]> granicus.if.org Git - curl/log
curl
6 years agodocs: mention potential leak in curl_slist_append
Daniel Gustafsson [Wed, 2 Jan 2019 11:46:31 +0000 (12:46 +0100)]
docs: mention potential leak in curl_slist_append

When a non-empty list is appended to, and used as the returnvalue,
the list pointer can leak in case of an allocation failure in the
curl_slist_append() call. This is correctly handled in curl code
usage but we weren't explicitly pointing it out in the API call
documentation. Fix by extending the RETURNVALUE manpage section
and example code.

Closes #3424
Reported-by: dnivras on github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agotvnow: silence conversion warnings
Marcel Raad [Tue, 1 Jan 2019 17:03:11 +0000 (18:03 +0100)]
tvnow: silence conversion warnings

MinGW-w64 defaults to targeting Windows 7 now, so GetTickCount64 is
used and the milliseconds are represented as unsigned long long,
leading to a compiler warning when implicitly converting them to long.

6 years agoTHANKS: dedupe more names
Daniel Stenberg [Tue, 1 Jan 2019 16:55:41 +0000 (17:55 +0100)]
THANKS: dedupe more names

Researched-by: Tae Wong
6 years agontlm: update selection of type 3 response
Markus Moeller [Fri, 28 Dec 2018 14:04:53 +0000 (15:04 +0100)]
ntlm: update selection of type 3 response

NTLM2 did not work i.e. no NTLMv2 response was created. Changing the
check seems to work.

Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf

Fixes https://github.com/curl/curl/issues/3286
Closes https://github.com/curl/curl/pull/3287
Closes https://github.com/curl/curl/pull/3415

6 years agoTHANKS: added missing names from year <= 2000
Daniel Stenberg [Mon, 31 Dec 2018 19:01:00 +0000 (20:01 +0100)]
THANKS: added missing names from year <= 2000

Due to a report of a missing name in THANKS I manually went through an
old CHANGES.0 file and added many previously missing names here.

6 years agourlapi: fix parsing ipv6 with zone index
Daniel Gustafsson [Sun, 30 Dec 2018 19:11:57 +0000 (20:11 +0100)]
urlapi: fix parsing ipv6 with zone index

The previous fix for parsing IPv6 URLs with a zone index was a paddle
short for URLs without an explicit port. This patch fixes that case
and adds a unit test case.

This bug was highlighted by issue #3408, and while it's not the full
fix for the problem there it is an isolated bug that should be fixed
regardless.

Closes #3411
Reported-by: GitYuanQu on github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoTHANKS: dedupe Guenter Knauf
Daniel Stenberg [Sun, 30 Dec 2018 16:59:58 +0000 (17:59 +0100)]
THANKS: dedupe Guenter Knauf

Reported-by: Tae Wong
6 years agoTHANKS: missing name from the 6.3.1 release!
Daniel Stenberg [Sun, 30 Dec 2018 16:57:54 +0000 (17:57 +0100)]
THANKS: missing name from the 6.3.1 release!

6 years agoRELEASE-NOTES: synced
Daniel Gustafsson [Thu, 27 Dec 2018 13:40:33 +0000 (14:40 +0100)]
RELEASE-NOTES: synced

6 years agohostip: support wildcard hosts
Claes Jakobsson [Thu, 27 Dec 2018 13:23:13 +0000 (14:23 +0100)]
hostip: support wildcard hosts

This adds support for wildcard hosts in CURLOPT_RESOLVE. These are
try-last so any non-wildcard entry is resolved first. If specified,
any host not matched by another CURLOPT_RESOLVE config will use this
as fallback.

Example send a.com to 10.0.0.1 and everything else to 10.0.0.2:
  curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \
       https://a.com https://b.com

This is probably quite similar to using:
  --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443

Closes #3406
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agourl: fix incorrect indentation
Daniel Gustafsson [Wed, 26 Dec 2018 23:03:35 +0000 (00:03 +0100)]
url: fix incorrect indentation

6 years agoos400: upgrade ILE/RPG binding.
Patrick Monnerat [Wed, 26 Dec 2018 14:17:54 +0000 (15:17 +0100)]
os400: upgrade ILE/RPG binding.

- Trailer function support.
- http 0.9 option.
- curl_easy_upkeep.

