Commit Graph

30961 Commits

Author SHA1 Message Date
Dan Fandrich
3514a394f3 test2600: remove special case handling for USE_ALARM_TIMEOUT
This was originally added to handle platforms that supported only 1
second granularity in connect timeouts, but after some recent changes
the test currently permafails on several Windows platforms.

The need for this special-case was removed in commit 8627416, which
increased the connect timeout in all cases to well above 1 second.

Fixes #11767
Closes #11849
2023-09-14 11:57:00 -07:00
Daniel Stenberg
46d4ae5e11
SECURITY-PROCESS.md. call it vulnerability disclosure policy
SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md

This a name commonly used for a document like this. This name helps
users find it.

Closes #11852
2023-09-14 17:04:33 +02:00
Junho Choi
267e14f1ba quiche: fix build error with --with-ca-fallback
- Fix build error when curl is built with --with-quiche
  and --with-ca-fallback.

- Add --with-ca-fallback to the quiche CI job.

Fixes https://github.com/curl/curl/issues/11850
Closes https://github.com/curl/curl/pull/11847
2023-09-14 03:10:18 -04:00
Jay Satiro
7a2421dbb7 escape: replace Curl_isunreserved with ISUNRESERVED
- Use the ALLCAPS version of the macro so that it is clear a macro is
  being called that evaluates the variable multiple times.

- Also capitalize macro isurlpuntcs => ISURLPUNTCS since it evaluates
  a variable multiple times.

This is a follow-up to 291d225a which changed Curl_isunreserved into an
alias macro for ISUNRESERVED. The problem is the former is not easily
identified as a macro by the caller, which could lead to a bug.

For example, ISUNRESERVED(*foo++) is easily identifiable as wrong but
Curl_isunreserved(*foo++) is not even though they both are the same.

Closes https://github.com/curl/curl/pull/11846
2023-09-14 03:07:45 -04:00
Dan Fandrich
23c3f81ed7 tests: increase the default server logs lock timeout
This timeout is used to wait for the server to finish writing its logs
before checking them against the expected values. An overloaded machine
could take more than the two seconds previously allocated, so increase
the timeout to 5 seconds.

Ref: #11328
Closes #11834
2023-09-13 11:26:08 -07:00
Dan Fandrich
c725ec72a3 tests: increase TEST_HANG_TIMEOUT in two tests
These tests had a 5 second timeout compared to 60 seconds for all other
tests. Make these consistent with the others for more reliability on
heavily-loaded machines.

Ref: #11328
2023-09-13 11:26:08 -07:00
Dan Fandrich
223f601c04 test1056: disable on Windows
This test relies on the IPv6 scope field being ignored when connecting to
ipv6-localhost (i.e. [::1%259999] is treated as [::1]). Maybe this is a bit
dodgy, but it works on all our test platforms except Windows. This
test was disabled manually on all Windows CI builds already, so instead
add an incompatible feature and precheck so it's skipped on Windows
everywhere automatically.
2023-09-13 11:26:08 -07:00
Dan Fandrich
2e2fc007c8 test587: add a slight delay after test
This test is designed to connect to the server, then immediately send a
few bytes and disconnect. In some situations, such as on a loaded
server, this doesn't give the server enough time to write its lock file
before its existence is checked. The test harness then fails to find the
server's input log file (because it hasn't been written yet) and fails
the test. By adding a short delay after the test, the HTTP server has
enough time to write its lock file which gives itself more time to write
its remaining files.

Ref: #11328
2023-09-13 11:26:08 -07:00
Dan Fandrich
d29a62d738 tests: stop overriding the lock timeout
These tests reduce the server lock wait timeout which can increase
flakiness on loaded machines. Since this is merely an optimization,
eliminate them in favour of reliability.

Ref: #11328
2023-09-13 11:26:08 -07:00
Dan Fandrich
2ef67901cc tests: add some --expect100-timeout to reduce timing dependencies
These tests can fail when the test machine is so slow that the test HTTP
server didn't get a chance to complete before the client's one second
100-continue timeout triggered. Increase that 1 second to 999 seconds so
this situation doesn't happen.

Ref: #11328
2023-09-13 11:26:08 -07:00
Dan Fandrich
f0e4fa445d test661: return from test early in case of curl error 2023-09-13 11:26:08 -07:00
Dan Fandrich
381792dfbf tests: add the timing-dependent keyword on several tests
These are ones likely to fail on heavily-loaded machines that alter the
normal test timing. Most of these tests already had the flaky keyword
since this condition makes them more likely to fail on CI.
2023-09-13 11:26:08 -07:00
Dan Fandrich
ae84a52c42 test1592: greatly increase the maximum test timeout
It was too short to be reliable on heavily loaded CI machines, and
as a fail-safe only, it didn't need to be short.

Ref: #11328
2023-09-13 11:26:08 -07:00
Dan Fandrich
7d56d2e50d test: minor test cleanups
Remove an obsolete block of code in tests 2032 & 576.
Add a comment in test 1474.
2023-09-13 11:26:08 -07:00
Dan Fandrich
9db7f17135 tests: quadruple the %FTPTIME2 and %FTPTIME3 timeouts
This gives more of a margin for error when running on overloaded CI
servers.

