Commit Graph

28632 Commits

Author SHA1 Message Date
Daniel Gustafsson
5b9770e5fc configure: use the SED value to invoke sed
Rather than assuming sed in PATH, use the resolved $SED variable
like in all other invocations of sed in configure.

Closes: #8891
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2022-05-21 15:34:24 +02:00
Tatsuhiro Tsujikawa
8ea851b29d
ngtcp2: Allow curl to send larger UDP datagrams
Allow curl to send larger UDP datagram if Path MTU Discovery finds the
availability of larger path MTU.  To make it work and not to send
fragmented packet, we need to set DF bit.  That makes send(2) fail with
EMSGSIZE if UDP datagram is too large.  In that case, just let it be
lost.  This patch enables DF bit for Linux only.

Closes #8883
2022-05-20 17:50:38 +02:00
Daniel Stenberg
7f2e1d345a
libcurl-security.3: add "Secrets in memory"
Closes #8881
2022-05-20 17:36:25 +02:00
Daniel Stenberg
cb41a0169c
tests: update NTLM tests to use new host name
Also drop the debug requirement, remove the setenv sections, remove
prechecks and add NTLM to the top keywords.

Closes #8889
2022-05-20 16:24:13 +02:00
Daniel Stenberg
709ae2454f
ntlm: provide a fixed fake host name
The NTLM protocol includes providing the local host name, but apparently
other implementations already provide a fixed fake name instead to avoid
leaking the real local name.

The exact name used is 'WORKSTATION', because Firefox uses that.

The change is written to allow someone to "back-pedal" fairly easy in
case of need.

Reported-by: Carlo Alberto
Fixes #8859
Closes #8889
2022-05-20 16:24:13 +02:00
Daniel Gustafsson
c92c650413 KNOWN_BUGS: fix typo in problem description
s/TSL/TLS/
2022-05-20 13:43:35 +02:00
Daniel Gustafsson
93fe8a0476 FEATURES: remove yassl as TLS library for NTLM
yassl was added in commit 9d904ee41b but is no longer available
and is thus not a library to use for NTLM. This aligns the FEATURES
doc with the FAQ.

Closes: #8886
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-20 13:43:12 +02:00
Daniel Gustafsson
3022c5a946 FEATURES: reorder footnotes
The empty left-behind footnote confused the website rendering into
creating a nested emoty list, making the resulting page look quite
odd.  Remove and re-order the remaining ones to avoid a gap in the
sequence.

Closes: #8886
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-20 13:42:45 +02:00
Daniel Gustafsson
7652310e98 FAQ: remove opinionated sentence on NTLM
curl is a tool that support many different things, and it doesn't
really seem like our job to tell other what to use (as they might
not have much say in the matter even).  Also tidy up wording.

Closes: #8886
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-20 13:40:12 +02:00
Viktor Szakats
fde1cb9247
log2changes: do not indent empty lines [ci skip]
This will omit two spaces of indentation from lines with no content,
thus avoiding 'spaces @ EOL'.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Closes #8887
2022-05-20 05:58:05 +00:00
Daniel Stenberg
a7a18d7589
wolfssl: correct the failf() message when a handle can't be made
Closes #8885
2022-05-19 19:05:17 +02:00
Viktor Szakats
a820c55a72
Makefile.m32: delete two obsolete OpenSSL options [ci skip]
- -DOPENSSL_NO_KRB5: No longer used by OpenSSL 1.1.x, 3.x, or
  LibreSSL 3.5.x, yet it collides with the latter, which defines
  it unconditionally, resulting in this warning:
    ../../libressl/include/openssl/opensslfeatures.h:14:9: warning: 'OPENSSL_NO_KRB5' macro redefined [-Wmacro-redefined]
  It was originally added to curl in 2004.

- -DHAVE_OPENSSL_PKCS12_H: No longer used by OpenSSL 1.1.x, 3.x, or
  LibreSSL back to at least 2.5.5. Originally added in the same
  commit as the above, in 2004.

Closes #8884
2022-05-19 16:47:54 +00:00
Daniel Stenberg
d2c31ef3fb
RELEASE-NOTES: synced
bump to 7.84.0
2022-05-19 17:59:45 +02:00
Christian Weisgerber via curl-library
46f11a4cef
Makefile.am: fix portability issues
Commit a04f0b9613 made me notice that
there is a portability issue in curl's top-level Makefile.am.

$< can only be used in rules that deal with .SUFFIXES.  Its use
for general prerequisites is a GNU make extension.