6 years agoFAQ: remove mention of sourceforge for github
Daniel Gustafsson [Tue, 25 Dec 2018 22:20:55 +0000 (23:20 +0100)]
FAQ: remove mention of sourceforge for github

The project bug tracker is no longer hosted at sourceforge but is now
hosted on the curl Github page. Update the FAQ to reflect.

Closes #3410
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoopenvms: fix typos in documentation
Daniel Gustafsson [Tue, 25 Dec 2018 21:28:36 +0000 (22:28 +0100)]
openvms: fix typos in documentation

6 years agoopenvms: fix OpenSSL discovery on VAX
Daniel Gustafsson [Tue, 25 Dec 2018 21:27:29 +0000 (22:27 +0100)]
openvms: fix OpenSSL discovery on VAX

The DCL code had a typo in one of the commands which would make the
OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT.

Closes #3407
Reviewed-by: Viktor Szakats <commit@vszakats.net>
6 years agocmake: use lowercase for function name like the rest of the code
Ruslan Baratov [Tue, 30 Oct 2018 14:45:46 +0000 (17:45 +0300)]
cmake: use lowercase for function name like the rest of the code

Reviewed-by: Sergei Nikulov
closes #3196

6 years agoRevert "libssh: no data pointer == nothing to do"
Daniel Stenberg [Sun, 23 Dec 2018 16:40:46 +0000 (17:40 +0100)]
Revert "libssh: no data pointer == nothing to do"

This reverts commit c98ee5f67f497195c9 since commit f3ce38739fa fixed the
problem in a more generic way.

6 years agodisconnect: set conn->data for protocol disconnect
Daniel Stenberg [Sun, 23 Dec 2018 16:38:59 +0000 (17:38 +0100)]
disconnect: set conn->data for protocol disconnect

Follow-up to fb445a1e18d: Set conn->data explicitly to point out the
current transfer when invoking the protocol-specific disconnect function
so that it can work correctly.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173

6 years agotimeval: Use high resolution timestamps on Windows
Pavel P [Mon, 26 Nov 2018 23:10:10 +0000 (15:10 -0800)]
timeval: Use high resolution timestamps on Windows

- Use QueryPerformanceCounter on Windows Vista+

There is confusing info floating around that QueryPerformanceCounter
can leap etc, which might have been true long time ago, but no longer
the case nowadays (perhaps starting from WinXP?). Also, boost and
std::chrono::steady_clock use QueryPerformanceCounter in a similar way.

Prior to this change GetTickCount or GetTickCount64 was used, which has
lower resolution. That is still the case for <= XP.

Fixes https://github.com/curl/curl/issues/3309
Closes https://github.com/curl/curl/pull/3318

6 years agolibssh: no data pointer == nothing to do
Daniel Stenberg [Sat, 22 Dec 2018 17:13:39 +0000 (18:13 +0100)]
libssh: no data pointer == nothing to do

6 years agoconncache_unlock: avoid indirection by changing input argument type
Daniel Stenberg [Thu, 20 Dec 2018 15:51:44 +0000 (16:51 +0100)]
conncache_unlock: avoid indirection by changing input argument type

6 years agodisconnect: separate connections and easy handles better
Daniel Stenberg [Thu, 20 Dec 2018 15:39:02 +0000 (16:39 +0100)]
disconnect: separate connections and easy handles better

Do not assume/store assocation between a given easy handle and the
connection if it can be avoided.

Long-term, the 'conn->data' pointer should probably be removed as it is a
little too error-prone. Still used very widely though.

Reported-by: masbug on github
Fixes #3391
Closes #3400

6 years agolibssh: free sftp_canonicalize_path() data correctly
Daniel Stenberg [Fri, 21 Dec 2018 13:22:42 +0000 (14:22 +0100)]
libssh: free sftp_canonicalize_path() data correctly

Assisted-by: Harry Sintonen
Fixes #3402
Closes #3403

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Fri, 21 Dec 2018 12:57:20 +0000 (13:57 +0100)]
RELEASE-NOTES: synced

6 years agohttp: added options for allowing HTTP/0.9 responses
Daniel Stenberg [Mon, 17 Dec 2018 14:46:56 +0000 (15:46 +0100)]
http: added options for allowing HTTP/0.9 responses

Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose.