Ref: #11328
2023-09-13 11:26:07 -07:00
Dan Fandrich
ad3c83599e tests: improve SLOWDOWN test reliability by reducing sent data
These tests are run in SLOWDOWN mode which adds a 10 msec delay after
each character output, which means it takes at least 1.6 seconds (and
320 kernel calls) just to get through the long welcome banner. On an
overloaded system, this can end up taking much more than 1.6 seconds,
and even more than the 7 or 16 second curl timeout that the tests rely
on, causing them to fail. Reducing the size of the welcome banner drops
the total number of characters sent before the transfer starts by more
than half, which reduces the opportunity for test-breaking slowdowns by
the same amount.

Ref: #11328
2023-09-13 11:26:07 -07:00
Dan Fandrich
877e103584 test650: fix an end tag typo 2023-09-13 11:26:07 -07:00
Jay Satiro
73980f9ace tool_cb_wrt: fix debug assertion
- Fix off-by-one out-of-bounds array index in Windows debug assertion.

Bug: https://github.com/curl/curl/commit/af3f4e41#r127212213
Reported-by: Gisle Vanem
2023-09-13 14:00:05 -04:00
Daniel Stenberg
291d225a50
ctype: add ISUNRESERVED()
... and make Curl_isunreserved() use that macro instead of providing a
separate funtion for the purpose.

Closes #11840
2023-09-13 14:29:44 +02:00
Daniel Stenberg
6fa1d817e5
RELEASE-NOTES: syn ced
curl 8.3.0 release
2023-09-13 08:19:24 +02:00
Daniel Stenberg
85ce7f8070
THANKS: contributors from 8.3.0 2023-09-13 08:19:24 +02:00
Thorsten Klein
a77a4a33c2
cmake: set SIZEOF_LONG_LONG in curl_config.h
in order to support 32bit builds regarding wolfssl CTC_SETTINGS

Closes #11839
2023-09-12 14:21:47 +02:00
Jay Satiro
ae5d433ecd curl_ngtcp2: fix error message 2023-09-12 03:14:16 -04:00
Jay Satiro
b5c65f8b7b http_aws_sigv4: handle no-value user header entries
- Handle user headers in format 'name:' and 'name;' with no value.

The former is used when the user wants to remove an internal libcurl
header and the latter is used when the user actually wants to send a
no-value header in the format 'name:' (note the semi-colon is converted
by libcurl to a colon).

Prior to this change the AWS header import code did not special case
either of those and the generated AWS SignedHeaders would be incorrect.

Reported-by: apparentorder@users.noreply.github.com

Ref: https://curl.se/docs/manpage.html#-H

Fixes https://github.com/curl/curl/issues/11664
Closes https://github.com/curl/curl/pull/11668
2023-09-11 15:24:05 -04:00
Dan Fandrich
14108c1b80 CI: run pytest with the -v option
This lists of the test cases being run so it can be tracked over time.

Closes #11824
2023-09-11 09:20:40 -07:00
Daniel Stenberg
3046f477e4
HTTP3: the msquic backend is not functional
I ask that we do not submit bugs for this backend just yet as we know it
does not fully work.

Closes #11831
Closes #11819
2023-09-11 09:50:42 +02:00
Daniel Stenberg
a1532a33b3
aws_sigv4: the query canon code miscounted URL encoded input
Added some extra ampersands to test 439 to verify "blank" query parts

Follow-up to fc76a24c53

Closes #11829
2023-09-11 08:17:39 +02:00
vvb2060
d5c562cd0d quic: don't set SNI if hostname is an IP address
We already do this for TLS connections.

RFC 6066 says: Literal IPv4 and IPv6 addresses are not permitted in
"HostName".

Ref: https://www.rfc-editor.org/rfc/rfc6066#section-3

Fixes https://github.com/curl/curl/issues/11827
Closes https://github.com/curl/curl/pull/11828
2023-09-11 02:14:23 -04:00
Daniel Stenberg
39c883560a
RELEASE-NOTES: synced 2023-09-10 12:53:26 +02:00
Benoit Pierre
3e39cda4d6
configure: fix HAVE_TIME_T_UNSIGNED check
The syntax was incorrect (need a proper main body), and the test
condition was wrong (resulting in a signed `time_t` detected as
unsigned).

Closes #11825
2023-09-10 12:21:17 +02:00
Daniel Stenberg
fe599ff090
THANKS-filter: pszlazak on github 2023-09-09 23:48:12 +02:00
pszlazak
ba30c5e0da
include.d: explain headers not printed with --fail before 7.75.0
Prior to 7.75.0 response headers were not printed if -f/--fail was used
and an error was reported by server.  This was fixed in ab525c0
(precedes 7.75.0).