$< could be replaced by $?, but I think in an autotools context,
something like this is better:

Bug: https://curl.se/mail/lib-2022-05/0024.html
Closes #8861
2022-05-19 15:45:26 +02:00
Balakrishnan Balasubramanian
dfa84a0450
socks: support unix sockets for socks proxy
Usage:
  curl -x "socks5h://localhost/run/tor/socks" "https://example.com"

Updated runtests.pl to run a socksd server listening on unix socket

Added tests test1467 test1468

Added documentation for proxy command line option and socks proxy
options

Closes #8668
2022-05-19 15:35:03 +02:00
Vincent Torri
ee52bead4d
cmake: add libpsl support
Fixes #8865
Closes #8867
2022-05-19 15:29:55 +02:00
Tatsuhiro Tsujikawa
9accb9a5be
ngtcp2: extend QUIC transport parameters buffer
Extend QUIC transport parameters buffer because 64 bytes are too
short for the ever increasing parameters.

Closes #8872
2022-05-19 14:56:50 +02:00
Tatsuhiro Tsujikawa
136ab928c8
ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
Closes #8871
2022-05-19 14:55:37 +02:00
Tatsuhiro Tsujikawa
fe1d00e71b
ngtcp2: send appropriate connection close error code
Closes #8870
2022-05-19 14:54:46 +02:00
Daniel Stenberg
b6487eb3d4
test1561: adjusted for the cookie fix 2022-05-19 14:48:26 +02:00
Daniel Stenberg
9ec22e4fe6
test414: verify secure cookie domain overlay 2022-05-19 14:48:26 +02:00
Harry Sintonen
e9a8451a3b
cookie: address secure domain overlay
Bug: https://hackerone.com/reports/1560324
Co-authored-by: Daniel Stenberg
Closes #8840
2022-05-19 14:48:26 +02:00
Frank Gevaerts
b12c2b91df
strcase: some optimisations
Lookup tables for toupper() and tolower() make Curl_strcasecompare()
about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
early then also allows simplifying the check at the end, for another
15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7
times faster.

Note that these optimisation assume ASCII. The original
Curl_raw_toupper() and raw_tolower() look like they already made that
assumption.

Closes #8875
2022-05-19 12:03:57 +02:00
Daniel Stenberg
435acbd379
BUG-BOUNTY.md: mention the audit exception
Dedicated - paid for - security audits that are performed in
collaboration with curl developers are not eligible for bounties.

(plus I changed the sub-titles to use ## instead of # in the markdown)

Closes #8880
2022-05-19 11:14:54 +02:00
Daniel Stenberg
0842936292
lib/vssh/wolfssh.h: removed
Unused header file

Reported-by: Illarion Taev
Fixes #8863
Closes #8866
2022-05-17 17:31:02 +02:00
Elms
835a205370
wolfSSL: explicitly use compatibility layer
This change removes adding an include `$prefix/wolfssl` or similar to
allow for openssl include aliasing. Include paths of `wolfssl/openssl/`
are used to explicitly use wolfSSL includes. This fixes cmake builds as
well as avoiding potentially using openSSL headers since include path
order is not guaranteed.

Closes #8864
2022-05-17 16:58:03 +02:00
Daniel Stenberg
84052154f7
curl: deprecate --random-file and --egd-file
As libcurl no longer has any functionality for them, the tool now does
nothing with them.

Closes #8670
2022-05-17 11:06:07 +02:00
Daniel Stenberg
8d86718f3f
opts: deprecate RANDOM_FILE and EGDSOCKET
These two options were only ever used for the OpenSSL backend for
versions before 1.1.0. They were never used for other backends and they
are not used with recent OpenSSL versions. They were never used much by
applications.

The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time
for ancient EOL OpenSSL versions.

Closes #8670
2022-05-17 11:05:54 +02:00
Harry Sintonen
1b3dcaed9f
bindlocal: don't use a random port if port number would wrap
Earlier if CURLOPT_LOCALPORT + CURLOPT_LOCALPORTRANGE would go past port
65535 the code would fall back to random port rather than giving up.

Closes #8862
2022-05-17 08:53:25 +02:00
Daniel Gustafsson
542c78dda7 transfer: Fix potential NULL pointer dereference
Commit 0ef54abf52 accidentally used the conn variable before the
assertion for it being NULL. Fix by moving the assignment which use
conn to after the assertion.

Closes: #8857
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-16 21:18:46 +02:00
Daniel Gustafsson
2df67e93c3 docs: clarify data replacement policy for MIME API
The API documentation for the MIME functions specify that the parts
can be set twice, with the last call winning.  While true, the user
can set the parts n times for n > 2, reword to specify multiple API
calls instead.

Closes: #8860
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-16 20:32:38 +02:00
vvb2060 on github
adde9f0e8c
ngtcp2: support boringssl crypto backend
Closes #8789
2022-05-16 18:21:54 +02:00
Tatsuhiro Tsujikawa
6fcd3e6f51
quic: add Curl_quic_idle
Add Curl_quic_idle which is called when no HTTP level read or write is
performed.  It is a good place to handle timer expiry for QUIC transport
(.e.g, retransmission).