For now, both the tool and library allow HTTP/0.9 by default.
docs/DEPRECATE.md lays out the plan for when to reverse that default: 6
months after the 7.64.0 release. The options are added already now so
that applications/scripts can start using them already now.

Fixes #2873
Closes #3383

6 years agoif2ip: remove unused function Curl_if_is_interface_name
Daniel Stenberg [Thu, 20 Dec 2018 16:22:37 +0000 (17:22 +0100)]
if2ip: remove unused function Curl_if_is_interface_name

Closes #3401

6 years agohttp2: clear pause stream id if it gets closed
Daniel Stenberg [Thu, 20 Dec 2018 09:36:52 +0000 (10:36 +0100)]
http2: clear pause stream id if it gets closed

Reported-by: Florian Pritz
Fixes #3392
Closes #3399

6 years agowolfssl: Perform cleanup
David Garske [Wed, 19 Dec 2018 16:30:44 +0000 (08:30 -0800)]
wolfssl: Perform cleanup

This adds a cleanup callback for cyassl. Resolves possible memory leak
when using ECC fixed point cache.

Closes #3395
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
6 years agombedtls: follow-up VERIFYHOST fix from f097669248
Daniel Stenberg [Wed, 19 Dec 2018 07:46:39 +0000 (08:46 +0100)]
mbedtls: follow-up VERIFYHOST fix from f097669248

Fix-by: Eric Rosenquist
Fixes #3376
Closes #3390

6 years agocurlver: bump to 7.64.0 for next release
Daniel Stenberg [Thu, 20 Dec 2018 08:38:01 +0000 (09:38 +0100)]
curlver: bump to 7.64.0 for next release

6 years agocookies: extend domain checks to non psl builds
Daniel Gustafsson [Wed, 19 Dec 2018 19:59:09 +0000 (20:59 +0100)]
cookies: extend domain checks to non psl builds

Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agosmb: fix incorrect path in request if connection reused
Matus Uzak [Tue, 18 Dec 2018 21:28:20 +0000 (22:28 +0100)]
smb: fix incorrect path in request if connection reused

Follow-up to 09e401e01bf9.  If connection gets reused, then data member
will be copied, but not the proto member.  As a result, in smb_do(),
path has been set from the original proto.share data.

Closes #3388

6 years agocurl -J: do not append to the destination file
Daniel Stenberg [Mon, 17 Dec 2018 11:51:51 +0000 (12:51 +0100)]
curl -J: do not append to the destination file

Reported-by: Kamil Dudka
Fixes #3380
Closes #3381

6 years agombedtls: use VERIFYHOST
Daniel Stenberg [Mon, 17 Dec 2018 12:08:41 +0000 (13:08 +0100)]
mbedtls: use VERIFYHOST

Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380

6 years agopingpong: change default response timeout to 120 seconds
Daniel Stenberg [Fri, 14 Dec 2018 08:26:17 +0000 (09:26 +0100)]
pingpong: change default response timeout to 120 seconds

Previously it was 30 minutes

6 years agopingpong: ignore regular timeout in disconnect phase
Daniel Stenberg [Fri, 14 Dec 2018 08:21:47 +0000 (09:21 +0100)]
pingpong: ignore regular timeout in disconnect phase

The timeout set with CURLOPT_TIMEOUT is no longer used when
disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP,
POP3).

Reported-by: jasal82 on github
Fixes #3264
Closes #3374

6 years agoTODO: Windows: set attribute 'archive' for completed downloads
Daniel Stenberg [Fri, 14 Dec 2018 10:18:57 +0000 (11:18 +0100)]
TODO: Windows: set attribute 'archive' for completed downloads

Closes #3354

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Fri, 14 Dec 2018 09:28:59 +0000 (10:28 +0100)]
RELEASE-NOTES: synced

6 years agohttp: minor whitespace cleanup from f464535b
Daniel Stenberg [Fri, 14 Dec 2018 09:20:06 +0000 (10:20 +0100)]
http: minor whitespace cleanup from f464535b

6 years agohttp: Implement trailing headers for chunked transfers
Ayoub Boudhar [Thu, 6 Dec 2018 09:18:03 +0000 (10:18 +0100)]
http: Implement trailing headers for chunked transfers

This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION
options that allow a callback based approach to sending trailing headers
with chunked transfers.