Closes #11822
2023-09-09 23:20:09 +02:00
Daniel Stenberg
16bdc09ee0
http_aws_sigv4: skip the op if the query pair is zero bytes
Follow-up to fc76a24c53

Spotted by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62175
Closes #11823
2023-09-08 22:15:20 +02:00
Daniel Stenberg
4600bd3993
cmdline-docs: use present tense, not future
+ some smaller cleanups

Closes #11821
2023-09-08 16:57:33 +02:00
Daniel Stenberg
bfb48e33fb
cmdline-docs: make sure to phrase it as "added in ...."
References to things that were added or changed in a specific version
should be specified as "(added in [version]) for two reasons:

1 - consistency

2 - to allow gen.pl to strip them out if deemed referring to too old
    versions

Closes #11821
2023-09-08 16:57:25 +02:00
Jay Satiro
fa7df3070a docs: mark --ssl-revoke-best-effort as Schannel specific
Closes https://github.com/curl/curl/pull/11760
2023-09-08 03:49:06 -04:00
Nathan Moinvaziri
f6700c744b schannel: fix ordering of cert chain info
- Use CERT_CONTEXT's pbCertEncoded to determine chain order.

CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains
end-entity/server certificate in pbCertEncoded. We can use this pointer
to determine the order of certificates when enumerating hCertStore using
CertEnumCertificatesInStore.

This change is to help ensure that the ordering of the certificate chain
requested by the user via CURLINFO_CERTINFO has the same ordering on all
versions of Windows.

Prior to this change Schannel certificate order was reversed in 8986df80
but that was later reverted in f540a39b when it was discovered that
Windows 11 22H2 does the reversal on its own.

Ref: https://github.com/curl/curl/issues/9706

Closes https://github.com/curl/curl/pull/11632
2023-09-08 03:47:13 -04:00
Chris Talbot
7703ca7f86 digest: Use hostname to generate spn instead of realm
In https://www.rfc-editor.org/rfc/rfc2831#section-2.1.2

digest-uri-value should be serv-type "/" host , where host is:

      The DNS host name or IP address for the service requested.  The
      DNS host name must be the fully-qualified canonical name of the
      host. The DNS host name is the preferred form; see notes on server
      processing of the digest-uri.

Realm may not be the host, so we must specify the host explicitly.

Note this change only affects the non-SSPI digest code. The digest code
used by SSPI builds already uses the hostname to generate the spn.

Ref: https://github.com/curl/curl/issues/11369

Closes https://github.com/curl/curl/pull/11395
2023-09-08 03:23:44 -04:00
Daniel Stenberg
945db0d958
docs: remove use of the word 'very'
It is mostly superfluous. proselint would complain.

Closes #11818
2023-09-07 22:52:07 +02:00
Daniel Stenberg
28f8440c0b
curl_multi_remove_handle.3: clarify what happens with connection
Closes #11817
2023-09-07 19:47:02 +02:00
Daniel Stenberg
63b9073c6a
RELEASE-NOTES: synced 2023-09-07 18:24:49 +02:00
Daniel Stenberg
656610160f
test439: verify query canonization for aws-sigv4 2023-09-07 17:50:43 +02:00
Daniel Stenberg
c5a9630739
tool_operate: make aws-sigv4 not require TLS to be used
Maybe not used too often, but we want it for testing and it should work.
2023-09-07 17:50:27 +02:00
Daniel Stenberg
fc76a24c53
http_aws_sigv4: canonicalize the query
Percent encoding needs to be done using uppercase, and most
non-alphanumerical must be percent-encoded.

Fixes #11794
Reported-by: John Walker
Closes #11806
2023-09-07 17:50:13 +02:00
Wyatt O'Day
e92edfbef6
lib: add ability to disable auths individually
Both with configure and cmake

Closes #11490
2023-09-07 17:45:06 +02:00
Stefan Eissing
33dac9dfac
ngtcp2: fix handling of large requests
- requests >64K are send in parts to the filter
- fix parsing of the request to assemble it correctly
  from several sends
- open a QUIC stream only when the complete request has
  been collected

Closes #11815
2023-09-07 17:32:47 +02:00
Stefan Eissing
c849062677
openssl: when CURLOPT_SSL_CTX_FUNCTION is registered, init x509 store before
- we delay loading the x509 store to shorten the handshake time.
  However an application callback installed via CURLOPT_SSL_CTX_FUNCTION
  may need to have the store loaded and try to manipulate it.
- load the x509 store before invoking the app callback

Fixes #11800
Reported-by: guoxinvmware on github
Cloes #11805
2023-09-07 16:18:48 +02:00
Daniel Stenberg
25907fd5ba
krb5: fix "implicit conversion loses integer precision" warnings
conversions to/from enum and unsigned chars

Closes #11814
2023-09-07 16:17:13 +02:00
Stefan Eissing
3b30cc1a0d
pytest: improvements
- set CURL_CI for pytest runs in CI environments
- exclude timing sensitive tests from CI runs
- for failed results, list only the log and stat of
  the failed transfer

- fix type in http.c comment

Closes #11812
2023-09-07 10:30:14 +02:00
Stefan Eissing
108e51835e
CI: move on to ngtcp2 v0.19.1
Closes #11809
2023-09-06 23:11:30 +02:00