Commit Graph

28632 Commits

Author SHA1 Message Date
Daniel Gustafsson
7360f9a565 gssapi: improve handling of errors from gss_display_status
In case gss_display_status() returns an error, avoid trying to add
it to the buffer as the message may well be a NULL pointer.

Originally this fix comes from a discussion in issue #8816.

Closes: #8832
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2022-05-12 14:11:52 +02:00
steini2000
f9bc378ab7 http2: always debug print stream id in decimal with %u
Prior to this change the stream id shown could be hex or decimal which
was inconsistent and confusing.

Closes https://github.com/curl/curl/pull/8808
2022-05-12 01:31:32 -04:00
Kamil Dudka
9494cdc3d2 url: remove redundant #ifdefs in allocate_conn()
No change in behavior intended by this commit.
2022-05-11 15:51:29 +02:00
Fabian Keil
75e9035921
tests 266, 116 and 1540: add a small write delay
This makes it more likely that the trailer is received
seperately from the last-chunk.

curl doesn't seem to care about this but it makes the tests
more useful when testing external proxies like Privoxy.
2022-05-11 11:14:18 +02:00
Fabian Keil
9e6ec8b6d5
tests 1117,1238,1523: adjust writedelay servercmds
... so the delays are the same now that the unit
is in milliseconds.
2022-05-11 11:14:18 +02:00
Fabian Keil
fc3a0a872f
tests/server/sws.c: change the HTTP writedelay unit to milliseconds
This allows to use write delays for large responses without
resulting in the test taking an unreasonable amount of time.

In many cases delaying writes by a whole second or more isn't
necessary for the desired effect.

Closes #8827
2022-05-11 11:14:18 +02:00
Daniel Gustafsson
37f892fb8c aws-sigv4: fix potentional NULL pointer arithmetic
We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic.  There is no
live bug here, but fixing it before it can become for hygiene.

Closes: #8814
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-11 10:52:56 +02:00
Daniel Stenberg
fdb5e21b4d
quiche: support ca-fallback
Follow-up to b01f3e679f which added this for ngtcp2/openssl

Removed from KNOWN_BUGS

Fixes #8696
Closes #8830
2022-05-11 10:49:31 +02:00
Daniel Gustafsson
bcf03dd213 x509asn1: mark msnprintf return as unchecked
We have lots of unchecked msnprintf calls, and this particular msnprintf
call isn't more interesting than the others, but this one yields a Coverity
warning so let's implicitly silence it. Going over the other invocations
is probably a worthwhile project, but for now let's keep the static
analyzers happy.

Closes: #8831
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-11 10:38:08 +02:00
Daniel Stenberg
462196e6b4
RELEASE-NOTES: synced
curl 7.83.1 release
2022-05-11 08:11:15 +02:00
Daniel Stenberg
7fb6c9ba8f
THANKS: added contributors from 7.83.1 2022-05-11 08:11:14 +02:00
Daniel Stenberg
3be1e9c642
zuul: fix the ngtcp2-gnutls build
Add packages and tweak the configure options.

Use the GnuTLS 3.7.4 branch (not main).

Closes #8829
2022-05-10 09:44:00 +02:00
Tatsuhiro Tsujikawa
b01f3e679f
ngtcp2: add ca-fallback support for OpenSSL backend
Closes #8828
2022-05-10 09:43:08 +02:00
Daniel Stenberg
1645e9b445
url: check SSH config match on connection reuse
CVE-2022-27782

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
2022-05-09 23:13:53 +02:00
Daniel Stenberg
f18af4f874
tls: check more TLS details for connection reuse
CVE-2022-27782

Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
2022-05-09 23:13:53 +02:00
Daniel Stenberg
7e92d12b4e
cookies: make bad_domain() not consider a trailing dot fine
The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.

CVE-2022-27779

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.html
Closes #8820
2022-05-09 16:47:28 +02:00
Daniel Stenberg
f8cb6c610a
test977: reproduce ability to set cookie on TLD
When PSL is not enabled
2022-05-09 16:47:28 +02:00
Daniel Stenberg
447873dd4c
scripts/contributors.sh: correct the copyright range 2022-05-09 16:41:57 +02:00
Daniel Stenberg
22c4ecee7c
docs/RELEASE-PROCEDURE.md: refreshed and adjsuted the release dates 2022-05-09 16:25:16 +02:00
Daniel Stenberg
43cec1d4f8
test379: verify --remove-on-error with --no-clobber 2022-05-09 12:56:30 +02:00
Daniel Stenberg
8c7ee9083d
post_per_transfer: remove the updated file name
When --remove-on-error is used with --no-clobber, it might have an
updated file name to remove.