The test server (sws) was updated to take into account the detection of the
end of transfer in the case of trailing headers presence.

Test 1591 checks that trailing headers can be sent using libcurl.

Closes #3350

6 years agodarwinssl: accept setting max-tls with default min-tls
Daniel Stenberg [Thu, 13 Dec 2018 08:09:28 +0000 (09:09 +0100)]
darwinssl: accept setting max-tls with default min-tls

Reported-by: Andrei Neculau
Fixes #3367
Closes #3373

6 years agogopher: fix memory leak from 9026083ddb2a9
Daniel Stenberg [Thu, 13 Dec 2018 14:06:17 +0000 (15:06 +0100)]
gopher: fix memory leak from 9026083ddb2a9

6 years agotest1201: Add a trailing `?' to the selector
Leonardo Taccari [Wed, 12 Dec 2018 16:11:20 +0000 (17:11 +0100)]
test1201: Add a trailing `?' to the selector

This verify that the `?' in the selector is kept as is.

Verifies the fix in #3370

6 years agogopher: always include the entire gopher-path in request
Leonardo Taccari [Wed, 12 Dec 2018 15:58:18 +0000 (16:58 +0100)]
gopher: always include the entire gopher-path in request

After the migration to URL API all octets in the selector after the
first `?' were interpreted as query and accidentally discarded and not
passed to the server.

Add a gopherpath to always concatenate possible path and query URL
pieces.

Fixes #3369
Closes #3370

6 years agourlapi: distinguish possibly empty query
Leonardo Taccari [Wed, 12 Dec 2018 15:05:45 +0000 (16:05 +0100)]
urlapi: distinguish possibly empty query

If just a `?' to indicate the query is passed always store a zero length
query instead of having a NULL query.

This permits to distinguish URL with trailing `?'.

Fixes #3369
Closes #3370

6 years agoOS400: handle memory error in list conversion
Daniel Gustafsson [Thu, 13 Dec 2018 09:15:00 +0000 (10:15 +0100)]
OS400: handle memory error in list conversion

Curl_slist_append_nodup() returns NULL when it fails to create a new
item for the specified list, and since the coding here reassigned the
new list on top of the old list it would result in a dangling pointer
and lost memory. Also, in case we hit an allocation failure at some
point during the conversion, with allocation succeeding again on the
subsequent call(s) we will return a truncated list around the malloc
failure point. Fix by assigning to a temporary list pointer, which can
be checked (which is the common pattern for slist appending), and free
all the resources on allocation failure.

Closes #3372
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agocookies: leave secure cookies alone
Daniel Gustafsson [Thu, 13 Dec 2018 08:57:58 +0000 (09:57 +0100)]
cookies: leave secure cookies alone

Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agodocs: fix the --tls-max description
Daniel Stenberg [Wed, 12 Dec 2018 10:48:56 +0000 (11:48 +0100)]
docs: fix the --tls-max description

Reported-by: Tobias Lindgren
Pointed out in #3367

Closes #3368

6 years agourlapi: Fix port parsing of eol colon
Daniel Gustafsson [Wed, 12 Dec 2018 10:45:09 +0000 (11:45 +0100)]
urlapi: Fix port parsing of eol colon

A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoRELEASE-NOTES: 7.63.0 curl-7_63_0
Daniel Stenberg [Wed, 12 Dec 2018 07:12:27 +0000 (08:12 +0100)]
RELEASE-NOTES: 7.63.0

6 years agoTHANKS: from the curl 7.62.0 cycle
Daniel Stenberg [Wed, 12 Dec 2018 07:12:27 +0000 (08:12 +0100)]
THANKS: from the curl 7.62.0 cycle

6 years agotest1519: use lib1518 and test CURLINFO_REDIRECT_URL more
Daniel Stenberg [Tue, 11 Dec 2018 15:36:07 +0000 (16:36 +0100)]
test1519: use lib1518 and test CURLINFO_REDIRECT_URL more

6 years agoCurl_follow: extract the Location: header field unvalidated
Daniel Stenberg [Tue, 11 Dec 2018 15:08:51 +0000 (16:08 +0100)]
Curl_follow: extract the Location: header field unvalidated

... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364

6 years agomulti: convert two timeout variables to timediff_t
Daniel Stenberg [Tue, 11 Dec 2018 11:52:21 +0000 (12:52 +0100)]
multi: convert two timeout variables to timediff_t

The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363

6 years agodelta: use --diff-filter on the git diff-tree invokes
Daniel Stenberg [Tue, 11 Dec 2018 14:25:52 +0000 (15:25 +0100)]
delta: use --diff-filter on the git diff-tree invokes

Suggested-by: Dave Reisner
6 years agodocumentation: curl_formadd field and file names are now escaped
Patrick Monnerat [Tue, 11 Dec 2018 14:21:10 +0000 (15:21 +0100)]
documentation: curl_formadd field and file names are now escaped

Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition
header without special processing: this may lead to invalid RFC 822
quoted-strings.
7.56.0 introduces escaping of backslashes and double quotes in these names:
mention it in the documentation.

Reported-by: daboul on github
Closes #3361

6 years agoscripts/delta: show repo delta info from last release
Daniel Stenberg [Tue, 11 Dec 2018 14:06:21 +0000 (15:06 +0100)]
scripts/delta: show repo delta info from last release

... where "last release" should be the git tag in the repo.

6 years agotests: add urlapi unittest
Daniel Gustafsson [Tue, 11 Dec 2018 14:02:24 +0000 (15:02 +0100)]
tests: add urlapi unittest

This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6 years agourlapi: fix portnumber parsing for ipv6 zone index
Daniel Gustafsson [Tue, 11 Dec 2018 14:02:19 +0000 (15:02 +0100)]
urlapi: fix portnumber parsing for ipv6 zone index

An IPv6 URL which contains a zone index includes a '%%25<zode id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6 years agohttp: fix HTTP auth to include query in URI
Jay Satiro [Mon, 10 Dec 2018 00:34:47 +0000 (19:34 -0500)]
http: fix HTTP auth to include query in URI

- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356

6 years agohttp: don't set CURLINFO_CONDITION_UNMET for http status code 204
Michael Kaufmann [Mon, 10 Dec 2018 16:30:31 +0000 (17:30 +0100)]
http: don't set CURLINFO_CONDITION_UNMET for http status code 204

The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359

6 years agoldap: fix LDAP URL parsing regressions
Samuel Surtees [Tue, 11 Dec 2018 10:15:15 +0000 (20:15 +1000)]
ldap: fix LDAP URL parsing regressions

- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d1a5230 (7.62.0)

Closes #3362

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Sun, 9 Dec 2018 23:26:55 +0000 (00:26 +0100)]
RELEASE-NOTES: synced

6 years ago(lib)curl.rc: fixup for minor bugs
Stefan Kanthak [Fri, 7 Dec 2018 15:39:35 +0000 (16:39 +0100)]
(lib)curl.rc: fixup for minor bugs

All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348

6 years agotest329: verify cookie max-age=0 immediate expiry
Daniel Stenberg [Sat, 8 Dec 2018 16:50:09 +0000 (17:50 +0100)]
test329: verify cookie max-age=0 immediate expiry

6 years agocookies: expire "Max-Age=0" immediately
Daniel Stenberg [Sat, 8 Dec 2018 16:29:55 +0000 (17:29 +0100)]
cookies: expire "Max-Age=0" immediately

Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352

6 years agoUpon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
Johannes Schindelin [Fri, 7 Dec 2018 16:04:39 +0000 (17:04 +0100)]
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1

This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years agoopenssl: fix unused variable compiler warning with old openssl
Ben Greear [Fri, 7 Dec 2018 10:31:08 +0000 (11:31 +0100)]
openssl: fix unused variable compiler warning with old openssl

URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347

6 years agoNTLM: force the connection to HTTP/1.1
Johannes Schindelin [Thu, 6 Dec 2018 16:26:13 +0000 (17:26 +0100)]
NTLM: force the connection to HTTP/1.1

Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years agocurl_global_sslset(): id == -1 is not necessarily an error
Johannes Schindelin [Thu, 6 Dec 2018 16:18:43 +0000 (17:18 +0100)]
curl_global_sslset(): id == -1 is not necessarily an error