Closes #8698
2022-05-16 18:19:08 +02:00
Gregor Jasny
53678992d5
mprintf: ignore clang non-literal format string
Closes #8740
2022-05-16 18:18:12 +02:00
Nick Zitzmann
e0b43c8eb9
sectransp: check for a function defined when __BLOCKS__ is undefined
SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it
requires Grand Central Dispatch to be supported by the compiler, and
some third-party macOS compilers do not support Grand Central Dispatch.
SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't
adversely affect anything.

Fixes #8846
Reported-by: Egor Pugin
Closes #8854
2022-05-16 18:15:04 +02:00
Daniel Gustafsson
d17db5713a test412/413: Use version macro for User-Agent
Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test
output file which breaks when curlver is updated. Shift to using
the %VERSION macro instead.

Closes: #8856
2022-05-16 10:45:41 +02:00
Daniel Gustafsson
bf327a9dfe macos9: remove partial support
The support for compiling on Mac OS 9 hasn't been modified since 2001
and has no active maintainer or packager, so it's time to remove it as
it's incredibly unlikely to work. If a maintainer re-emerges it can be
resurrected from Git history.

Closes: #8836
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-16 10:10:16 +02:00
Daniel Stenberg
3ead914303
test1635: verify --fail-with-body with --retry
Almost a dupe of 1634

Closes #8847
2022-05-16 10:04:21 +02:00
Daniel Stenberg
0356804d13
tool_operate: make sure --fail-with-body works with --retry
... in the same way --fail already does.

Reported-by: Jakub Bochenski
Fixes #8845
Closes #8847
2022-05-16 10:04:06 +02:00
Tatsuhiro Tsujikawa
5980068c87
ngtcp2: Correct use of ngtcp2 and nghttp3 signed integer types
Closes #8851
2022-05-16 10:02:50 +02:00
Tatsuhiro Tsujikawa
33e819d799
ngtcp2: Fix alert_read_func return value
Closes #8852
2022-05-16 09:57:37 +02:00
Harry Sintonen
8540f95444
Curl_parsenetrc: don't access local pwbuf outside of scope
Accessing local variables outside of the scope is forbidden and
depending on the compiler can result in the value being
overwritten. Fixed by moving the pwbuf to be in scope.

Closes #8850
2022-05-16 09:56:26 +02:00
Daniel Stenberg
64a4bb6cc8
RELEASE-NOTES: synced
and bump curlver to 7.83.2 for now (but likely to become 7.84.0 soon)
2022-05-16 09:23:21 +02:00
Frazer Smith
bda0d5fb84
ci: update github actions
- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout

Closes #8843
2022-05-14 23:37:59 +02:00
Daniel Stenberg
5227367903
test1919: verify CURLOPT_XOAUTH2_BEARER leak fix 2022-05-14 18:05:20 +02:00
Daniel Stenberg
06d12105c7
url: free old conn better on reuse
Make use of conn_free() better and avoid duplicate code.

Reported-by: Andrea Pappacoda
Fixes #8841
Closes #8842
2022-05-14 18:05:20 +02:00
Jay Satiro
a61eac6248 FAQ: Clarify Windows double quote usage
- Windows command prompt doesn't use literal quoting via single quotes.

- Windows command prompt inner double quotes are escaped with a
  backslash.

- Windows powershell does use single quotes but curl is not a powershell
  script so the arguments may not be passed on correctly.

- Windows powershell inner double quotes seems can be passed to curl if
  the outer quotes are double quotes and an escape of backslash-backtick
  is used.

Command prompt example:

~~~
getargs -v -d "\"a\""

argv[0]: getargs
argv[1]: -v
argv[2]: -d
argv[3]: "a"
~~~

Ref: https://github.com/curl/curl/issues/8818
Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c

Reported-by: KotlinIsland@users.noreply.github.com

Closes https://github.com/curl/curl/pull/8823
2022-05-14 02:38:58 -04:00
Daniel Stenberg
d56270cb30
github/workflows/nss: apt update first
Fix "libnss3-dev_3.49.1-1ubuntu1.6_amd64.deb 404 Not Found"

Closes #8837
2022-05-12 23:30:47 +02:00
Daniel Stenberg
1ddc8aefb2
page-footer: mention exit code zero too
Success (zero) is also an "exit code" worth mentioning.

Closes #8833
2022-05-12 16:26:20 +02:00
Daniel Gustafsson
f1cdeff37a gssapi: initialize gss_buffer_desc strings
Explicitly initialize gss_buffer_desc strings such that a call to
freeing resources will succeed even if no data has been allocated
to it.

Reported-by: Jay Satiro <raysatiro@yahoo.com>
2022-05-12 14:12:41 +02:00