Fabian Keil
9e6ec8b6d5
tests 1117,1238,1523: adjust writedelay servercmds
...
... so the delays are the same now that the unit
is in milliseconds.
2022-05-11 11:14:18 +02:00
Fabian Keil
fc3a0a872f
tests/server/sws.c: change the HTTP writedelay unit to milliseconds
...
This allows using write delays for large responses without
resulting in the test taking an unreasonable amount of time.
In many cases delaying writes by a whole second or more isn't
necessary for the desired effect.
Closes #8827
2022-05-11 11:14:18 +02:00
Daniel Gustafsson
37f892fb8c
aws-sigv4: fix potential NULL pointer arithmetic
...
We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic. There is no
live bug here, but fixing it before it can become for hygiene.
Closes : #8814
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-11 10:52:56 +02:00
Daniel Stenberg
fdb5e21b4d
quiche: support ca-fallback
...
Follow-up to b01f3e679f which added this for ngtcp2/openssl
Removed from KNOWN_BUGS
Fixes #8696
Closes #8830
2022-05-11 10:49:31 +02:00
Daniel Gustafsson
bcf03dd213
x509asn1: mark msnprintf return as unchecked
...
We have lots of unchecked msnprintf calls, and this particular msnprintf
call isn't more interesting than the others, but this one yields a Coverity
warning so let's implicitly silence it. Going over the other invocations
is probably a worthwhile project, but for now let's keep the static
analyzers happy.
Closes : #8831
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-11 10:38:08 +02:00
Daniel Stenberg
462196e6b4
RELEASE-NOTES: synced
...
curl 7.83.1 release
2022-05-11 08:11:15 +02:00
Daniel Stenberg
7fb6c9ba8f
THANKS: added contributors from 7.83.1
2022-05-11 08:11:14 +02:00
Daniel Stenberg
3be1e9c642
zuul: fix the ngtcp2-gnutls build
...
Add packages and tweak the configure options.
Use the GnuTLS 3.7.4 branch (not main).
Closes #8829
2022-05-10 09:44:00 +02:00
Tatsuhiro Tsujikawa
b01f3e679f
ngtcp2: add ca-fallback support for OpenSSL backend
...
Closes #8828
2022-05-10 09:43:08 +02:00
Daniel Stenberg
1645e9b445
url: check SSH config match on connection reuse
...
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
2022-05-09 23:13:53 +02:00
Daniel Stenberg
f18af4f874
tls: check more TLS details for connection reuse
...
CVE-2022-27782
Reported-by: Harry Sintonen
Bug: https://curl.se/docs/CVE-2022-27782.html
Closes #8825
2022-05-09 23:13:53 +02:00
Daniel Stenberg
7e92d12b4e
cookies: make bad_domain() not consider a trailing dot fine
...
The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.
CVE-2022-27779
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.html
Closes #8820
2022-05-09 16:47:28 +02:00
Daniel Stenberg
f8cb6c610a
test977: reproduce ability to set cookie on TLD
...
When PSL is not enabled
2022-05-09 16:47:28 +02:00
Daniel Stenberg
447873dd4c
scripts/contributors.sh: correct the copyright range
2022-05-09 16:41:57 +02:00
Daniel Stenberg
22c4ecee7c
docs/RELEASE-PROCEDURE.md: refreshed and adjusted the release dates
2022-05-09 16:25:16 +02:00
Daniel Stenberg
43cec1d4f8
test379: verify --remove-on-error with --no-clobber
2022-05-09 12:56:30 +02:00
Daniel Stenberg
8c7ee9083d
post_per_transfer: remove the updated file name
...
When --remove-on-error is used with --no-clobber, it might have an
updated file name to remove.
Bug: https://curl.se/docs/CVE-2022-27778.html
CVE-2022-27778
Reported-by: Harry Sintonen
Closes #8824
2022-05-09 12:56:21 +02:00
Daniel Stenberg
fae6fea209
hsts: ignore trailing dots when comparing hosts names
...
CVE-2022-30115
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-30115.html
Closes #8821
2022-05-09 12:54:39 +02:00
Daniel Stenberg
ff3ee510c3
test440/441: verify HSTS with trailing dots
2022-05-09 12:54:39 +02:00
Daniel Stenberg
cfa47974fe
libtest/lib1560: verify the host name percent decode fix
2022-05-09 12:50:41 +02:00
Daniel Stenberg
914aaab915
urlapi: reject percent-decoding host name into separator bytes
...
CVE-2022-27780
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27780.html
Closes #8826
2022-05-09 12:50:34 +02:00
Daniel Stenberg
5c7da89d40
nss: return error if seemingly stuck in a cert loop
...
CVE-2022-27781
Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
Closes #8822
2022-05-09 10:07:15 +02:00
Daniel Stenberg
46d45ea3af
test412/413: verify alt-svc with trailing dots
2022-05-09 09:39:22 +02:00
Daniel Stenberg
a1d23f287e
altsvc: fix host name matching for trailing dots
...
Closes #8819
2022-05-09 09:39:15 +02:00
Garrett Squire
652fd3fab8
hyper: fix test 357
...
This change fixes the hyper API such that PUT requests that receive a
417 response can retry without the Expect header.
Closes #8811
2022-05-08 23:19:05 +02:00
Harry Sintonen
4fc35c829c
sectransp: bail out if SSLSetPeerDomainName fails
...
Before the code would just warn about SSLSetPeerDomainName() errors.
