } - len = tmp1 - tmp0; - service = Curl_memdup(tmp0, len + 1); - if(!service) { + len = hostdot - hostname; + if(len > MAX_SIGV4_LEN) { + failf(data, "service too long in hostname"); + ret = CURLE_URL_MALFORMAT; goto fail; } + strncpy(service, hostname, len); service[len] = '\0'; - if(!region) { - tmp0 = tmp1 + 1; - tmp1 = strchr(tmp0, '.'); - if(!tmp1) { - infof(data, "region missing in parameters or hostname"); + if(!region[0]) { + const char *reg = hostdot + 1; + const char *hostreg = strchr(reg, '.'); + if(!hostreg) { + failf(data, "region missing in parameters and hostname"); ret = CURLE_URL_MALFORMAT; goto fail; } - len = tmp1 - tmp0; - region = Curl_memdup(tmp0, len + 1); - if(!region) { + len = hostreg - reg; + if(len > MAX_SIGV4_LEN) { + failf(data, "region too long in hostname"); + ret = CURLE_URL_MALFORMAT; goto fail; } + strncpy(region, reg, len); region[len] = '\0'; } } #ifdef DEBUGBUILD - 
force_timestamp = getenv("CURL_FORCETIME"); - if(force_timestamp) - clock = 0; - else - time(&clock); + { + char *force_timestamp = getenv("CURL_FORCETIME"); + if(force_timestamp) + clock = 0; + else + time(&clock); + } #else time(&clock); #endif ret = Curl_gmtime(clock, &tm); - if(ret != CURLE_OK) { + if(ret) { goto fail; } if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) { + ret = CURLE_OUT_OF_MEMORY; goto fail; } + + ret = make_headers(data, hostname, timestamp, provider1, + &date_header, &canonical_headers, &signed_headers); + if(ret) + goto fail; + ret = CURLE_OUT_OF_MEMORY; + memcpy(date, timestamp, sizeof(date)); date[sizeof(date) - 1] = 0; - if(content_type) { - content_type = strchr(content_type, ':'); - if(!content_type) { - ret = CURLE_FAILED_INIT; - goto fail; - } - content_type++; - /* Skip whitespace now */ - while(*content_type == ' ' || *content_type == '\t') - ++content_type; - - canonical_headers = curl_maprintf("content-type:%s\n" - "host:%s\n" - "x-%s-date:%s\n", - content_type, - hostname, - provider1_low, timestamp); - signed_headers = curl_maprintf("content-type;host;x-%s-date", - provider1_low); - } - else { - canonical_headers = curl_maprintf("host:%s\n" - "x-%s-date:%s\n", - hostname, - provider1_low, timestamp); - signed_headers = curl_maprintf("host;x-%s-date", provider1_low); - } - - if(!canonical_headers || !signed_headers) { - goto fail; + if(post_data) { + if(data->set.postfieldsize < 0) + post_data_len = strlen(post_data); + else + post_data_len = (size_t)data->set.postfieldsize; } - - if(data->set.postfieldsize < 0) - post_data_len = strlen(post_data); - else - post_data_len = (size_t)data->set.postfieldsize; if(Curl_sha256it(sha_hash, (const unsigned char *) post_data, - post_data_len)) { + post_data_len)) goto fail; - } sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex)); - Curl_http_method(data, conn, &method, &httpreq); - - canonical_request = - curl_maprintf("%s\n" /* HTTPRequestMethod */ - "%s\n" /* 
CanonicalURI */ - "%s\n" /* CanonicalQueryString */ - "%s\n" /* CanonicalHeaders */ - "%s\n" /* SignedHeaders */ - "%s", /* HashedRequestPayload in hex */ - method, - data->state.up.path, - data->state.up.query ? data->state.up.query : "", - canonical_headers, - signed_headers, - sha_hex); - if(!canonical_request) { - goto fail; + { + Curl_HttpReq httpreq; + const char *method; + + Curl_http_method(data, conn, &method, &httpreq); + + canonical_request = + curl_maprintf("%s\n" /* HTTPRequestMethod */ + "%s\n" /* CanonicalURI */ + "%s\n" /* CanonicalQueryString */ + "%s\n" /* CanonicalHeaders */ + "%s\n" /* SignedHeaders */ + "%s", /* HashedRequestPayload in hex */ + method, + data->state.up.path, + data->state.up.query ? data->state.up.query : "", + Curl_dyn_ptr(&canonical_headers), + Curl_dyn_ptr(&signed_headers), + sha_hex); + if(!canonical_request) + goto fail; } - request_type = curl_maprintf("%s4_request", provider0_low); - if(!request_type) { + /* provider 0 lowercase */ + Curl_strntolower(provider0, provider0, strlen(provider0)); + request_type = curl_maprintf("%s4_request", provider0); + if(!request_type) goto fail; - } credential_scope = curl_maprintf("%s/%s/%s/%s", date, region, service, request_type); - if(!credential_scope) { + if(!credential_scope) goto fail; - } if(Curl_sha256it(sha_hash, (unsigned char *) canonical_request, - strlen(canonical_request))) { + strlen(canonical_request))) goto fail; - } sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex)); + /* provider 0 uppercase */ + Curl_strntoupper(provider0, provider0, strlen(provider0)); + /* - * Google allow to use rsa key instead of HMAC, so this code might change - * In the future, but for now we support only HMAC version + * Google allows using RSA key instead of HMAC, so this code might change + * in the future. For now we ony support HMAC. 
*/ str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */ "%s\n" /* RequestDateTime */ "%s\n" /* CredentialScope */ "%s", /* HashedCanonicalRequest in hex */ - provider0_up, + provider0, timestamp, credential_scope, sha_hex); @@ -346,36 +474,33 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) goto fail; } - secret = curl_maprintf("%s4%s", provider0_up, passwd); - if(!secret) { + /* provider 0 uppercase */ + secret = curl_maprintf("%s4%s", provider0, + data->state.aptr.passwd ? + data->state.aptr.passwd : ""); + if(!secret) goto fail; - } - HMAC_SHA256(secret, strlen(secret), - date, strlen(date), tmp_sign0); - HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0), - region, strlen(region), tmp_sign1); - HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1), - service, strlen(service), tmp_sign0); - HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0), - request_type, strlen(request_type), tmp_sign1); - HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1), - str_to_sign, strlen(str_to_sign), tmp_sign0); + HMAC_SHA256(secret, strlen(secret), date, strlen(date), sign0); + HMAC_SHA256(sign0, sizeof(sign0), region, strlen(region), sign1); + HMAC_SHA256(sign1, sizeof(sign1), service, strlen(service), sign0); + HMAC_SHA256(sign0, sizeof(sign0), request_type, strlen(request_type), sign1); + HMAC_SHA256(sign1, sizeof(sign1), str_to_sign, strlen(str_to_sign), sign0); - sha256_to_hex(sha_hex, tmp_sign0, sizeof(sha_hex)); + sha256_to_hex(sha_hex, sign0, sizeof(sha_hex)); + /* provider 0 uppercase */ auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 " "Credential=%s/%s, " "SignedHeaders=%s, " "Signature=%s\r\n" - "X-%s-Date: %s\r\n", - provider0_up, + "%s\r\n", + provider0, user, credential_scope, - signed_headers, + Curl_dyn_ptr(&signed_headers), sha_hex, - provider1_mid, - timestamp); + date_header); if(!auth_headers) { goto fail; } 
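Review bot: The sscanf-based parsing silently changes what an empty middle field means: for an input such as `aws:amz::s3` the `%[^:]` conversion cannot match an empty region, so scanning stops there, region and service both stay empty, and the code then derives them from the hostname instead of failing with CURLE_BAD_FUNCTION_ARGUMENT as the removed "region can't be empty"/"service can't be empty" branches did. If that fallback is intended, the `provider1[:provider2[:region[:service]]]` comment should say so; otherwise compare the sscanf return count with the number of colons in `arg`. The same comment's "non-whitespace" claim only holds for the final `%s` conversion; the three `[^:]` conversions accept blanks, so `aws: amz` keeps the leading space in provider1. Note also that provider0 is case-converted in place twice (lower for request_type, upper for str_to_sign), so its case depends on position in the function; the function continues in later hunks.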
@@ -386,19 +511,14 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) ret = CURLE_OK; fail: - free(provider0_low); - free(provider0_up); - free(provider1_low); - free(provider1_mid); - free(region); - free(service); - free(canonical_headers); - free(signed_headers); + Curl_dyn_free(&canonical_headers); + Curl_dyn_free(&signed_headers); free(canonical_request); free(request_type); free(credential_scope); free(str_to_sign); free(secret); + free(date_header); return ret; } diff --git a/vendor/curl/lib/http_chunks.c b/vendor/curl/lib/http_chunks.c index 290dbe8faa..0b836851ac 100644 --- a/vendor/curl/lib/http_chunks.c +++ b/vendor/curl/lib/http_chunks.c @@ -125,7 +125,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, while(length) { switch(ch->state) { case CHUNK_HEX: - if(isxdigit_ascii(*datap)) { + if(ISXDIGIT(*datap)) { if(ch->hexindex < CHUNK_MAXNUM_LEN) { ch->hexbuffer[ch->hexindex] = *datap; datap++; diff --git a/vendor/curl/lib/http_digest.c b/vendor/curl/lib/http_digest.c index c2472e103b..a71c6b7cfb 100644 --- a/vendor/curl/lib/http_digest.c +++ b/vendor/curl/lib/http_digest.c @@ -58,11 +58,11 @@ CURLcode Curl_input_digest(struct Curl_easy *data, digest = &data->state.digest; } - if(!checkprefix("Digest", header) || !ISSPACE(header[6])) + if(!checkprefix("Digest", header) || !ISBLANK(header[6])) return CURLE_BAD_CONTENT_ENCODING; header += strlen("Digest"); - while(*header && ISSPACE(*header)) + while(*header && ISBLANK(*header)) header++; return Curl_auth_decode_digest_http_message(header, digest); diff --git a/vendor/curl/lib/http_negotiate.c b/vendor/curl/lib/http_negotiate.c index 0ac4ead097..5909f85b0d 100644 --- a/vendor/curl/lib/http_negotiate.c +++ b/vendor/curl/lib/http_negotiate.c 
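Review bot: `secret` concatenates the provider tag with the raw secret key from `data->state.aptr.passwd`, and `sign0`/`sign1` hold the derived signing keys, yet none of them is cleared: `secret` goes to a plain `free(secret)` in the cleanup hunk and the two stack arrays are simply left behind when the function returns. Clearing them once the signature is produced limits how long key material stays in process memory, e.g. `memset(sign0, 0, sizeof(sign0)); memset(sign1, 0, sizeof(sign1));` right after the final `sha256_to_hex`, plus a clear of `secret` before its free. A plain memset immediately before free() or return may be optimized away, so use whichever volatile-safe clearing routine the project provides, if any; I cannot see one from these hunks.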
@@ -84,7 +84,7 @@ CURLcode Curl_input_negotiate(struct Curl_easy *data, struct connectdata *conn, /* Obtain the input token, if any */ header += strlen("Negotiate"); - while(*header && ISSPACE(*header)) + while(*header && ISBLANK(*header)) header++; len = strlen(header); diff --git a/vendor/curl/lib/http_ntlm.c b/vendor/curl/lib/http_ntlm.c index a1f0f20cbb..5a6a977905 100644 --- a/vendor/curl/lib/http_ntlm.c +++ b/vendor/curl/lib/http_ntlm.c @@ -29,7 +29,7 @@ /* * NTLM details: * - * https://davenport.sourceforge.io/ntlm.html + * https://davenport.sourceforge.net/ntlm.html * https://www.innovation.ch/java/ntlm.html */ diff --git a/vendor/curl/lib/http_proxy.c b/vendor/curl/lib/http_proxy.c index 1f87f6c62a..cc20b3a801 100644 --- a/vendor/curl/lib/http_proxy.c +++ b/vendor/curl/lib/http_proxy.c @@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data) Curl_dyn_free(&s->rcvbuf); Curl_dyn_free(&s->req); - /* restore the protocol pointer, if not already done */ - if(s->prot_save) - data->req.p.http = s->prot_save; - s->prot_save = NULL; + /* restore the protocol pointer */ + data->req.p.http = s->prot_save; data->info.httpcode = 0; /* clear it as it might've been used for the proxy */ data->req.ignorebody = FALSE; diff --git a/vendor/curl/lib/idn_win32.c b/vendor/curl/lib/idn_win32.c index dacba01d7a..2433d927ee 100644 --- a/vendor/curl/lib/idn_win32.c +++ b/vendor/curl/lib/idn_win32.c @@ -67,10 +67,10 @@ WINBASEAPI int WINAPI IdnToUnicode(DWORD dwFlags, #define IDN_MAX_LENGTH 255 -bool curl_win32_idn_to_ascii(const char *in, char **out); -bool curl_win32_ascii_to_idn(const char *in, char **out); +bool Curl_win32_idn_to_ascii(const char *in, char **out); +bool Curl_win32_ascii_to_idn(const char *in, char **out); -bool curl_win32_idn_to_ascii(const char *in, char **out) +bool Curl_win32_idn_to_ascii(const char *in, char **out) { bool success = FALSE; 
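Review bot: In the http_proxy.c hunk, `data->req.p.http = s->prot_save;` now restores unconditionally and no longer resets `prot_save`, so if Curl_connect_done can run on a state where the pointer was never saved, a live `p.http` would be overwritten with NULL. The saving side is outside this hunk; if the save is guaranteed to precede every call, a `DEBUGASSERT(s->prot_save)` or a comment stating that invariant next to the assignment would make the reason for dropping the guard explicit. Curl_connect_done's body starts outside the hunk.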
@@ -93,7 +93,7 @@ bool curl_win32_idn_to_ascii(const char *in, char **out) return success; } -bool curl_win32_ascii_to_idn(const char *in, char **out) +bool Curl_win32_ascii_to_idn(const char *in, char **out) { bool success = FALSE; diff --git a/vendor/curl/lib/imap.c b/vendor/curl/lib/imap.c index 12ee2a47eb..ffa08bf7a4 100644 --- a/vendor/curl/lib/imap.c +++ b/vendor/curl/lib/imap.c @@ -1886,8 +1886,8 @@ static char *imap_atom(const char *str, bool escape_only) */ static bool imap_is_bchar(char ch) { - /* Peforming the alnum check with this macro is faster because of ASCII - artihmetic */ + /* Performing the alnum check with this macro is faster because of ASCII + arithmetic */ if(ISALNUM(ch)) return true; diff --git a/vendor/curl/lib/memdebug.h b/vendor/curl/lib/memdebug.h index 7a99e9c58a..7fc90e83a0 100644 --- a/vendor/curl/lib/memdebug.h +++ b/vendor/curl/lib/memdebug.h @@ -30,6 +30,9 @@ * as well as the library. Do not mix with library internals! */ +#include +#include "functypes.h" + #if defined(__GNUC__) && __GNUC__ >= 3 # define ALLOC_FUNC __attribute__((malloc)) # define ALLOC_SIZE(s) __attribute__((alloc_size(s))) diff --git a/vendor/curl/lib/mime.c b/vendor/curl/lib/mime.c index 11e614dc32..042141fc80 100644 --- a/vendor/curl/lib/mime.c +++ b/vendor/curl/lib/mime.c @@ -31,8 +31,9 @@ #include "urldata.h" #include "sendf.h" -#if (!defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_MIME)) || \ - !defined(CURL_DISABLE_SMTP) || !defined(CURL_DISABLE_IMAP) +#if !defined(CURL_DISABLE_MIME) && (!defined(CURL_DISABLE_HTTP) || \ + !defined(CURL_DISABLE_SMTP) || \ + !defined(CURL_DISABLE_IMAP)) #if defined(HAVE_LIBGEN_H) && defined(HAVE_BASENAME) #include 
@@ -1924,8 +1925,8 @@ void Curl_mime_unpause(curl_mimepart *part) } -#else /* !CURL_DISABLE_HTTP && !CURL_DISABLE_MIME || - !CURL_DISABLE_SMTP || !CURL_DISABLE_IMAP */ +#else /* !CURL_DISABLE_MIME && (!CURL_DISABLE_HTTP || + !CURL_DISABLE_SMTP || !CURL_DISABLE_IMAP) */ /* Mime not compiled in: define stubs for externally-referenced functions. */ curl_mime *curl_mime_init(CURL *easy) diff --git a/vendor/curl/lib/mime.h b/vendor/curl/lib/mime.h index fe1a61c060..bafde29f40 100644 --- a/vendor/curl/lib/mime.h +++ b/vendor/curl/lib/mime.h @@ -134,8 +134,9 @@ struct curl_mimepart { CURLcode Curl_mime_add_header(struct curl_slist **slp, const char *fmt, ...); -#if (!defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_MIME)) || \ - !defined(CURL_DISABLE_SMTP) || !defined(CURL_DISABLE_IMAP) +#if !defined(CURL_DISABLE_MIME) && (!defined(CURL_DISABLE_HTTP) || \ + !defined(CURL_DISABLE_SMTP) || \ + !defined(CURL_DISABLE_IMAP)) /* Prototypes. */ void Curl_mime_initpart(struct curl_mimepart *part, struct Curl_easy *easy); diff --git a/vendor/curl/lib/mprintf.c b/vendor/curl/lib/mprintf.c index 30347de250..8a7c17a7ff 100644 --- a/vendor/curl/lib/mprintf.c +++ b/vendor/curl/lib/mprintf.c @@ -318,6 +318,11 @@ static int dprintf_Pass1(const char *format, struct va_stack *vto, flags |= FLAGS_PREC; precision = strtol(fmt, &fmt, 10); } + if((flags & (FLAGS_PREC | FLAGS_PRECPARAM)) == + (FLAGS_PREC | FLAGS_PRECPARAM)) + /* it is not permitted to use both kinds of precision for the same + argument */ + return 1; break; case 'h': flags |= FLAGS_SHORT; @@ -956,7 +961,7 @@ static int dprintf_formatf( else *fptr++ = 'f'; - *fptr = 0; /* and a final zero termination */ + *fptr = 0; /* and a final null-termination */ #ifdef __clang__ #pragma clang diagnostic push 
@@ -964,7 +969,11 @@ static int dprintf_formatf( #endif /* NOTE NOTE NOTE!! Not all sprintf implementations return number of output characters */ +#ifdef HAVE_SNPRINTF + (snprintf)(work, sizeof(work), formatbuf, p->data.dnum); +#else (sprintf)(work, formatbuf, p->data.dnum); +#endif #ifdef __clang__ #pragma clang diagnostic pop #endif diff --git a/vendor/curl/lib/mqtt.c b/vendor/curl/lib/mqtt.c index 7320747af0..4f3d14386f 100644 --- a/vendor/curl/lib/mqtt.c +++ b/vendor/curl/lib/mqtt.c @@ -186,7 +186,7 @@ static int add_passwd(const char *passwd, const size_t plen, return 0; } -/* add user to the CONN packet */ +/* add user to the CONNECT packet */ static int add_user(const char *username, const size_t ulen, unsigned char *pkt, const size_t start, int remain_pos) { @@ -204,7 +204,7 @@ static int add_user(const char *username, const size_t ulen, return 0; } -/* add client ID to the CONN packet */ +/* add client ID to the CONNECT packet */ static int add_client_id(const char *client_id, const size_t client_id_len, char *pkt, const size_t start) { @@ -216,7 +216,7 @@ static int add_client_id(const char *client_id, const size_t client_id_len, return 0; } -/* Set initial values of CONN packet */ +/* Set initial values of CONNECT packet */ static int init_connpack(char *packet, char *remain, int remain_pos) { /* Fixed header starts */ @@ -293,7 +293,7 @@ static CURLcode mqtt_connect(struct Curl_easy *data) return CURLE_OUT_OF_MEMORY; memset(packet, 0, packetlen); - /* set initial values for CONN pack */ + /* set initial values for the CONNECT packet */ pos = init_connpack(packet, remain, remain_pos); result = Curl_rand_hex(data, (unsigned char *)&client_id[clen], 
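Review bot: The new `snprintf(work, sizeof(work), ...)` branch bounds the write but never checks its return, so a formatted double longer than `work` is silently truncated, while the `#else` fallback still uses unbounded `sprintf`. Whether that can happen depends on how the width and precision parsed in dprintf_Pass1 are bounded relative to `sizeof(work)`, which is outside this hunk; a comment on the `work` declaration stating that bound, or a check along the lines of `if(rc < 0 || (size_t)rc >= sizeof(work)) /* truncated */`, would make the assumption explicit. dprintf_formatf's body continues outside the hunk.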
@@ -389,10 +389,18 @@ static CURLcode mqtt_get_topic(struct Curl_easy *data, char **topic, size_t *topiclen) { char *path = data->state.up.path; - if(strlen(path) > 1) - return Curl_urldecode(path + 1, 0, topic, topiclen, REJECT_NADA); - failf(data, "No MQTT topic found. Forgot to URL encode it?"); - return CURLE_URL_MALFORMAT; + CURLcode result = CURLE_URL_MALFORMAT; + if(strlen(path) > 1) { + result = Curl_urldecode(path + 1, 0, topic, topiclen, REJECT_NADA); + if(!result && (*topiclen > 0xffff)) { + failf(data, "Too long MQTT topic"); + result = CURLE_URL_MALFORMAT; + } + } + else + failf(data, "No MQTT topic found. Forgot to URL encode it?"); + + return result; } static CURLcode mqtt_subscribe(struct Curl_easy *data) @@ -690,7 +698,7 @@ static CURLcode mqtt_do(struct Curl_easy *data, bool *done) result = mqtt_connect(data); if(result) { - failf(data, "Error %d sending MQTT CONN request", result); + failf(data, "Error %d sending MQTT CONNECT request", result); return result; } mqstate(data, MQTT_FIRST, MQTT_CONNACK); diff --git a/vendor/curl/lib/multi.c b/vendor/curl/lib/multi.c index 5340a0c8a5..51acba73ac 100644 --- a/vendor/curl/lib/multi.c +++ b/vendor/curl/lib/multi.c @@ -45,7 +45,6 @@ #include "multihandle.h" #include "sigpipe.h" #include "vtls/vtls.h" -#include "connect.h" #include "http_proxy.h" #include "http2.h" #include "socketpair.h" @@ -417,7 +416,6 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ /* -1 means it not set by user, use the default value */ multi->maxconnects = -1; multi->max_concurrent_streams = 100; - multi->ipv6_works = Curl_ipv6works(NULL); #ifdef USE_WINSOCK multi->wsa_event = WSACreateEvent(); @@ -753,7 +751,7 @@ static int close_connect_only(struct Curl_easy *data, if(data->state.lastconnect_id != conn->connection_id) return 0; - if(!conn->bits.connect_only) + if(!conn->connect_only) return 1; connclose(conn, "Removing connect-only easy handle"); 
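Review bot: The new too-long branch in mqtt_get_topic returns CURLE_URL_MALFORMAT after Curl_urldecode has already succeeded, and if Curl_urldecode allocates `*topic` (its `char **` out-parameter suggests it does) that allocation is leaked and the caller receives a non-NULL `*topic` alongside an error code. Release it in that branch, e.g. `free(*topic); *topic = NULL;` before `result = CURLE_URL_MALFORMAT;`. A short comment that 0xffff is the limit of the 2-byte length prefix of an MQTT string would also explain the constant.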
@@ -851,7 +849,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, Curl_detach_connection(data); if(data->set.connect_only && !data->multi_easy) { - /* This removes a handle that was part the multi inteface that used + /* This removes a handle that was part the multi interface that used CONNECT_ONLY, that connection is now left alive but since this handle has bits.close set nothing can use that transfer anymore and it is forbidden from reuse. And this easy handle cannot find the connection @@ -2144,7 +2142,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, } } - if(data->set.connect_only) { + if(data->set.connect_only == 1) { /* keep connection open for application to use the socket */ connkeep(data->conn, "CONNECT_ONLY"); multistate(data, MSTATE_DONE); diff --git a/vendor/curl/lib/multihandle.h b/vendor/curl/lib/multihandle.h index 76a67a89a0..a997784ea3 100644 --- a/vendor/curl/lib/multihandle.h +++ b/vendor/curl/lib/multihandle.h @@ -150,11 +150,13 @@ struct Curl_multi { 0 is used for read, 1 is used for write */ #endif #endif - /* multiplexing wanted */ - bool multiplexing; - bool recheckstate; /* see Curl_multi_connchanged */ +#define IPV6_UNKNOWN 0 +#define IPV6_DEAD 1 +#define IPV6_WORKS 2 + unsigned char ipv6_up; /* IPV6_* defined */ + bool multiplexing; /* multiplexing wanted */ + bool recheckstate; /* see Curl_multi_connchanged */ bool in_callback; /* true while executing a callback */ - bool ipv6_works; #ifdef USE_OPENSSL bool ssl_seeded; #endif diff --git a/vendor/curl/lib/netrc.c b/vendor/curl/lib/netrc.c index 62a6a10df8..4461b8492f 100644 --- a/vendor/curl/lib/netrc.c +++ b/vendor/curl/lib/netrc.c @@ -33,6 +33,7 @@ #include "netrc.h" #include "strtok.h" #include "strcase.h" +#include "curl_get_line.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" 
@@ -58,8 +59,6 @@ enum host_lookup_state { static int parsenetrc(const char *host, char **loginp, char **passwordp, - bool *login_changed, - bool *password_changed, char *netrcfile) { FILE *file; @@ -84,7 +83,7 @@ static int parsenetrc(const char *host, char netrcbuffer[4096]; int netrcbuffsize = (int)sizeof(netrcbuffer); - while(!done && fgets(netrcbuffer, netrcbuffsize, file)) { + while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) { char *tok; char *tok_end; bool quoted; @@ -96,7 +95,7 @@ static int parsenetrc(const char *host, } tok = netrcbuffer; while(tok) { - while(ISSPACE(*tok)) + while(ISBLANK(*tok)) tok++; /* tok is first non-space letter */ if(!*tok || (*tok == '#')) @@ -198,9 +197,9 @@ static int parsenetrc(const char *host, /* we are now parsing sub-keywords concerning "our" host */ if(state_login) { if(specific_login) { - state_our_login = strcasecompare(login, tok); + state_our_login = !Curl_timestrcmp(login, tok); } - else if(!login || strcmp(login, tok)) { + else if(!login || Curl_timestrcmp(login, tok)) { if(login_alloc) { free(login); login_alloc = FALSE; @@ -216,7 +215,7 @@ static int parsenetrc(const char *host, } else if(state_password) { if((state_our_login || !specific_login) - && (!password || strcmp(password, tok))) { + && (!password || Curl_timestrcmp(password, tok))) { if(password_alloc) { free(password); password_alloc = FALSE; @@ -243,24 +242,20 @@ static int parsenetrc(const char *host, } /* switch (state) */ tok = ++tok_end; } - } /* while fgets() */ + } /* while Curl_get_line() */ out: if(!retcode) { /* success */ - *login_changed = FALSE; - *password_changed = FALSE; if(login_alloc) { if(*loginp) free(*loginp); *loginp = login; - *login_changed = TRUE; } if(password_alloc) { if(*passwordp) free(*passwordp); *passwordp = password; - *password_changed = TRUE; } } else { 
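Review bot: In the `@@ -198` hunk the login comparison changes semantics as well as timing: `strcasecompare(login, tok)` becomes `!Curl_timestrcmp(login, tok)`, so a .netrc `login` entry now has to match the URL user case-sensitively, which can silently select a different machine entry than before. If the case-sensitive match is intended, say so in the comment above it (`/* login names are compared case-sensitively, in constant time */`); if not, a case-insensitive constant-time compare is needed rather than Curl_timestrcmp. The constant-time comparison applied to the password in the `@@ -216` hunk looks intentional. parsenetrc's body extends beyond these hunks.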
@@ -281,11 +276,7 @@ static int parsenetrc(const char *host, * *loginp and *passwordp MUST be allocated if they aren't NULL when passed * in. */ -int Curl_parsenetrc(const char *host, - char **loginp, - char **passwordp, - bool *login_changed, - bool *password_changed, +int Curl_parsenetrc(const char *host, char **loginp, char **passwordp, char *netrcfile) { int retcode = 1; @@ -334,8 +325,7 @@ int Curl_parsenetrc(const char *host, free(homea); return -1; } - retcode = parsenetrc(host, loginp, passwordp, login_changed, - password_changed, filealloc); + retcode = parsenetrc(host, loginp, passwordp, filealloc); free(filealloc); #ifdef WIN32 if(retcode == NETRC_FILE_MISSING) { @@ -345,16 +335,14 @@ int Curl_parsenetrc(const char *host, free(homea); return -1; } - retcode = parsenetrc(host, loginp, passwordp, login_changed, - password_changed, filealloc); + retcode = parsenetrc(host, loginp, passwordp, filealloc); free(filealloc); } #endif free(homea); } else - retcode = parsenetrc(host, loginp, passwordp, login_changed, - password_changed, netrcfile); + retcode = parsenetrc(host, loginp, passwordp, netrcfile); return retcode; } diff --git a/vendor/curl/lib/netrc.h b/vendor/curl/lib/netrc.h index 53e315b61a..53d0056721 100644 --- a/vendor/curl/lib/netrc.h +++ b/vendor/curl/lib/netrc.h @@ -28,12 +28,8 @@ #ifndef CURL_DISABLE_NETRC /* returns -1 on failure, 0 if the host is found, 1 is the host isn't found */ -int Curl_parsenetrc(const char *host, - char **loginp, - char **passwordp, - bool *login_changed, - bool *password_changed, - char *filename); +int Curl_parsenetrc(const char *host, char **loginp, + char **passwordp, char *filename); /* Assume: (*passwordp)[0]=0, host[0] != 0. * If (*loginp)[0] = 0, search for login and password within a machine * section in the netrc. diff --git a/vendor/curl/lib/noproxy.c b/vendor/curl/lib/noproxy.c new file mode 100644 index 0000000000..81f1e09934 --- /dev/null +++ b/vendor/curl/lib/noproxy.c 
@@ -0,0 +1,222 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + +#include "curl_setup.h" + +#ifndef CURL_DISABLE_PROXY + +#include "inet_pton.h" +#include "strcase.h" +#include "noproxy.h" + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +/* + * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the + * specified CIDR address range. 
+ */ +UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */ + const char *network, /* 1.2.3.4 address */ + unsigned int bits) +{ + unsigned int address = 0; + unsigned int check = 0; + + if(bits > 32) + /* strange input */ + return FALSE; + + if(1 != Curl_inet_pton(AF_INET, ipv4, &address)) + return FALSE; + if(1 != Curl_inet_pton(AF_INET, network, &check)) + return FALSE; + + if(bits && (bits != 32)) { + unsigned int mask = 0xffffffff << (32 - bits); + unsigned int haddr = htonl(address); + unsigned int hcheck = htonl(check); +#if 0 + fprintf(stderr, "Host %s (%x) network %s (%x) bits %u mask %x => %x\n", + ipv4, haddr, network, hcheck, bits, mask, + (haddr ^ hcheck) & mask); +#endif + if((haddr ^ hcheck) & mask) + return FALSE; + return TRUE; + } + return (address == check); +} + +UNITTEST bool Curl_cidr6_match(const char *ipv6, + const char *network, + unsigned int bits) +{ +#ifdef ENABLE_IPV6 + int bytes; + int rest; + unsigned char address[16]; + unsigned char check[16]; + + if(!bits) + bits = 128; + + bytes = bits/8; + rest = bits & 0x07; + if(1 != Curl_inet_pton(AF_INET6, ipv6, address)) + return FALSE; + if(1 != Curl_inet_pton(AF_INET6, network, check)) + return FALSE; + if((bytes > 16) || ((bytes == 16) && rest)) + return FALSE; + if(bytes && memcmp(address, check, bytes)) + return FALSE; + if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest)))) + return FALSE; + + return TRUE; +#else + (void)ipv6; + (void)network; + (void)bits; + return FALSE; +#endif +} + +enum nametype { + TYPE_HOST, + TYPE_IPV4, + TYPE_IPV6 +}; + +/**************************************************************** +* Checks if the host is in the noproxy list. returns TRUE if it matches and +* therefore the proxy should NOT be used. 
+****************************************************************/ +bool Curl_check_noproxy(const char *name, const char *no_proxy) +{ + /* no_proxy=domain1.dom,host.domain2.dom + * (a comma-separated list of hosts which should + * not be proxied, or an asterisk to override + * all proxy variables) + */ + if(no_proxy && no_proxy[0]) { + const char *p = no_proxy; + size_t namelen; + enum nametype type = TYPE_HOST; + char hostip[128]; + if(!strcmp("*", no_proxy)) + return TRUE; + + /* NO_PROXY was specified and it wasn't just an asterisk */ + + if(name[0] == '[') { + char *endptr; + /* IPv6 numerical address */ + endptr = strchr(name, ']'); + if(!endptr) + return FALSE; + name++; + namelen = endptr - name; + if(namelen >= sizeof(hostip)) + return FALSE; + memcpy(hostip, name, namelen); + hostip[namelen] = 0; + name = hostip; + type = TYPE_IPV6; + } + else { + unsigned int address; + if(1 == Curl_inet_pton(AF_INET, name, &address)) + type = TYPE_IPV4; + namelen = strlen(name); + } + + while(*p) { + const char *token; + size_t tokenlen = 0; + bool match = FALSE; + + /* pass blanks */ + while(*p && ISBLANK(*p)) + p++; + + token = p; + /* pass over the pattern */ + while(*p && !ISBLANK(*p) && (*p != ',')) { + p++; + tokenlen++; + } + + if(tokenlen) { + switch(type) { + case TYPE_HOST: + if(*token == '.') { + ++token; + --tokenlen; + /* tailmatch */ + match = (tokenlen <= namelen) && + strncasecompare(token, name + (namelen - tokenlen), namelen); + } + else + match = (tokenlen == namelen) && + strncasecompare(token, name, namelen); + break; + case TYPE_IPV4: + /* FALLTHROUGH */ + case TYPE_IPV6: { + const char *check = token; + char *slash = strchr(check, '/'); + unsigned int bits = 0; + char checkip[128]; + /* if the slash is part of this token, use it */ + if(slash && (slash < &check[tokenlen])) { + bits = atoi(slash + 1); + /* copy the check name to a temp buffer */ + if(tokenlen >= sizeof(checkip)) + break; + memcpy(checkip, check, tokenlen); + checkip[ slash - check 
] = 0; + check = checkip; + } + if(type == TYPE_IPV6) + match = Curl_cidr6_match(name, check, bits); + else + match = Curl_cidr4_match(name, check, bits); + break; + } + } + if(match) + return TRUE; + } /* if(tokenlen) */ + while(*p == ',') + p++; + } /* while(*p) */ + } /* NO_PROXY was specified and it wasn't just an asterisk */ + + return FALSE; +} + +#endif /* CURL_DISABLE_PROXY */ diff --git a/vendor/curl/lib/dotdot.h b/vendor/curl/lib/noproxy.h similarity index 63% rename from vendor/curl/lib/dotdot.h rename to vendor/curl/lib/noproxy.h index 4ffe72de83..8800a21276 100644 --- a/vendor/curl/lib/dotdot.h +++ b/vendor/curl/lib/noproxy.h @@ -1,5 +1,5 @@ -#ifndef HEADER_CURL_DOTDOT_H -#define HEADER_CURL_DOTDOT_H +#ifndef HEADER_CURL_NOPROXY_H +#define HEADER_CURL_NOPROXY_H /*************************************************************************** * _ _ ____ _ * Project ___| | | | _ \| | @@ -23,5 +23,22 @@ * SPDX-License-Identifier: curl * ***************************************************************************/ -char *Curl_dedotdotify(const char *input); -#endif /* HEADER_CURL_DOTDOT_H */ +#include "curl_setup.h" + +#ifndef CURL_DISABLE_PROXY + +#ifdef DEBUGBUILD + +UNITTEST bool Curl_cidr4_match(const char *ipv4, /* 1.2.3.4 address */ + const char *network, /* 1.2.3.4 address */ + unsigned int bits); +UNITTEST bool Curl_cidr6_match(const char *ipv6, + const char *network, + unsigned int bits); +#endif + +bool Curl_check_noproxy(const char *name, const char *no_proxy); + +#endif + +#endif /* HEADER_CURL_NOPROXY_H */ diff --git a/vendor/curl/lib/openldap.c b/vendor/curl/lib/openldap.c index 19f2ad9f08..3a93b6728d 100644 --- a/vendor/curl/lib/openldap.c +++ b/vendor/curl/lib/openldap.c 
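Review bot: The tail match in Curl_check_noproxy compares the wrong length: `strncasecompare(token, name + (namelen - tokenlen), namelen)` compares `namelen` bytes although `token` is only `tokenlen` bytes long and is not NUL-terminated inside `no_proxy`, so for `.example.com,other` the comparison runs into the `,` and fails unless the pattern is the last token; the third argument should be `tokenlen`. The TYPE_IPV4/TYPE_IPV6 branch has the same termination problem: when the token carries no `/`, `check` still points into `no_proxy` and `Curl_inet_pton()` is handed `10.0.0.1,next`, so a bare address pattern only matches when it is the last entry. Copying the token into `checkip` unconditionally and then splitting off the optional prefix length fixes the termination while keeping the existing `atoi` parsing; the rewritten branch is below. A `/* tokens are not null-terminated inside no_proxy; copy before use */` comment on that copy would keep a later edit from reintroducing the problem.
```c
      case TYPE_IPV4:
        /* FALLTHROUGH */
      case TYPE_IPV6: {
        char checkip[128];
        char *slash;
        unsigned int bits = 0;
        /* tokens are not null-terminated inside no_proxy: copy this one out
           before handing it to the CIDR helpers */
        if(tokenlen >= sizeof(checkip))
          break;
        memcpy(checkip, token, tokenlen);
        checkip[tokenlen] = 0;
        slash = strchr(checkip, '/');
        if(slash) {
          bits = atoi(slash + 1);
          *slash = 0;
        }
        if(type == TYPE_IPV6)
          match = Curl_cidr6_match(name, checkip, bits);
        else
          match = Curl_cidr4_match(name, checkip, bits);
        break;
      }
```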
@@ -1068,8 +1068,8 @@ static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf, if(!binary) { /* check for leading or trailing whitespace */ - if(ISSPACE(bvals[i].bv_val[0]) || - ISSPACE(bvals[i].bv_val[bvals[i].bv_len - 1])) + if(ISBLANK(bvals[i].bv_val[0]) || + ISBLANK(bvals[i].bv_val[bvals[i].bv_len - 1])) binval = 1; else { /* check for unprintable characters */ diff --git a/vendor/curl/lib/pingpong.c b/vendor/curl/lib/pingpong.c index 74a678a1a4..d4e6be98c4 100644 --- a/vendor/curl/lib/pingpong.c +++ b/vendor/curl/lib/pingpong.c @@ -330,7 +330,7 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, else if(gotbytes <= 0) { keepon = FALSE; result = CURLE_RECV_ERROR; - failf(data, "response reading failed"); + failf(data, "response reading failed (errno: %d)", SOCKERRNO); } else { /* we got a whole chunk of data, which can be anything from one diff --git a/vendor/curl/lib/rand.c b/vendor/curl/lib/rand.c index c6fd47e7f6..2e7e7e8238 100644 --- a/vendor/curl/lib/rand.c +++ b/vendor/curl/lib/rand.c @@ -212,7 +212,7 @@ CURLcode Curl_rand(struct Curl_easy *data, unsigned char *rnd, size_t num) /* * Curl_rand_hex() fills the 'rnd' buffer with a given 'num' size with random - * hexadecimal digits PLUS a zero terminating byte. It must be an odd number + * hexadecimal digits PLUS a null-terminating byte. It must be an odd number * size. */ @@ -235,7 +235,7 @@ CURLcode Curl_rand_hex(struct Curl_easy *data, unsigned char *rnd, /* make sure it fits in the local buffer and that it is an odd number! */ return CURLE_BAD_FUNCTION_ARGUMENT; - num--; /* save one for zero termination */ + num--; /* save one for null-termination */ result = Curl_rand(data, buffer, num/2); if(result) diff --git a/vendor/curl/lib/rand.h b/vendor/curl/lib/rand.h index 99f25b94e1..30fc29615a 100644 --- a/vendor/curl/lib/rand.h +++ b/vendor/curl/lib/rand.h 
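Review bot: The rewritten trailing-whitespace test still indexes `bvals[i].bv_val[bvals[i].bv_len - 1]`, which for a zero-length attribute value wraps to a huge index and reads out of bounds; unless the enclosing loop skips empty values before this point (not visible in the hunk), guard it: `if(bvals[i].bv_len && (ISBLANK(bvals[i].bv_val[0]) || ISBLANK(bvals[i].bv_val[bvals[i].bv_len - 1])))`. Narrowing ISSPACE to ISBLANK also means values that begin or end with CR, LF, VT or FF are no longer flagged as binary here; that is only safe if the unprintable-character scan in the else branch rejects them, which is worth confirming and recording with a one-line comment such as `/* CR/LF etc. are caught by the unprintable scan below */`. oldap_recv starts and ends outside this hunk.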
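Review bot: The new failf() prints SOCKERRNO for every `gotbytes <= 0` path, but `gotbytes == 0` is a clean remote close on which the socket read does not set errno, so the number logged in that case is whatever an earlier call left behind and will mislead whoever reads the error. Report the two cases separately: `if(!gotbytes) failf(data, "response reading failed: connection closed"); else failf(data, "response reading failed (errno: %d)", SOCKERRNO);`. If gotbytes comes from a wrapper rather than recv() directly (the read call is outside this hunk), any intermediate call between the failing read and this failf can also clobber errno, so the value should be captured as early as possible. Curl_pp_readresp starts and ends outside this hunk.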
@@ -42,7 +42,7 @@ CURLcode Curl_rand(struct Curl_easy *data, unsigned char *rnd, size_t num); /* * Curl_rand_hex() fills the 'rnd' buffer with a given 'num' size with random - * hexadecimal digits PLUS a zero terminating byte. It must be an odd number + * hexadecimal digits PLUS a null-terminating byte. It must be an odd number * size. */ CURLcode Curl_rand_hex(struct Curl_easy *data, unsigned char *rnd, diff --git a/vendor/curl/lib/rtsp.c b/vendor/curl/lib/rtsp.c index 5a6644b26c..6d3bf97e6c 100644 --- a/vendor/curl/lib/rtsp.c +++ b/vendor/curl/lib/rtsp.c @@ -794,7 +794,7 @@ CURLcode Curl_rtsp_parseheader(struct Curl_easy *data, char *header) /* Find the first non-space letter */ start = header + 8; - while(*start && ISSPACE(*start)) + while(*start && ISBLANK(*start)) start++; if(!*start) { diff --git a/vendor/curl/lib/select.h b/vendor/curl/lib/select.h index eaff7d9b1c..f2cf8bbd9f 100644 --- a/vendor/curl/lib/select.h +++ b/vendor/curl/lib/select.h @@ -36,8 +36,7 @@ * Definition of pollfd struct and constants for platforms lacking them. */ -#if !defined(HAVE_STRUCT_POLLFD) && \ - !defined(HAVE_SYS_POLL_H) && \ +#if !defined(HAVE_SYS_POLL_H) && \ !defined(HAVE_POLL_H) && \ !defined(POLLIN) diff --git a/vendor/curl/lib/sendf.c b/vendor/curl/lib/sendf.c index 2fe7169dd2..d26b7e7cd7 100644 --- a/vendor/curl/lib/sendf.c +++ b/vendor/curl/lib/sendf.c @@ -48,6 +48,7 @@ #include "strdup.h" #include "http2.h" #include "headers.h" +#include "ws.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" @@ -534,6 +535,7 @@ static CURLcode chop_write(struct Curl_easy *data, curl_write_callback writebody = NULL; char *ptr = optr; size_t len = olen; + void *writebody_ptr = data->set.out; if(!len) return CURLE_OK; 
@@ -544,8 +546,18 @@ static CURLcode chop_write(struct Curl_easy *data, return pausewrite(data, type, ptr, len); /* Determine the callback(s) to use. */ - if(type & CLIENTWRITE_BODY) + if(type & CLIENTWRITE_BODY) { +#ifdef USE_WEBSOCKETS + if(conn->handler->protocol & (CURLPROTO_WS|CURLPROTO_WSS)) { + struct HTTP *ws = data->req.p.http; + writebody = Curl_ws_writecb; + ws->ws.data = data; + writebody_ptr = ws; + } + else +#endif writebody = data->set.fwrite_func; + } if((type & CLIENTWRITE_HEADER) && (data->set.fwrite_header || data->set.writeheader)) { /* @@ -563,7 +575,7 @@ static CURLcode chop_write(struct Curl_easy *data, if(writebody) { size_t wrote; Curl_set_in_callback(data, true); - wrote = writebody(ptr, 1, chunklen, data->set.out); + wrote = writebody(ptr, 1, chunklen, writebody_ptr); Curl_set_in_callback(data, false); if(CURL_WRITEFUNC_PAUSE == wrote) { @@ -723,9 +735,10 @@ void Curl_debug(struct Curl_easy *data, curl_infotype type, static const char s_infotype[CURLINFO_END][3] = { "* ", "< ", "> ", "{ ", "} ", "{ ", "} " }; if(data->set.fdebug) { + bool inCallback = Curl_is_in_callback(data); Curl_set_in_callback(data, true); (void)(*data->set.fdebug)(data, type, ptr, size, data->set.debugdata); - Curl_set_in_callback(data, false); + Curl_set_in_callback(data, inCallback); } else { switch(type) { diff --git a/vendor/curl/lib/setopt.c b/vendor/curl/lib/setopt.c index d5e3b50c82..5b5975485c 100644 --- a/vendor/curl/lib/setopt.c +++ b/vendor/curl/lib/setopt.c 
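Review bot: In the new websocket branch `struct HTTP *ws = data->req.p.http;` is dereferenced on the next line (`ws->ws.data = data;`) without any check that the per-request protocol struct has been allocated; if a WS/WSS transfer can reach chop_write before the handler setup has set `data->req.p.http`, this is a NULL dereference. At minimum add `DEBUGASSERT(ws);` after the assignment to document the invariant, or return an error if it can legitimately be NULL. It would also help to say why the callback pointer changes here, e.g. `/* WS bodies are decoded by Curl_ws_writecb first; it gets the HTTP struct and reaches the user callback through ws->ws.data */`, since a reader expects `data->set.out` to be what the body callback receives. chop_write starts and ends outside this hunk.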
@@ -148,81 +148,36 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) #define C_SSLVERSION_VALUE(x) (x & 0xffff) #define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000) -static CURLcode protocol2num(char *str, curl_off_t *val) +static CURLcode protocol2num(const char *str, curl_prot_t *val) { - bool found_comma = FALSE; - static struct scheme { - const char *name; - long bit; - } const protos[] = { - { "dict", CURLPROTO_DICT }, - { "file", CURLPROTO_FILE }, - { "ftp", CURLPROTO_FTP }, - { "ftps", CURLPROTO_FTPS }, - { "gopher", CURLPROTO_GOPHER }, - { "gophers", CURLPROTO_GOPHERS }, - { "http", CURLPROTO_HTTP }, - { "https", CURLPROTO_HTTPS }, - { "imap", CURLPROTO_IMAP }, - { "imaps", CURLPROTO_IMAPS }, - { "ldap", CURLPROTO_LDAP }, - { "ldaps", CURLPROTO_LDAPS }, - { "mqtt", CURLPROTO_MQTT }, - { "pop3", CURLPROTO_POP3 }, - { "pop3s", CURLPROTO_POP3S }, - { "rtmp", CURLPROTO_RTMP }, - { "rtmpe", CURLPROTO_RTMPE }, - { "rtmps", CURLPROTO_RTMPS }, - { "rtmpt", CURLPROTO_RTMPT }, - { "rtmpte", CURLPROTO_RTMPTE }, - { "rtmpts", CURLPROTO_RTMPTS }, - { "rtsp", CURLPROTO_RTSP }, - { "scp", CURLPROTO_SCP }, - { "sftp", CURLPROTO_SFTP }, - { "smb", CURLPROTO_SMB }, - { "smbs", CURLPROTO_SMBS }, - { "smtp", CURLPROTO_SMTP }, - { "smtps", CURLPROTO_SMTPS }, - { "telnet", CURLPROTO_TELNET }, - { "tftp", CURLPROTO_TFTP }, - { NULL, 0 } - }; - if(!str) return CURLE_BAD_FUNCTION_ARGUMENT; - else if(curl_strequal(str, "all")) { - *val = ~0; + + if(curl_strequal(str, "all")) { + *val = ~(curl_prot_t) 0; return CURLE_OK; } *val = 0; do { + const char *token = str; size_t tlen; - struct scheme const *pp; - char *token; - token = strchr(str, ','); - found_comma = token ? TRUE : FALSE; - if(!token) - token = strchr(str, '\0'); - tlen = token - str; + + str = strchr(str, ','); + tlen = str? 
(size_t) (str - token): strlen(token); if(tlen) { - for(pp = protos; pp->name; pp++) { - if((strlen(pp->name) == tlen) && - curl_strnequal(str, pp->name, tlen)) { - *val |= pp->bit; - break; - } - } - if(!(pp->name)) - /* protocol name didn't match */ - return CURLE_BAD_FUNCTION_ARGUMENT; + const struct Curl_handler *h = Curl_builtin_scheme(token, tlen); + + if(!h) + return CURLE_UNSUPPORTED_PROTOCOL; + + *val |= h->protocol; } - if(found_comma) - str = token + 1; - } while(found_comma); + } while(str++); + if(!*val) - /* no matching protocol */ + /* no protocol listed */ return CURLE_BAD_FUNCTION_ARGUMENT; return CURLE_OK; } @@ -696,8 +651,10 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) } else data->set.method = HTTPREQ_GET; + data->set.upload = FALSE; break; +#ifndef CURL_DISABLE_MIME case CURLOPT_HTTPPOST: /* * Set to make us do HTTP POST @@ -706,6 +663,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) data->set.method = HTTPREQ_POST_FORM; data->set.opt_no_body = FALSE; /* this is implied */ break; +#endif case CURLOPT_AWS_SIGV4: /* @@ -721,18 +679,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) data->set.httpauth = CURLAUTH_AWS_SIGV4; break; - case CURLOPT_MIMEPOST: - /* - * Set to make us do MIME/form POST - */ - result = Curl_mime_set_subparts(&data->set.mimepost, - va_arg(param, curl_mime *), FALSE); - if(!result) { - data->set.method = HTTPREQ_POST_MIME; - data->set.opt_no_body = FALSE; /* this is implied */ - } - break; - case CURLOPT_REFERER: /* * String to set in the HTTP Referer: field. @@ -754,13 +700,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) va_arg(param, char *)); break; - case CURLOPT_HTTPHEADER: - /* - * Set a list with HTTP headers to use (or replace internals with) - */ - data->set.headers = va_arg(param, struct curl_slist *); - break; - #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXYHEADER: /* 
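Review bot: The loop tail `} while(str++);` performs `str++` on the NULL that strchr() returned for the last token, and applying a non-zero offset to a null pointer is undefined behaviour in C (clang's -fsanitize=pointer-overflow reports exactly this), so sanitizer builds will flag protocol2num on every call. Replace the tail with `if(!str) break; str++; } while(1);` so the pointer is only advanced when it is valid. Separately, because Curl_builtin_scheme only knows compiled-in handlers, a scheme name that is valid but disabled in this build now returns CURLE_UNSUPPORTED_PROTOCOL where the old table silently accepted it, and an unknown name returns CURLE_UNSUPPORTED_PROTOCOL instead of CURLE_BAD_FUNCTION_ARGUMENT; if intended, the CURLOPT_PROTOCOLS_STR documentation should say so.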
@@ -998,6 +937,36 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #endif /* CURL_DISABLE_HTTP */ +#if !defined(CURL_DISABLE_HTTP) || !defined(CURL_DISABLE_SMTP) || \ + !defined(CURL_DISABLE_IMAP) +# if !defined(CURL_DISABLE_HTTP) || !defined(CURL_DISABLE_MIME) + case CURLOPT_HTTPHEADER: + /* + * Set a list with HTTP headers to use (or replace internals with) + */ + data->set.headers = va_arg(param, struct curl_slist *); + break; +# endif + +# ifndef CURL_DISABLE_MIME + case CURLOPT_MIMEPOST: + /* + * Set to make us do MIME POST + */ + result = Curl_mime_set_subparts(&data->set.mimepost, + va_arg(param, curl_mime *), FALSE); + if(!result) { + data->set.method = HTTPREQ_POST_MIME; + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; + + case CURLOPT_MIME_OPTIONS: + data->set.mime_options = (unsigned int)va_arg(param, long); + break; +# endif +#endif + case CURLOPT_HTTPAUTH: /* * Set HTTP Authentication type BITMASK. @@ -2430,9 +2399,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_CONNECT_ONLY: /* - * No data transfer, set up connection and let application use the socket + * No data transfer. + * (1) - only do connection + * (2) - do first get request but get no content */ - data->set.connect_only = (0 != va_arg(param, long)) ? TRUE : FALSE; + arg = va_arg(param, long); + if(arg > 2) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.connect_only = (unsigned char)arg; break; case CURLOPT_SOCKOPTFUNCTION: 
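Review bot: The new range check `if(arg > 2)` in CURLOPT_CONNECT_ONLY rejects values above 2 but lets negative values through, and `(unsigned char)arg` then stores e.g. 255 for -1, a mode that is neither 0, 1 nor 2; before this change any non-zero value simply meant TRUE, so existing callers passing -1 now get undefined semantics instead of an error. Make the check symmetric: `if((arg < 0) || (arg > 2)) return CURLE_BAD_FUNCTION_ARGUMENT;`. The comment above only describes modes 1 and 2; adding `* (0) - disabled, do a normal transfer` completes it. Curl_vsetopt starts and ends outside this hunk.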
@@ -2640,31 +2614,35 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) transfer, which thus helps the app which takes URLs from users or other external inputs and want to restrict what protocol(s) to deal with. Defaults to CURLPROTO_ALL. */ - data->set.allowed_protocols = (curl_off_t)va_arg(param, long); + data->set.allowed_protocols = (curl_prot_t)va_arg(param, long); break; case CURLOPT_REDIR_PROTOCOLS: /* set the bitmask for the protocols that libcurl is allowed to follow to, as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs to be set in both bitmasks to be allowed to get redirected to. */ - data->set.redir_protocols = (curl_off_t)va_arg(param, long); + data->set.redir_protocols = (curl_prot_t)va_arg(param, long); break; - case CURLOPT_PROTOCOLS_STR: + case CURLOPT_PROTOCOLS_STR: { + curl_prot_t prot; argptr = va_arg(param, char *); - result = protocol2num(argptr, &bigsize); + result = protocol2num(argptr, &prot); if(result) return result; - data->set.allowed_protocols = bigsize; + data->set.allowed_protocols = prot; break; + } - case CURLOPT_REDIR_PROTOCOLS_STR: + case CURLOPT_REDIR_PROTOCOLS_STR: { + curl_prot_t prot; argptr = va_arg(param, char *); - result = protocol2num(argptr, &bigsize); + result = protocol2num(argptr, &prot); if(result) return result; - data->set.redir_protocols = bigsize; + data->set.redir_protocols = prot; break; + } case CURLOPT_DEFAULT_PROTOCOL: /* Set the protocol to use when the URL doesn't include any protocol */ 
@@ -2694,13 +2672,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #endif -#if (!defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_MIME)) || \ - !defined(CURL_DISABLE_SMTP) || !defined(CURL_DISABLE_IMAP) - case CURLOPT_MIME_OPTIONS: - data->set.mime_options = (unsigned int)va_arg(param, long); - break; -#endif - case CURLOPT_SASL_AUTHZID: /* Authorization identity (identity to act as) */ result = Curl_setstropt(&data->set.str[STRING_SASL_AUTHZID], @@ -2952,7 +2923,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) #endif break; case CURLOPT_SSL_ENABLE_NPN: - data->set.ssl_enable_npn = (0 != va_arg(param, long)) ? TRUE : FALSE; break; case CURLOPT_SSL_ENABLE_ALPN: data->set.ssl_enable_alpn = (0 != va_arg(param, long)) ? TRUE : FALSE; @@ -3128,6 +3098,15 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_PREREQDATA: data->set.prereq_userp = va_arg(param, void *); break; +#ifdef USE_WEBSOCKETS + case CURLOPT_WS_OPTIONS: { + bool raw; + arg = va_arg(param, long); + raw = (arg & CURLWS_RAW_MODE); + data->set.ws_raw_mode = raw; + break; + } +#endif default: /* unknown tag and its companion, just ignore: */ result = CURLE_UNKNOWN_OPTION; diff --git a/vendor/curl/lib/setup-win32.h b/vendor/curl/lib/setup-win32.h index c16928db90..bc5f8efc3c 100644 --- a/vendor/curl/lib/setup-win32.h +++ b/vendor/curl/lib/setup-win32.h 
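Review bot: CURLOPT_WS_OPTIONS masks the argument with CURLWS_RAW_MODE and silently discards every other bit, so a caller passing an unknown or future flag gets success instead of the CURLE_BAD_FUNCTION_ARGUMENT that CURLOPT_CONNECT_ONLY in the same function returns for out-of-range input; consider `if(arg & ~(long)CURLWS_RAW_MODE) return CURLE_BAD_FUNCTION_ARGUMENT;` so more options can be added later without ambiguity. The assignment `raw = (arg & CURLWS_RAW_MODE);` also relies on an implicit long-to-bool conversion where the rest of this function spells it out as `(0 != ...) ? TRUE : FALSE`; `data->set.ws_raw_mode = (arg & CURLWS_RAW_MODE) ? TRUE : FALSE;` matches the file style and drops the temporary. Curl_vsetopt starts and ends outside this hunk.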
@@ -37,10 +37,21 @@ #ifdef HAVE_WINDOWS_H # if defined(UNICODE) && !defined(_UNICODE) -# define _UNICODE +# error "UNICODE is defined but _UNICODE is not defined" # endif # if defined(_UNICODE) && !defined(UNICODE) -# define UNICODE +# error "_UNICODE is defined but UNICODE is not defined" +# endif +/* + * Don't include unneeded stuff in Windows headers to avoid compiler + * warnings and macro clashes. + * Make sure to define this macro before including any Windows headers. + */ +# ifndef WIN32_LEAN_AND_MEAN +# define WIN32_LEAN_AND_MEAN +# endif +# ifndef NOGDI +# define NOGDI # endif # include # include diff --git a/vendor/curl/lib/smb.c b/vendor/curl/lib/smb.c index 039d680041..a62e858143 100644 --- a/vendor/curl/lib/smb.c +++ b/vendor/curl/lib/smb.c @@ -34,7 +34,7 @@ #include #ifdef CURL_WINDOWS_APP #define getpid GetCurrentProcessId -#elif !defined(MSDOS) +#elif defined(WIN32) #define getpid _getpid #endif #endif diff --git a/vendor/curl/lib/socketpair.h b/vendor/curl/lib/socketpair.h index f91a3c6511..de70df673a 100644 --- a/vendor/curl/lib/socketpair.h +++ b/vendor/curl/lib/socketpair.h @@ -26,6 +26,8 @@ #include "curl_setup.h" #ifndef HAVE_SOCKETPAIR +#include + int Curl_socketpair(int domain, int type, int protocol, curl_socket_t socks[2]); #else diff --git a/vendor/curl/lib/strcase.c b/vendor/curl/lib/strcase.c index f932485204..09d2a8a961 100644 --- a/vendor/curl/lib/strcase.c +++ b/vendor/curl/lib/strcase.c @@ -28,8 +28,6 @@ #include "strcase.h" -static char raw_tolower(char in); - /* Mapping table to go from lowercase to uppercase for plain ASCII.*/ static const unsigned char touppermap[256] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, @@ -79,7 +77,7 @@ char Curl_raw_toupper(char in) /* Portable, consistent tolower. Do not use tolower() because its behavior is altered by the current locale. */ -static char raw_tolower(char in) +char Curl_raw_tolower(char in) { return tolowermap[(unsigned char) in]; } 
@@ -165,7 +163,7 @@ void Curl_strntolower(char *dest, const char *src, size_t n) return; do { - *dest++ = raw_tolower(*src); + *dest++ = Curl_raw_tolower(*src); } while(*src++ && --n); } @@ -179,6 +177,28 @@ bool Curl_safecmp(char *a, char *b) return !a && !b; } +/* + * Curl_timestrcmp() returns 0 if the two strings are identical. The time this + * function spends is a function of the shortest string, not of the contents. + */ +int Curl_timestrcmp(const char *a, const char *b) +{ + int match = 0; + int i = 0; + + if(a && b) { + while(1) { + match |= a[i]^b[i]; + if(!a[i] || !b[i]) + break; + i++; + } + } + else + return a || b; + return match; +} + /* --- public functions --- */ int curl_strequal(const char *first, const char *second) diff --git a/vendor/curl/lib/strcase.h b/vendor/curl/lib/strcase.h index d245929227..65a575385d 100644 --- a/vendor/curl/lib/strcase.h +++ b/vendor/curl/lib/strcase.h @@ -43,6 +43,7 @@ int Curl_safe_strcasecompare(const char *first, const char *second); int Curl_strncasecompare(const char *first, const char *second, size_t max); char Curl_raw_toupper(char in); +char Curl_raw_tolower(char in); /* checkprefix() is a shorter version of the above, used when the first argument is the string literal */ @@ -52,5 +53,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); void Curl_strntolower(char *dest, const char *src, size_t n); bool Curl_safecmp(char *a, char *b); +int Curl_timestrcmp(const char *first, const char *second); #endif /* HEADER_CURL_STRCASE_H */ diff --git a/vendor/curl/lib/strerror.c b/vendor/curl/lib/strerror.c index eceb1668a1..b9a51e26b9 100644 --- a/vendor/curl/lib/strerror.c +++ b/vendor/curl/lib/strerror.c 
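Review bot: Curl_timestrcmp's header comment should state the contract the url.c call sites in this diff now rely on: the result is only zero/non-zero (never an ordering like strcmp), two NULL pointers compare equal while NULL against any string does not, and the loop stops at the end of the shorter string, so timing reveals that length and whether the lengths are equal but never which byte differed. Suggested wording: `/* Constant-time equality test for two NUL-terminated strings: returns 0 if identical, non-zero otherwise. NULL == NULL but NULL != "". Runtime depends on the length of the shorter input, not on where they differ. */`. The declaration in strcase.h names the parameters `first, second` while the definition uses `a, b`; aligning them keeps the prototype and definition consistent.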
@@ -476,7 +476,7 @@ curl_url_strerror(CURLUcode error) return "Port number was not a decimal number between 0 and 65535"; case CURLUE_UNSUPPORTED_SCHEME: - return "This libcurl build doesn't support the given URL scheme"; + return "Unsupported URL scheme"; case CURLUE_URLDECODE: return "URL decode error, most likely because of rubbish in the input"; @@ -530,7 +530,7 @@ curl_url_strerror(CURLUcode error) return "Bad file:// URL"; case CURLUE_BAD_SLASHES: - return "Unsupported number of slashes"; + return "Unsupported number of slashes following scheme"; case CURLUE_BAD_SCHEME: return "Bad scheme"; diff --git a/vendor/curl/lib/strtoofft.c b/vendor/curl/lib/strtoofft.c index 30908fdd92..30deb8c05b 100644 --- a/vendor/curl/lib/strtoofft.c +++ b/vendor/curl/lib/strtoofft.c @@ -87,7 +87,7 @@ static curl_off_t strtooff(const char *nptr, char **endptr, int base) /* Skip leading whitespace. */ end = (char *)nptr; - while(ISSPACE(end[0])) { + while(ISBLANK(end[0])) { end++; } @@ -222,9 +222,9 @@ CURLofft curlx_strtoofft(const char *str, char **endp, int base, errno = 0; *num = 0; /* clear by default */ - while(*str && ISSPACE(*str)) + while(*str && ISBLANK(*str)) str++; - if('-' == *str) { + if(('-' == *str) || (ISSPACE(*str))) { if(endp) *endp = (char *)str; /* didn't actually move */ return CURL_OFFT_INVAL; /* nothing parsed */ diff --git a/vendor/curl/lib/timediff.c b/vendor/curl/lib/timediff.c index 27fd911638..c5893187dd 100644 --- a/vendor/curl/lib/timediff.c +++ b/vendor/curl/lib/timediff.c @@ -24,6 +24,8 @@ #include "timediff.h" +#include + /* * Converts number of milliseconds into a timeval structure. * diff --git a/vendor/curl/lib/transfer.c b/vendor/curl/lib/transfer.c index 6560d9607d..441da73429 100644 --- a/vendor/curl/lib/transfer.c +++ b/vendor/curl/lib/transfer.c 
@@ -1439,6 +1439,7 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) if(result) return result; + data->state.requests = 0; data->state.followlocation = 0; /* reset the location-follow counter */ data->state.this_is_a_follow = FALSE; /* reset this */ data->state.errorbuf = FALSE; /* no error has occurred */ @@ -1636,7 +1637,7 @@ CURLcode Curl_follow(struct Curl_easy *data, if((type != FOLLOW_RETRY) && (data->req.httpcode != 401) && (data->req.httpcode != 407) && - Curl_is_absolute_url(newurl, NULL, 0)) + Curl_is_absolute_url(newurl, NULL, 0, FALSE)) /* If this is not redirect due to a 401 or 407 response and an absolute URL: don't allow a custom port number */ disallowport = TRUE; @@ -1648,8 +1649,11 @@ CURLcode Curl_follow(struct Curl_easy *data, CURLU_ALLOW_SPACE | (data->set.path_as_is ? CURLU_PATH_AS_IS : 0)); if(uc) { - if(type != FOLLOW_FAKE) + if(type != FOLLOW_FAKE) { + failf(data, "The redirect target URL could not be parsed: %s", + curl_url_strerror(uc)); return Curl_uc_to_curlcode(uc); + } /* the URL could not be parsed for some reason, but since this is FAKE mode, just duplicate the field as-is */ @@ -1696,7 +1700,7 @@ CURLcode Curl_follow(struct Curl_easy *data, return Curl_uc_to_curlcode(uc); } - p = Curl_builtin_scheme(scheme); + p = Curl_builtin_scheme(scheme, CURL_ZERO_TERMINATED); if(p && (p->protocol != data->info.conn_protocol)) { infof(data, "Clear auth, redirects scheme from %s to %s", data->info.conn_scheme, scheme); diff --git a/vendor/curl/lib/url.c b/vendor/curl/lib/url.c index bfc784ff39..be5ffca2d8 100644 --- a/vendor/curl/lib/url.c +++ b/vendor/curl/lib/url.c @@ -73,8 +73,8 @@ #endif #elif defined(USE_WIN32_IDN) -/* prototype for curl_win32_idn_to_ascii() */ -bool curl_win32_idn_to_ascii(const char *in, char **out); +/* prototype for Curl_win32_idn_to_ascii() */ +bool Curl_win32_idn_to_ascii(const char *in, char **out); #endif /* USE_LIBIDN2 */ #include "doh.h" 
@@ -106,6 +106,7 @@ bool curl_win32_idn_to_ascii(const char *in, char **out); #include "urlapi-int.h" #include "system_win32.h" #include "hsts.h" +#include "noproxy.h" /* And now for the protocols */ #include "ftp.h" @@ -128,7 +129,6 @@ bool curl_win32_idn_to_ascii(const char *in, char **out); #include "http_proxy.h" #include "conncache.h" #include "multihandle.h" -#include "dotdot.h" #include "strdup.h" #include "setopt.h" #include "altsvc.h" @@ -168,7 +168,7 @@ static void conn_free(struct connectdata *conn); * * Returns the family as a single bit protocol identifier. */ -static unsigned int get_protocol_family(const struct Curl_handler *h) +static curl_prot_t get_protocol_family(const struct Curl_handler *h) { DEBUGASSERT(h); DEBUGASSERT(h->family); @@ -192,6 +192,16 @@ static const struct Curl_handler * const protocols[] = { &Curl_handler_http, #endif +#ifdef USE_WEBSOCKETS +#if defined(USE_SSL) && !defined(CURL_DISABLE_HTTP) + &Curl_handler_wss, +#endif + +#ifndef CURL_DISABLE_HTTP + &Curl_handler_ws, +#endif +#endif + #ifndef CURL_DISABLE_FTP &Curl_handler_ftp, #endif @@ -568,11 +578,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) set->new_file_perms = 0644; /* Default permissions */ set->new_directory_perms = 0755; /* Default permissions */ - - /* for the *protocols fields we don't use the CURLPROTO_ALL convenience - define since we internally only use the lower 16 bits for the passed - in bitmask to not conflict with the private bits */ - set->allowed_protocols = (unsigned int)CURLPROTO_ALL; + set->allowed_protocols = (curl_prot_t) CURLPROTO_ALL; set->redir_protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS | CURLPROTO_FTP | CURLPROTO_FTPS; 
@@ -623,7 +629,6 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) set->tcp_keepidle = 60; set->tcp_fastopen = FALSE; set->tcp_nodelay = TRUE; - set->ssl_enable_npn = TRUE; set->ssl_enable_alpn = TRUE; set->expect_100_timeout = 1000L; /* Wait for a second by default. */ set->sep_headers = TRUE; /* separated header lists by default */ @@ -746,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) DEBUGASSERT(data); infof(data, "Closing connection %ld", conn->connection_id); -#ifndef USE_HYPER - if(conn->connect_state && conn->connect_state->prot_save) { - /* If this was closed with a CONNECT in progress, cleanup this temporary - struct arrangement */ - data->req.p.http = NULL; - Curl_safefree(conn->connect_state->prot_save); - } -#endif - /* possible left-overs from the async name resolvers */ Curl_resolver_cancel(data); @@ -869,7 +865,7 @@ void Curl_disconnect(struct Curl_easy *data, /* Cleanup NEGOTIATE connection-related data */ Curl_http_auth_cleanup_negotiate(conn); - if(conn->bits.connect_only) + if(conn->connect_only) /* treat the connection as dead in CONNECT_ONLY situations */ dead_connection = TRUE; 
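Review bot: Removing the `prot_save` cleanup from conn_shutdown means a connection closed while a CONNECT is still in progress no longer frees `conn->connect_state->prot_save` or resets the swapped `data->req.p.http` here; that is only safe if the http_proxy.c change in this release ("restore the protocol pointer on error", not part of this chunk) undoes the swap on every exit path, including the ones where the connection is torn down from outside the CONNECT state machine. Please confirm no path can still reach conn_shutdown with `connect_state` allocated and `prot_save` non-NULL, otherwise this reintroduces a leak plus a dangling `data->req.p.http`; a `DEBUGASSERT(!conn->connect_state || !conn->connect_state->prot_save);` in place of the removed block would make the assumption checkable in debug builds. conn_shutdown starts and ends outside this hunk.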
@@ -953,19 +949,11 @@ socks_proxy_info_matches(const struct proxy_info *data, /* the user information is case-sensitive or at least it is not defined as case-insensitive see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ - if(!data->user != !needle->user) - return FALSE; - /* curl_strequal does a case insentive comparison, so do not use it here! */ - if(data->user && - needle->user && - strcmp(data->user, needle->user) != 0) - return FALSE; - if(!data->passwd != !needle->passwd) - return FALSE; - /* curl_strequal does a case insentive comparison, so do not use it here! */ - if(data->passwd && - needle->passwd && - strcmp(data->passwd, needle->passwd) != 0) + + /* curl_strequal does a case insensitive comparison, + so do not use it here! */ + if(Curl_timestrcmp(data->user, needle->user) || + Curl_timestrcmp(data->passwd, needle->passwd)) return FALSE; return TRUE; } @@ -1215,7 +1203,7 @@ ConnectionExists(struct Curl_easy *data, check = curr->ptr; curr = curr->next; - if(check->bits.connect_only || check->bits.close) + if(check->connect_only || check->bits.close) /* connect-only or to-be-closed connections will not be reused */ continue; @@ -1367,10 +1355,10 @@ ConnectionExists(struct Curl_easy *data, if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { /* This protocol requires credentials per connection, so verify that we're using the same name and password as well */ - if(strcmp(needle->user, check->user) || - strcmp(needle->passwd, check->passwd) || - !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || - !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + if(Curl_timestrcmp(needle->user, check->user) || + Curl_timestrcmp(needle->passwd, check->passwd) || + Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || + Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { /* one of them was different */ continue; } 
@@ -1446,8 +1434,8 @@ ConnectionExists(struct Curl_easy *data, possible. (Especially we must not reuse the same connection if partway through a handshake!) */ if(wantNTLMhttp) { - if(strcmp(needle->user, check->user) || - strcmp(needle->passwd, check->passwd)) { + if(Curl_timestrcmp(needle->user, check->user) || + Curl_timestrcmp(needle->passwd, check->passwd)) { /* we prefer a credential match, but this is at least a connection that can be reused and "upgraded" to NTLM */ @@ -1469,8 +1457,10 @@ ConnectionExists(struct Curl_easy *data, if(!check->http_proxy.user || !check->http_proxy.passwd) continue; - if(strcmp(needle->http_proxy.user, check->http_proxy.user) || - strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) + if(Curl_timestrcmp(needle->http_proxy.user, + check->http_proxy.user) || + Curl_timestrcmp(needle->http_proxy.passwd, + check->http_proxy.passwd)) continue; } else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { @@ -1642,7 +1632,7 @@ CURLcode Curl_idnconvert_hostname(struct Curl_easy *data, #elif defined(USE_WIN32_IDN) char *ace_hostname = NULL; - if(curl_win32_idn_to_ascii(host->name, &ace_hostname)) { + if(Curl_win32_idn_to_ascii(host->name, &ace_hostname)) { host->encalloc = ace_hostname; /* change the name pointer to point to the encoded hostname */ host->name = host->encalloc; @@ -1673,7 +1663,7 @@ void Curl_free_idnconverted_hostname(struct hostname *host) } #elif defined(USE_WIN32_IDN) free(host->encalloc); /* must be freed with free() since this was - allocated by curl_win32_idn_to_ascii */ + allocated by Curl_win32_idn_to_ascii */ host->encalloc = NULL; #else (void)host; 
@@ -1799,7 +1789,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; #endif conn->ip_version = data->set.ipver; - conn->bits.connect_only = data->set.connect_only; + conn->connect_only = data->set.connect_only; conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */ #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ @@ -1843,15 +1833,18 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) } /* returns the handler if the given scheme is built-in */ -const struct Curl_handler *Curl_builtin_scheme(const char *scheme) +const struct Curl_handler *Curl_builtin_scheme(const char *scheme, + size_t schemelen) { const struct Curl_handler * const *pp; const struct Curl_handler *p; /* Scan protocol handler table and match against 'scheme'. The handler may be changed later when the protocol specific setup function is called. */ + if(schemelen == CURL_ZERO_TERMINATED) + schemelen = strlen(scheme); for(pp = protocols; (p = *pp) != NULL; pp++) - if(strcasecompare(p->scheme, scheme)) - /* Protocol found in table. Check if allowed */ + if(strncasecompare(p->scheme, scheme, schemelen) && !p->scheme[schemelen]) + /* Protocol found in table. */ return p; return NULL; /* not found */ } @@ -1861,7 +1854,8 @@ static CURLcode findprotocol(struct Curl_easy *data, struct connectdata *conn, const char *protostr) { - const struct Curl_handler *p = Curl_builtin_scheme(protostr); + const struct Curl_handler *p = Curl_builtin_scheme(protostr, + CURL_ZERO_TERMINATED); if(p && /* Protocol found in table. Check if allowed */ (data->set.allowed_protocols & p->protocol)) { 
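Review bot: The new match `strncasecompare(p->scheme, scheme, schemelen) && !p->scheme[schemelen]` stays in bounds only because the short-circuit guarantees `p->scheme` holds at least `schemelen` characters before index `schemelen` is read, and that in turn assumes `scheme` contains no NUL within its first `schemelen` bytes (if strncasecompare reports equality when both strings end early, a shorter `scheme` could make this read past the end of a short table entry); none of this is stated. Add `/* && short-circuit keeps p->scheme[schemelen] in bounds; scheme must not contain a NUL within schemelen bytes */` above the loop, and document on the function that `schemelen` may be CURL_ZERO_TERMINATED to mean "measure with strlen", otherwise `scheme` need not be NUL-terminated. Both current callers in this diff (protocol2num, findprotocol, Curl_follow) satisfy the precondition, so this is documentation rather than a fix.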
@@ -1985,7 +1979,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; if(data->set.str[STRING_DEFAULT_PROTOCOL] && - !Curl_is_absolute_url(data->state.url, NULL, 0)) { + !Curl_is_absolute_url(data->state.url, NULL, 0, TRUE)) { char *url = aprintf("%s://%s", data->set.str[STRING_DEFAULT_PROTOCOL], data->state.url); if(!url) 
@@ -2033,10 +2027,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, failf(data, "Too long host name (maximum is %d)", MAX_URL_LEN); return CURLE_URL_MALFORMAT; } + hostname = data->state.up.hostname; + + if(hostname && hostname[0] == '[') { + /* This looks like an IPv6 address literal. See if there is an address + scope. */ + size_t hlen; + conn->bits.ipv6_ip = TRUE; + /* cut off the brackets! */ + hostname++; + hlen = strlen(hostname); + hostname[hlen - 1] = 0; + + zonefrom_url(uh, data, conn); + } + + /* make sure the connect struct gets its own copy of the host name */ + conn->host.rawalloc = strdup(hostname ? hostname : ""); + if(!conn->host.rawalloc) + return CURLE_OUT_OF_MEMORY; + conn->host.name = conn->host.rawalloc; + + /************************************************************* + * IDN-convert the hostnames + *************************************************************/ + result = Curl_idnconvert_hostname(data, &conn->host); + if(result) + return result; + if(conn->bits.conn_to_host) { + result = Curl_idnconvert_hostname(data, &conn->conn_to_host); + if(result) + return result; + } +#ifndef CURL_DISABLE_PROXY + if(conn->bits.httpproxy) { + result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); + if(result) + return result; + } + if(conn->bits.socksproxy) { + result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); + if(result) + return result; + } +#endif #ifndef CURL_DISABLE_HSTS + /* HSTS upgrade */ if(data->hsts && strcasecompare("http", data->state.up.scheme)) { - if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { + /* This MUST use the IDN decoded name */ + if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { char *url; Curl_safefree(data->state.up.scheme); uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); 
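Review bot: The proxy-host conversions added here (`conn->bits.httpproxy` / `conn->bits.socksproxy`) and the `conn->bits.conn_to_host` one now run inside parseurlandfillconn, but those bits look like they are only set later by create_conn_helper_init_proxy and connect-to parsing (the Curl_check_noproxy call site further down in this diff lives in that helper), so if URL parsing still precedes proxy setup these branches never execute and a proxy or connect-to host with non-ASCII characters is no longer ACE-encoded, a silent regression for IDN proxies. Keep only the `conn->host` conversion here, which is the one the HSTS lookup needs, and leave the proxy/connect-to conversions after proxy setup, or add a DEBUGASSERT showing the bits are already valid at this point. The comment `/* This MUST use the IDN decoded name */` is also ambiguous: after Curl_idnconvert_hostname, `conn->host.name` is the ACE/punycode form (the hunk in that function sets `host->name = host->encalloc`), so say `/* HSTS entries are keyed on the ACE-encoded host name, so look up conn->host.name (already IDN-converted), not the raw URL host */`. parseurlandfillconn starts and ends outside this hunk.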
@@ -2087,7 +2127,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, return Curl_uc_to_curlcode(uc); } - if(!data->state.aptr.user) { + if(!data->set.str[STRING_USERNAME]) { /* we don't use the URL API's URL decoder option here since it rejects control codes and we want to allow them for some schemes in the user and password fields */ @@ -2142,26 +2182,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); - hostname = data->state.up.hostname; - if(hostname && hostname[0] == '[') { - /* This looks like an IPv6 address literal. See if there is an address - scope. */ - size_t hlen; - conn->bits.ipv6_ip = TRUE; - /* cut off the brackets! */ - hostname++; - hlen = strlen(hostname); - hostname[hlen - 1] = 0; - - zonefrom_url(uh, data, conn); - } - - /* make sure the connect struct gets its own copy of the host name */ - conn->host.rawalloc = strdup(hostname ? hostname : ""); - if(!conn->host.rawalloc) - return CURLE_OUT_OF_MEMORY; - conn->host.name = conn->host.rawalloc; - #ifdef ENABLE_IPV6 if(data->set.scope_id) /* Override any scope that was set above. */ 
@@ -2259,83 +2279,6 @@ void Curl_free_request_state(struct Curl_easy *data) #ifndef CURL_DISABLE_PROXY -/**************************************************************** -* Checks if the host is in the noproxy list. returns true if it matches -* and therefore the proxy should NOT be used. -****************************************************************/ -static bool check_noproxy(const char *name, const char *no_proxy) -{ - /* no_proxy=domain1.dom,host.domain2.dom - * (a comma-separated list of hosts which should - * not be proxied, or an asterisk to override - * all proxy variables) - */ - if(no_proxy && no_proxy[0]) { - size_t tok_start; - size_t tok_end; - const char *separator = ", "; - size_t no_proxy_len; - size_t namelen; - char *endptr; - if(strcasecompare("*", no_proxy)) { - return TRUE; - } - - /* NO_PROXY was specified and it wasn't just an asterisk */ - - no_proxy_len = strlen(no_proxy); - if(name[0] == '[') { - /* IPv6 numerical address */ - endptr = strchr(name, ']'); - if(!endptr) - return FALSE; - name++; - namelen = endptr - name; - } - else - namelen = strlen(name); - - for(tok_start = 0; tok_start < no_proxy_len; tok_start = tok_end + 1) { - while(tok_start < no_proxy_len && - strchr(separator, no_proxy[tok_start]) != NULL) { - /* Look for the beginning of the token. */ - ++tok_start; - } - - if(tok_start == no_proxy_len) - break; /* It was all trailing separator chars, no more tokens. */ - - for(tok_end = tok_start; tok_end < no_proxy_len && - strchr(separator, no_proxy[tok_end]) == NULL; ++tok_end) - /* Look for the end of the token. */ - ; - - /* To match previous behavior, where it was necessary to specify - * ".local.com" to prevent matching "notlocal.com", we will leave - * the '.' off. - */ - if(no_proxy[tok_start] == '.') - ++tok_start; - - if((tok_end - tok_start) <= namelen) { - /* Match the last part of the name to the domain we are checking. 
*/ - const char *checkn = name + namelen - (tok_end - tok_start); - if(strncasecompare(no_proxy + tok_start, checkn, - tok_end - tok_start)) { - if((tok_end - tok_start) == namelen || *(checkn - 1) == '.') { - /* We either have an exact match, or the previous character is a . - * so it is within the same domain, so no proxy for this host. - */ - return TRUE; - } - } - } /* if((tok_end - tok_start) <= namelen) */ - } /* for(tok_start = 0; tok_start < no_proxy_len; - tok_start = tok_end + 1) */ - } /* NO_PROXY was specified and it wasn't just an asterisk */ - - return FALSE; -} #ifndef CURL_DISABLE_HTTP /**************************************************************** @@ -2375,7 +2318,7 @@ static char *detect_proxy(struct Curl_easy *data, /* Now, build _proxy and check for such a one to use */ while(*protop) - *envp++ = (char)tolower((int)*protop++); + *envp++ = Curl_raw_tolower(*protop++); /* append _proxy */ strcpy(envp, "_proxy"); @@ -2704,8 +2647,8 @@ static CURLcode create_conn_helper_init_proxy(struct Curl_easy *data, } } - if(check_noproxy(conn->host.name, data->set.str[STRING_NOPROXY] ? - data->set.str[STRING_NOPROXY] : no_proxy)) { + if(Curl_check_noproxy(conn->host.name, data->set.str[STRING_NOPROXY] ? + data->set.str[STRING_NOPROXY] : no_proxy)) { Curl_safefree(proxy); Curl_safefree(socksproxy); } @@ -2902,15 +2845,15 @@ CURLcode Curl_parse_login_details(const char *login, const size_t len, (psep && psep > osep ? (size_t)(psep - osep) : (size_t)(login + len - osep)) - 1 : 0); - /* Allocate the user portion buffer */ - if(userp && ulen) { + /* Allocate the user portion buffer, which can be zero length */ + if(userp) { ubuf = malloc(ulen + 1); if(!ubuf) result = CURLE_OUT_OF_MEMORY; } /* Allocate the password portion buffer */ - if(!result && passwdp && plen) { + if(!result && passwdp && psep) { pbuf = malloc(plen + 1); if(!pbuf) { free(ubuf); 
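Review bot: The two allocation guards in Curl_parse_login_details are now asymmetric — `if(userp)` allocates unconditionally while `if(!result && passwdp && psep)` allocates only when a ':' separator was seen — and the updated comment explains only the user side. I would extend the password comment to `/* Allocate the password buffer whenever a ':' was present, so "user:" yields an empty password rather than no password */`. The copy into `pbuf` and the handling of `plen == 0` are outside the hunk, so it is worth confirming that the empty-password case is actually filled and terminated there.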
@@ -2995,14 +2938,6 @@ static CURLcode override_login(struct Curl_easy *data, char **passwdp = &conn->passwd; char **optionsp = &conn->options; -#ifndef CURL_DISABLE_NETRC - if(data->set.use_netrc == CURL_NETRC_REQUIRED && data->state.aptr.user) { - Curl_safefree(*userp); - Curl_safefree(*passwdp); - Curl_safefree(data->state.aptr.user); /* disable user+password */ - } -#endif - if(data->set.str[STRING_OPTIONS]) { free(*optionsp); *optionsp = strdup(data->set.str[STRING_OPTIONS]); @@ -3011,22 +2946,23 @@ static CURLcode override_login(struct Curl_easy *data, } #ifndef CURL_DISABLE_NETRC + if(data->set.use_netrc == CURL_NETRC_REQUIRED) { + Curl_safefree(*userp); + Curl_safefree(*passwdp); + } conn->bits.netrc = FALSE; if(data->set.use_netrc && !data->set.str[STRING_USERNAME]) { - bool netrc_user_changed = FALSE; - bool netrc_passwd_changed = FALSE; int ret; bool url_provided = FALSE; - if(data->state.up.user) { - /* there was a user name in the URL */ - userp = &data->state.up.user; + if(data->state.aptr.user) { + /* there was a user name in the URL. Use the URL decoded version */ + userp = &data->state.aptr.user; url_provided = TRUE; } ret = Curl_parsenetrc(conn->host.name, userp, passwdp, - &netrc_user_changed, &netrc_passwd_changed, data->set.str[STRING_NETRC_FILE]); if(ret > 0) { infof(data, "Couldn't find host %s in the %s file; using defaults", @@ -3059,9 +2995,13 @@ static CURLcode override_login(struct Curl_easy *data, /* for updated strings, we update them in the URL */ if(*userp) { - CURLcode result = Curl_setstropt(&data->state.aptr.user, *userp); - if(result) - return result; + CURLcode result; + if(data->state.aptr.user != *userp) { + /* nothing to do then */ + result = Curl_setstropt(&data->state.aptr.user, *userp); + if(result) + return result; + } } if(data->state.aptr.user) { uc = curl_url_set(data->state.uh, CURLUPART_USER, data->state.aptr.user, 
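Review bot: The comment `/* nothing to do then */` inside `if(data->state.aptr.user != *userp)` is attached to the branch that does the work, so it reads as the opposite of what it means. The netrc hunk just above sets `userp = &data->state.aptr.user;`, so the two can alias, and if Curl_setstropt frees the destination before duplicating the source (not visible here) the guard is what keeps `Curl_setstropt(&data->state.aptr.user, *userp)` from reading freed memory; I would reword it to `/* userp may alias aptr.user (netrc path): only copy when it does not, since Curl_setstropt replaces the destination */`. The same aliasing is worth a one-line note where `userp` is redirected in the hunk above. override_login continues outside these hunks.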
@@ -3493,9 +3433,9 @@ static CURLcode resolve_proxy(struct Curl_easy *data, } #endif -static CURLcode resolve_ip(struct Curl_easy *data, - struct connectdata *conn, - bool *async) +static CURLcode resolve_host(struct Curl_easy *data, + struct connectdata *conn, + bool *async) { struct Curl_dns_entry *hostaddr = NULL; struct hostname *connhost; @@ -3561,7 +3501,7 @@ static CURLcode resolve_fresh(struct Curl_easy *data, return resolve_proxy(data, conn, async); #endif - return resolve_ip(data, conn, async); + return resolve_host(data, conn, async); } /************************************************************* @@ -3790,29 +3730,6 @@ static CURLcode create_conn(struct Curl_easy *data, if(result) goto out; - /************************************************************* - * IDN-convert the hostnames - *************************************************************/ - result = Curl_idnconvert_hostname(data, &conn->host); - if(result) - goto out; - if(conn->bits.conn_to_host) { - result = Curl_idnconvert_hostname(data, &conn->conn_to_host); - if(result) - goto out; - } -#ifndef CURL_DISABLE_PROXY - if(conn->bits.httpproxy) { - result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); - if(result) - goto out; - } - if(conn->bits.socksproxy) { - result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); - if(result) - goto out; - } -#endif /************************************************************* * Check whether the host and the "connect to host" are equal. @@ -4025,13 +3942,11 @@ static CURLcode create_conn(struct Curl_easy *data, be able to do that if we have reached the limit of how many connections we are allowed to open. */ - if(conn->handler->flags & PROTOPT_ALPN_NPN) { + if(conn->handler->flags & PROTOPT_ALPN) { /* The protocol wants it, so set the bits if enabled in the easy handle (default) */ if(data->set.ssl_enable_alpn) conn->bits.tls_enable_alpn = TRUE; - if(data->set.ssl_enable_npn) - conn->bits.tls_enable_npn = TRUE; } if(waitpipe) 
diff --git a/vendor/curl/lib/url.h b/vendor/curl/lib/url.h index e3b2940305..ba4270d523 100644 --- a/vendor/curl/lib/url.h +++ b/vendor/curl/lib/url.h @@ -46,7 +46,8 @@ CURLcode Curl_parse_login_details(const char *login, const size_t len, char **userptr, char **passwdptr, char **optionsptr); -const struct Curl_handler *Curl_builtin_scheme(const char *scheme); +const struct Curl_handler *Curl_builtin_scheme(const char *scheme, + size_t schemelen); bool Curl_is_ASCII_name(const char *hostname); CURLcode Curl_idnconvert_hostname(struct Curl_easy *data, diff --git a/vendor/curl/lib/urlapi-int.h b/vendor/curl/lib/urlapi-int.h index a03aa888af..43a83ef6e4 100644 --- a/vendor/curl/lib/urlapi-int.h +++ b/vendor/curl/lib/urlapi-int.h @@ -25,10 +25,12 @@ ***************************************************************************/ #include "curl_setup.h" -bool Curl_is_absolute_url(const char *url, char *scheme, size_t buflen); +size_t Curl_is_absolute_url(const char *url, char *buf, size_t buflen, + bool guess_scheme); #ifdef DEBUGBUILD -CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, bool); +CURLUcode Curl_parse_port(struct Curl_URL *u, struct dynbuf *host, + bool has_scheme); #endif #endif /* HEADER_CURL_URLAPI_INT_H */ diff --git a/vendor/curl/lib/urlapi.c b/vendor/curl/lib/urlapi.c index dee4b5aa09..7dac81c85c 100644 --- a/vendor/curl/lib/urlapi.c +++ b/vendor/curl/lib/urlapi.c @@ -27,12 +27,12 @@ #include "urldata.h" #include "urlapi-int.h" #include "strcase.h" -#include "dotdot.h" #include "url.h" #include "escape.h" #include "curl_ctype.h" #include "inet_pton.h" #include "inet_ntop.h" +#include "strdup.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" @@ -68,9 +68,6 @@ struct Curl_URL { char *path; char *query; char *fragment; - - char *scratch; /* temporary scratch area */ - char *temppath; /* temporary path pointer */ long portnum; /* the numerical version */ }; 
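Review bot: The changed prototypes carry no documentation of their new contract: `Curl_builtin_scheme` gains a `schemelen` that the callers on this page pass as `CURL_ZERO_TERMINATED`, and `Curl_is_absolute_url` now returns a `size_t` with a `guess_scheme` flag. I would add above the first `/* schemelen is the length of 'scheme', or CURL_ZERO_TERMINATED for a null-terminated string */` and above the second `/* returns the scheme length, or 0 if 'url' has no scheme; guess_scheme relaxes the ":/" requirement for input that may lack one */`. The same applies to the urlapi-int.h hunk for Curl_parse_port, whose `host` argument is now a dynbuf that the function truncates in place (see the Curl_dyn_setlen call later in this diff), which callers holding pointers into it need to know.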
@@ -88,8 +85,6 @@ static void free_urlhandle(struct Curl_URL *u)
   free(u->path);
   free(u->query);
   free(u->fragment);
-  free(u->scratch);
-  free(u->temppath);
 }
 
 /*
@@ -121,95 +116,50 @@ static const char *find_host_sep(const char *url) } /* - * Decide in an encoding-independent manner whether a character in an - * URL must be escaped. The same criterion must be used in strlen_url() - * and strcpy_url(). + * Decide in an encoding-independent manner whether a character in a URL must + * be escaped. This is used in urlencode_str(). */ static bool urlchar_needs_escaping(int c) { return !(ISCNTRL(c) || ISSPACE(c) || ISGRAPH(c)); } -/* - * strlen_url() returns the length of the given URL if the spaces within the - * URL were properly URL encoded. - * URL encoding should be skipped for host names, otherwise IDN resolution - * will fail. - */ -static size_t strlen_url(const char *url, bool relative) -{ - const unsigned char *ptr; - size_t newlen = 0; - bool left = TRUE; /* left side of the ? */ - const unsigned char *host_sep = (const unsigned char *) url; - - if(!relative) - host_sep = (const unsigned char *) find_host_sep(url); - - for(ptr = (unsigned char *)url; *ptr; ptr++) { - - if(ptr < host_sep) { - ++newlen; - continue; - } - - if(*ptr == ' ') { - if(left) - newlen += 3; - else - newlen++; - continue; - } - - if (*ptr == '?') - left = FALSE; - - if(urlchar_needs_escaping(*ptr)) - newlen += 2; - - newlen++; - } - - return newlen; -} - -/* strcpy_url() copies a url to a output buffer and URL-encodes the spaces in - * the source URL accordingly. +/* urlencode_str() writes data into an output dynbuf and URL-encodes the + * spaces in the source URL accordingly. + * * URL encoding should be skipped for host names, otherwise IDN resolution * will fail. - * - * Returns TRUE if something was updated. 
*/ -static bool strcpy_url(char *output, const char *url, bool relative) +static CURLUcode urlencode_str(struct dynbuf *o, const char *url, + size_t len, bool relative, + bool query) { /* we must add this with whitespace-replacing */ - bool left = TRUE; + bool left = !query; const unsigned char *iptr; - char *optr = output; const unsigned char *host_sep = (const unsigned char *) url; - bool changed = FALSE; if(!relative) host_sep = (const unsigned char *) find_host_sep(url); for(iptr = (unsigned char *)url; /* read from here */ - *iptr; /* until zero byte */ - iptr++) { + len; iptr++, len--) { if(iptr < host_sep) { - *optr++ = *iptr; + if(Curl_dyn_addn(o, iptr, 1)) + return CURLUE_OUT_OF_MEMORY; continue; } if(*iptr == ' ') { if(left) { - *optr++='%'; /* add a '%' */ - *optr++='2'; /* add a '2' */ - *optr++='0'; /* add a '0' */ + if(Curl_dyn_addn(o, "%20", 3)) + return CURLUE_OUT_OF_MEMORY; + } + else { + if(Curl_dyn_addn(o, "+", 1)) + return CURLUE_OUT_OF_MEMORY; } - else - *optr++='+'; /* add a '+' here */ - changed = TRUE; continue; } 
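Review bot: urlencode_str's header comment still describes the old strcpy_url behaviour and says nothing about the new parameters: `len` bounds how much of `url` is read, `query` starts the scan in the right-of-'?' state so spaces become '+' instead of "%20", and any failed Curl_dyn_* append yields CURLUE_OUT_OF_MEMORY. I would replace the first comment line with `/* urlencode_str() appends 'len' bytes of 'url' to the dynbuf 'o', encoding spaces (as %20, or as '+' right of a '?' or when 'query' is set) and any byte urlchar_needs_escaping() rejects; returns CURLUE_OUT_OF_MEMORY when an append fails */`. Note that with `relative` FALSE, find_host_sep() still scans `url` to its terminator rather than to `len`, so a caller passing a non-terminated buffer must use relative mode; the callers visible on this page pass either strlen() or TRUE. The function's tail is in the next hunk.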
@@ -217,24 +167,28 @@ static bool strcpy_url(char *output, const char *url, bool relative) left = FALSE; if(urlchar_needs_escaping(*iptr)) { - msnprintf(optr, 4, "%%%02x", *iptr); - changed = TRUE; - optr += 3; + if(Curl_dyn_addf(o, "%%%02x", *iptr)) + return CURLUE_OUT_OF_MEMORY; + } + else { + if(Curl_dyn_addn(o, iptr, 1)) + return CURLUE_OUT_OF_MEMORY; } - else - *optr++ = *iptr; } - *optr = 0; /* null-terminate output buffer */ - return changed; + return CURLUE_OK; } /* - * Returns true if the given URL is absolute (as opposed to relative). Returns - * the scheme in the buffer if TRUE and 'buf' is non-NULL. The buflen must - * be larger than MAX_SCHEME_LEN if buf is set. + * Returns the length of the scheme if the given URL is absolute (as opposed + * to relative). Stores the scheme in the buffer if TRUE and 'buf' is + * non-NULL. The buflen must be larger than MAX_SCHEME_LEN if buf is set. + * + * If 'guess_scheme' is TRUE, it means the URL might be provided without + * scheme. */ -bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen) +size_t Curl_is_absolute_url(const char *url, char *buf, size_t buflen, + bool guess_scheme) { int i; DEBUGASSERT(!buf || (buflen > MAX_SCHEME_LEN)); @@ -242,8 +196,8 @@ bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen) if(buf) buf[0] = 0; /* always leave a defined value in buf */ #ifdef WIN32 - if(STARTS_WITH_DRIVE_PREFIX(url)) - return FALSE; + if(guess_scheme && STARTS_WITH_DRIVE_PREFIX(url)) + return 0; #endif for(i = 0; i < MAX_SCHEME_LEN; ++i) { char s = url[i]; 
@@ -256,16 +210,22 @@ bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen) break; } } - if(i && (url[i] == ':') && (url[i + 1] == '/')) { + if(i && (url[i] == ':') && ((url[i + 1] == '/') || !guess_scheme)) { + /* If this does not guess scheme, the scheme always ends with the colon so + that this also detects data: URLs etc. In guessing mode, data: could + be the host name "data" with a specified port number. */ + + /* the length of the scheme is the name part only */ + size_t len = i; if(buf) { buf[i] = 0; while(i--) { - buf[i] = (char)TOLOWER(url[i]); + buf[i] = Curl_raw_tolower(url[i]); } } - return TRUE; + return len; } - return FALSE; + return 0; } /* @@ -273,34 +233,26 @@ bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen) * URL-encodes any spaces. * The returned pointer must be freed by the caller unless NULL * (returns NULL on out of memory). + * + * Note that this function destroys the 'base' string. */ -static char *concat_url(const char *base, const char *relurl) +static char *concat_url(char *base, const char *relurl) { /*** TRY to append this new path to the old URL to the right of the host part. Oh crap, this is doomed to cause problems in the future... */ - char *newest; + struct dynbuf newest; char *protsep; char *pathsep; - size_t newlen; bool host_changed = FALSE; - const char *useurl = relurl; - size_t urllen; - - /* we must make our own copy of the URL to play with, as it may - point to read-only data */ - char *url_clone = strdup(base); - - if(!url_clone) - return NULL; /* skip out of this NOW */ /* protsep points to the start of the host name */ - protsep = strstr(url_clone, "//"); + protsep = strstr(base, "//"); if(!protsep) - protsep = url_clone; + protsep = base; else protsep += 2; /* pass the slashes */ 
@@ -393,38 +345,24 @@ static char *concat_url(const char *base, const char *relurl) } } - /* If the new part contains a space, this is a mighty stupid redirect - but we still make an effort to do "right". To the left of a '?' - letter we replace each space with %20 while it is replaced with '+' - on the right side of the '?' letter. - */ - newlen = strlen_url(useurl, !host_changed); - - urllen = strlen(url_clone); - - newest = malloc(urllen + 1 + /* possible slash */ - newlen + 1 /* zero byte */); - - if(!newest) { - free(url_clone); /* don't leak this */ - return NULL; - } + Curl_dyn_init(&newest, CURL_MAX_INPUT_LENGTH); /* copy over the root url part */ - memcpy(newest, url_clone, urllen); + if(Curl_dyn_add(&newest, base)) + return NULL; /* check if we need to append a slash */ if(('/' == useurl[0]) || (protsep && !*protsep) || ('?' == useurl[0])) ; - else - newest[urllen++]='/'; + else { + if(Curl_dyn_addn(&newest, "/", 1)) + return NULL; + } /* then append the new piece on the right side */ - strcpy_url(&newest[urllen], useurl, !host_changed); + urlencode_str(&newest, useurl, strlen(useurl), !host_changed, FALSE); - free(url_clone); - - return newest; + return Curl_dyn_ptr(&newest); } /* scan for byte values < 31 or 127 */ @@ -458,7 +396,7 @@ static bool junkscan(const char *part, unsigned int flags) * */ static CURLUcode parse_hostname_login(struct Curl_URL *u, - char **hostname, + struct dynbuf *host, unsigned int flags) { CURLUcode result = CURLUE_OK; 
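Review bot: The return value of `urlencode_str(&newest, useurl, strlen(useurl), !host_changed, FALSE);` is dropped, unlike the Curl_dyn_add/Curl_dyn_addn calls just above it that return NULL on failure, so an allocation failure inside the encoder is reported only if Curl_dyn_ptr() happens to yield NULL afterwards, which this hunk does not show. I would make the check explicit: `if(urlencode_str(&newest, useurl, strlen(useurl), !host_changed, FALSE)) return NULL;`. The two early `return NULL`s also leave `newest` holding whatever was appended unless the dynbuf frees itself on failure; a one-line comment stating that assumption would help the next reader. concat_url begins outside the hunk.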
@@ -468,27 +406,31 @@ static CURLUcode parse_hostname_login(struct Curl_URL *u, char *optionsp = NULL; const struct Curl_handler *h = NULL; - /* At this point, we're hoping all the other special cases have - * been taken care of, so conn->host.name is at most - * [user[:password][;options]]@]hostname + /* At this point, we assume all the other special cases have been taken + * care of, so the host is at most + * + * [user[:password][;options]]@]hostname * * We need somewhere to put the embedded details, so do that first. */ - char *ptr = strchr(*hostname, '@'); - char *login = *hostname; + char *login = Curl_dyn_ptr(host); + char *ptr; + + DEBUGASSERT(login); + ptr = strchr(login, '@'); if(!ptr) goto out; /* We will now try to extract the * possible login information in a string like: * ftp://user:password@ftp.my.site:8021/README */ - *hostname = ++ptr; + ptr++; /* if this is a known scheme, get some details */ if(u->scheme) - h = Curl_builtin_scheme(u->scheme); + h = Curl_builtin_scheme(u->scheme, CURL_ZERO_TERMINATED); /* We could use the login information in the URL so extract it. Only parse options if the handler says we should. Note that 'h' might be NULL! */ @@ -530,6 +472,10 @@ static CURLUcode parse_hostname_login(struct Curl_URL *u, u->options = optionsp; } + /* move the name to the start of the host buffer */ + if(Curl_dyn_tail(host, strlen(ptr))) + return CURLUE_OUT_OF_MEMORY; + return CURLUE_OK; out: @@ -543,13 +489,13 @@ static CURLUcode parse_hostname_login(struct Curl_URL *u, return result; } -UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, +UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, struct dynbuf *host, bool has_scheme) { char *portptr = NULL; char endbracket; int len; - + char *hostname = Curl_dyn_ptr(host); /* * Find the end of an IPv6 address, either on the ']' ending bracket or * a percent-encoded zone index. 
@@ -586,6 +532,7 @@ UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, char *rest; long port; char portbuf[7]; + size_t keep = portptr - hostname; /* Browser behavior adaptation. If there's a colon with no digits after, just cut off the name there which makes us ignore the colon and just @@ -594,15 +541,15 @@ UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, Don't do it if the URL has no scheme, to make something that looks like a scheme not work! */ - if(!portptr[1]) { - *portptr = '\0'; + Curl_dyn_setlen(host, keep); + portptr++; + if(!*portptr) return has_scheme ? CURLUE_OK : CURLUE_BAD_PORT_NUMBER; - } - if(!ISDIGIT(portptr[1])) + if(!ISDIGIT(*portptr)) return CURLUE_BAD_PORT_NUMBER; - port = strtol(portptr + 1, &rest, 10); /* Port number must be decimal */ + port = strtol(portptr, &rest, 10); /* Port number must be decimal */ if(port > 0xffff) return CURLUE_BAD_PORT_NUMBER; @@ -610,7 +557,6 @@ UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, if(rest[0]) return CURLUE_BAD_PORT_NUMBER; - *portptr++ = '\0'; /* cut off the name there */ *rest = 0; /* generate a new port number string to get rid of leading zeroes etc */ msnprintf(portbuf, sizeof(portbuf), "%ld", port); @@ -623,12 +569,15 @@ UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname, return CURLUE_OK; } -static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) +static CURLUcode hostname_check(struct Curl_URL *u, char *hostname, + size_t hlen) /* length of hostname */ { size_t len; - size_t hlen = strlen(hostname); + DEBUGASSERT(hostname); - if(hostname[0] == '[') { + if(!hostname[0]) + return CURLUE_NO_HOST; + else if(hostname[0] == '[') { const char *l = "0123456789abcdefABCDEF:."; if(hlen < 4) /* '[::]' is the shortest possible valid string */ return CURLUE_BAD_IPV6; 
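Review bot: After `Curl_dyn_setlen(host, keep);` the code keeps reading through `portptr`, which points into the dynbuf's own storage beyond the new length; that is only valid if Curl_dyn_setlen truncates in place without reallocating or freeing, which the hunk does not show. I would state the dependency next to the call: `/* portptr still points into host's buffer past the new length; Curl_dyn_setlen must not reallocate */`, or copy the port digits out before truncating. The later `*rest = 0;` writes into that same region. Curl_parse_port continues outside the hunk.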
@@ -687,13 +636,11 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) } else { /* letters from the second string are not ok */ - len = strcspn(hostname, " \r\n\t/:#?!@"); + len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,"); if(hlen != len) /* hostname with bad content */ return CURLUE_BAD_HOSTNAME; } - if(!hostname[0]) - return CURLUE_NO_HOST; return CURLUE_OK; } 
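Review bot: The widened reject set passed to strcspn() is an unexplained literal; since the intent appears to be refusing bytes that are URL delimiters or otherwise invalid in a reg-name, I would put that next to it: `/* bytes that are URL delimiters or otherwise invalid in a host name; the first one found ends the acceptable run */`. The `\'` escape inside the double-quoted string is redundant and can be written as a plain `'`. hostname_check's opening is in the previous hunk.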
@@ -787,79 +734,230 @@ static bool ipv4_normalize(const char *hostname, char *outp, size_t olen) return TRUE; } -/* return strdup'ed version in 'outp', possibly percent decoded */ -static CURLUcode decode_host(char *hostname, char **outp) +/* if necessary, replace the host content with a URL decoded version */ +static CURLUcode decode_host(struct dynbuf *host) { char *per = NULL; - if(hostname[0] != '[') + const char *hostname = Curl_dyn_ptr(host); + if(hostname[0] == '[') /* only decode if not an ipv6 numerical */ - per = strchr(hostname, '%'); - if(!per) { - *outp = strdup(hostname); - if(!*outp) - return CURLUE_OUT_OF_MEMORY; - } + return CURLUE_OK; + per = strchr(hostname, '%'); + if(!per) + /* nothing to decode */ + return CURLUE_OK; else { - /* might be encoded */ + /* encoded */ size_t dlen; - CURLcode result = Curl_urldecode(hostname, 0, outp, &dlen, REJECT_CTRL); + char *decoded; + CURLcode result = Curl_urldecode(hostname, 0, &decoded, &dlen, + REJECT_CTRL); if(result) return CURLUE_BAD_HOSTNAME; + Curl_dyn_reset(host); + result = Curl_dyn_addn(host, decoded, dlen); + free(decoded); + if(result) + return CURLUE_OUT_OF_MEMORY; } return CURLUE_OK; } -static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) +/* + * "Remove Dot Segments" + * https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4 + */ + +/* + * dedotdotify() + * @unittest: 1395 + * + * This function gets a null-terminated path with dot and dotdot sequences + * passed in and strips them off according to the rules in RFC 3986 section + * 5.2.4. + * + * The function handles a query part ('?' + stuff) appended but it expects + * that fragments ('#' + stuff) have already been cut off. 
+ * + * RETURNS + * + * an allocated dedotdotified output string + */ +UNITTEST char *dedotdotify(const char *input, size_t clen); +UNITTEST char *dedotdotify(const char *input, size_t clen) { - char *path; - bool path_alloced = FALSE; + char *out = malloc(clen + 1); + char *outptr; + const char *orginput = input; + char *queryp; + if(!out) + return NULL; /* out of memory */ + + *out = 0; /* null-terminates, for inputs like "./" */ + outptr = out; + + if(!*input) + /* zero length input string, return that */ + return out; + + /* + * To handle query-parts properly, we must find it and remove it during the + * dotdot-operation and then append it again at the end to the output + * string. + */ + queryp = strchr(input, '?'); + + do { + bool dotdot = TRUE; + if(*input == '.') { + /* A. If the input buffer begins with a prefix of "../" or "./", then + remove that prefix from the input buffer; otherwise, */ + + if(!strncmp("./", input, 2)) { + input += 2; + clen -= 2; + } + else if(!strncmp("../", input, 3)) { + input += 3; + clen -= 3; + } + /* D. if the input buffer consists only of "." or "..", then remove + that from the input buffer; otherwise, */ + + else if(!strcmp(".", input) || !strcmp("..", input) || + !strncmp(".?", input, 2) || !strncmp("..?", input, 3)) { + *out = 0; + break; + } + else + dotdot = FALSE; + } + else if(*input == '/') { + /* B. if the input buffer begins with a prefix of "/./" or "/.", where + "." is a complete path segment, then replace that prefix with "/" in + the input buffer; otherwise, */ + if(!strncmp("/./", input, 3)) { + input += 2; + clen -= 2; + } + else if(!strcmp("/.", input) || !strncmp("/.?", input, 3)) { + *outptr++ = '/'; + *outptr = 0; + break; + } + + /* C. if the input buffer begins with a prefix of "/../" or "/..", + where ".." 
is a complete path segment, then replace that prefix with + "/" in the input buffer and remove the last segment and its + preceding "/" (if any) from the output buffer; otherwise, */ + + else if(!strncmp("/../", input, 4)) { + input += 3; + clen -= 3; + /* remove the last segment from the output buffer */ + while(outptr > out) { + outptr--; + if(*outptr == '/') + break; + } + *outptr = 0; /* null-terminate where it stops */ + } + else if(!strcmp("/..", input) || !strncmp("/..?", input, 4)) { + /* remove the last segment from the output buffer */ + while(outptr > out) { + outptr--; + if(*outptr == '/') + break; + } + *outptr++ = '/'; + *outptr = 0; /* null-terminate where it stops */ + break; + } + else + dotdot = FALSE; + } + else + dotdot = FALSE; + + if(!dotdot) { + /* E. move the first path segment in the input buffer to the end of + the output buffer, including the initial "/" character (if any) and + any subsequent characters up to, but not including, the next "/" + character or the end of the input buffer. */ + + do { + *outptr++ = *input++; + clen--; + } while(*input && (*input != '/') && (*input != '?')); + *outptr = 0; + } + + /* continue until end of input string OR, if there is a terminating + query part, stop there */ + } while(*input && (!queryp || (input < queryp))); + + if(queryp) { + size_t qlen; + /* There was a query part, append that to the output. 
*/ + size_t oindex = queryp - orginput; + qlen = strlen(&orginput[oindex]); + memcpy(outptr, &orginput[oindex], qlen + 1); /* include zero byte */ + } + + return out; +} + +static CURLUcode parseurl(const char *url, CURLU *u, unsigned int flags) +{ + const char *path; + size_t pathlen; bool uncpath = FALSE; - char *hostname; char *query = NULL; char *fragment = NULL; - CURLUcode result; - bool url_has_scheme = FALSE; char schemebuf[MAX_SCHEME_LEN + 1]; const char *schemep = NULL; size_t schemelen = 0; size_t urllen; + CURLUcode result = CURLUE_OK; + size_t fraglen = 0; + struct dynbuf host; DEBUGASSERT(url); + Curl_dyn_init(&host, CURL_MAX_INPUT_LENGTH); + /************************************************************* * Parse the URL. ************************************************************/ /* allocate scratch area */ urllen = strlen(url); - if(urllen > CURL_MAX_INPUT_LENGTH) + if(urllen > CURL_MAX_INPUT_LENGTH) { /* excessive input length */ - return CURLUE_MALFORMED_INPUT; - - path = u->scratch = malloc(urllen * 2 + 2); - if(!path) - return CURLUE_OUT_OF_MEMORY; - - hostname = &path[urllen + 1]; - hostname[0] = 0; - - if(Curl_is_absolute_url(url, schemebuf, sizeof(schemebuf))) { - url_has_scheme = TRUE; - schemelen = strlen(schemebuf); + result = CURLUE_MALFORMED_INPUT; + goto fail; } + schemelen = Curl_is_absolute_url(url, schemebuf, sizeof(schemebuf), + flags & (CURLU_GUESS_SCHEME| + CURLU_DEFAULT_SCHEME)); + /* handle the file: scheme */ - if(url_has_scheme && !strcmp(schemebuf, "file")) { - if(urllen <= 6) + if(schemelen && !strcmp(schemebuf, "file")) { + if(urllen <= 6) { /* file:/ is not enough to actually be a complete file: URL */ - return CURLUE_BAD_FILE_URL; + result = CURLUE_BAD_FILE_URL; + goto fail; + } /* path has been allocated large enough to hold this */ - strcpy(path, &url[5]); + path = (char *)&url[5]; - u->scheme = strdup("file"); - if(!u->scheme) - return CURLUE_OUT_OF_MEMORY; + schemep = u->scheme = strdup("file"); + if(!u->scheme) { + 
result = CURLUE_OUT_OF_MEMORY; + goto fail; + } /* Extra handling URLs with an authority component (i.e. that start with * "file://") @@ -869,7 +967,7 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) */ if(path[0] == '/' && path[1] == '/') { /* swallow the two slashes */ - char *ptr = &path[2]; + const char *ptr = &path[2]; /* * According to RFC 8089, a file: URL can be reliably dereferenced if: @@ -905,13 +1003,17 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) chars, and the delimiting slash character must be appended to the host name */ path = strpbrk(ptr, "/\\:*?\"<>|"); - if(!path || *path != '/') - return CURLUE_BAD_FILE_URL; + if(!path || *path != '/') { + result = CURLUE_BAD_FILE_URL; + goto fail; + } len = path - ptr; if(len) { - memcpy(hostname, ptr, len); - hostname[len] = 0; + if(Curl_dyn_addn(&host, ptr, len)) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } uncpath = TRUE; } @@ -919,7 +1021,8 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) #else /* Invalid file://hostname/, expected localhost or 127.0.0.1 or none */ - return CURLUE_BAD_FILE_URL; + result = CURLUE_BAD_FILE_URL; + goto fail; #endif } } @@ -928,7 +1031,8 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) } if(!uncpath) - hostname = NULL; /* no host for file: URLs by default */ + /* no host for file: URLs by default */ + Curl_dyn_reset(&host); #if !defined(MSDOS) && !defined(WIN32) && !defined(__CYGWIN__) /* Don't allow Windows drive letters when not in Windows. 
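Review bot: dedotdotify() takes `clen` but every test on `input` uses strcmp()/strncmp(), which read to the terminator regardless of `clen`, so the parameter only sizes the output allocation; the header comment should say so, e.g. `clen must equal strlen(input); it is used only to size the output`. In decode_host the `else` after `return CURLUE_OK;` is redundant, and the decoded bytes replace the host buffer wholesale; the hunk does not show whether hostname_check() runs on the decoded result or only on the raw input, which is worth confirming since decoding can introduce bytes the reject list would refuse. The parseurl body continues outside the hunk.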
@@ -936,13 +1040,14 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) if(('/' == path[0] && STARTS_WITH_URL_DRIVE_PREFIX(&path[1])) || STARTS_WITH_URL_DRIVE_PREFIX(path)) { /* File drive letters are only accepted in MSDOS/Windows */ - return CURLUE_BAD_FILE_URL; + result = CURLUE_BAD_FILE_URL; + goto fail; } #else /* If the path starts with a slash and a drive letter, ditch the slash */ if('/' == path[0] && STARTS_WITH_URL_DRIVE_PREFIX(&path[1])) { /* This cannot be done with strcpy, as the memory chunks overlap! */ - memmove(path, &path[1], strlen(&path[1]) + 1); + path++; } #endif @@ -952,32 +1057,39 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) const char *p; const char *hostp; size_t len; - path[0] = 0; - if(url_has_scheme) { + if(schemelen) { int i = 0; p = &url[schemelen + 1]; while(p && (*p == '/') && (i < 4)) { p++; i++; } - if((i < 1) || (i>3)) - /* less than one or more than three slashes */ - return CURLUE_BAD_SLASHES; schemep = schemebuf; - if(!Curl_builtin_scheme(schemep) && - !(flags & CURLU_NON_SUPPORT_SCHEME)) - return CURLUE_UNSUPPORTED_SCHEME; + if(!Curl_builtin_scheme(schemep, CURL_ZERO_TERMINATED) && + !(flags & CURLU_NON_SUPPORT_SCHEME)) { + result = CURLUE_UNSUPPORTED_SCHEME; + goto fail; + } - if(junkscan(schemep, flags)) - return CURLUE_BAD_SCHEME; + if((i < 1) || (i>3)) { + /* less than one or more than three slashes */ + result = CURLUE_BAD_SLASHES; + goto fail; + } + if(junkscan(schemep, flags)) { + result = CURLUE_BAD_SCHEME; + goto fail; + } } else { /* no scheme! */ - if(!(flags & (CURLU_DEFAULT_SCHEME|CURLU_GUESS_SCHEME))) - return CURLUE_BAD_SCHEME; + if(!(flags & (CURLU_DEFAULT_SCHEME|CURLU_GUESS_SCHEME))) { + result = CURLUE_BAD_SCHEME; + goto fail; + } if(flags & CURLU_DEFAULT_SCHEME) schemep = DEFAULT_SCHEME; 
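Review bot: Moving the `Curl_builtin_scheme()` check ahead of the slash count changes which error a malformed URL with an unknown scheme reports (CURLUE_UNSUPPORTED_SCHEME now wins over CURLUE_BAD_SLASHES); if that is intended it deserves a one-line comment such as `/* reject unknown schemes before complaining about the slashes */` and a test pinning the order. The `(i>3)` spacing also differs from the `(i < 1)` beside it. parseurl continues outside the hunk.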
@@ -994,122 +1106,169 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) len = p - hostp; if(len) { - memcpy(hostname, hostp, len); - hostname[len] = 0; + if(Curl_dyn_addn(&host, hostp, len)) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } } else { - if(!(flags & CURLU_NO_AUTHORITY)) - return CURLUE_NO_HOST; + if(!(flags & CURLU_NO_AUTHORITY)) { + result = CURLUE_NO_HOST; + goto fail; + } } - strcpy(path, p); + path = (char *)p; if(schemep) { u->scheme = strdup(schemep); - if(!u->scheme) - return CURLUE_OUT_OF_MEMORY; + if(!u->scheme) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } } } - if((flags & CURLU_URLENCODE) && path[0]) { - /* worst case output length is 3x the original! */ - char *newp = malloc(strlen(path) * 3); - if(!newp) - return CURLUE_OUT_OF_MEMORY; - path_alloced = TRUE; - strcpy_url(newp, path, TRUE); /* consider it relative */ - u->temppath = path = newp; - } - fragment = strchr(path, '#'); if(fragment) { - *fragment++ = 0; - if(junkscan(fragment, flags)) - return CURLUE_BAD_FRAGMENT; - if(fragment[0]) { - u->fragment = strdup(fragment); - if(!u->fragment) - return CURLUE_OUT_OF_MEMORY; + fraglen = strlen(fragment); + if(fraglen > 1) { + /* skip the leading '#' in the copy but include the terminating null */ + u->fragment = Curl_memdup(fragment + 1, fraglen); + if(!u->fragment) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + + if(junkscan(u->fragment, flags)) { + result = CURLUE_BAD_FRAGMENT; + goto fail; + } } } query = strchr(path, '?'); - if(query) { - *query++ = 0; - if(junkscan(query, flags)) - return CURLUE_BAD_QUERY; - /* done even if the query part is a blank string */ - u->query = strdup(query); - if(!u->query) - return CURLUE_OUT_OF_MEMORY; - } + if(query && (!fragment || (query < fragment))) { + size_t qlen = strlen(query) - fraglen; /* includes '?' 
*/ + pathlen = strlen(path) - qlen - fraglen; + if(qlen > 1) { + if(qlen && (flags & CURLU_URLENCODE)) { + struct dynbuf enc; + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); + /* skip the leading question mark */ + if(urlencode_str(&enc, query + 1, qlen - 1, TRUE, TRUE)) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + u->query = Curl_dyn_ptr(&enc); + } + else { + u->query = Curl_memdup(query + 1, qlen); + if(!u->query) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + u->query[qlen - 1] = 0; + } - if(junkscan(path, flags)) - return CURLUE_BAD_PATH; + if(junkscan(u->query, flags)) { + result = CURLUE_BAD_QUERY; + goto fail; + } + } + else { + /* single byte query */ + u->query = strdup(""); + if(!u->query) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + } + } + else + pathlen = strlen(path) - fraglen; + + if(pathlen && (flags & CURLU_URLENCODE)) { + struct dynbuf enc; + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); + if(urlencode_str(&enc, path, pathlen, TRUE, FALSE)) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + pathlen = Curl_dyn_len(&enc); + path = u->path = Curl_dyn_ptr(&enc); + } - if(!path[0]) - /* if there's no path left set, unset */ + if(!pathlen) { + /* there is no path left, unset */ path = NULL; + } else { + if(!u->path) { + u->path = Curl_memdup(path, pathlen + 1); + if(!u->path) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + u->path[pathlen] = 0; + path = u->path; + } + else if(flags & CURLU_URLENCODE) + /* it might have encoded more than just the path so cut it */ + u->path[pathlen] = 0; + + if(junkscan(u->path, flags)) { + result = CURLUE_BAD_PATH; + goto fail; + } + if(!(flags & CURLU_PATH_AS_IS)) { /* remove ../ and ./ sequences according to RFC3986 */ - char *newp = Curl_dedotdotify(path); - if(!newp) - return CURLUE_OUT_OF_MEMORY; - - if(strcmp(newp, path)) { - /* if we got a new version */ - if(path_alloced) - Curl_safefree(u->temppath); - u->temppath = path = newp; - path_alloced = TRUE; + char *newp = 
dedotdotify((char *)path, pathlen); + if(!newp) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; } - else - free(newp); + free(u->path); + u->path = newp; } - - u->path = path_alloced?path:strdup(path); - if(!u->path) - return CURLUE_OUT_OF_MEMORY; - u->temppath = NULL; /* used now */ } - if(hostname) { + if(Curl_dyn_len(&host)) { char normalized_ipv4[sizeof("255.255.255.255") + 1]; /* * Parse the login details and strip them out of the host name. */ - result = parse_hostname_login(u, &hostname, flags); - if(result) - return result; - - result = Curl_parse_port(u, hostname, url_has_scheme); + result = parse_hostname_login(u, &host, flags); + if(!result) + result = Curl_parse_port(u, &host, schemelen); if(result) - return result; + goto fail; - if(junkscan(hostname, flags)) - return CURLUE_BAD_HOSTNAME; + if(junkscan(Curl_dyn_ptr(&host), flags)) { + result = CURLUE_BAD_HOSTNAME; + goto fail; + } - if(0 == strlen(hostname) && (flags & CURLU_NO_AUTHORITY)) { - /* Skip hostname check, it's allowed to be empty. */ - u->host = strdup(""); + if(ipv4_normalize(Curl_dyn_ptr(&host), + normalized_ipv4, sizeof(normalized_ipv4))) { + Curl_dyn_reset(&host); + if(Curl_dyn_add(&host, normalized_ipv4)) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } } else { - if(ipv4_normalize(hostname, normalized_ipv4, sizeof(normalized_ipv4))) - u->host = strdup(normalized_ipv4); - else { - result = decode_host(hostname, &u->host); - if(result) - return result; - result = hostname_check(u, u->host); - if(result) - return result; - } + result = decode_host(&host); + if(!result) + result = hostname_check(u, Curl_dyn_ptr(&host), Curl_dyn_len(&host)); + if(result) + goto fail; } - if(!u->host) - return CURLUE_OUT_OF_MEMORY; + if((flags & CURLU_GUESS_SCHEME) && !schemep) { + const char *hostname = Curl_dyn_ptr(&host); /* legacy curl-style guess based on host name */ if(checkprefix("ftp.", hostname)) schemep = "ftp"; 
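Review bot: The `else if(flags & CURLU_URLENCODE) u->path[pathlen] = 0;` branch in the middle of this hunk is a no-op, because `pathlen` was just set to `Curl_dyn_len(&enc)` and that index already holds the terminator the dynbuf wrote; the comment "it might have encoded more than just the path so cut it" describes something the code no longer does and should be dropped or reworded. In the query branch the inner `if(qlen && (flags & CURLU_URLENCODE))` re-tests `qlen`, which the enclosing `if(qlen > 1)` already guarantees, so `if(flags & CURLU_URLENCODE)` is enough. Both dynbuf-encoding sites rely on `urlencode_str()` releasing `enc` when it fails before the `goto fail` runs; if it does not, the partially built buffer leaks on the out-of-memory path, so confirm that against its definition. seturl() begins and ends outside this hunk.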
@@ -1127,27 +1286,26 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) schemep = "http"; u->scheme = strdup(schemep); - if(!u->scheme) - return CURLUE_OUT_OF_MEMORY; + if(!u->scheme) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; + } + } + } + else if(flags & CURLU_NO_AUTHORITY) { + /* allowed to be empty. */ + if(Curl_dyn_add(&host, "")) { + result = CURLUE_OUT_OF_MEMORY; + goto fail; } } - Curl_safefree(u->scratch); - Curl_safefree(u->temppath); - - return CURLUE_OK; -} + u->host = Curl_dyn_ptr(&host); -/* - * Parse the URL and set the relevant members of the Curl_URL struct. - */ -static CURLUcode parseurl(const char *url, CURLU *u, unsigned int flags) -{ - CURLUcode result = seturl(url, u, flags); - if(result) { - free_urlhandle(u); - memset(u, 0, sizeof(struct Curl_URL)); - } + return result; + fail: + Curl_dyn_free(&host); + free_urlhandle(u); return result; } @@ -1165,8 +1323,6 @@ static CURLUcode parseurl_and_replace(const char *url, CURLU *u, free_urlhandle(u); *u = tmpurl; } - else - free_urlhandle(&tmpurl); return result; } @@ -1265,7 +1421,7 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, /* there's no stored port number, but asked to deliver a default one for the scheme */ const struct Curl_handler *h = - Curl_builtin_scheme(u->scheme); + Curl_builtin_scheme(u->scheme, CURL_ZERO_TERMINATED); if(h) { msnprintf(portbuf, sizeof(portbuf), "%u", h->defport); ptr = portbuf; @@ -1275,7 +1431,7 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, /* there is a stored port number, but ask to inhibit if it matches the default one for the scheme */ const struct Curl_handler *h = - Curl_builtin_scheme(u->scheme); + Curl_builtin_scheme(u->scheme, CURL_ZERO_TERMINATED); if(h && (h->defport == u->portnum) && (flags & CURLU_NO_DEFAULT_PORT)) ptr = NULL; 
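Review bot: The `fail:` path at the end of seturl() now calls `free_urlhandle(u)` but no longer zeroes the handle, while the removed parseurl() wrapper did `memset(u, 0, sizeof(struct Curl_URL))` right after the same call. Unless free_urlhandle() itself resets every member it frees, a CURLU that failed to parse keeps dangling `scheme`/`host`/`path` pointers, and the next curl_url_cleanup() or curl_url_set() on it would free them again. If free_urlhandle() does not null the fields, add `memset(u, 0, sizeof(*u));` after it in the fail path, or make free_urlhandle() use Curl_safefree(). The parseurl_and_replace() hunk below drops its own `free_urlhandle(&tmpurl)` on failure and appears to rely on seturl() cleaning up, so the two paths need to agree on who leaves the handle in what state.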
@@ -1321,7 +1477,7 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, else return CURLUE_NO_SCHEME; - h = Curl_builtin_scheme(scheme); + h = Curl_builtin_scheme(scheme, CURL_ZERO_TERMINATED); if(!port && (flags & CURLU_DEFAULT_PORT)) { /* there's no stored port number, but asked to deliver a default one for the scheme */ @@ -1344,14 +1500,13 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, if(u->host[0] == '[') { if(u->zoneid) { /* make it '[ host %25 zoneid ]' */ + struct dynbuf enc; size_t hostlen = strlen(u->host); - size_t alen = hostlen + 3 + strlen(u->zoneid) + 1; - allochost = malloc(alen); - if(!allochost) + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); + if(Curl_dyn_addf(&enc, "%.*s%%25%s]", (int)hostlen - 1, u->host, + u->zoneid)) return CURLUE_OUT_OF_MEMORY; - memcpy(allochost, u->host, hostlen - 1); - msnprintf(&allochost[hostlen - 1], alen - hostlen + 1, - "%%25%s]", u->zoneid); + allochost = Curl_dyn_ptr(&enc); } } else if(urlencode) { 
@@ -1362,32 +1517,32 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, else { /* only encode '%' in output host name */ char *host = u->host; - size_t pcount = 0; + bool percent = FALSE; /* first, count number of percents present in the name */ while(*host) { - if(*host == '%') - pcount++; + if(*host == '%') { + percent = TRUE; + break; + } host++; } - /* if there were percents, encode the host name */ - if(pcount) { - size_t hostlen = strlen(u->host); - size_t alen = hostlen + 2 * pcount + 1; - char *o = allochost = malloc(alen); - if(!allochost) - return CURLUE_OUT_OF_MEMORY; - + /* if there were percent(s), encode the host name */ + if(percent) { + struct dynbuf enc; + CURLcode result; + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); host = u->host; while(*host) { - if(*host == '%') { - memcpy(o, "%25", 3); - o += 3; - host++; - continue; - } - *o++ = *host++; + if(*host == '%') + result = Curl_dyn_addn(&enc, "%25", 3); + else + result = Curl_dyn_addn(&enc, host, 1); + if(result) + return CURLUE_OUT_OF_MEMORY; + host++; } - *o = '\0'; + free(u->host); + u->host = Curl_dyn_ptr(&enc); } } @@ -1420,13 +1575,15 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, break; } if(ptr) { - *part = strdup(ptr); + size_t partlen = strlen(ptr); + size_t i = 0; + *part = Curl_memdup(ptr, partlen + 1); if(!*part) return CURLUE_OUT_OF_MEMORY; if(plusdecode) { /* convert + to space */ - char *plus; - for(plus = *part; *plus; ++plus) { + char *plus = *part; + for(i = 0; i < partlen; ++plus, i++) { if(*plus == '+') *plus = ' '; } 
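Review bot: In the percent-encoding branch near the end of the first hunk on this line, `free(u->host); u->host = Curl_dyn_ptr(&enc);` writes the encoded name back into the handle, whereas the replaced code kept it in the local `allochost` and left `u->host` untouched. If I read the surrounding branches right, this turns curl_url_get() into a mutator: a second call sees the `%25` the first one stored, finds a '%' again and produces `%2525`, so the stored host drifts on every get. Keep the result local as the `[`-zoneid branch above does, `allochost = Curl_dyn_ptr(&enc);`, instead of replacing `u->host`. The comment `/* first, count number of percents present in the name */` is also stale now that the loop only records whether one exists; `/* check whether the name contains a percent at all */` matches the code.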
@@ -1443,18 +1600,16 @@ CURLUcode curl_url_get(CURLU *u, CURLUPart what, return CURLUE_URLDECODE; } *part = decoded; + partlen = dlen; } if(urlencode) { - /* worst case output length is 3x the original! */ - char *newp = malloc(strlen(*part) * 3); - if(!newp) + struct dynbuf enc; + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); + if(urlencode_str(&enc, *part, partlen, TRUE, + what == CURLUPART_QUERY)) return CURLUE_OUT_OF_MEMORY; - if(strcpy_url(newp, *part, TRUE)) { /* consider it relative */ - free(*part); - *part = newp; - } - else - free(newp); + free(*part); + *part = Curl_dyn_ptr(&enc); } return CURLUE_OK; @@ -1532,7 +1687,7 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, return CURLUE_BAD_SCHEME; if(!(flags & CURLU_NON_SUPPORT_SCHEME) && /* verify that it is a fine scheme */ - !Curl_builtin_scheme(part)) + !Curl_builtin_scheme(part, CURL_ZERO_TERMINATED)) return CURLUE_UNSUPPORTED_SCHEME; storep = &u->scheme; urlencode = FALSE; /* never */ @@ -1598,7 +1753,9 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, /* if the new thing is absolute or the old one is not * (we could not get an absolute url in 'oldurl'), * then replace the existing with the new. */ - if(Curl_is_absolute_url(part, NULL, 0) + if(Curl_is_absolute_url(part, NULL, 0, + flags & (CURLU_GUESS_SCHEME| + CURLU_DEFAULT_SCHEME)) || curl_url_get(u, CURLUPART_URL, &oldurl, flags)) { return parseurl_and_replace(part, u, flags); } 
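Review bot: In the `if(urlencode)` block at the end of the first hunk on this line, `*part = Curl_dyn_ptr(&enc);` is returned with CURLUE_OK even when nothing was appended, and if Curl_dyn_ptr() hands back the unallocated buffer pointer for an untouched dynbuf that is NULL. An empty part is reachable: the seturl() hunk above stores `u->query = strdup("")` for a bare `?`, so a caller asking for that part with CURLU_URLENCODE would receive a NULL string with a success code where it used to get `""`. Either skip the re-encoding when `partlen` is zero, or check the result; `if(!*part) return CURLUE_OUT_OF_MEMORY;` after the assignment is the smaller change, though returning the original empty string is the more faithful one. Confirm Curl_dyn_ptr()'s behaviour on an empty dynbuf before choosing.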
@@ -1628,14 +1785,16 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, if(urlencode) { const unsigned char *i; - char *o; - char *enc = malloc(nalloc * 3 + 1); /* for worst case! */ - if(!enc) - return CURLUE_OUT_OF_MEMORY; - for(i = (const unsigned char *)part, o = enc; *i; i++) { + struct dynbuf enc; + + Curl_dyn_init(&enc, nalloc * 3 + 1); + + for(i = (const unsigned char *)part; *i; i++) { + CURLcode result; if((*i == ' ') && plusencode) { - *o = '+'; - o++; + result = Curl_dyn_addn(&enc, "+", 1); + if(result) + return CURLUE_OUT_OF_MEMORY; } else if(Curl_isunreserved(*i) || ((*i == '/') && urlskipslash) || @@ -1643,16 +1802,17 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, if((*i == '=') && equalsencode) /* only skip the first equals sign */ equalsencode = FALSE; - *o = *i; - o++; + result = Curl_dyn_addn(&enc, i, 1); + if(result) + return CURLUE_OUT_OF_MEMORY; } else { - msnprintf(o, 4, "%%%02x", *i); - o += 3; + result = Curl_dyn_addf(&enc, "%%%02x", *i); + if(result) + return CURLUE_OUT_OF_MEMORY; } } - *o = 0; /* null-terminate */ - newp = enc; + newp = Curl_dyn_ptr(&enc); } else { char *p; @@ -1664,8 +1824,8 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, /* make sure percent encoded are lower case */ if((*p == '%') && ISXDIGIT(p[1]) && ISXDIGIT(p[2]) && (ISUPPER(p[1]) || ISUPPER(p[2]))) { - p[1] = (char)TOLOWER(p[1]); - p[2] = (char)TOLOWER(p[2]); + p[1] = Curl_raw_tolower(p[1]); + p[2] = Curl_raw_tolower(p[2]); p += 3; } else 
@@ -1674,34 +1834,41 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, } if(appendquery) { - /* Append the string onto the old query. Add a '&' separator if none is - present at the end of the exsting query already */ + /* Append the 'newp' string onto the old query. Add a '&' separator if + none is present at the end of the existing query already */ + size_t querylen = u->query ? strlen(u->query) : 0; bool addamperand = querylen && (u->query[querylen -1] != '&'); if(querylen) { - size_t newplen = strlen(newp); - char *p = malloc(querylen + addamperand + newplen + 1); - if(!p) { - free((char *)newp); - return CURLUE_OUT_OF_MEMORY; + struct dynbuf enc; + Curl_dyn_init(&enc, CURL_MAX_INPUT_LENGTH); + + if(Curl_dyn_addn(&enc, u->query, querylen)) /* add original query */ + goto nomem; + + if(addamperand) { + if(Curl_dyn_addn(&enc, "&", 1)) + goto nomem; } - strcpy(p, u->query); /* original query */ - if(addamperand) - p[querylen] = '&'; /* ampersand */ - strcpy(&p[querylen + addamperand], newp); /* new suffix */ + if(Curl_dyn_add(&enc, newp)) + goto nomem; free((char *)newp); free(*storep); - *storep = p; + *storep = Curl_dyn_ptr(&enc); return CURLUE_OK; + nomem: + free((char *)newp); + return CURLUE_OUT_OF_MEMORY; } } if(what == CURLUPART_HOST) { - if(0 == strlen(newp) && (flags & CURLU_NO_AUTHORITY)) { + size_t n = strlen(newp); + if(!n && (flags & CURLU_NO_AUTHORITY)) { /* Skip hostname check, it's allowed to be empty. */ } else { - if(hostname_check(u, (char *)newp)) { + if(hostname_check(u, (char *)newp, n)) { free((char *)newp); return CURLUE_BAD_HOSTNAME; } diff --git a/vendor/curl/lib/urldata.h b/vendor/curl/lib/urldata.h index 828cc65811..1d430b5e88 100644 --- a/vendor/curl/lib/urldata.h +++ b/vendor/curl/lib/urldata.h 
@@ -53,6 +53,33 @@ #define PORT_GOPHER 70 #define PORT_MQTT 1883 +#ifdef USE_WEBSOCKETS +/* CURLPROTO_GOPHERS (29) is the highest publicly used protocol bit number, + * the rest are internal information. If we use higher bits we only do this on + * platforms that have a >= 64 bit type and then we use such a type for the + * protocol fields in the protocol handler. + */ +#define CURLPROTO_WS (1<<30) +#define CURLPROTO_WSS ((curl_prot_t)1<<31) +#else +#define CURLPROTO_WS 0 +#define CURLPROTO_WSS 0 +#endif + +/* This should be undefined once we need bit 32 or higher */ +#define PROTO_TYPE_SMALL + +#ifndef PROTO_TYPE_SMALL +typedef curl_off_t curl_prot_t; +#else +typedef unsigned int curl_prot_t; +#endif + +/* This mask is for all the old protocols that are provided and defined in the + public header and shall exclude protocols added since which are not exposed + in the API */ +#define CURLPROTO_MASK (0x3ffffff) + #define DICT_MATCH "/MATCH:" #define DICT_MATCH2 "/M:" #define DICT_MATCH3 "/FIND:" @@ -66,7 +93,8 @@ /* Convenience defines for checking protocols or their SSL based version. Each protocol handler should only ever have a single CURLPROTO_ in its protocol field. */ -#define PROTO_FAMILY_HTTP (CURLPROTO_HTTP|CURLPROTO_HTTPS) +#define PROTO_FAMILY_HTTP (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_WS| \ + CURLPROTO_WSS) #define PROTO_FAMILY_FTP (CURLPROTO_FTP|CURLPROTO_FTPS) #define PROTO_FAMILY_POP3 (CURLPROTO_POP3|CURLPROTO_POP3S) #define PROTO_FAMILY_SMB (CURLPROTO_SMB|CURLPROTO_SMBS) @@ -157,10 +185,10 @@ typedef CURLcode (*Curl_datastream)(struct Curl_easy *data, # endif #endif -#ifdef HAVE_LIBSSH2_H +#ifdef USE_LIBSSH2 #include #include -#endif /* HAVE_LIBSSH2_H */ +#endif /* USE_LIBSSH2 */ #define READBUFFER_SIZE CURL_MAX_WRITE_SIZE #define READBUFFER_MAX CURL_MAX_READ_SIZE 
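Review bot: `#define CURLPROTO_MASK (0x3ffffff)` in the first hunk covers bits 0–25 only, yet the comment a few lines above it says CURLPROTO_GOPHERS, bit 29, is the highest publicly used protocol bit; if the mask is meant to select every public protocol, as its own comment says, it has to be `(0x3fffffff)`, otherwise bits 26–29 (SMB, SMBS, MQTT and GOPHERS in the public header, if I recall their numbering) are silently stripped from allowed/redirect protocol sets. Please verify against the public curl.h values and fix either the mask or the comment. Separately, `CURLPROTO_WS (1<<30)` is left as a plain int while `CURLPROTO_WSS` is cast to `curl_prot_t`; `((curl_prot_t)1<<30)` keeps the two consistent and avoids mixing a signed constant into `curl_prot_t` bit operations.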
@@ -507,9 +535,7 @@ struct ConnectBits { connection */ BIT(multiplex); /* connection is multiplexed */ BIT(tcp_fastopen); /* use TCP Fast Open */ - BIT(tls_enable_npn); /* TLS NPN extension? */ BIT(tls_enable_alpn); /* TLS ALPN extension? */ - BIT(connect_only); #ifndef CURL_DISABLE_DOH BIT(doh); #endif @@ -554,7 +580,7 @@ struct Curl_async { struct Curl_dns_entry *dns; struct thread_data *tdata; void *resolver; /* resolver state, if it is used in the URL state - - ares_channel f.e. */ + ares_channel e.g. */ int port; int status; /* if done is TRUE, this is the status from the callback */ BIT(done); /* set TRUE when the lookup is complete */ @@ -575,8 +601,9 @@ enum expect100 { enum upgrade101 { UPGR101_INIT, /* default state */ - UPGR101_REQUESTED, /* upgrade requested */ - UPGR101_RECEIVED, /* response received */ + UPGR101_WS, /* upgrade to WebSockets requested */ + UPGR101_H2, /* upgrade to HTTP/2 requested */ + UPGR101_RECEIVED, /* 101 response received */ UPGR101_WORKING /* talking upgraded protocol */ }; @@ -779,10 +806,10 @@ struct Curl_handler { void (*attach)(struct Curl_easy *data, struct connectdata *conn); int defport; /* Default port. */ - unsigned int protocol; /* See CURLPROTO_* - this needs to be the single - specific protocol bit */ - unsigned int family; /* single bit for protocol family; basically the - non-TLS name of the protocol this is */ + curl_prot_t protocol; /* See CURLPROTO_* - this needs to be the single + specific protocol bit */ + curl_prot_t family; /* single bit for protocol family; basically the + non-TLS name of the protocol this is */ unsigned int flags; /* Extra particular characteristics, see PROTOPT_* */ }; 
@@ -803,7 +830,7 @@ struct Curl_handler { url query strings (?foo=bar) ! */ #define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login credentials per request instead of per connection */ -#define PROTOPT_ALPN_NPN (1<<8) /* set ALPN and/or NPN for this */ +#define PROTOPT_ALPN (1<<8) /* set ALPN for this */ #define PROTOPT_STREAM (1<<9) /* a protocol with individual logical streams */ #define PROTOPT_URLOPTIONS (1<<10) /* allow options part in the userinfo field of the URL */ @@ -1118,11 +1145,12 @@ struct connectdata { unsigned short localport; unsigned short secondary_port; /* secondary socket remote port to connect to (ftp) */ - unsigned char negnpn; /* APLN or NPN TLS negotiated protocol, - a CURL_HTTP_VERSION* value */ + unsigned char alpn; /* APLN TLS negotiated protocol, a CURL_HTTP_VERSION* + value */ unsigned char transport; /* one of the TRNSPRT_* defines */ unsigned char ip_version; /* copied from the Curl_easy at creation time */ unsigned char httpversion; /* the HTTP version*10 reported by the server */ + unsigned char connect_only; }; /* The end of connectdata. */ @@ -1336,7 +1364,7 @@ struct UrlState { This is strdup()ed data. */ char *first_host; int first_remote_port; - unsigned int first_remote_protocol; + curl_prot_t first_remote_protocol; int retrycount; /* number of retries on a new connection */ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ @@ -1767,8 +1795,8 @@ struct UserDefined { #ifdef ENABLE_IPV6 unsigned int scope_id; /* Scope id for IPv6 */ #endif - curl_off_t allowed_protocols; - curl_off_t redir_protocols; + curl_prot_t allowed_protocols; + curl_prot_t redir_protocols; unsigned int mime_options; /* Mime option flags. */ #ifndef CURL_DISABLE_RTSP 
@@ -1817,6 +1845,8 @@ struct UserDefined { BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some recipients */ #endif + unsigned char connect_only; /* make connection/request, then let + application use the socket */ BIT(is_fread_set); /* has read callback been set to non-NULL? */ #ifndef CURL_DISABLE_TFTP BIT(tftp_no_options); /* do not send TFTP options requests */ @@ -1862,7 +1892,6 @@ struct UserDefined { BIT(no_signal); /* do not use any signal/alarm handler */ BIT(tcp_nodelay); /* whether to enable TCP_NODELAY or not */ BIT(ignorecl); /* ignore content length */ - BIT(connect_only); /* make connection, let application use the socket */ BIT(http_te_skip); /* pass the raw body data to the user, even when transfer-encoded (chunked, compressed) */ BIT(http_ce_skip); /* pass the raw body data to the user, even when @@ -1875,7 +1904,6 @@ struct UserDefined { BIT(sasl_ir); /* Enable/disable SASL initial response */ BIT(tcp_keepalive); /* use TCP keepalives */ BIT(tcp_fastopen); /* use TCP Fast Open */ - BIT(ssl_enable_npn); /* TLS NPN extension? */ BIT(ssl_enable_alpn);/* TLS ALPN extension? */ BIT(path_as_is); /* allow dotdots? */ BIT(pipewait); /* wait for multiplex status before starting a new @@ -1895,6 +1923,9 @@ struct UserDefined { BIT(doh_verifystatus); /* DoH certificate status verification */ #endif BIT(http09_allowed); /* allow HTTP/0.9 responses */ +#ifdef USE_WEBSOCKETS + BIT(ws_raw_mode); +#endif }; struct Names { diff --git a/vendor/curl/lib/vauth/digest.c b/vendor/curl/lib/vauth/digest.c index 962aa624a3..f945e8b6c9 100644 --- a/vendor/curl/lib/vauth/digest.c +++ b/vendor/curl/lib/vauth/digest.c 
@@ -382,7 +382,7 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, if(!(qop_values & DIGEST_QOP_VALUE_AUTH)) return CURLE_BAD_CONTENT_ENCODING; - /* Generate 32 random hex chars, 32 bytes + 1 zero termination */ + /* Generate 32 random hex chars, 32 bytes + 1 null-termination */ result = Curl_rand_hex(data, (unsigned char *)cnonce, sizeof(cnonce)); if(result) return result; @@ -521,7 +521,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, char content[DIGEST_MAX_CONTENT_LENGTH]; /* Pass all additional spaces here */ - while(*chlg && ISSPACE(*chlg)) + while(*chlg && ISBLANK(*chlg)) chlg++; /* Extract a value=content pair */ @@ -561,7 +561,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, token = strtok_r(tmp, ",", &tok_buf); while(token) { /* Pass additional spaces here */ - while(*token && ISSPACE(*token)) + while(*token && ISBLANK(*token)) token++; if(strcasecompare(token, DIGEST_QOP_VALUE_STRING_AUTH)) { foundAuth = TRUE; @@ -622,7 +622,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, break; /* We're done here */ /* Pass all additional spaces here */ - while(*chlg && ISSPACE(*chlg)) + while(*chlg && ISBLANK(*chlg)) chlg++; /* Allow the list to be comma-separated */ diff --git a/vendor/curl/lib/vauth/digest_sspi.c b/vendor/curl/lib/vauth/digest_sspi.c index af463848a6..89a9db52c7 100644 --- a/vendor/curl/lib/vauth/digest_sspi.c +++ b/vendor/curl/lib/vauth/digest_sspi.c @@ -259,7 +259,7 @@ CURLcode Curl_override_sspi_http_realm(const char *chlg, char content[DIGEST_MAX_CONTENT_LENGTH]; /* Pass all additional spaces here */ - while(*chlg && ISSPACE(*chlg)) + while(*chlg && ISBLANK(*chlg)) chlg++; /* Extract a value=content pair */ @@ -292,7 +292,7 @@ CURLcode Curl_override_sspi_http_realm(const char *chlg, break; /* We're done here */ /* Pass all additional spaces here */ - while(*chlg && ISSPACE(*chlg)) + while(*chlg && ISBLANK(*chlg)) chlg++; /* Allow the list to be comma-separated */ 
@@ -333,7 +333,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, char value[DIGEST_MAX_VALUE_LENGTH]; char content[DIGEST_MAX_CONTENT_LENGTH]; - while(*p && ISSPACE(*p)) + while(*p && ISBLANK(*p)) p++; if(!Curl_auth_digest_get_pair(p, value, content, &p)) @@ -345,7 +345,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, break; } - while(*p && ISSPACE(*p)) + while(*p && ISBLANK(*p)) p++; if(',' == *p) @@ -431,8 +431,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, has changed then delete that context. */ if((userp && !digest->user) || (!userp && digest->user) || (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || - (userp && digest->user && strcmp(userp, digest->user)) || - (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { + (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || + (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { if(digest->http_context) { s_pSecFn->DeleteSecurityContext(digest->http_context); Curl_safefree(digest->http_context); diff --git a/vendor/curl/lib/vauth/gsasl.c b/vendor/curl/lib/vauth/gsasl.c index 9d137b72ca..a73c644434 100644 --- a/vendor/curl/lib/vauth/gsasl.c +++ b/vendor/curl/lib/vauth/gsasl.c @@ -36,7 +36,8 @@ #include -/* The last #include files should be: */ +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" #include "curl_memory.h" #include "memdebug.h" diff --git a/vendor/curl/lib/vauth/ntlm.c b/vendor/curl/lib/vauth/ntlm.c index edaacbb9ed..c10fa6caaf 100644 --- a/vendor/curl/lib/vauth/ntlm.c +++ b/vendor/curl/lib/vauth/ntlm.c @@ -29,7 +29,7 @@ /* * NTLM details: * - * https://davenport.sourceforge.io/ntlm.html + * https://davenport.sourceforge.net/ntlm.html * https://www.innovation.ch/java/ntlm.html */ 
@@ -600,7 +600,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* A safer but less compatible alternative is: * Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp); - * See https://davenport.sourceforge.io/ntlm.html#ntlmVersion2 */ + * See https://davenport.sourceforge.net/ntlm.html#ntlmVersion2 */ } if(unicode) { @@ -658,7 +658,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* LanManager response */ /* NT response */ - 0, /* zero termination */ + 0, /* null-termination */ 0, 0, 0, /* type-3 long, the 24 upper bits */ SHORTPAIR(0x18), /* LanManager response length, twice */ diff --git a/vendor/curl/lib/vauth/ntlm.h b/vendor/curl/lib/vauth/ntlm.h index 97325d975c..4dfda55453 100644 --- a/vendor/curl/lib/vauth/ntlm.h +++ b/vendor/curl/lib/vauth/ntlm.h @@ -34,7 +34,8 @@ /* Stuff only required for curl_ntlm_msgs.c */ #ifdef BUILDING_CURL_NTLM_MSGS_C -/* Flag bits definitions based on https://davenport.sourceforge.io/ntlm.html */ +/* Flag bits definitions based on + https://davenport.sourceforge.net/ntlm.html */ #define NTLMFLAG_NEGOTIATE_UNICODE (1<<0) /* Indicates that Unicode strings are supported for use in security buffer diff --git a/vendor/curl/lib/vauth/vauth.c b/vendor/curl/lib/vauth/vauth.c index 9d6363df07..58fe05139d 100644 --- a/vendor/curl/lib/vauth/vauth.c +++ b/vendor/curl/lib/vauth/vauth.c @@ -27,6 +27,8 @@ #include #include "vauth.h" +#include "urldata.h" +#include "strcase.h" #include "curl_multibyte.h" #include "curl_printf.h" 
@@ -144,3 +146,18 @@ bool Curl_auth_user_contains_domain(const char *user)
 return valid;
 }
+
+/*
+ * Curl_auth_ollowed_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_auth_allowed_to_host(struct Curl_easy *data)
+{
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+ data->set.allow_auth_to_other_hosts ||
+ (data->state.first_host &&
+ strcasecompare(data->state.first_host, conn->host.name) &&
+ (data->state.first_remote_port == conn->remote_port) &&
+ (data->state.first_remote_protocol == conn->handler->protocol)));
+}
diff --git a/vendor/curl/lib/vauth/vauth.h b/vendor/curl/lib/vauth/vauth.h
index 1c4b5b5dc6..af27f01dfb 100644
--- a/vendor/curl/lib/vauth/vauth.h
+++ b/vendor/curl/lib/vauth/vauth.h
@@ -54,6 +54,12 @@ struct gsasldata;
 #define GSS_ERROR(status) ((status) & 0x80000000)
 #endif
+/*
+ * Curl_auth_allowed_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_auth_allowed_to_host(struct Curl_easy *data);
+
 /* This is used to build a SPN string */
 #if !defined(USE_WINDOWS_SSPI)
 char *Curl_auth_build_spn(const char *service, const char *host,
@@ -224,7 +230,7 @@ CURLcode Curl_auth_create_spnego_message(struct negotiatedata *nego,
 char **outptr, size_t *outlen);
-/* This is used to clean up the SPNEGO specifiec data */
+/* This is used to clean up the SPNEGO specific data */
 void Curl_auth_cleanup_spnego(struct negotiatedata *nego);
 #endif /* USE_SPNEGO */
diff --git a/vendor/curl/lib/version.c b/vendor/curl/lib/version.c
index 4672182d50..f71f49e09a 100644
--- a/vendor/curl/lib/version.c
+++ b/vendor/curl/lib/version.c
@@ -53,7 +53,7 @@
 #include
 #endif
-#ifdef HAVE_ZLIB_H
+#ifdef HAVE_LIBZ
 #include
 #endif
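Review bot: The header comment on the new Curl_auth_allowed_to_host() misspells the function name (`Curl_auth_ollowed_to_host`), while the copy added to vauth.h in the next hunk spells it correctly; make the .c comment read `* Curl_auth_allowed_to_host() tells if authentication, cookies or other`. The function also dereferences `data->conn` unconditionally; that is fine if every caller runs with a connection attached, but since this is now the single gate for sending credentials to a redirected host the precondition is worth stating in the comment, e.g. `Requires data->conn to be set.`, or guarding. Note the check compares `first_remote_protocol` with `conn->handler->protocol`, so it relies on each handler carrying exactly one protocol bit, as the urldata.h comment on `protocol` demands.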
@@ -338,6 +338,11 @@ static const char * const protocols[] = { #endif #ifdef USE_LIBRTMP "rtmp", + "rtmpe", + "rtmps", + "rtmpt", + "rtmpte", + "rtmpts", #endif #ifndef CURL_DISABLE_RTSP "rtsp", @@ -367,6 +372,12 @@ static const char * const protocols[] = { #ifndef CURL_DISABLE_TFTP "tftp", #endif +#ifdef USE_WEBSOCKETS + "ws", +#endif +#if defined(USE_SSL) && defined(USE_WEBSOCKETS) + "wss", +#endif NULL }; diff --git a/vendor/curl/lib/vquic/msh3.c b/vendor/curl/lib/vquic/msh3.c index e309be9dfa..c3e58e726a 100644 --- a/vendor/curl/lib/vquic/msh3.c +++ b/vendor/curl/lib/vquic/msh3.c @@ -114,7 +114,7 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, socklen_t addrlen) { struct quicsocket *qs = &conn->hequic[sockindex]; - bool unsecure = !conn->ssl_config.verifypeer; + bool insecure = !conn->ssl_config.verifypeer; memset(qs, 0, sizeof(*qs)); (void)sockfd; @@ -132,7 +132,7 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, qs->conn = MsH3ConnectionOpen(qs->api, conn->host.name, (uint16_t)conn->remote_port, - unsecure); + insecure); if(!qs->conn) { failf(data, "can't create msh3 connection"); if(qs->api) { @@ -381,9 +381,6 @@ static void MSH3_CALL msh3_shutdown(MSH3_REQUEST *Request, void *IfContext) (void)stream; } -static_assert(sizeof(MSH3_HEADER) == sizeof(struct h2h3pseudo), - "Sizes must match for cast below to work"); - static ssize_t msh3_stream_send(struct Curl_easy *data, int sockindex, const void *mem, @@ -396,6 +393,9 @@ static ssize_t msh3_stream_send(struct Curl_easy *data, struct h2h3req *hreq; (void)sockindex; + /* Sizes must match for cast below to work" */ + DEBUGASSERT(sizeof(MSH3_HEADER) == sizeof(struct h2h3pseudo)); + H3BUGF(infof(data, "msh3_stream_send %zu", len)); if(!stream->req) { diff --git a/vendor/curl/lib/vquic/ngtcp2.c b/vendor/curl/lib/vquic/ngtcp2.c index 9e7f99e872..097cca44b0 100644 --- a/vendor/curl/lib/vquic/ngtcp2.c +++ b/vendor/curl/lib/vquic/ngtcp2.c 
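Review bot: The new comment `/* Sizes must match for cast below to work" */` in the last msh3.c hunk carries a stray double quote left over from the static_assert message; it should read `/* Sizes must match for cast below to work */`. Replacing the compile-time `static_assert` with `DEBUGASSERT` also downgrades the check: release builds no longer verify that `MSH3_HEADER` and `struct h2h3pseudo` have the same size before the cast, so a future header change could silently misread fields. If `static_assert` is unavailable on some toolchain, a C11 `_Static_assert` behind a feature check, or curl's own compile-time assertion idiom where one exists, keeps the guarantee at no runtime cost.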
@@ -760,6 +760,7 @@ static ngtcp2_callbacks ng_callbacks = { NULL, /* version_negotiation */ cb_recv_rx_key, NULL, /* recv_tx_key */ + NULL, /* early_data_rejected */ }; /* @@ -1703,6 +1704,11 @@ static CURLcode ng_has_connected(struct Curl_easy *data, } else infof(data, "Skipped certificate verification"); +#ifdef USE_OPENSSL + if(data->set.ssl.certinfo) + /* asked to gather certificate info */ + (void)Curl_ossl_certchain(data, conn->quic->ssl); +#endif return result; } @@ -1828,15 +1834,17 @@ static CURLcode do_sendmsg(size_t *psent, struct Curl_easy *data, int sockfd, size_t pktlen, size_t gsolen) { #ifdef HAVE_SENDMSG - struct iovec msg_iov = {(void *)pkt, pktlen}; + struct iovec msg_iov; struct msghdr msg = {0}; - uint8_t msg_ctrl[32]; ssize_t sent; #if defined(__linux__) && defined(UDP_SEGMENT) + uint8_t msg_ctrl[32]; struct cmsghdr *cm; #endif *psent = 0; + msg_iov.iov_base = (uint8_t *)pkt; + msg_iov.iov_len = pktlen; msg.msg_iov = &msg_iov; msg.msg_iovlen = 1; @@ -1981,9 +1989,9 @@ static CURLcode ng_flush_egress(struct Curl_easy *data, ngtcp2_ssize outlen; uint8_t *outpos = qs->pktbuf; size_t max_udp_payload_size = - ngtcp2_conn_get_max_udp_payload_size(qs->qconn); + ngtcp2_conn_get_max_tx_udp_payload_size(qs->qconn); size_t path_max_udp_payload_size = - ngtcp2_conn_get_path_max_udp_payload_size(qs->qconn); + ngtcp2_conn_get_path_max_tx_udp_payload_size(qs->qconn); size_t max_pktcnt = CURLMIN(MAX_PKT_BURST, qs->pktbuflen / max_udp_payload_size); size_t pktcnt = 0; diff --git a/vendor/curl/lib/vquic/quiche.c b/vendor/curl/lib/vquic/quiche.c index 9ebfdf7a81..a52a7e8e21 100644 --- a/vendor/curl/lib/vquic/quiche.c +++ b/vendor/curl/lib/vquic/quiche.c @@ -416,6 +416,10 @@ static CURLcode quiche_has_connected(struct Curl_easy *data, qs->cfg = NULL; qs->conn = NULL; } + if(data->set.ssl.certinfo) + /* asked to gather certificate info */ + (void)Curl_ossl_certchain(data, qs->ssl); + return CURLE_OK; fail: quiche_h3_config_free(qs->h3config); 
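Review bot: In ng_has_connected (hunk at line 1704) and likewise in quiche_has_connected (quiche.c hunk at line 416) the CURLcode from Curl_ossl_certchain() is discarded with a `(void)` cast, so an out-of-memory failure while building the certinfo list is silently dropped and the transfer proceeds with partial or no certificate information that the caller explicitly asked for. In ng_has_connected the function already ends with `return result;`, so `result = Curl_ossl_certchain(data, conn->quic->ssl);` would propagate it; in quiche_has_connected a non-OK value could presumably take the existing `fail:` path visible at the end of that hunk. Separately, the comment placed between the unbraced `if` and its statement is easy to misread; bracing the body would help. ng_has_connected's start lies outside the hunk.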
diff --git a/vendor/curl/lib/vssh/libssh.c b/vendor/curl/lib/vssh/libssh.c index a078c464dd..0105e4079c 100644 --- a/vendor/curl/lib/vssh/libssh.c +++ b/vendor/curl/lib/vssh/libssh.c @@ -963,10 +963,9 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) rc = sftp_init(sshc->sftp_session); if(rc != SSH_OK) { - rc = sftp_get_error(sshc->sftp_session); failf(data, "Failure initializing sftp session: %s", ssh_get_error(sshc->ssh_session)); - MOVE_TO_ERROR_STATE(sftp_error_to_CURLE(rc)); + MOVE_TO_ERROR_STATE(sftp_error_to_CURLE(SSH_FX_FAILURE)); break; } state(data, SSH_SFTP_REALPATH); @@ -1667,7 +1666,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) if(from_t == CURL_OFFT_FLOW) { return CURLE_RANGE_ERROR; } - while(*ptr && (ISSPACE(*ptr) || (*ptr == '-'))) + while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); if(to_t == CURL_OFFT_FLOW) { diff --git a/vendor/curl/lib/vssh/libssh2.c b/vendor/curl/lib/vssh/libssh2.c index 02030c1ea3..5a2c0f8bbf 100644 --- a/vendor/curl/lib/vssh/libssh2.c +++ b/vendor/curl/lib/vssh/libssh2.c @@ -2506,7 +2506,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from); if(from_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; - while(*ptr && (ISSPACE(*ptr) || (*ptr == '-'))) + while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); if(to_t == CURL_OFFT_FLOW) diff --git a/vendor/curl/lib/vssh/ssh.h b/vendor/curl/lib/vssh/ssh.h index 7e1d8159cb..13bb8aa2d6 100644 --- a/vendor/curl/lib/vssh/ssh.h +++ b/vendor/curl/lib/vssh/ssh.h @@ -26,10 +26,10 @@ #include "curl_setup.h" -#if defined(HAVE_LIBSSH2_H) +#if defined(USE_LIBSSH2) #include #include -#elif defined(HAVE_LIBSSH_LIBSSH_H) +#elif defined(USE_LIBSSH) #include #include #elif defined(USE_WOLFSSH) 
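Review bot: After a failed sftp_init() the state machine now maps the error to the fixed SSH_FX_FAILURE instead of the value from sftp_get_error(), and nothing in the hunk records why the session's error code is no longer consulted; a one-line comment would keep the next maintainer from restoring the old lookup, e.g. `/* do not query sftp_get_error() here: the code is not meaningful before sftp_init() succeeded (reason to be confirmed); the libssh error text is still logged above */`. Diagnosability is preserved because failf() still reports ssh_get_error(), so the generic mapping is acceptable. myssh_statemach_act's body extends beyond the hunk on both sides.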
diff --git a/vendor/curl/lib/vtls/bearssl.c b/vendor/curl/lib/vtls/bearssl.c index f14eb66a20..1221ce8c84 100644 --- a/vendor/curl/lib/vtls/bearssl.c +++ b/vendor/curl/lib/vtls/bearssl.c @@ -76,9 +76,9 @@ struct cafile_parser { #define CAFILE_SOURCE_PATH 1 #define CAFILE_SOURCE_BLOB 2 struct cafile_source { - const int type; - const char * const data; - const size_t len; + int type; + const char *data; + size_t len; }; static void append_dn(void *ctx, const void *buf, size_t len) @@ -618,11 +618,11 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, } if(ca_info_blob) { - struct cafile_source source = { - CAFILE_SOURCE_BLOB, - ca_info_blob->data, - ca_info_blob->len, - }; + struct cafile_source source; + source.type = CAFILE_SOURCE_BLOB; + source.data = ca_info_blob->data; + source.len = ca_info_blob->len; + ret = load_cafile(&source, &backend->anchors, &backend->anchors_len); if(ret != CURLE_OK) { if(verifypeer) { @@ -635,11 +635,11 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, } if(ssl_cafile) { - struct cafile_source source = { - CAFILE_SOURCE_PATH, - ssl_cafile, - 0, - }; + struct cafile_source source; + source.type = CAFILE_SOURCE_PATH; + source.data = ssl_cafile; + source.len = 0; + ret = load_cafile(&source, &backend->anchors, &backend->anchors_len); if(ret != CURLE_OK) { if(verifypeer) { @@ -875,14 +875,14 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, #ifdef USE_HTTP2 if(!strcmp(protocol, ALPN_H2)) - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; else #endif if(!strcmp(protocol, ALPN_HTTP_1_1)) - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; else infof(data, "ALPN, unrecognized protocol %s", protocol); - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else 
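Review bot: The first hunk drops the `const` qualifiers from struct cafile_source and the two later hunks replace the brace initializers with three separate assignments, but the commit does not say what the const members broke; if a compiler rejected positional initialization of const members, a designated initializer such as `struct cafile_source source = { .type = CAFILE_SOURCE_BLOB, .data = ca_info_blob->data, .len = ca_info_blob->len };` keeps the single-expression initialization and cannot leave a field indeterminate when the struct grows. With plain assignments any member added to cafile_source later is uninitialized at both call sites in bearssl_connect_step1. A short comment on the struct noting that `data` is borrowed from the caller (the blob or the cafile path), not owned, would also document the lifetime the assignments rely on; bearssl_connect_step1 extends outside the hunks.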
diff --git a/vendor/curl/lib/vtls/gtls.c b/vendor/curl/lib/vtls/gtls.c index e2d41f4102..cf3dbc5238 100644 --- a/vendor/curl/lib/vtls/gtls.c +++ b/vendor/curl/lib/vtls/gtls.c @@ -45,6 +45,7 @@ #include "inet_pton.h" #include "gtls.h" #include "vtls.h" +#include "vauth/vauth.h" #include "parsedate.h" #include "connect.h" /* for the connect timeout */ #include "select.h" @@ -448,7 +449,7 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { + Curl_auth_allowed_to_host(data)) { infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(primary.username)); @@ -1274,19 +1275,19 @@ Curl_gtls_verifyserver(struct Curl_easy *data, if(proto.size == ALPN_H2_LENGTH && !memcmp(ALPN_H2, proto.data, ALPN_H2_LENGTH)) { - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(proto.size == ALPN_HTTP_1_1_LENGTH && !memcmp(ALPN_HTTP_1_1, proto.data, ALPN_HTTP_1_1_LENGTH)) { - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; } } else infof(data, VTLS_INFOF_NO_ALPN); - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } diff --git a/vendor/curl/lib/vtls/keylog.c b/vendor/curl/lib/vtls/keylog.c index 7471217921..1952a690ca 100644 --- a/vendor/curl/lib/vtls/keylog.c +++ b/vendor/curl/lib/vtls/keylog.c @@ -24,6 +24,7 @@ #include "curl_setup.h" #include "keylog.h" +#include /* The last #include files should be: */ #include "curl_memory.h" diff --git a/vendor/curl/lib/vtls/mbedtls.c b/vendor/curl/lib/vtls/mbedtls.c index ad9bd10f8a..fbde8976eb 100644 --- a/vendor/curl/lib/vtls/mbedtls.c +++ b/vendor/curl/lib/vtls/mbedtls.c 
@@ -821,19 +821,19 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) && !next_protocol[ALPN_H2_LENGTH]) { - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH) && !next_protocol[ALPN_HTTP_1_1_LENGTH]) { - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; } } else { infof(data, VTLS_INFOF_NO_ALPN); } - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif diff --git a/vendor/curl/lib/vtls/nss.c b/vendor/curl/lib/vtls/nss.c index 9d3a8584c9..12cf618f56 100644 --- a/vendor/curl/lib/vtls/nss.c +++ b/vendor/curl/lib/vtls/nss.c @@ -336,7 +336,7 @@ static SECStatus set_ciphers(struct Curl_easy *data, PRFileDesc *model, char name[MAX_CIPHER_LENGTH + 1]; size_t len; bool found = FALSE; - while((*cipher) && (ISSPACE(*cipher))) + while((*cipher) && (ISBLANK(*cipher))) ++cipher; end = strpbrk(cipher, ":, "); @@ -850,7 +850,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) unsigned int buflen; SSLNextProtoState state; - if(!conn->bits.tls_enable_npn && !conn->bits.tls_enable_alpn) { + if(!conn->bits.tls_enable_alpn) { return; } 
@@ -871,21 +871,21 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, buflen, buf); break; #endif - case SSL_NEXT_PROTO_NEGOTIATED: - infof(data, "NPN, server accepted to use %.*s", buflen, buf); + default: + /* ignore SSL_NEXT_PROTO_NEGOTIATED */ break; } #ifdef USE_HTTP2 if(buflen == ALPN_H2_LENGTH && !memcmp(ALPN_H2, buf, ALPN_H2_LENGTH)) { - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(buflen == ALPN_HTTP_1_1_LENGTH && !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) { - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; } /* This callback might get called when PR_Recv() is used within @@ -893,7 +893,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) * be any "bundle" associated with the connection anymore. */ if(conn->bundle) - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } @@ -936,8 +936,8 @@ static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data, if(cipherInfo.symCipher != ssl_calg_aes_gcm) goto end; - /* Enforce ALPN or NPN to do False Start, as an indicator of server - * compatibility. */ + /* Enforce ALPN to do False Start, as an indicator of server + compatibility. */ rv = SSL_HandshakeNegotiatedExtension(sock, ssl_app_layer_protocol_xtn, &negotiatedExtension); if(rv != SECSuccess || !negotiatedExtension) { @@ -2136,12 +2136,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } #endif -#ifdef SSL_ENABLE_NPN - if(SSL_OptionSet(backend->handle, SSL_ENABLE_NPN, conn->bits.tls_enable_npn - ? PR_TRUE : PR_FALSE) != SECSuccess) - goto error; -#endif - #ifdef SSL_ENABLE_ALPN if(SSL_OptionSet(backend->handle, SSL_ENABLE_ALPN, conn->bits.tls_enable_alpn ? PR_TRUE : PR_FALSE) != SECSuccess) 
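Review bot: The new `default:` arm in HandshakeCallback only suppresses the old NPN log line; control still proceeds to the comparisons after the switch, so if NSS reports SSL_NEXT_PROTO_NEGOTIATED the buffer is still matched against ALPN_H2/ALPN_HTTP_1_1 and conn->alpn is set from an NPN selection. If the comment `/* ignore SSL_NEXT_PROTO_NEGOTIATED */` means that state is to be ignored, the arm should `return;` rather than `break;`. Whether the state can still occur now depends on NSS's default for SSL_ENABLE_NPN, since the explicit SSL_OptionSet() call is removed in the hunk at line 2136; a comment at that removal stating the expected default would make the assumption checkable. HandshakeCallback starts outside the hunk.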
@@ -2160,15 +2154,15 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } #endif -#if defined(SSL_ENABLE_NPN) || defined(SSL_ENABLE_ALPN) - if(conn->bits.tls_enable_npn || conn->bits.tls_enable_alpn) { +#if defined(SSL_ENABLE_ALPN) + if(conn->bits.tls_enable_alpn) { int cur = 0; unsigned char protocols[128]; #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) #endif ) { protocols[cur++] = ALPN_H2_LENGTH; diff --git a/vendor/curl/lib/vtls/openssl.c b/vendor/curl/lib/vtls/openssl.c index 3a594fec86..ad2efa5586 100644 --- a/vendor/curl/lib/vtls/openssl.c +++ b/vendor/curl/lib/vtls/openssl.c @@ -29,7 +29,7 @@ #include "curl_setup.h" -#ifdef USE_OPENSSL +#if defined(USE_QUICHE) || defined(USE_OPENSSL) #include @@ -55,6 +55,7 @@ #include "slist.h" #include "select.h" #include "vtls.h" +#include "vauth/vauth.h" #include "keylog.h" #include "strcase.h" #include "hostcheck.h" 
@@ -271,195 +272,533 @@ struct ssl_backend_data { #endif }; -static bool ossl_associate_connection(struct Curl_easy *data, - struct connectdata *conn, - int sockindex); - -/* - * Number of bytes to read from the random number seed file. This must be - * a finite value (because some entropy "files" like /dev/urandom have - * an infinite length), but must be large enough to provide enough - * entropy to properly seed OpenSSL's PRNG. - */ -#define RAND_LOAD_LENGTH 1024 +#define push_certinfo(_label, _num) \ +do { \ + long info_len = BIO_get_mem_data(mem, &ptr); \ + Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \ + if(1 != BIO_reset(mem)) \ + break; \ +} while(0) -#ifdef HAVE_KEYLOG_CALLBACK -static void ossl_keylog_callback(const SSL *ssl, const char *line) +static void pubkey_show(struct Curl_easy *data, + BIO *mem, + int num, + const char *type, + const char *name, + const BIGNUM *bn) { - (void)ssl; + char *ptr; + char namebuf[32]; - Curl_tls_keylog_write_line(line); + msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name); + + if(bn) + BN_print(mem, bn); + push_certinfo(namebuf, num); } -#else -/* - * ossl_log_tls12_secret is called by libcurl to make the CLIENT_RANDOMs if the - * OpenSSL being used doesn't have native support for doing that. - */ -static void -ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done) -{ - const SSL_SESSION *session = SSL_get_session(ssl); - unsigned char client_random[SSL3_RANDOM_SIZE]; - unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; - int master_key_length = 0; - if(!session || *keylog_done) - return; +#ifdef HAVE_OPAQUE_RSA_DSA_DH +#define print_pubkey_BN(_type, _name, _num) \ + pubkey_show(data, mem, _num, #_type, #_name, _name) -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - !(defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) - /* ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that - * we have a valid SSL context if we have a non-NULL session. 
*/ - SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE); - master_key_length = (int) - SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH); #else - if(ssl->s3 && session->master_key_length > 0) { - master_key_length = session->master_key_length; - memcpy(master_key, session->master_key, session->master_key_length); - memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE); - } +#define print_pubkey_BN(_type, _name, _num) \ +do { \ + if(_type->_name) { \ + pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \ + } \ +} while(0) #endif - /* The handshake has not progressed sufficiently yet, or this is a TLS 1.3 - * session (when curl was built with older OpenSSL headers and running with - * newer OpenSSL runtime libraries). */ - if(master_key_length <= 0) - return; +static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len) +{ + int i, ilen; - *keylog_done = true; - Curl_tls_keylog_write("CLIENT_RANDOM", client_random, - master_key, master_key_length); + ilen = (int)len; + if(ilen < 0) + return 1; /* buffer too big */ + + i = i2t_ASN1_OBJECT(buf, ilen, a); + + if(i >= ilen) + return 1; /* buffer too small */ + + return 0; } -#endif /* !HAVE_KEYLOG_CALLBACK */ -static const char *SSL_ERROR_to_str(int err) +static void X509V3_ext(struct Curl_easy *data, + int certnum, + CONST_EXTS STACK_OF(X509_EXTENSION) *exts) { - switch(err) { - case SSL_ERROR_NONE: - return "SSL_ERROR_NONE"; - case SSL_ERROR_SSL: - return "SSL_ERROR_SSL"; - case SSL_ERROR_WANT_READ: - return "SSL_ERROR_WANT_READ"; - case SSL_ERROR_WANT_WRITE: - return "SSL_ERROR_WANT_WRITE"; - case SSL_ERROR_WANT_X509_LOOKUP: - return "SSL_ERROR_WANT_X509_LOOKUP"; - case SSL_ERROR_SYSCALL: - return "SSL_ERROR_SYSCALL"; - case SSL_ERROR_ZERO_RETURN: - return "SSL_ERROR_ZERO_RETURN"; - case SSL_ERROR_WANT_CONNECT: - return "SSL_ERROR_WANT_CONNECT"; - case SSL_ERROR_WANT_ACCEPT: - return "SSL_ERROR_WANT_ACCEPT"; -#if defined(SSL_ERROR_WANT_ASYNC) - case 
SSL_ERROR_WANT_ASYNC: - return "SSL_ERROR_WANT_ASYNC"; -#endif -#if defined(SSL_ERROR_WANT_ASYNC_JOB) - case SSL_ERROR_WANT_ASYNC_JOB: - return "SSL_ERROR_WANT_ASYNC_JOB"; -#endif -#if defined(SSL_ERROR_WANT_EARLY) - case SSL_ERROR_WANT_EARLY: - return "SSL_ERROR_WANT_EARLY"; -#endif - default: - return "SSL_ERROR unknown"; + int i; + + if((int)sk_X509_EXTENSION_num(exts) <= 0) + /* no extensions, bail out */ + return; + + for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) { + ASN1_OBJECT *obj; + X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); + BUF_MEM *biomem; + char namebuf[128]; + BIO *bio_out = BIO_new(BIO_s_mem()); + + if(!bio_out) + return; + + obj = X509_EXTENSION_get_object(ext); + + asn1_object_dump(obj, namebuf, sizeof(namebuf)); + + if(!X509V3_EXT_print(bio_out, ext, 0, 0)) + ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext)); + + BIO_get_mem_ptr(bio_out, &biomem); + Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data, + biomem->length); + BIO_free(bio_out); } } -/* Return error string for last OpenSSL error - */ -static char *ossl_strerror(unsigned long error, char *buf, size_t size) -{ - if(size) - *buf = '\0'; - #ifdef OPENSSL_IS_BORINGSSL - ERR_error_string_n((uint32_t)error, buf, size); +typedef size_t numcert_t; #else - ERR_error_string_n(error, buf, size); +typedef int numcert_t; #endif - if(size > 1 && !*buf) { - strncpy(buf, (error ? "Unknown error" : "No error"), size); - buf[size - 1] = '\0'; - } +CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl) +{ + CURLcode result; + STACK_OF(X509) *sk; + int i; + numcert_t numcerts; + BIO *mem; - return buf; -} + DEBUGASSERT(ssl); -/* Return an extra data index for the transfer data. - * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
- */ -static int ossl_get_ssl_data_index(void) -{ - static int ssl_ex_data_data_index = -1; - if(ssl_ex_data_data_index < 0) { - ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + sk = SSL_get_peer_cert_chain(ssl); + if(!sk) { + return CURLE_OUT_OF_MEMORY; } - return ssl_ex_data_data_index; -} -/* Return an extra data index for the connection data. - * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). - */ -static int ossl_get_ssl_conn_index(void) -{ - static int ssl_ex_data_conn_index = -1; - if(ssl_ex_data_conn_index < 0) { - ssl_ex_data_conn_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); - } - return ssl_ex_data_conn_index; -} + numcerts = sk_X509_num(sk); -/* Return an extra data index for the sockindex. - * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). - */ -static int ossl_get_ssl_sockindex_index(void) -{ - static int sockindex_index = -1; - if(sockindex_index < 0) { - sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + result = Curl_ssl_init_certinfo(data, (int)numcerts); + if(result) { + return result; } - return sockindex_index; -} -/* Return an extra data index for proxy boolean. - * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
- */ -static int ossl_get_proxy_index(void) -{ - static int proxy_index = -1; - if(proxy_index < 0) { - proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + mem = BIO_new(BIO_s_mem()); + if(!mem) { + return CURLE_OUT_OF_MEMORY; } - return proxy_index; -} -static int passwd_callback(char *buf, int num, int encrypting, - void *global_passwd) -{ - DEBUGASSERT(0 == encrypting); + for(i = 0; i < (int)numcerts; i++) { + ASN1_INTEGER *num; + X509 *x = sk_X509_value(sk, i); + EVP_PKEY *pubkey = NULL; + int j; + char *ptr; + const ASN1_BIT_STRING *psig = NULL; - if(!encrypting) { - int klen = curlx_uztosi(strlen((char *)global_passwd)); - if(num > klen) { - memcpy(buf, global_passwd, klen + 1); - return klen; - } - } - return 0; -} + X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE); + push_certinfo("Subject", i); -/* - * rand_enough() returns TRUE if we have seeded the random engine properly. - */ -static bool rand_enough(void) + X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE); + push_certinfo("Issuer", i); + + BIO_printf(mem, "%lx", X509_get_version(x)); + push_certinfo("Version", i); + + num = X509_get_serialNumber(x); + if(num->type == V_ASN1_NEG_INTEGER) + BIO_puts(mem, "-"); + for(j = 0; j < num->length; j++) + BIO_printf(mem, "%02x", num->data[j]); + push_certinfo("Serial Number", i); + +#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS) + { + const X509_ALGOR *sigalg = NULL; + X509_PUBKEY *xpubkey = NULL; + ASN1_OBJECT *pubkeyoid = NULL; + + X509_get0_signature(&psig, &sigalg, x); + if(sigalg) { + i2a_ASN1_OBJECT(mem, sigalg->algorithm); + push_certinfo("Signature Algorithm", i); + } + + xpubkey = X509_get_X509_PUBKEY(x); + if(xpubkey) { + X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey); + if(pubkeyoid) { + i2a_ASN1_OBJECT(mem, pubkeyoid); + push_certinfo("Public Key Algorithm", i); + } + } + + X509V3_ext(data, i, X509_get0_extensions(x)); + } +#else + { + /* before OpenSSL 
1.0.2 */ + X509_CINF *cinf = x->cert_info; + + i2a_ASN1_OBJECT(mem, cinf->signature->algorithm); + push_certinfo("Signature Algorithm", i); + + i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm); + push_certinfo("Public Key Algorithm", i); + + X509V3_ext(data, i, cinf->extensions); + + psig = x->signature; + } +#endif + + ASN1_TIME_print(mem, X509_get0_notBefore(x)); + push_certinfo("Start date", i); + + ASN1_TIME_print(mem, X509_get0_notAfter(x)); + push_certinfo("Expire date", i); + + pubkey = X509_get_pubkey(x); + if(!pubkey) + infof(data, " Unable to load public key"); + else { + int pktype; +#ifdef HAVE_OPAQUE_EVP_PKEY + pktype = EVP_PKEY_id(pubkey); +#else + pktype = pubkey->type; +#endif + switch(pktype) { + case EVP_PKEY_RSA: + { +#ifndef HAVE_EVP_PKEY_GET_PARAMS + RSA *rsa; +#ifdef HAVE_OPAQUE_EVP_PKEY + rsa = EVP_PKEY_get0_RSA(pubkey); +#else + rsa = pubkey->pkey.rsa; +#endif /* HAVE_OPAQUE_EVP_PKEY */ +#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ + + { +#ifdef HAVE_OPAQUE_RSA_DSA_DH + DECLARE_PKEY_PARAM_BIGNUM(n); + DECLARE_PKEY_PARAM_BIGNUM(e); +#ifdef HAVE_EVP_PKEY_GET_PARAMS + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e); +#else + RSA_get0_key(rsa, &n, &e, NULL); +#endif /* HAVE_EVP_PKEY_GET_PARAMS */ + BIO_printf(mem, "%d", BN_num_bits(n)); +#else + BIO_printf(mem, "%d", BN_num_bits(rsa->n)); +#endif /* HAVE_OPAQUE_RSA_DSA_DH */ + push_certinfo("RSA Public Key", i); + print_pubkey_BN(rsa, n, i); + print_pubkey_BN(rsa, e, i); + FREE_PKEY_PARAM_BIGNUM(n); + FREE_PKEY_PARAM_BIGNUM(e); + } + + break; + } + case EVP_PKEY_DSA: + { +#ifndef OPENSSL_NO_DSA +#ifndef HAVE_EVP_PKEY_GET_PARAMS + DSA *dsa; +#ifdef HAVE_OPAQUE_EVP_PKEY + dsa = EVP_PKEY_get0_DSA(pubkey); +#else + dsa = pubkey->pkey.dsa; +#endif /* HAVE_OPAQUE_EVP_PKEY */ +#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ + { +#ifdef HAVE_OPAQUE_RSA_DSA_DH + DECLARE_PKEY_PARAM_BIGNUM(p); + DECLARE_PKEY_PARAM_BIGNUM(q); + 
DECLARE_PKEY_PARAM_BIGNUM(g); + DECLARE_PKEY_PARAM_BIGNUM(pub_key); +#ifdef HAVE_EVP_PKEY_GET_PARAMS + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); +#else + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, NULL); +#endif /* HAVE_EVP_PKEY_GET_PARAMS */ +#endif /* HAVE_OPAQUE_RSA_DSA_DH */ + print_pubkey_BN(dsa, p, i); + print_pubkey_BN(dsa, q, i); + print_pubkey_BN(dsa, g, i); + print_pubkey_BN(dsa, pub_key, i); + FREE_PKEY_PARAM_BIGNUM(p); + FREE_PKEY_PARAM_BIGNUM(q); + FREE_PKEY_PARAM_BIGNUM(g); + FREE_PKEY_PARAM_BIGNUM(pub_key); + } +#endif /* !OPENSSL_NO_DSA */ + break; + } + case EVP_PKEY_DH: + { +#ifndef HAVE_EVP_PKEY_GET_PARAMS + DH *dh; +#ifdef HAVE_OPAQUE_EVP_PKEY + dh = EVP_PKEY_get0_DH(pubkey); +#else + dh = pubkey->pkey.dh; +#endif /* HAVE_OPAQUE_EVP_PKEY */ +#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ + { +#ifdef HAVE_OPAQUE_RSA_DSA_DH + DECLARE_PKEY_PARAM_BIGNUM(p); + DECLARE_PKEY_PARAM_BIGNUM(q); + DECLARE_PKEY_PARAM_BIGNUM(g); + DECLARE_PKEY_PARAM_BIGNUM(pub_key); +#ifdef HAVE_EVP_PKEY_GET_PARAMS + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g); + EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); +#else + DH_get0_pqg(dh, &p, &q, &g); + DH_get0_key(dh, &pub_key, NULL); +#endif /* HAVE_EVP_PKEY_GET_PARAMS */ + print_pubkey_BN(dh, p, i); + print_pubkey_BN(dh, q, i); + print_pubkey_BN(dh, g, i); +#else + print_pubkey_BN(dh, p, i); + print_pubkey_BN(dh, g, i); +#endif /* HAVE_OPAQUE_RSA_DSA_DH */ + print_pubkey_BN(dh, pub_key, i); + FREE_PKEY_PARAM_BIGNUM(p); + FREE_PKEY_PARAM_BIGNUM(q); + FREE_PKEY_PARAM_BIGNUM(g); + FREE_PKEY_PARAM_BIGNUM(pub_key); + } + break; + } + } + EVP_PKEY_free(pubkey); + } + + 
if(psig) { + for(j = 0; j < psig->length; j++) + BIO_printf(mem, "%02x:", psig->data[j]); + push_certinfo("Signature", i); + } + + PEM_write_bio_X509(mem, x); + push_certinfo("Cert", i); + } + + BIO_free(mem); + + return CURLE_OK; +} + +#endif /* quiche or OpenSSL */ + +#ifdef USE_OPENSSL + +static bool ossl_associate_connection(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + +/* + * Number of bytes to read from the random number seed file. This must be + * a finite value (because some entropy "files" like /dev/urandom have + * an infinite length), but must be large enough to provide enough + * entropy to properly seed OpenSSL's PRNG. + */ +#define RAND_LOAD_LENGTH 1024 + +#ifdef HAVE_KEYLOG_CALLBACK +static void ossl_keylog_callback(const SSL *ssl, const char *line) +{ + (void)ssl; + + Curl_tls_keylog_write_line(line); +} +#else +/* + * ossl_log_tls12_secret is called by libcurl to make the CLIENT_RANDOMs if the + * OpenSSL being used doesn't have native support for doing that. + */ +static void +ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done) +{ + const SSL_SESSION *session = SSL_get_session(ssl); + unsigned char client_random[SSL3_RANDOM_SIZE]; + unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; + int master_key_length = 0; + + if(!session || *keylog_done) + return; + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ + !(defined(LIBRESSL_VERSION_NUMBER) && \ + LIBRESSL_VERSION_NUMBER < 0x20700000L) + /* ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that + * we have a valid SSL context if we have a non-NULL session. 
*/ + SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE); + master_key_length = (int) + SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH); +#else + if(ssl->s3 && session->master_key_length > 0) { + master_key_length = session->master_key_length; + memcpy(master_key, session->master_key, session->master_key_length); + memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE); + } +#endif + + /* The handshake has not progressed sufficiently yet, or this is a TLS 1.3 + * session (when curl was built with older OpenSSL headers and running with + * newer OpenSSL runtime libraries). */ + if(master_key_length <= 0) + return; + + *keylog_done = true; + Curl_tls_keylog_write("CLIENT_RANDOM", client_random, + master_key, master_key_length); +} +#endif /* !HAVE_KEYLOG_CALLBACK */ + +static const char *SSL_ERROR_to_str(int err) +{ + switch(err) { + case SSL_ERROR_NONE: + return "SSL_ERROR_NONE"; + case SSL_ERROR_SSL: + return "SSL_ERROR_SSL"; + case SSL_ERROR_WANT_READ: + return "SSL_ERROR_WANT_READ"; + case SSL_ERROR_WANT_WRITE: + return "SSL_ERROR_WANT_WRITE"; + case SSL_ERROR_WANT_X509_LOOKUP: + return "SSL_ERROR_WANT_X509_LOOKUP"; + case SSL_ERROR_SYSCALL: + return "SSL_ERROR_SYSCALL"; + case SSL_ERROR_ZERO_RETURN: + return "SSL_ERROR_ZERO_RETURN"; + case SSL_ERROR_WANT_CONNECT: + return "SSL_ERROR_WANT_CONNECT"; + case SSL_ERROR_WANT_ACCEPT: + return "SSL_ERROR_WANT_ACCEPT"; +#if defined(SSL_ERROR_WANT_ASYNC) + case SSL_ERROR_WANT_ASYNC: + return "SSL_ERROR_WANT_ASYNC"; +#endif +#if defined(SSL_ERROR_WANT_ASYNC_JOB) + case SSL_ERROR_WANT_ASYNC_JOB: + return "SSL_ERROR_WANT_ASYNC_JOB"; +#endif +#if defined(SSL_ERROR_WANT_EARLY) + case SSL_ERROR_WANT_EARLY: + return "SSL_ERROR_WANT_EARLY"; +#endif + default: + return "SSL_ERROR unknown"; + } +} + +/* Return error string for last OpenSSL error + */ +static char *ossl_strerror(unsigned long error, char *buf, size_t size) +{ + if(size) + *buf = '\0'; + +#ifdef OPENSSL_IS_BORINGSSL + 
ERR_error_string_n((uint32_t)error, buf, size); +#else + ERR_error_string_n(error, buf, size); +#endif + + if(size > 1 && !*buf) { + strncpy(buf, (error ? "Unknown error" : "No error"), size); + buf[size - 1] = '\0'; + } + + return buf; +} + +/* Return an extra data index for the transfer data. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_ssl_data_index(void) +{ + static int ssl_ex_data_data_index = -1; + if(ssl_ex_data_data_index < 0) { + ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return ssl_ex_data_data_index; +} + +/* Return an extra data index for the connection data. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_ssl_conn_index(void) +{ + static int ssl_ex_data_conn_index = -1; + if(ssl_ex_data_conn_index < 0) { + ssl_ex_data_conn_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return ssl_ex_data_conn_index; +} + +/* Return an extra data index for the sockindex. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_ssl_sockindex_index(void) +{ + static int sockindex_index = -1; + if(sockindex_index < 0) { + sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return sockindex_index; +} + +/* Return an extra data index for proxy boolean. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). 
+ */ +static int ossl_get_proxy_index(void) +{ + static int proxy_index = -1; + if(proxy_index < 0) { + proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return proxy_index; +} + +static int passwd_callback(char *buf, int num, int encrypting, + void *global_passwd) +{ + DEBUGASSERT(0 == encrypting); + + if(!encrypting) { + int klen = curlx_uztosi(strlen((char *)global_passwd)); + if(num > klen) { + memcpy(buf, global_passwd, klen + 1); + return klen; + } + } + return 0; +} + +/* + * rand_enough() returns TRUE if we have seeded the random engine properly. + */ +static bool rand_enough(void) { return (0 != RAND_status()) ? TRUE : FALSE; } 
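Review bot: In the push_certinfo macro the `if(1 != BIO_reset(mem)) break;` inside `do { ... } while(0)` only leaves the macro's own loop, so a failed reset is silently ignored and the next field is appended to the previous field's bytes in `mem`, yielding a corrupted certinfo entry instead of an error. Since every use sits inside the per-certificate loop of Curl_ossl_certchain(), the macro could set a flag the loop tests and turns into an error return, or the reset result could be checked once per iteration; if the silent behaviour is deliberate, the macro deserves a comment saying so. Also, X509V3_ext() ignores the return value of asn1_object_dump(), so an over-long extension name is pushed truncated with no indication; checking it and substituting a fixed label would make the output honest. This hunk largely relocates existing code within the file, so these points apply to the moved definitions rather than to new logic.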
@@ -2251,74 +2590,8 @@ static void ossl_trace(int direction, int ssl_ver, int content_type, #undef HAS_ALPN #if OPENSSL_VERSION_NUMBER >= 0x10002000L \ && !defined(OPENSSL_NO_TLSEXT) -# define HAS_ALPN 1 -#endif - -/* Check for OpenSSL 1.0.1 which has NPN support. */ -#undef HAS_NPN -#if OPENSSL_VERSION_NUMBER >= 0x10001000L \ - && !defined(OPENSSL_NO_TLSEXT) \ - && !defined(OPENSSL_NO_NEXTPROTONEG) -# define HAS_NPN 1 -#endif - -#ifdef HAS_NPN - -/* - * in is a list of length prefixed strings. this function has to select - * the protocol we want to use from the list and write its string into out. - */ - -static int -select_next_protocol(unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, - const char *key, unsigned int keylen) -{ - unsigned int i; - for(i = 0; i + keylen <= inlen; i += in[i] + 1) { - if(memcmp(&in[i + 1], key, keylen) == 0) { - *out = (unsigned char *) &in[i + 1]; - *outlen = in[i]; - return 0; - } - } - return -1; -} - -static int -select_next_proto_cb(SSL *ssl, - unsigned char **out, unsigned char *outlen, - const unsigned char *in, unsigned int inlen, - void *arg) -{ - struct Curl_easy *data = (struct Curl_easy *)arg; - struct connectdata *conn = data->conn; - (void)ssl; - -#ifdef USE_HTTP2 - if(data->state.httpwant >= CURL_HTTP_VERSION_2 && - !select_next_protocol(out, outlen, in, inlen, ALPN_H2, ALPN_H2_LENGTH)) { - infof(data, "NPN, negotiated HTTP2 (%s)", ALPN_H2); - conn->negnpn = CURL_HTTP_VERSION_2; - return SSL_TLSEXT_ERR_OK; - } -#endif - - if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1, - ALPN_HTTP_1_1_LENGTH)) { - infof(data, "NPN, negotiated HTTP1.1"); - conn->negnpn = CURL_HTTP_VERSION_1_1; - return SSL_TLSEXT_ERR_OK; - } - - infof(data, "NPN, no overlap, use HTTP1.1"); - *out = (unsigned char *)ALPN_HTTP_1_1; - *outlen = ALPN_HTTP_1_1_LENGTH; - conn->negnpn = CURL_HTTP_VERSION_1_1; - - return SSL_TLSEXT_ERR_OK; -} -#endif /* HAS_NPN */ +# define HAS_ALPN 1 +#endif #if 
(OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ static CURLcode @@ -2810,11 +3083,6 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, SSL_CTX_set_options(backend->ctx, ctx_options); -#ifdef HAS_NPN - if(conn->bits.tls_enable_npn) - SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data); -#endif - #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { int cur = 0; @@ -2904,7 +3172,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #ifdef USE_OPENSSL_SRP if((ssl_authtype == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { + Curl_auth_allowed_to_host(data)) { char * const ssl_username = SSL_SET_OPTION(primary.username); char * const ssl_password = SSL_SET_OPTION(primary.password); infof(data, "Using TLS-SRP username: %s", ssl_username); 
@@ -3351,452 +3619,116 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, /* the connection failed, we're not waiting for anything else. */ connssl->connecting_state = ssl_connect_2; - /* Get the earliest error code from the thread's error queue and remove - the entry. */ - errdetail = ERR_get_error(); - - /* Extract which lib and reason */ - lib = ERR_GET_LIB(errdetail); - reason = ERR_GET_REASON(errdetail); - - if((lib == ERR_LIB_SSL) && - ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) || - (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) { - result = CURLE_PEER_FAILED_VERIFICATION; - - lerr = SSL_get_verify_result(backend->handle); - if(lerr != X509_V_OK) { - SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; - msnprintf(error_buffer, sizeof(error_buffer), - "SSL certificate problem: %s", - X509_verify_cert_error_string(lerr)); - } - else - /* strcpy() is fine here as long as the string fits within - error_buffer */ - strcpy(error_buffer, "SSL certificate verification failed"); - } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \ - !defined(LIBRESSL_VERSION_NUMBER) && \ - !defined(OPENSSL_IS_BORINGSSL)) - /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on - OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */ - else if((lib == ERR_LIB_SSL) && - (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) { - /* If client certificate is required, communicate the - error to client */ - result = CURLE_SSL_CLIENTCERT; - ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); - } -#endif - else { - result = CURLE_SSL_CONNECT_ERROR; - ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); - } - - /* detail is already set to the SSL error above */ - - /* If we e.g. use SSLv2 request-method and the server doesn't like us - * (RST connection, etc.), OpenSSL gives no explanation whatsoever and - * the SO_ERROR is also lost. 
- */ - if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) { - const char * const hostname = SSL_HOST_NAME(); - const long int port = SSL_HOST_PORT(); - char extramsg[80]=""; - int sockerr = SOCKERRNO; - if(sockerr && detail == SSL_ERROR_SYSCALL) - Curl_strerror(sockerr, extramsg, sizeof(extramsg)); - failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ", - extramsg[0] ? extramsg : SSL_ERROR_to_str(detail), - hostname, port); - return result; - } - - /* Could be a CERT problem */ - failf(data, "%s", error_buffer); - - return result; - } - } - else { - /* we connected fine, we're not waiting for anything else. */ - connssl->connecting_state = ssl_connect_3; - - /* Informational message */ - infof(data, "SSL connection using %s / %s", - SSL_get_version(backend->handle), - SSL_get_cipher(backend->handle)); - -#ifdef HAS_ALPN - /* Sets data and len to negotiated protocol, len is 0 if no protocol was - * negotiated - */ - if(conn->bits.tls_enable_alpn) { - const unsigned char *neg_protocol; - unsigned int len; - SSL_get0_alpn_selected(backend->handle, &neg_protocol, &len); - if(len) { - infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, len, neg_protocol); - -#ifdef USE_HTTP2 - if(len == ALPN_H2_LENGTH && - !memcmp(ALPN_H2, neg_protocol, len)) { - conn->negnpn = CURL_HTTP_VERSION_2; - } - else -#endif - if(len == ALPN_HTTP_1_1_LENGTH && - !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) { - conn->negnpn = CURL_HTTP_VERSION_1_1; - } - } - else - infof(data, VTLS_INFOF_NO_ALPN); - - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? 
- BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); - } -#endif - - return CURLE_OK; - } -} - -static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len) -{ - int i, ilen; - - ilen = (int)len; - if(ilen < 0) - return 1; /* buffer too big */ - - i = i2t_ASN1_OBJECT(buf, ilen, a); - - if(i >= ilen) - return 1; /* buffer too small */ - - return 0; -} - -#define push_certinfo(_label, _num) \ -do { \ - long info_len = BIO_get_mem_data(mem, &ptr); \ - Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \ - if(1 != BIO_reset(mem)) \ - break; \ -} while(0) - -static void pubkey_show(struct Curl_easy *data, - BIO *mem, - int num, - const char *type, - const char *name, - const BIGNUM *bn) -{ - char *ptr; - char namebuf[32]; - - msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name); - - if(bn) - BN_print(mem, bn); - push_certinfo(namebuf, num); -} - -#ifdef HAVE_OPAQUE_RSA_DSA_DH -#define print_pubkey_BN(_type, _name, _num) \ - pubkey_show(data, mem, _num, #_type, #_name, _name) - -#else -#define print_pubkey_BN(_type, _name, _num) \ -do { \ - if(_type->_name) { \ - pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \ - } \ -} while(0) -#endif - -static void X509V3_ext(struct Curl_easy *data, - int certnum, - CONST_EXTS STACK_OF(X509_EXTENSION) *exts) -{ - int i; - - if((int)sk_X509_EXTENSION_num(exts) <= 0) - /* no extensions, bail out */ - return; - - for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) { - ASN1_OBJECT *obj; - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - BUF_MEM *biomem; - char namebuf[128]; - BIO *bio_out = BIO_new(BIO_s_mem()); - - if(!bio_out) - return; - - obj = X509_EXTENSION_get_object(ext); - - asn1_object_dump(obj, namebuf, sizeof(namebuf)); - - if(!X509V3_EXT_print(bio_out, ext, 0, 0)) - ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext)); - - BIO_get_mem_ptr(bio_out, &biomem); - Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data, - biomem->length); - BIO_free(bio_out); - } -} - 
-#ifdef OPENSSL_IS_BORINGSSL -typedef size_t numcert_t; -#else -typedef int numcert_t; -#endif - -static CURLcode get_cert_chain(struct Curl_easy *data, - struct ssl_connect_data *connssl) -{ - CURLcode result; - STACK_OF(X509) *sk; - int i; - numcert_t numcerts; - BIO *mem; - struct ssl_backend_data *backend = connssl->backend; - - DEBUGASSERT(backend); - - sk = SSL_get_peer_cert_chain(backend->handle); - if(!sk) { - return CURLE_OUT_OF_MEMORY; - } - - numcerts = sk_X509_num(sk); - - result = Curl_ssl_init_certinfo(data, (int)numcerts); - if(result) { - return result; - } - - mem = BIO_new(BIO_s_mem()); - if(!mem) { - return CURLE_OUT_OF_MEMORY; - } - - for(i = 0; i < (int)numcerts; i++) { - ASN1_INTEGER *num; - X509 *x = sk_X509_value(sk, i); - EVP_PKEY *pubkey = NULL; - int j; - char *ptr; - const ASN1_BIT_STRING *psig = NULL; - - X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE); - push_certinfo("Subject", i); - - X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE); - push_certinfo("Issuer", i); - - BIO_printf(mem, "%lx", X509_get_version(x)); - push_certinfo("Version", i); - - num = X509_get_serialNumber(x); - if(num->type == V_ASN1_NEG_INTEGER) - BIO_puts(mem, "-"); - for(j = 0; j < num->length; j++) - BIO_printf(mem, "%02x", num->data[j]); - push_certinfo("Serial Number", i); - -#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS) - { - const X509_ALGOR *sigalg = NULL; - X509_PUBKEY *xpubkey = NULL; - ASN1_OBJECT *pubkeyoid = NULL; + /* Get the earliest error code from the thread's error queue and remove + the entry. 
*/ + errdetail = ERR_get_error(); - X509_get0_signature(&psig, &sigalg, x); - if(sigalg) { - i2a_ASN1_OBJECT(mem, sigalg->algorithm); - push_certinfo("Signature Algorithm", i); - } + /* Extract which lib and reason */ + lib = ERR_GET_LIB(errdetail); + reason = ERR_GET_REASON(errdetail); - xpubkey = X509_get_X509_PUBKEY(x); - if(xpubkey) { - X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey); - if(pubkeyoid) { - i2a_ASN1_OBJECT(mem, pubkeyoid); - push_certinfo("Public Key Algorithm", i); + if((lib == ERR_LIB_SSL) && + ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) || + (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) { + result = CURLE_PEER_FAILED_VERIFICATION; + + lerr = SSL_get_verify_result(backend->handle); + if(lerr != X509_V_OK) { + SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; + msnprintf(error_buffer, sizeof(error_buffer), + "SSL certificate problem: %s", + X509_verify_cert_error_string(lerr)); } + else + /* strcpy() is fine here as long as the string fits within + error_buffer */ + strcpy(error_buffer, "SSL certificate verification failed"); + } +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \ + !defined(LIBRESSL_VERSION_NUMBER) && \ + !defined(OPENSSL_IS_BORINGSSL)) + /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on + OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */ + else if((lib == ERR_LIB_SSL) && + (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) { + /* If client certificate is required, communicate the + error to client */ + result = CURLE_SSL_CLIENTCERT; + ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); + } +#endif + else { + result = CURLE_SSL_CONNECT_ERROR; + ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); } - X509V3_ext(data, i, X509_get0_extensions(x)); - } -#else - { - /* before OpenSSL 1.0.2 */ - X509_CINF *cinf = x->cert_info; - - i2a_ASN1_OBJECT(mem, cinf->signature->algorithm); - push_certinfo("Signature Algorithm", i); + /* detail is already set to the SSL error above */ 
- i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm); - push_certinfo("Public Key Algorithm", i); + /* If we e.g. use SSLv2 request-method and the server doesn't like us + * (RST connection, etc.), OpenSSL gives no explanation whatsoever and + * the SO_ERROR is also lost. + */ + if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) { + const char * const hostname = SSL_HOST_NAME(); + const long int port = SSL_HOST_PORT(); + char extramsg[80]=""; + int sockerr = SOCKERRNO; + if(sockerr && detail == SSL_ERROR_SYSCALL) + Curl_strerror(sockerr, extramsg, sizeof(extramsg)); + failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ", + extramsg[0] ? extramsg : SSL_ERROR_to_str(detail), + hostname, port); + return result; + } - X509V3_ext(data, i, cinf->extensions); + /* Could be a CERT problem */ + failf(data, "%s", error_buffer); - psig = x->signature; + return result; } -#endif - - ASN1_TIME_print(mem, X509_get0_notBefore(x)); - push_certinfo("Start date", i); + } + else { + /* we connected fine, we're not waiting for anything else. 
*/ + connssl->connecting_state = ssl_connect_3; - ASN1_TIME_print(mem, X509_get0_notAfter(x)); - push_certinfo("Expire date", i); + /* Informational message */ + infof(data, "SSL connection using %s / %s", + SSL_get_version(backend->handle), + SSL_get_cipher(backend->handle)); - pubkey = X509_get_pubkey(x); - if(!pubkey) - infof(data, " Unable to load public key"); - else { - int pktype; -#ifdef HAVE_OPAQUE_EVP_PKEY - pktype = EVP_PKEY_id(pubkey); -#else - pktype = pubkey->type; -#endif - switch(pktype) { - case EVP_PKEY_RSA: - { -#ifndef HAVE_EVP_PKEY_GET_PARAMS - RSA *rsa; -#ifdef HAVE_OPAQUE_EVP_PKEY - rsa = EVP_PKEY_get0_RSA(pubkey); -#else - rsa = pubkey->pkey.rsa; -#endif /* HAVE_OPAQUE_EVP_PKEY */ -#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ +#ifdef HAS_ALPN + /* Sets data and len to negotiated protocol, len is 0 if no protocol was + * negotiated + */ + if(conn->bits.tls_enable_alpn) { + const unsigned char *neg_protocol; + unsigned int len; + SSL_get0_alpn_selected(backend->handle, &neg_protocol, &len); + if(len) { + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, len, neg_protocol); - { -#ifdef HAVE_OPAQUE_RSA_DSA_DH - DECLARE_PKEY_PARAM_BIGNUM(n); - DECLARE_PKEY_PARAM_BIGNUM(e); -#ifdef HAVE_EVP_PKEY_GET_PARAMS - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e); -#else - RSA_get0_key(rsa, &n, &e, NULL); -#endif /* HAVE_EVP_PKEY_GET_PARAMS */ - BIO_printf(mem, "%d", BN_num_bits(n)); -#else - BIO_printf(mem, "%d", BN_num_bits(rsa->n)); -#endif /* HAVE_OPAQUE_RSA_DSA_DH */ - push_certinfo("RSA Public Key", i); - print_pubkey_BN(rsa, n, i); - print_pubkey_BN(rsa, e, i); - FREE_PKEY_PARAM_BIGNUM(n); - FREE_PKEY_PARAM_BIGNUM(e); +#ifdef USE_HTTP2 + if(len == ALPN_H2_LENGTH && + !memcmp(ALPN_H2, neg_protocol, len)) { + conn->alpn = CURL_HTTP_VERSION_2; } - - break; - } - case EVP_PKEY_DSA: - { -#ifndef OPENSSL_NO_DSA -#ifndef HAVE_EVP_PKEY_GET_PARAMS - DSA *dsa; -#ifdef HAVE_OPAQUE_EVP_PKEY - dsa = 
EVP_PKEY_get0_DSA(pubkey); -#else - dsa = pubkey->pkey.dsa; -#endif /* HAVE_OPAQUE_EVP_PKEY */ -#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ - { -#ifdef HAVE_OPAQUE_RSA_DSA_DH - DECLARE_PKEY_PARAM_BIGNUM(p); - DECLARE_PKEY_PARAM_BIGNUM(q); - DECLARE_PKEY_PARAM_BIGNUM(g); - DECLARE_PKEY_PARAM_BIGNUM(pub_key); -#ifdef HAVE_EVP_PKEY_GET_PARAMS - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); -#else - DSA_get0_pqg(dsa, &p, &q, &g); - DSA_get0_key(dsa, &pub_key, NULL); -#endif /* HAVE_EVP_PKEY_GET_PARAMS */ -#endif /* HAVE_OPAQUE_RSA_DSA_DH */ - print_pubkey_BN(dsa, p, i); - print_pubkey_BN(dsa, q, i); - print_pubkey_BN(dsa, g, i); - print_pubkey_BN(dsa, pub_key, i); - FREE_PKEY_PARAM_BIGNUM(p); - FREE_PKEY_PARAM_BIGNUM(q); - FREE_PKEY_PARAM_BIGNUM(g); - FREE_PKEY_PARAM_BIGNUM(pub_key); + else +#endif + if(len == ALPN_HTTP_1_1_LENGTH && + !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) { + conn->alpn = CURL_HTTP_VERSION_1_1; } -#endif /* !OPENSSL_NO_DSA */ - break; - } - case EVP_PKEY_DH: - { -#ifndef HAVE_EVP_PKEY_GET_PARAMS - DH *dh; -#ifdef HAVE_OPAQUE_EVP_PKEY - dh = EVP_PKEY_get0_DH(pubkey); -#else - dh = pubkey->pkey.dh; -#endif /* HAVE_OPAQUE_EVP_PKEY */ -#endif /* !HAVE_EVP_PKEY_GET_PARAMS */ - { -#ifdef HAVE_OPAQUE_RSA_DSA_DH - DECLARE_PKEY_PARAM_BIGNUM(p); - DECLARE_PKEY_PARAM_BIGNUM(q); - DECLARE_PKEY_PARAM_BIGNUM(g); - DECLARE_PKEY_PARAM_BIGNUM(pub_key); -#ifdef HAVE_EVP_PKEY_GET_PARAMS - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g); - EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); -#else - DH_get0_pqg(dh, &p, &q, &g); - DH_get0_key(dh, &pub_key, NULL); -#endif /* HAVE_EVP_PKEY_GET_PARAMS */ - 
print_pubkey_BN(dh, p, i); - print_pubkey_BN(dh, q, i); - print_pubkey_BN(dh, g, i); -#else - print_pubkey_BN(dh, p, i); - print_pubkey_BN(dh, g, i); -#endif /* HAVE_OPAQUE_RSA_DSA_DH */ - print_pubkey_BN(dh, pub_key, i); - FREE_PKEY_PARAM_BIGNUM(p); - FREE_PKEY_PARAM_BIGNUM(q); - FREE_PKEY_PARAM_BIGNUM(g); - FREE_PKEY_PARAM_BIGNUM(pub_key); - } - break; } - } - EVP_PKEY_free(pubkey); - } + else + infof(data, VTLS_INFOF_NO_ALPN); - if(psig) { - for(j = 0; j < psig->length; j++) - BIO_printf(mem, "%02x:", psig->data[j]); - push_certinfo("Signature", i); + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } +#endif - PEM_write_bio_X509(mem, x); - push_certinfo("Cert", i); + return CURLE_OK; } - - BIO_free(mem); - - return CURLE_OK; } /* @@ -3893,8 +3825,8 @@ static CURLcode servercert(struct Curl_easy *data, } if(data->set.ssl.certinfo) - /* we've been asked to gather certificate info! */ - (void)get_cert_chain(data, connssl); + /* asked to gather certificate info */ + (void)Curl_ossl_certchain(data, connssl->backend->handle); backend->server_cert = SSL_get1_peer_certificate(backend->handle); if(!backend->server_cert) { @@ -4437,7 +4369,7 @@ static size_t ossl_version(char *buffer, size_t size) } count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver); for(p = buffer; *p; ++p) { - if(ISSPACE(*p)) + if(ISBLANK(*p)) *p = '_'; } return count; diff --git a/vendor/curl/lib/vtls/openssl.h b/vendor/curl/lib/vtls/openssl.h index cb47f4ea81..9df4ecddba 100644 --- a/vendor/curl/lib/vtls/openssl.h +++ b/vendor/curl/lib/vtls/openssl.h @@ -31,6 +31,7 @@ * This header should only be needed to get included by vtls.c, openssl.c * and ngtcp2.c */ +#include #include "urldata.h" 
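Review bot: In the relocated error-mapping block of ossl_connect_step2, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED is an alert the peer sent about the certificate we presented, yet it is folded into the CURLE_PEER_FAILED_VERIFICATION branch, where SSL_get_verify_result (our verdict on the server's chain) will normally still be X509_V_OK, so the user gets the generic "SSL certificate verification failed" text for what is really a rejected client certificate. This is pre-existing, but the code has just been moved, which is the moment to split that case out next to the existing TLSV13_ALERT_CERTIFICATE_REQUIRED branch: `else if((lib == ERR_LIB_SSL) && (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED)) { result = CURLE_SSL_CLIENTCERT; ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); }`. Whether CURLE_SSL_CLIENTCERT is the right code for existing callers is a behaviour change to weigh; at minimum a comment saying the alert concerns our own certificate is warranted. ossl_connect_step2 starts before the hunk.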
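Review bot: The result of Curl_ossl_certchain is discarded with a `(void)` cast, as get_cert_chain's was before it, so when certificate-info collection fails the connection proceeds with silently incomplete certinfo and nothing is logged. That is presumably deliberate because certinfo is diagnostic, but the cast alone does not say so; replace the comment with `/* best effort: certinfo is diagnostic, a failure here must not fail the handshake */`, or log the failure with infof so it is at least visible. servercert starts and ends outside the hunk.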
@@ -53,5 +54,7 @@ CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, const struct curl_blob *key_blob, const char *key_type, char *key_passwd); +CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl); + #endif /* USE_OPENSSL */ #endif /* HEADER_CURL_SSLUSE_H */ diff --git a/vendor/curl/lib/vtls/rustls.c b/vendor/curl/lib/vtls/rustls.c index be4af98502..77a49f1ab4 100644 --- a/vendor/curl/lib/vtls/rustls.c +++ b/vendor/curl/lib/vtls/rustls.c @@ -415,20 +415,20 @@ cr_set_negotiated_alpn(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(len == ALPN_H2_LENGTH && 0 == memcmp(ALPN_H2, protocol, len)) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_H2); - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(len == ALPN_HTTP_1_1_LENGTH && 0 == memcmp(ALPN_HTTP_1_1, protocol, len)) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_HTTP_1_1); - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; } else { infof(data, "ALPN, negotiated an unrecognized protocol"); } - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } diff --git a/vendor/curl/lib/vtls/schannel.c b/vendor/curl/lib/vtls/schannel.c index 32abcaa744..454eb79674 100644 --- a/vendor/curl/lib/vtls/schannel.c +++ b/vendor/curl/lib/vtls/schannel.c @@ -108,18 +108,13 @@ #define BCRYPT_SHA384_ALGORITHM L"SHA384" #endif -/* Workaround broken compilers like MingW. +/* Workaround broken compilers like MinGW. Return the number of elements in a statically sized array. */ #ifndef ARRAYSIZE #define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) #endif -#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \ - && !defined(DISABLE_SCHANNEL_CLIENT_CERT) -#define HAS_CLIENT_CERT_PATH -#endif - #ifdef HAS_CLIENT_CERT_PATH #ifdef UNICODE #define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W 
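Review bot: In the schannel.c hunk that drops the HAS_CLIENT_CERT_PATH definition, the `#ifdef HAS_CLIENT_CERT_PATH` that immediately follows now depends on schannel.h having been included earlier with its internal-structs section enabled; if that include is missing or misordered, client-certificate support silently compiles out instead of breaking the build. Add a comment above the `#ifdef`, `/* HAS_CLIENT_CERT_PATH is now defined by schannel.h (EXPOSE_SCHANNEL_INTERNAL_STRUCTS) */`, so the dependency is visible where it bites. The include itself is outside the hunk; this is inferred from the macro moving between the two files in this diff.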
@@ -186,6 +181,10 @@
 #define ALG_CLASS_DHASH ALG_CLASS_HASH
 #endif
+#ifndef PKCS12_NO_PERSIST_KEY
+#define PKCS12_NO_PERSIST_KEY 0x00008000
+#endif
+
 static Curl_recv schannel_recv;
 static Curl_send schannel_send;
@@ -486,6 +485,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data,
 #ifdef HAS_CLIENT_CERT_PATH
 PCCERT_CONTEXT client_certs[1] = { NULL };
+ HCERTSTORE client_cert_store = NULL;
 #endif
 SECURITY_STATUS sspi_status = SEC_E_OK;
 CURLcode result;
@@ -676,7 +676,13 @@ schannel_acquire_credential_handle(struct Curl_easy *data,
 else
 pszPassword[0] = 0;
- cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
+ if(curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT,
+ VERSION_GREATER_THAN_EQUAL))
+ cert_store = PFXImportCertStore(&datablob, pszPassword,
+ PKCS12_NO_PERSIST_KEY);
+ else
+ cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
+
 free(pszPassword);
 }
 if(!blob)
@@ -748,7 +754,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data,
 return CURLE_SSL_CERTPROBLEM;
 }
 }
- CertCloseStore(cert_store, 0);
+ client_cert_store = cert_store;
 }
 #else
 if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
@@ -766,12 +772,21 @@ schannel_acquire_credential_handle(struct Curl_easy *data,
 #ifdef HAS_CLIENT_CERT_PATH
 if(client_certs[0])
 CertFreeCertificateContext(client_certs[0]);
+ if(client_cert_store)
+ CertCloseStore(client_cert_store, 0);
 #endif
 return CURLE_OUT_OF_MEMORY;
 }
 backend->cred->refcount = 1;
+#ifdef HAS_CLIENT_CERT_PATH
+ /* Since we did not persist the key, we need to extend the store's
+ * lifetime until the end of the connection
+ */
+ backend->cred->client_cert_store = client_cert_store;
+#endif
+
 /* Windows 10, 1809 (a.k.a. Windows 10 build 17763) */
 if(curlx_verify_windows_version(10, 0, 17763, PLATFORM_WINNT,
 VERSION_GREATER_THAN_EQUAL)) {
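Review bot: `free(pszPassword)` returns the decoded client-certificate password to the heap without wiping it, so the secret stays readable in freed memory even though PFXImportCertStore is done with it by then; wipe it first, e.g. `SecureZeroMemory(pszPassword, pwd_bytes);` where pwd_bytes is the size the buffer was allocated with (the allocation is before the hunk, so I cannot name the real length variable), noting that the string it was converted from, also outside the hunk, would still hold a copy. The new PKCS12_NO_PERSIST_KEY branch also deserves a line on why it exists, since the pre-Vista fallback still imports the private key into the user's persistent key store: `/* Vista+: keep the private key in memory rather than persisting it to the user key store */`. schannel_acquire_credential_handle starts and ends outside the hunk.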
@@ -793,7 +808,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, int crypto_settings_idx = 0; - /* If TLS 1.3 ciphers are explictly listed, then + /* If TLS 1.3 ciphers are explicitly listed, then * disable all the ciphers and re-enable which * ciphers the user has provided. */ @@ -913,7 +928,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, blocked_gcm_modes[0].MaximumLength = sizeof(BCRYPT_CHAIN_MODE_GCM); blocked_gcm_modes[0].Buffer = (PWSTR)BCRYPT_CHAIN_MODE_GCM; - /* if only one is disabled, then explictly disable the + /* if only one is disabled, then explicitly disable the digest cipher suite (sha384 or sha256) */ if(disable_aes_gcm_sha384 != disable_aes_gcm_sha256) { crypto_settings[crypto_settings_idx].eAlgorithmUsage = @@ -1314,6 +1329,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, backend->recv_unrecoverable_err = CURLE_OK; backend->recv_sspi_close_notify = false; backend->recv_connection_closed = false; + backend->recv_renegotiating = false; backend->encdata_is_incomplete = false; /* continue to second handshake step */ @@ -1713,6 +1729,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, if(alpn_result.ProtoNegoStatus == SecApplicationProtocolNegotiationStatus_Success) { + unsigned char alpn = 0; infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, alpn_result.ProtocolIdSize, alpn_result.ProtocolId); 
@@ -1720,20 +1737,33 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
 #ifdef USE_HTTP2
 if(alpn_result.ProtocolIdSize == ALPN_H2_LENGTH &&
 !memcmp(ALPN_H2, alpn_result.ProtocolId, ALPN_H2_LENGTH)) {
- conn->negnpn = CURL_HTTP_VERSION_2;
+ alpn = CURL_HTTP_VERSION_2;
 }
 else
 #endif
 if(alpn_result.ProtocolIdSize == ALPN_HTTP_1_1_LENGTH &&
 !memcmp(ALPN_HTTP_1_1, alpn_result.ProtocolId, ALPN_HTTP_1_1_LENGTH)) {
- conn->negnpn = CURL_HTTP_VERSION_1_1;
+ alpn = CURL_HTTP_VERSION_1_1;
+ }
+ if(backend->recv_renegotiating) {
+ if(alpn != conn->alpn) {
+ failf(data, "schannel: server selected an ALPN protocol too late");
+ return CURLE_SSL_CONNECT_ERROR;
 }
+ }
+ else
+ conn->alpn = alpn;
+ }
+ else {
+ if(!backend->recv_renegotiating)
+ infof(data, VTLS_INFOF_NO_ALPN);
+ }
+
+ if(!backend->recv_renegotiating) {
+ Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ?
+ BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
 }
- else
- infof(data, VTLS_INFOF_NO_ALPN);
- Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
- BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
 }
 #endif
@@ -1905,8 +1935,15 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn,
 if(ssl_connect_done == connssl->connecting_state) {
 connssl->state = ssl_connection_complete;
- conn->recv[sockindex] = schannel_recv;
- conn->send[sockindex] = schannel_send;
+ if(!connssl->backend->recv_renegotiating) {
+ /* On renegotiation, we don't want to reset the existing recv/send
+ * function pointers. They will have been set after the initial TLS
+ * handshake was completed. If they were subsequently modified, as
+ * is the case with HTTP/2, we don't want to override that change.
+ */
+ conn->recv[sockindex] = schannel_recv;
+ conn->send[sockindex] = schannel_send;
+ }
 #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS
 /* When SSPI is used in combination with Schannel
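Review bot: The too-late-ALPN check in the renegotiation path is one-sided: it rejects a renegotiated handshake that selects a protocol different from conn->alpn, but a renegotiation whose result is not ProtoNegoStatus Success lands in the `else` branch, which on renegotiation only skips the infof and accepts the connection even if the original handshake had negotiated h2 or http/1.1. That is the mirror image of the case this hunk fixes, so extend the else branch with `if(backend->recv_renegotiating && conn->alpn) { failf(data, "schannel: server dropped the ALPN protocol on renegotiation"); return CURLE_SSL_CONNECT_ERROR; }`. This assumes conn->alpn is zero when no protocol was negotiated, consistent with the `unsigned char alpn = 0` default added in the preceding hunk, but the connection's initial value is not visible here. schannel_connect_step3 starts and ends outside the hunk.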
@@ -2293,7 +2330,9 @@ schannel_recv(struct Curl_easy *data, int sockindex, infof(data, "schannel: renegotiating SSL/TLS connection"); connssl->state = ssl_connection_negotiating; connssl->connecting_state = ssl_connect_2_writing; + backend->recv_renegotiating = true; *err = schannel_connect_common(data, conn, sockindex, FALSE, &done); + backend->recv_renegotiating = false; if(*err) { infof(data, "schannel: renegotiation failed"); goto cleanup; @@ -2447,6 +2486,12 @@ static void schannel_session_free(void *ptr) if(cred->refcount == 0) { s_pSecFn->FreeCredentialsHandle(&cred->cred_handle); curlx_unicodefree(cred->sni_hostname); +#ifdef HAS_CLIENT_CERT_PATH + if(cred->client_cert_store) { + CertCloseStore(cred->client_cert_store, 0); + cred->client_cert_store = NULL; + } +#endif Curl_safefree(cred); } } diff --git a/vendor/curl/lib/vtls/schannel.h b/vendor/curl/lib/vtls/schannel.h index b2d222ac24..24d7eff25b 100644 --- a/vendor/curl/lib/vtls/schannel.h +++ b/vendor/curl/lib/vtls/schannel.h @@ -83,17 +83,23 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, /* structs to expose only in schannel.c and schannel_verify.c */ #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS +#include + #ifdef __MINGW32__ #ifdef __MINGW64_VERSION_MAJOR #define HAS_MANUAL_VERIFY_API #endif #else -#include #ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN #define HAS_MANUAL_VERIFY_API #endif #endif +#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \ + && !defined(DISABLE_SCHANNEL_CLIENT_CERT) +#define HAS_CLIENT_CERT_PATH +#endif + #ifndef SCH_CREDENTIALS_VERSION #define SCH_CREDENTIALS_VERSION 0x00000005 @@ -155,6 +161,9 @@ struct Curl_schannel_cred { CredHandle cred_handle; TimeStamp time_stamp; TCHAR *sni_hostname; +#ifdef HAS_CLIENT_CERT_PATH + HCERTSTORE client_cert_store; +#endif int refcount; }; 
@@ -179,6 +188,7 @@ struct ssl_backend_data { CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */ bool recv_sspi_close_notify; /* true if connection closed by close_notify */ bool recv_connection_closed; /* true if connection closed, regardless how */ + bool recv_renegotiating; /* true if recv is doing renegotiation */ bool use_alpn; /* true if ALPN is used for this connection */ #ifdef HAS_MANUAL_VERIFY_API bool use_manual_cred_validation; /* true if manual cred validation is used */ diff --git a/vendor/curl/lib/vtls/sectransp.c b/vendor/curl/lib/vtls/sectransp.c index a18ca4ee9d..c764e3631b 100644 --- a/vendor/curl/lib/vtls/sectransp.c +++ b/vendor/curl/lib/vtls/sectransp.c @@ -2847,18 +2847,18 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(chosenProtocol && !CFStringCompare(chosenProtocol, CFSTR(ALPN_H2), 0)) { - conn->negnpn = CURL_HTTP_VERSION_2; + conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(chosenProtocol && !CFStringCompare(chosenProtocol, CFSTR(ALPN_HTTP_1_1), 0)) { - conn->negnpn = CURL_HTTP_VERSION_1_1; + conn->alpn = CURL_HTTP_VERSION_1_1; } else infof(data, VTLS_INFOF_NO_ALPN); - Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); /* chosenProtocol is a reference to the string within alpnArr diff --git a/vendor/curl/lib/vtls/vtls.c b/vendor/curl/lib/vtls/vtls.c index 8048ba7a41..9dee5aa3b3 100644 --- a/vendor/curl/lib/vtls/vtls.c +++ b/vendor/curl/lib/vtls/vtls.c 
@@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
 Curl_safecmp(data->issuercert, needle->issuercert) &&
 Curl_safecmp(data->clientcert, needle->clientcert) &&
 #ifdef USE_TLS_SRP
- Curl_safecmp(data->username, needle->username) &&
- Curl_safecmp(data->password, needle->password) &&
+ !Curl_timestrcmp(data->username, needle->username) &&
+ !Curl_timestrcmp(data->password, needle->password) &&
 (data->authtype == needle->authtype) &&
 #endif
 Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
diff --git a/vendor/curl/lib/vtls/wolfssl.c b/vendor/curl/lib/vtls/wolfssl.c
index 50cdb4abf0..594c39a324 100644
--- a/vendor/curl/lib/vtls/wolfssl.c
+++ b/vendor/curl/lib/vtls/wolfssl.c
@@ -763,17 +763,17 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 if(protocol_len == ALPN_HTTP_1_1_LENGTH &&
 !memcmp(protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH))
- conn->negnpn = CURL_HTTP_VERSION_1_1;
+ conn->alpn = CURL_HTTP_VERSION_1_1;
 #ifdef USE_HTTP2
 else if(data->state.httpwant >= CURL_HTTP_VERSION_2 &&
 protocol_len == ALPN_H2_LENGTH &&
 !memcmp(protocol, ALPN_H2, ALPN_H2_LENGTH))
- conn->negnpn = CURL_HTTP_VERSION_2;
+ conn->alpn = CURL_HTTP_VERSION_2;
 #endif
 else
 infof(data, "ALPN, unrecognized protocol %.*s", protocol_len, protocol);
- Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
+ Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ?
 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
 }
 else if(rc == SSL_ALPN_NOT_FOUND)
@@ -811,8 +811,10 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
 if(SSL_SET_OPTION(primary.sessionid)) {
 bool incache;
+ bool added = FALSE;
 void *old_ssl_sessionid = NULL;
- SSL_SESSION *our_ssl_sessionid = SSL_get_session(backend->handle);
+ /* SSL_get1_session allocates memory that has to be freed. */
+ SSL_SESSION *our_ssl_sessionid = SSL_get1_session(backend->handle);
 bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE;
 if(our_ssl_sessionid) {
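Review bot: The switch to Curl_timestrcmp for the SRP username and password is unexplained in place and has the opposite polarity from the surrounding Curl_safecmp calls (zero on match, hence the leading `!`), so the next edit here is likely to get the negation wrong; add `/* credentials: constant-time compare, returns 0 on match */` above the two lines. The replacement also has to keep Curl_safecmp's NULL handling (NULL equals NULL, NULL differs from any string) for the match to mean the same thing as before, which cannot be confirmed from this hunk and should be checked against its definition, since a difference changes which cached TLS configurations get reused. Curl_ssl_config_matches starts and ends outside the hunk.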
@@ -832,11 +834,20 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, 0, sockindex, NULL); if(result) { Curl_ssl_sessionid_unlock(data); + SSL_SESSION_free(our_ssl_sessionid); failf(data, "failed to store ssl session"); return result; } + else { + added = TRUE; + } } Curl_ssl_sessionid_unlock(data); + + if(!added) { + /* If the session info wasn't added to the cache, free our copy. */ + SSL_SESSION_free(our_ssl_sessionid); + } } } @@ -956,8 +967,7 @@ static ssize_t wolfssl_recv(struct Curl_easy *data, static void wolfssl_session_free(void *ptr) { - (void)ptr; - /* wolfSSL reuses sessions on own, no free */ + SSL_SESSION_free(ptr); } diff --git a/vendor/curl/lib/vtls/x509asn1.c b/vendor/curl/lib/vtls/x509asn1.c index d5661b0976..0cfcbe87da 100644 --- a/vendor/curl/lib/vtls/x509asn1.c +++ b/vendor/curl/lib/vtls/x509asn1.c @@ -45,6 +45,7 @@ #include #include "urldata.h" #include "strcase.h" +#include "curl_ctype.h" #include "hostcheck.h" #include "vtls/vtls.h" #include "sendf.h" @@ -716,7 +717,7 @@ static ssize_t encodeDN(char *buf, size_t buflen, struct Curl_asn1Element *dn) /* Encode delimiter. If attribute has a short uppercase name, delimiter is ", ". */ if(l) { - for(p3 = str; isupper(*p3); p3++) + for(p3 = str; ISUPPER(*p3); p3++) ; for(p3 = (*p3 || p3 - str > 2)? "/": ", "; *p3; p3++) { if(l < buflen) diff --git a/vendor/curl/lib/warnless.c b/vendor/curl/lib/warnless.c index 51187aa52e..b00d7a5a26 100644 --- a/vendor/curl/lib/warnless.c +++ b/vendor/curl/lib/warnless.c @@ -39,6 +39,8 @@ #include "warnless.h" +#include + #define CURL_MASK_UCHAR ((unsigned char)~0) #define CURL_MASK_SCHAR (CURL_MASK_UCHAR >> 1) diff --git a/vendor/curl/lib/wildcard.h b/vendor/curl/lib/wildcard.h index f9d2167bf2..21e933b9a4 100644 --- a/vendor/curl/lib/wildcard.h +++ b/vendor/curl/lib/wildcard.h @@ -27,6 +27,7 @@ #include "curl_setup.h" #ifndef CURL_DISABLE_FTP +#include #include "llist.h" /* list of wildcard process states */ 
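Review bot: The `else { added = TRUE; }` following an unconditional `return result;` is dead-branch structure; a plain `added = TRUE;` after the `if(result)` block does the same and does not make a reader wonder whether the early return is conditional. The error path frees the session after Curl_ssl_sessionid_unlock(), which is fine, but it silently relies on Curl_ssl_addsessionid not having stored the pointer before it fails; a comment `/* addsessionid failed, so the cache never took ownership */` beside that `SSL_SESSION_free(our_ssl_sessionid)` records the assumption, which cannot be verified from this diff. The enclosing `if(our_ssl_sessionid)` block and the `incache` test that makes `added` meaningful both start outside this hunk.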
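Review bot: wolfssl_session_free now really releases something, so it should say what; a comment such as `/* release the session reference taken with SSL_get1_session() in wolfssl_connect_step3 */` ties the two halves of the ownership change together for the next reader. It is also worth confirming that wolfSSL's SSL_SESSION_free tolerates a NULL `ptr`, since the cache-side caller is not visible here and the old no-op body accepted anything.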
diff --git a/vendor/curl/lib/ws.c b/vendor/curl/lib/ws.c new file mode 100644 index 0000000000..a673446625 --- /dev/null +++ b/vendor/curl/lib/ws.c 
@@ -0,0 +1,757 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +#include "curl_setup.h" +#include + +#ifdef USE_WEBSOCKETS + +#include "urldata.h" +#include "dynbuf.h" +#include "rand.h" +#include "curl_base64.h" +#include "sendf.h" +#include "multiif.h" +#include "ws.h" +#include "easyif.h" +#include "transfer.h" +#include "nonblock.h" + +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" +#include "curl_memory.h" +#include "memdebug.h" + +struct wsfield { + const char *name; + const char *val; +}; + +CURLcode Curl_ws_request(struct Curl_easy *data, REQTYPE *req) +{ + unsigned int i; + CURLcode result = CURLE_OK; + unsigned char rand[16]; + char *randstr; + size_t randlen; + char keyval[40]; + struct SingleRequest *k = &data->req; + struct wsfield heads[]= { + { + /* The request MUST contain an |Upgrade| header field whose value + MUST include the "websocket" keyword. */ + "Upgrade:", "websocket" + }, + { + /* The request MUST contain a |Connection| header field whose value + MUST include the "Upgrade" token. 
*/ + "Connection:", "Upgrade", + }, + { + /* The request MUST include a header field with the name + |Sec-WebSocket-Version|. The value of this header field MUST be + 13. */ + "Sec-WebSocket-Version:", "13", + }, + { + /* The request MUST include a header field with the name + |Sec-WebSocket-Key|. The value of this header field MUST be a nonce + consisting of a randomly selected 16-byte value that has been + base64-encoded (see Section 4 of [RFC4648]). The nonce MUST be + selected randomly for each connection. */ + "Sec-WebSocket-Key:", NULL, + } + }; + heads[3].val = &keyval[0]; + + /* 16 bytes random */ + result = Curl_rand(data, (unsigned char *)rand, sizeof(rand)); + if(result) + return result; + result = Curl_base64_encode((char *)rand, sizeof(rand), &randstr, &randlen); + if(result) + return result; + DEBUGASSERT(randlen < sizeof(keyval)); + if(randlen >= sizeof(keyval)) + return CURLE_FAILED_INIT; + strcpy(keyval, randstr); + free(randstr); + for(i = 0; !result && (i < sizeof(heads)/sizeof(heads[0])); i++) { + if(!Curl_checkheaders(data, STRCONST(heads[i].name))) { +#ifdef USE_HYPER + char field[128]; + msnprintf(field, sizeof(field), "%s %s", heads[i].name, + heads[i].val); + result = Curl_hyper_header(data, req, field); +#else + (void)data; + result = Curl_dyn_addf(req, "%s %s\r\n", heads[i].name, + heads[i].val); +#endif + } + } + k->upgr101 = UPGR101_WS; + Curl_dyn_init(&data->req.p.http->ws.buf, MAX_WS_SIZE * 2); + return result; +} + +CURLcode Curl_ws_accept(struct Curl_easy *data) +{ + struct SingleRequest *k = &data->req; + struct HTTP *ws = data->req.p.http; + struct connectdata *conn = data->conn; + struct websocket *wsp = &data->req.p.http->ws; + CURLcode result; + + /* Verify the Sec-WebSocket-Accept response. + + The sent value is the base64 encoded version of a SHA-1 hash done on the + |Sec-WebSocket-Key| header field concatenated with + the string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11". 
+ */ + + /* If the response includes a |Sec-WebSocket-Extensions| header field and + this header field indicates the use of an extension that was not present + in the client's handshake (the server has indicated an extension not + requested by the client), the client MUST Fail the WebSocket Connection. + */ + + /* If the response includes a |Sec-WebSocket-Protocol| header field + and this header field indicates the use of a subprotocol that was + not present in the client's handshake (the server has indicated a + subprotocol not requested by the client), the client MUST Fail + the WebSocket Connection. */ + + /* 4 bytes random */ + result = Curl_rand(data, (unsigned char *)&ws->ws.mask, sizeof(ws->ws.mask)); + if(result) + return result; + + infof(data, "Received 101, switch to WebSocket; mask %02x%02x%02x%02x", + ws->ws.mask[0], ws->ws.mask[1], ws->ws.mask[2], ws->ws.mask[3]); + k->upgr101 = UPGR101_RECEIVED; + + if(data->set.connect_only) + /* switch off non-blocking sockets */ + (void)curlx_nonblock(conn->sock[FIRSTSOCKET], FALSE); + + wsp->oleft = 0; + return result; +} + +#define WSBIT_FIN 0x80 +#define WSBIT_OPCODE_CONT 0 +#define WSBIT_OPCODE_TEXT (1) +#define WSBIT_OPCODE_BIN (2) +#define WSBIT_OPCODE_CLOSE (8) +#define WSBIT_OPCODE_PING (9) +#define WSBIT_OPCODE_PONG (0xa) +#define WSBIT_OPCODE_MASK (0xf) + +#define WSBIT_MASK 0x80 + +/* remove the spent bytes from the beginning of the buffer as that part has + now been delivered to the application */ +static void ws_decode_clear(struct Curl_easy *data) +{ + struct websocket *wsp = &data->req.p.http->ws; + size_t spent = wsp->usedbuf; + size_t len = Curl_dyn_len(&wsp->buf); + size_t keep = len - spent; + DEBUGASSERT(len >= spent); + Curl_dyn_tail(&wsp->buf, keep); +} + +/* ws_decode() decodes a binary frame into structured WebSocket data, + + wpkt - the incoming raw data. If NULL, work on the already buffered data. 
+ ilen - the size of the provided data, perhaps too little, perhaps too much + out - stored pointed to extracted data + olen - stored length of the extracted data + oleft - number of unread bytes pending to that belongs to this frame + more - if there is more data in there + flags - stored bitmask about the frame + + Returns CURLE_AGAIN if there is only a partial frame in the buffer. Then it + stores the first part in the ->extra buffer to be used in the next call + when more data is provided. +*/ + +static CURLcode ws_decode(struct Curl_easy *data, + unsigned char *wpkt, size_t ilen, + unsigned char **out, size_t *olen, + curl_off_t *oleft, + bool *more, + unsigned int *flags) +{ + bool fin; + unsigned char opcode; + curl_off_t total; + size_t dataindex = 2; + curl_off_t plen; /* size of data in the buffer */ + curl_off_t payloadsize; + struct websocket *wsp = &data->req.p.http->ws; + unsigned char *p; + CURLcode result; + + *olen = 0; + + /* add the incoming bytes, if any */ + if(wpkt) { + result = Curl_dyn_addn(&wsp->buf, wpkt, ilen); + if(result) + return result; + } + + plen = Curl_dyn_len(&wsp->buf); + if(plen < 2) { + /* the smallest possible frame is two bytes */ + infof(data, "WS: plen == %u, EAGAIN", (int)plen); + return CURLE_AGAIN; + } + + p = Curl_dyn_uptr(&wsp->buf); + + fin = p[0] & WSBIT_FIN; + opcode = p[0] & WSBIT_OPCODE_MASK; + infof(data, "WS:%d received FIN bit %u", __LINE__, (int)fin); + *flags = 0; + switch(opcode) { + case WSBIT_OPCODE_CONT: + if(!fin) + *flags |= CURLWS_CONT; + infof(data, "WS: received OPCODE CONT"); + break; + case WSBIT_OPCODE_TEXT: + infof(data, "WS: received OPCODE TEXT"); + *flags |= CURLWS_TEXT; + break; + case WSBIT_OPCODE_BIN: + infof(data, "WS: received OPCODE BINARY"); + *flags |= CURLWS_BINARY; + break; + case WSBIT_OPCODE_CLOSE: + infof(data, "WS: received OPCODE CLOSE"); + *flags |= CURLWS_CLOSE; + break; + case WSBIT_OPCODE_PING: + infof(data, "WS: received OPCODE PING"); + *flags |= CURLWS_PING; + break; + 
case WSBIT_OPCODE_PONG: + infof(data, "WS: received OPCODE PONG"); + *flags |= CURLWS_PONG; + break; + } + + if(p[1] & WSBIT_MASK) { + /* A client MUST close a connection if it detects a masked frame. */ + failf(data, "WS: masked input frame"); + return CURLE_RECV_ERROR; + } + payloadsize = p[1]; + if(payloadsize == 126) { + if(plen < 4) { + infof(data, "WS:%d plen == %u, EAGAIN", __LINE__, (int)plen); + return CURLE_AGAIN; /* not enough data available */ + } + payloadsize = (p[2] << 8) | p[3]; + dataindex += 2; + } + else if(payloadsize == 127) { + /* 64 bit payload size */ + if(plen < 10) + return CURLE_AGAIN; + if(p[2] & 80) { + failf(data, "WS: too large frame"); + return CURLE_RECV_ERROR; + } + dataindex += 8; + payloadsize = ((curl_off_t)p[2] << 56) | + (curl_off_t)p[3] << 48 | + (curl_off_t)p[4] << 40 | + (curl_off_t)p[5] << 32 | + (curl_off_t)p[6] << 24 | + (curl_off_t)p[7] << 16 | + (curl_off_t)p[8] << 8 | + p[9]; + } + + total = dataindex + payloadsize; + if(total > plen) { + /* deliver a partial frame */ + *oleft = total - dataindex; + payloadsize = total - dataindex; + } + else { + *oleft = 0; + if(plen > total) + /* there is another fragment after */ + *more = TRUE; + } + + /* point to the payload */ + *out = &p[dataindex]; + + /* return the payload length */ + *olen = payloadsize; + + /* number of bytes "used" from the buffer */ + wsp->usedbuf = dataindex + payloadsize; + infof(data, "WS: received %zu bytes payload (%zu left)", + payloadsize, *oleft); + return CURLE_OK; +} + +/* Curl_ws_writecb() is the write callback for websocket traffic. The + websocket data is provided to this raw, in chunks. This function should + handle/decode the data and call the "real" underlying callback accordingly. 
+*/ +size_t Curl_ws_writecb(char *buffer, size_t size /* 1 */, + size_t nitems, void *userp) +{ + struct HTTP *ws = (struct HTTP *)userp; + struct Curl_easy *data = ws->ws.data; + void *writebody_ptr = data->set.out; + if(data->set.ws_raw_mode) + return data->set.fwrite_func(buffer, size, nitems, writebody_ptr); + else if(nitems) { + unsigned char *frame = NULL; + size_t flen = 0; + size_t wrote = 0; + CURLcode result; + bool more; /* there's is more to parse in the buffer */ + curl_off_t oleft; + + decode: + more = FALSE; + oleft = ws->ws.frame.bytesleft; + if(!oleft) { + unsigned int recvflags; + result = ws_decode(data, (unsigned char *)buffer, nitems, + &frame, &flen, &oleft, &more, &recvflags); + if(result == CURLE_AGAIN) + /* insufficient amount of data, keep it for later */ + return nitems; + else if(result) { + infof(data, "WS: decode error %d", (int)result); + return nitems - 1; + } + /* Store details about the frame to be reachable with curl_ws_meta() + from within the write callback */ + ws->ws.frame.age = 0; + ws->ws.frame.offset = 0; + ws->ws.frame.flags = recvflags; + ws->ws.frame.bytesleft = oleft; + } + else { + if(nitems > (size_t)ws->ws.frame.bytesleft) { + nitems = ws->ws.frame.bytesleft; + more = TRUE; + } + else + more = FALSE; + ws->ws.frame.offset += nitems; + ws->ws.frame.bytesleft -= nitems; + frame = (unsigned char *)buffer; + flen = nitems; + } + if((ws->ws.frame.flags & CURLWS_PING) && !oleft) { + /* auto-respond to PINGs, only works for single-frame payloads atm */ + size_t bytes; + infof(data, "WS: auto-respond to PING with a PONG"); + DEBUGASSERT(frame); + /* send back the exact same content as a PONG */ + result = curl_ws_send(data, frame, flen, &bytes, 0, CURLWS_PONG); + if(result) + return result; + } + else { + /* deliver the decoded frame to the user callback */ + Curl_set_in_callback(data, true); + wrote = data->set.fwrite_func((char *)frame, 1, flen, writebody_ptr); + Curl_set_in_callback(data, false); + if(wrote != flen) + 
return 0; + } + if(oleft) + ws->ws.frame.offset += flen; + /* the websocket frame has been delivered */ + ws_decode_clear(data); + if(more) { + /* there's more websocket data to deal with in the buffer */ + buffer = NULL; /* the buffer as been drained already */ + goto decode; + } + } + return nitems; +} + + +CURL_EXTERN CURLcode curl_ws_recv(struct Curl_easy *data, void *buffer, + size_t buflen, size_t *nread, + struct curl_ws_frame **metap) +{ + size_t bytes; + CURLcode result; + struct websocket *wsp = &data->req.p.http->ws; + + *nread = 0; + *metap = NULL; + /* get a download buffer */ + result = Curl_preconnect(data); + if(result) + return result; + + do { + bool drain = FALSE; /* if there is pending buffered data to drain */ + char *inbuf = data->state.buffer; + bytes = wsp->stillbuffer; + if(!bytes) { + result = curl_easy_recv(data, data->state.buffer, + data->set.buffer_size, &bytes); + if(result) + return result; + } + else { + /* the pending bytes can be found here */ + inbuf = wsp->stillb; + drain = TRUE; + } + if(bytes) { + unsigned char *out; + size_t olen; + bool more; + unsigned int recvflags; + curl_off_t oleft = wsp->frame.bytesleft; + + infof(data, "WS: got %u websocket bytes to decode", (int)bytes); + if(!oleft && !drain) { + result = ws_decode(data, (unsigned char *)inbuf, bytes, + &out, &olen, &oleft, &more, &recvflags); + if(result == CURLE_AGAIN) + /* a packet fragment only */ + break; + else if(result) + return result; + wsp->frame.offset = 0; + wsp->frame.bytesleft = oleft; + wsp->frame.flags = recvflags; + } + else { + olen = oleft; + out = (unsigned char *)wsp->stillb; + recvflags = wsp->frame.flags; + if((curl_off_t)buflen < oleft) + /* there is still data left after this */ + wsp->frame.bytesleft -= buflen; + else + wsp->frame.bytesleft = 0; + } + + /* auto-respond to PINGs */ + if((recvflags & CURLWS_PING) && !oleft) { + infof(data, "WS: auto-respond to PING with a PONG"); + /* send back the exact same content as a PONG */ + result = 
curl_ws_send(data, out, olen, &bytes, 0, CURLWS_PONG); + if(result) + return result; + } + else { + if(olen < buflen) { + /* copy the payload to the user buffer */ + memcpy(buffer, out, olen); + *nread = olen; + if(!oleft) + /* websocket frame has been delivered */ + ws_decode_clear(data); + } + else { + /* copy a partial payload */ + memcpy(buffer, out, buflen); + *nread = buflen; + /* remember what is left and where */ + wsp->stillbuffer = olen - buflen; + wsp->stillb = (char *)buffer + buflen; + } + wsp->frame.offset += *nread; + } + } + else + *nread = bytes; + break; + } while(1); + *metap = &wsp->frame; + return CURLE_OK; +} + +static void ws_xor(struct Curl_easy *data, + const unsigned char *source, + unsigned char *dest, + size_t len) +{ + struct websocket *wsp = &data->req.p.http->ws; + size_t i; + /* append payload after the mask, XOR appropriately */ + for(i = 0; i < len; i++) { + dest[i] = source[i] ^ wsp->mask[wsp->xori]; + wsp->xori++; + wsp->xori &= 3; + } +} + +/*** + RFC 6455 Section 5.2 + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-------+-+-------------+-------------------------------+ + |F|R|R|R| opcode|M| Payload len | Extended payload length | + |I|S|S|S| (4) |A| (7) | (16/64) | + |N|V|V|V| |S| | (if payload len==126/127) | + | |1|2|3| |K| | | + +-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - + + | Extended payload length continued, if payload len == 127 | + + - - - - - - - - - - - - - - - +-------------------------------+ + | |Masking-key, if MASK set to 1 | + +-------------------------------+-------------------------------+ + | Masking-key (continued) | Payload Data | + +-------------------------------- - - - - - - - - - - - - - - - + + : Payload Data continued ... : + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + | Payload Data continued ... 
| + +---------------------------------------------------------------+ +*/ + +static size_t ws_packethead(struct Curl_easy *data, + size_t len, unsigned int flags) +{ + struct HTTP *ws = data->req.p.http; + unsigned char *out = (unsigned char *)data->state.ulbuf; + unsigned char firstbyte = 0; + int outi; + unsigned char opcode; + if(flags & CURLWS_TEXT) { + opcode = WSBIT_OPCODE_TEXT; + infof(data, "WS: send OPCODE TEXT"); + } + else if(flags & CURLWS_CLOSE) { + opcode = WSBIT_OPCODE_CLOSE; + infof(data, "WS: send OPCODE CLOSE"); + } + else if(flags & CURLWS_PING) { + opcode = WSBIT_OPCODE_PING; + infof(data, "WS: send OPCODE PING"); + } + else if(flags & CURLWS_PONG) { + opcode = WSBIT_OPCODE_PONG; + infof(data, "WS: send OPCODE PONG"); + } + else { + opcode = WSBIT_OPCODE_BIN; + infof(data, "WS: send OPCODE BINARY"); + } + + if(!(flags & CURLWS_CONT)) { + /* if not marked as continuing, assume this is the final fragment */ + firstbyte |= WSBIT_FIN | opcode; + ws->ws.contfragment = FALSE; + } + else if(ws->ws.contfragment) { + /* the previous fragment was not a final one and this isn't either, keep a + CONT opcode and no FIN bit */ + firstbyte |= WSBIT_OPCODE_CONT; + } + else { + ws->ws.contfragment = TRUE; + } + out[0] = firstbyte; + if(len > 65535) { + out[1] = 127 | WSBIT_MASK; + out[2] = (len >> 8) & 0xff; + out[3] = len & 0xff; + outi = 10; + } + else if(len > 126) { + out[1] = 126 | WSBIT_MASK; + out[2] = (len >> 8) & 0xff; + out[3] = len & 0xff; + outi = 4; + } + else { + out[1] = (unsigned char)len | WSBIT_MASK; + outi = 2; + } + + infof(data, "WS: send FIN bit %u (byte %02x)", + firstbyte & WSBIT_FIN ? 
1 : 0, + firstbyte); + infof(data, "WS: send payload len %u", (int)len); + + /* 4 bytes mask */ + memcpy(&out[outi], &ws->ws.mask, 4); + + if(data->set.upload_buffer_size < (len + 10)) + return 0; + + /* pass over the mask */ + outi += 4; + + ws->ws.xori = 0; + /* return packet size */ + return outi; +} + +CURL_EXTERN CURLcode curl_ws_send(struct Curl_easy *data, const void *buffer, + size_t buflen, size_t *sent, + curl_off_t totalsize, + unsigned int sendflags) +{ + CURLcode result; + size_t headlen; + char *out; + ssize_t written; + struct websocket *wsp = &data->req.p.http->ws; + + if(!data->set.ws_raw_mode) { + result = Curl_get_upload_buffer(data); + if(result) + return result; + } + else { + if(totalsize || sendflags) + return CURLE_BAD_FUNCTION_ARGUMENT; + } + + if(data->set.ws_raw_mode) { + if(!buflen) + /* nothing to do */ + return CURLE_OK; + /* raw mode sends exactly what was requested, and this is from within + the write callback */ + if(Curl_is_in_callback(data)) + result = Curl_write(data, data->conn->writesockfd, buffer, buflen, + &written); + else + result = Curl_senddata(data, buffer, buflen, &written); + + infof(data, "WS: wanted to send %zu bytes, sent %zu bytes", + buflen, written); + *sent = written; + return result; + } + + if(buflen > (data->set.upload_buffer_size - 10)) + /* don't do more than this in one go */ + buflen = data->set.upload_buffer_size - 10; + + if(sendflags & CURLWS_OFFSET) { + if(totalsize) { + /* a frame series 'totalsize' bytes big, this is the first */ + headlen = ws_packethead(data, totalsize, sendflags); + wsp->sleft = totalsize - buflen; + } + else { + headlen = 0; + if((curl_off_t)buflen > wsp->sleft) { + infof(data, "WS: unaligned frame size (sending %zu instead of %zu)", + buflen, wsp->sleft); + wsp->sleft = 0; + } + else + wsp->sleft -= buflen; + } + } + else + headlen = ws_packethead(data, buflen, sendflags); + + /* headlen is the size of the frame header */ + out = data->state.ulbuf; + if(buflen) + /* for PING 
and PONG etc there might not be a payload */ + ws_xor(data, buffer, (unsigned char *)out + headlen, buflen); + + if(data->set.connect_only) + result = Curl_senddata(data, out, buflen + headlen, &written); + else + result = Curl_write(data, data->conn->writesockfd, out, + buflen + headlen, &written); + + infof(data, "WS: wanted to send %zu bytes, sent %zu bytes", + headlen + buflen, written); + *sent = written; + + return result; +} + +void Curl_ws_done(struct Curl_easy *data) +{ + struct websocket *wsp = &data->req.p.http->ws; + DEBUGASSERT(wsp); + Curl_dyn_free(&wsp->buf); +} + +CURL_EXTERN struct curl_ws_frame *curl_ws_meta(struct Curl_easy *data) +{ + /* we only return something for websocket, called from within the callback + when not using raw mode */ + if(GOOD_EASY_HANDLE(data) && Curl_is_in_callback(data) && data->req.p.http && + !data->set.ws_raw_mode) + return &data->req.p.http->ws.frame; + return NULL; +} + +#else + +CURL_EXTERN CURLcode curl_ws_recv(CURL *curl, void *buffer, size_t buflen, + size_t *nread, + struct curl_ws_frame **metap) +{ + (void)curl; + (void)buffer; + (void)buflen; + (void)nread; + (void)metap; + return CURLE_OK; +} + +CURL_EXTERN CURLcode curl_ws_send(CURL *curl, const void *buffer, + size_t buflen, size_t *sent, + curl_off_t framesize, + unsigned int sendflags) +{ + (void)curl; + (void)buffer; + (void)buflen; + (void)sent; + (void)framesize; + (void)sendflags; + return CURLE_OK; +} + +CURL_EXTERN struct curl_ws_frame *curl_ws_meta(struct Curl_easy *data) +{ + (void)data; + return NULL; +} +#endif /* USE_WEBSOCKETS */ diff --git a/vendor/curl/lib/ws.h b/vendor/curl/lib/ws.h new file mode 100644 index 0000000000..341242e50e --- /dev/null +++ b/vendor/curl/lib/ws.h 
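Review bot: The 64-bit length guard in ws_decode tests the wrong bits: `if(p[2] & 80)` is decimal 80 (0x50), so the top bit that RFC 6455 requires to be zero is never rejected, a server can send a first length byte of 0x80 and make `payloadsize` negative, and that value then reaches `*olen` and `wsp->usedbuf` as a huge size_t that Curl_ws_writecb passes straight to the user's write callback; the line should read `if(p[2] & 0x80)`. Curl_ws_accept's opening comments describe verifying Sec-WebSocket-Accept and rejecting unrequested extensions and subprotocols, but the body only draws the mask and flips upgr101, and nothing else in this diff performs those checks, so any 101 response is accepted as an upgrade; either add the SHA-1(key + GUID) comparison or replace the comments with `/* TODO: Sec-WebSocket-Accept, -Extensions and -Protocol are not verified yet */` so the gap is not mistaken for implemented behaviour. The masking key is generated once per connection in Curl_ws_accept and reused by ws_xor for every outgoing frame, whereas RFC 6455 section 5.3 wants an unpredictable key per frame; moving the `Curl_rand(data, (unsigned char *)&ws->ws.mask, sizeof(ws->ws.mask))` call into ws_packethead, just before `memcpy(&out[outi], &ws->ws.mask, 4)`, fixes that without an interface change. In ws_packethead the `len > 65535` branch writes only two bytes of the 64-bit length into out[2..3] and sends out[4..9] uninitialized, and its `upload_buffer_size < (len + 10)` check returns 0 for any legitimately large `totalsize`, after which curl_ws_send transmits the masked payload with no frame header at all. In curl_ws_recv the partial-payload path stores `wsp->stillb = (char *)buffer + buflen`, which points one past the caller's buffer rather than at the undelivered bytes in `out`, so the next call copies from memory the caller never filled, and Curl_ws_writecb's `if(result) return result;` after the PONG send hands a CURLcode back as a byte count where it should return 0 like the short-write branch does.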
@@ -0,0 +1,69 @@ +#ifndef HEADER_CURL_WS_H +#define HEADER_CURL_WS_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +#include "curl_setup.h" + +#ifdef USE_WEBSOCKETS + +#ifdef USE_HYPER +#define REQTYPE void +#else +#define REQTYPE struct dynbuf +#endif + +/* this is the largest single fragment size we support */ +#define MAX_WS_SIZE 65535 + +/* part of 'struct HTTP', when used in the 'struct SingleRequest' in the + Curl_easy struct */ +struct websocket { + bool contfragment; /* set TRUE if the previous fragment sent was not final */ + unsigned char mask[4]; /* 32 bit mask for this connection */ + struct Curl_easy *data; /* used for write callback handling */ + struct dynbuf buf; + size_t usedbuf; /* number of leading bytes in 'buf' the most recent complete + websocket frame uses */ + struct curl_ws_frame frame; /* the struct used for frame state */ + curl_off_t oleft; /* outstanding number of payload bytes left from the + server */ + curl_off_t stillbuffer; /* number of bytes left in the buffer to deliver in + the next curl_ws_recv() call */ + char *stillb; /* the stillbuffer pending bytes are here */ + 
curl_off_t sleft; /* outstanding number of payload bytes left to send */ + unsigned int xori; /* xor index */ +}; + +CURLcode Curl_ws_request(struct Curl_easy *data, REQTYPE *req); +CURLcode Curl_ws_accept(struct Curl_easy *data); + +size_t Curl_ws_writecb(char *buffer, size_t size, size_t nitems, void *userp); +void Curl_ws_done(struct Curl_easy *data); + +#else +#define Curl_ws_request(x,y) CURLE_OK +#define Curl_ws_done(x) Curl_nop_stmt +#endif + +#endif /* HEADER_CURL_WS_H */
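Review bot: The comment on `MAX_WS_SIZE` ("the largest single fragment size we support") does not match how the constant is used: in ws.c it only sizes the receive dynbuf (`Curl_dyn_init(&data->req.p.http->ws.buf, MAX_WS_SIZE * 2)` in Curl_ws_request), incoming frames larger than that are streamed as partial frames by ws_decode, and outgoing frames are capped by `upload_buffer_size - 10` in curl_ws_send, not by this value. I would reword it to `/* cap on the incoming-frame reassembly buffer; used as MAX_WS_SIZE * 2 in Curl_ws_request() */`. The `#else` branch stubs only Curl_ws_request and Curl_ws_done, so a comment noting that callers of Curl_ws_accept and Curl_ws_writecb must themselves sit inside `#ifdef USE_WEBSOCKETS` would save someone a link error on a non-WebSocket build.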