It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #3346

6 years ago.gitattributes: make tabs in indentation a visible error
Johannes Schindelin [Thu, 6 Dec 2018 19:20:32 +0000 (20:20 +0100)]
.gitattributes: make tabs in indentation a visible error

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 6 Dec 2018 09:02:09 +0000 (10:02 +0100)]
RELEASE-NOTES: synced

6 years agodoh: fix memory leak in OOM situation
Daniel Stenberg [Wed, 5 Dec 2018 14:21:27 +0000 (15:21 +0100)]
doh: fix memory leak in OOM situation

Reviewed-by: Daniel Gustafsson
Closes #3342

6 years agodoh: make it work for h2-disabled builds too
Daniel Stenberg [Mon, 3 Dec 2018 10:51:52 +0000 (11:51 +0100)]
doh: make it work for h2-disabled builds too

Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336

6 years agopackages: remove old leftover files and dirs
Daniel Stenberg [Fri, 30 Nov 2018 15:01:32 +0000 (16:01 +0100)]
packages: remove old leftover files and dirs

This subdir has mostly become an attic of never-used cruft from the
past.

Closes #3331

6 years agoopenssl: do not use file BIOs if not requested
Gergely Nagy [Mon, 3 Dec 2018 16:34:57 +0000 (17:34 +0100)]
openssl: do not use file BIOs if not requested

Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339

6 years agonss: Fix compatibility with nss versions 3.14 to 3.15
Paul Howarth [Tue, 4 Dec 2018 18:43:51 +0000 (18:43 +0000)]
nss: Fix compatibility with nss versions 3.14 to 3.15

6 years agonss: Improve info message when falling back SSL protocol
Paul Howarth [Tue, 4 Dec 2018 10:48:32 +0000 (10:48 +0000)]
nss: Improve info message when falling back SSL protocol

Use descriptive text strings rather than decimal numbers.

6 years agonss: Fall back to latest supported SSL version
Paul Howarth [Mon, 3 Dec 2018 11:42:48 +0000 (11:42 +0000)]
nss: Fall back to latest supported SSL version

NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261

6 years agotravis: enable COPYRIGHTYEAR extended warning
Daniel Gustafsson [Mon, 3 Dec 2018 22:18:59 +0000 (23:18 +0100)]
travis: enable COPYRIGHTYEAR extended warning

The extended warning for checking incorrect COPYRIGHTYEAR is quite
expensive to run, so rather than expecting every developer to do it
we ensure it's turned on locally for Travis.

6 years agochecksrc: add COPYRIGHTYEAR check
Daniel Gustafsson [Mon, 3 Dec 2018 22:13:40 +0000 (23:13 +0100)]
checksrc: add COPYRIGHTYEAR check

Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoCHECKSRC.md: document more warnings
Daniel Stenberg [Mon, 3 Dec 2018 07:25:58 +0000 (08:25 +0100)]
CHECKSRC.md: document more warnings

Closes #3335
[ci skip]

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Fri, 30 Nov 2018 22:54:37 +0000 (23:54 +0100)]
RELEASE-NOTES: synced

6 years agoSECURITY-PROCESS: bountygraph shuts down
Daniel Stenberg [Mon, 26 Nov 2018 10:37:49 +0000 (11:37 +0100)]
SECURITY-PROCESS: bountygraph shuts down

This backpedals back the documents to the state before bountygraph.

Closes #3311

6 years agocurl: fix memory leak reading --writeout from file
Daniel Stenberg [Fri, 30 Nov 2018 10:59:04 +0000 (11:59 +0100)]
curl: fix memory leak reading --writeout from file

If another string had been set first, the writout function for reading
the syntax from file would leak the previously allocated memory.

Reported-by: Brian Carpenter
Fixes #3322
Closes #3330

6 years agotool_main: rename function to make it unique and better
Daniel Stenberg [Fri, 30 Nov 2018 10:58:09 +0000 (11:58 +0100)]
tool_main: rename function to make it unique and better

... there's already another function in the curl tool named
free_config_fields!