Bug: https://curl.se/docs/CVE-2022-27778.html

CVE-2022-27778

Reported-by: Harry Sintonen

Closes #8824
2022-05-09 12:56:21 +02:00
Daniel Stenberg
fae6fea209
hsts: ignore trailing dots when comparing hosts names
CVE-2022-30115

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-30115.html
Closes #8821
2022-05-09 12:54:39 +02:00
Daniel Stenberg
ff3ee510c3
test440/441: verify HSTS with trailing dots 2022-05-09 12:54:39 +02:00
Daniel Stenberg
cfa47974fe
libtest/lib1560: verify the host name percent decode fix 2022-05-09 12:50:41 +02:00
Daniel Stenberg
914aaab915
urlapi: reject percent-decoding host name into separator bytes
CVE-2022-27780

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27780.html
Closes #8826
2022-05-09 12:50:34 +02:00
Daniel Stenberg
5c7da89d40
nss: return error if seemingly stuck in a cert loop
CVE-2022-27781

Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
Closes #8822
2022-05-09 10:07:15 +02:00
Daniel Stenberg
46d45ea3af
test412/413: verify alt-svc with trailing dots 2022-05-09 09:39:22 +02:00
Daniel Stenberg
a1d23f287e
altsvc: fix host name matching for trailing dots
Closes #8819
2022-05-09 09:39:15 +02:00
Garrett Squire
652fd3fab8
hyper: fix test 357
This change fixes the hyper API such that PUT requests that receive a
417 response can retry without the Expect header.

Closes #8811
2022-05-08 23:19:05 +02:00
Harry Sintonen
4fc35c829c
sectransp: bail out if SSLSetPeerDomainName fails
Before the code would just warn about SSLSetPeerDomainName() errors.

Closes #8798
2022-05-06 16:25:20 +02:00
Daniel Stenberg
a8a1dd8ecc
http_proxy/hyper: handle closed connections
Enable test 1021 for hyper builds.

Patched-by: Prithvi MK
Fixes #8700
Closes #8806
2022-05-06 11:01:54 +02:00
Daniel Stenberg
a15fa1c357
KNOWN_BUGS: timeout when reusing a http3 connection
Closes #8764
2022-05-06 09:20:18 +02:00
Daniel Stenberg
06fd9736b7
KNOWN_BUGS: configure --with-ca-fallback is not supported by h3
Closes #8696
2022-05-06 09:15:46 +02:00
Ryan Schmidt
a04f0b9613
Makefile: fix "make ca-firefox"
Closes #8804
2022-05-05 17:12:05 +02:00
Daniel Gustafsson
5d3c57bfaa tests: fix markdown formatting in README
The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be
escaped to not mean start of italic formatting. This is consistent
with docs/RELEASE-PROCEDURE.md.

Closes: #8802
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-05 16:43:38 +02:00
Daniel Stenberg
1b0cab695d
TODO: expand on "Expose tried IP addresses that failed"
Ref: #8794
2022-05-05 13:57:16 +02:00
Fabian Keil
4f0bc19bc7 tests/server: declare variable 'reqlogfile' static
Silences the warning:

     CC       socksd-socksd.o
   socksd.c:143:13: warning: no previous extern declaration for
    non-static variable 'reqlogfile' [-Wmissing-variable-declarations]
   const char *reqlogfile = DEFAULT_REQFILE;
               ^
   socksd.c:143:7: note: declare 'static' if the variable is not
    intended to be used outside of this translation unit
   const char *reqlogfile = DEFAULT_REQFILE;
         ^
   1 warning generated.

... when compiling with clang 13.

Closes: #8799
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2022-05-05 11:55:06 +02:00
Daniel Gustafsson
8e8413ab0b HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
Commit 980a47b42 added support for ignoring session cookies, but it
was never added to the documentation.

Closes: #8795
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-05 11:51:07 +02:00
Daniel Stenberg
7fc0123129
docs/THANKS: remove name duplicate 2022-05-05 10:25:56 +02:00
Philip H
613bf27771
.mailmap: update
Closes #8800
2022-05-05 10:24:17 +02:00
Jay Satiro
6285957f1d mbedtls: fix some error messages
Prior to this change some of the error messages misidentified the
function that failed.
2022-05-05 03:13:24 -04:00
Daniel Stenberg
153ada0b21
RELEASE-NOTES: synced 2022-05-05 08:48:17 +02:00
Sergey Markelov
137a668e8c
x509asn1: make do_pubkey handle EC public keys
Closes #8757
2022-05-05 08:44:23 +02:00
Harry Sintonen
d7fb9ab7ce
mbedtls: bail out if rng init fails
There was a failf() call but no actual error return.

Closes #8796
2022-05-05 08:40:38 +02:00
Sergey Markelov
b5b86856a9
urlapi: address (harmless) UndefinedBehavior sanitizer warning
`while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
cannot be represented in type 'size_t' (aka 'unsigned long')

Closes #8797
2022-05-05 08:38:06 +02:00
Fabian Keil
6db4ef1242
test{898,974,976}: add 'HTTP proxy' keywords
... so the tests can be automatically skipped when
testing external HTTP proxies like Privoxy.

Closes #8791
2022-05-04 23:34:50 +02:00
Harry Sintonen
1a78051732
gskit_connect_step1: fixed bogus setsockopt calls
setsockopt takes a reference to value, not value. With the current
code this just leads to -1 return value with errno EFAULT.

Closes #8793
2022-05-04 23:33:17 +02:00
Daniel Stenberg
dd4f2622bc
CURLOPT_SSH_AUTH_TYPES.3: fix the default
The default is all possible methods.

Closes #8792
2022-05-04 23:31:24 +02:00
Daniel Stenberg
851fb743db
CURLOPT_DOH_URL.3: mention the known bug
It is mostly duplicating info from KNOWN_BUGS but make it easier to find
for users of this option.

Closes #8790
2022-05-04 14:44:16 +02:00
Daniel Stenberg
55e137bdf5
CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
Reviewed-By: Daniel Gustafsson
Closes #8788
2022-05-03 17:18:28 +02:00