Closes #8798
2022-05-06 16:25:20 +02:00
Daniel Stenberg
a8a1dd8ecc
http_proxy/hyper: handle closed connections
...
Enable test 1021 for hyper builds.
Patched-by: Prithvi MK
Fixes #8700
Closes #8806
2022-05-06 11:01:54 +02:00
Daniel Stenberg
a15fa1c357
KNOWN_BUGS: timeout when reusing a http3 connection
...
Closes #8764
2022-05-06 09:20:18 +02:00
Daniel Stenberg
06fd9736b7
KNOWN_BUGS: configure --with-ca-fallback is not supported by h3
...
Closes #8696
2022-05-06 09:15:46 +02:00
Ryan Schmidt
a04f0b9613
Makefile: fix "make ca-firefox"
...
Closes #8804
2022-05-05 17:12:05 +02:00
Daniel Gustafsson
5d3c57bfaa
tests: fix markdown formatting in README
...
The asterisk in the abbreviation *NIX (for UNIX/Linux) needs to be
escaped to not mean start of italic formatting. This is consistent
with docs/RELEASE-PROCEDURE.md.
Closes : #8802
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-05 16:43:38 +02:00
Daniel Stenberg
1b0cab695d
TODO: expand on "Expose tried IP addresses that failed"
...
Ref: #8794
2022-05-05 13:57:16 +02:00
Fabian Keil
4f0bc19bc7
tests/server: declare variable 'reqlogfile' static
...
Silences the warning:
CC socksd-socksd.o
socksd.c:143:13: warning: no previous extern declaration for
non-static variable 'reqlogfile' [-Wmissing-variable-declarations]
const char *reqlogfile = DEFAULT_REQFILE;
^
socksd.c:143:7: note: declare 'static' if the variable is not
intended to be used outside of this translation unit
const char *reqlogfile = DEFAULT_REQFILE;
^
1 warning generated.
... when compiling with clang 13.
Closes : #8799
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2022-05-05 11:55:06 +02:00
Daniel Gustafsson
8e8413ab0b
HTTP-COOKIES: add missing CURLOPT_COOKIESESSION
...
Commit 980a47b42 added support for ignoring session cookies, but it
was never added to the documentation.
Closes : #8795
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-05 11:51:07 +02:00
Daniel Stenberg
7fc0123129
docs/THANKS: remove name duplicate
2022-05-05 10:25:56 +02:00
Philip H
613bf27771
.mailmap: update
...
Closes #8800
2022-05-05 10:24:17 +02:00
Jay Satiro
6285957f1d
mbedtls: fix some error messages
...
Prior to this change some of the error messages misidentified the
function that failed.
2022-05-05 03:13:24 -04:00
Daniel Stenberg
153ada0b21
RELEASE-NOTES: synced
2022-05-05 08:48:17 +02:00
Sergey Markelov
137a668e8c
x509asn1: make do_pubkey handle EC public keys
...
Closes #8757
2022-05-05 08:44:23 +02:00
Harry Sintonen
d7fb9ab7ce
mbedtls: bail out if rng init fails
...
There was a failf() call but no actual error return.
Closes #8796
2022-05-05 08:40:38 +02:00
Sergey Markelov
b5b86856a9
urlapi: address (harmless) UndefinedBehavior sanitizer warning
...
`while(i--)` causes runtime error: unsigned integer overflow: 0 - 1
cannot be represented in type 'size_t' (aka 'unsigned long')
Closes #8797
2022-05-05 08:38:06 +02:00
Fabian Keil
6db4ef1242
test{898,974,976}: add 'HTTP proxy' keywords
...
... so the tests can be automatically skipped when
testing external HTTP proxies like Privoxy.
Closes #8791
2022-05-04 23:34:50 +02:00
Harry Sintonen
1a78051732
gskit_connect_step1: fixed bogus setsockopt calls
...
setsockopt takes a reference to value, not value. With the current
code this just leads to -1 return value with errno EFAULT.
Closes #8793
2022-05-04 23:33:17 +02:00
Daniel Stenberg
dd4f2622bc
CURLOPT_SSH_AUTH_TYPES.3: fix the default
...
The default is all possible methods.
Closes #8792
2022-05-04 23:31:24 +02:00
Daniel Stenberg
851fb743db
CURLOPT_DOH_URL.3: mention the known bug
...
It is mostly duplicating info from KNOWN_BUGS but makes it easier to find
for users of this option.
Closes #8790
2022-05-04 14:44:16 +02:00
Daniel Stenberg
55e137bdf5
CURLOPT_HSTS*FUNCTION.3: document the involved structs as well
...
Reviewed-By: Daniel Gustafsson
Closes #8788
2022-05-03 17:18:28 +02:00
Daniel Stenberg
45c578f662
docs/SECURITY-PROCESS.md: "Visible command line arguments"
2022-05-03 13:37:04 +02:00
Daniel Stenberg
0d015fb3f6
SECURITY-PROCESS: mention "URL inconsistencies"
...
... as common problems that are *not* vulns.
2022-05-03 08:50:10 +02:00
Daniel Gustafsson
803947a1c7
contributors: strip off final comma
...
The final row of contributors should not end with a comma as it's the
end of the list.
Closes : #8785
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-05-02 22:45:09 +02:00
Philip H
5e9a703cf2
misc: use "autoreconf -fi" instead of buildconf
...
Signed-off-by: Philip H <47042125+pheiduck@users.noreply.github.com>
Closes #8777
2022-05-02 17:53:06 +02:00