6 years agoTODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry
Daniel Gustafsson [Thu, 29 Nov 2018 11:15:04 +0000 (12:15 +0100)]
TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry

Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option
making it a manual code-edit operation to turn it back on. The removal
process has thus started and is now documented in docs/DEPRECATE.md so
remove from the TODO to avoid anyone looking for something to pick up
spend cycles on an already in-progress entry.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoconnect: fix building for recent versions of Minix
Sevan Janiyan [Thu, 29 Nov 2018 01:48:19 +0000 (01:48 +0000)]
connect: fix building for recent versions of Minix

EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323

6 years agoCMake: fix MIT/Heimdal Kerberos detection
Konstantin Kushnir [Tue, 27 Nov 2018 15:12:35 +0000 (17:12 +0200)]
CMake: fix MIT/Heimdal Kerberos detection

- fix syntax error in FindGSS.cmake
- correct krb5 include directory. FindGSS exports
  "GSS_INCLUDE_DIR" variable.

Closes https://github.com/curl/curl/pull/3316

6 years agotest328: verify Content-Encoding: none
Daniel Stenberg [Tue, 27 Nov 2018 16:30:44 +0000 (17:30 +0100)]
test328: verify Content-Encoding: none

Because of issue #3315

Closes #3317

6 years agoconfigure: include all libraries in ssl-libs fetch
James Knight [Tue, 30 Oct 2018 07:17:44 +0000 (03:17 -0400)]
configure: include all libraries in ssl-libs fetch

When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` can produce
only a subset of found in a `--libs` call (e.x. pthread may be excluded).
Adding `--libs-only-other` ensures other libraries are also included in
the list. This corrects select build environments compiling against a
static version of OpenSSL. Before the change, the following could be
observed:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... no
    checking for HMAC_Init_ex in -lcrypto... no
    checking OpenSSL linking with -ldl... no
    checking OpenSSL linking with -ldl and -lpthread... no
    configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
    configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
    ...
    SSL support:      no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
    ...

And include the other libraries when compiling SSL_LIBS succeeds with:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... yes
    checking for SSL_connect in -lssl... yes
    ...
    SSL support:      enabled (OpenSSL)
    ...

Signed-off-by: James Knight <james.d.knight@live.com>
Closes #3193

6 years agodoh: fix typo in infof call
Daniel Gustafsson [Mon, 26 Nov 2018 10:40:26 +0000 (11:40 +0100)]
doh: fix typo in infof call

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agocmdline-opts/gen.pl: define the correct varname
Daniel Gustafsson [Mon, 26 Nov 2018 08:56:49 +0000 (09:56 +0100)]
cmdline-opts/gen.pl: define the correct varname

The variable definition had a small typo making it declare another
variable then the intended.

Closes #3304
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Sun, 25 Nov 2018 22:50:39 +0000 (23:50 +0100)]
RELEASE-NOTES: synced

6 years agocurl_easy_perform: fix timeout handling
Daniel Stenberg [Sat, 24 Nov 2018 22:20:19 +0000 (23:20 +0100)]
curl_easy_perform: fix timeout handling

curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308

6 years agoCURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
Daniel Stenberg [Fri, 23 Nov 2018 15:55:33 +0000 (16:55 +0100)]
CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times

6 years agocookies: create the cookiejar even if no cookies to save
Daniel Stenberg [Thu, 22 Nov 2018 12:24:02 +0000 (13:24 +0100)]
cookies: create the cookiejar even if no cookies to save

Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300

6 years agochecksrc: ban snprintf use, add command line flag to override warns
Daniel Stenberg [Thu, 22 Nov 2018 08:00:57 +0000 (09:00 +0100)]
checksrc: ban snprintf use, add command line flag to override warns

6 years agosnprintf: renamed and we now only use msnprintf()
Daniel Stenberg [Thu, 22 Nov 2018 08:01:24 +0000 (09:01 +0100)]
snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297

6 years agotest: update test20/1322 for eglibc bug workaround
Tobias Hintze [Tue, 13 Nov 2018 14:49:28 +0000 (15:49 +0100)]
test: update test20/1322 for eglibc bug workaround

The tests 20 and 1322 are using getaddrinfo of libc for resolving. In
eglibc-2.19 there is a memory leakage and invalid free bug which
surfaces in some special circumstances (PF_UNSPEC hint with invalid or
non-existent names). The valgrind runs in testing fail in these
situations.

As the tests 20/1322 are not specific on either protocol (IPv4/IPv6)
this commit changes the hints to IPv4 protocol by passing `--ipv4` flag
on the tests' command line.  This prevents the valgrind failures.