mirror of
https://github.com/curl/curl.git
synced 2024-12-27 06:59:43 +08:00
3829759bd0
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]. Enable new recommended warnings (except `-Wsign-conversion`): - enable `-Wformat=2` for clang (in both cmake and autotools). - add `CURL_PRINTF()` internal attribute and mark functions accepting printf arguments with it. This is a copy of existing `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible with redefinting the `printf` symbol: https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94 - fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for mingw-w64 and enable it on this platform. - enable `-Wimplicit-fallthrough`. - enable `-Wtrampolines`. - add `-Wsign-conversion` commented with a FIXME. - cmake: enable `-pedantic-errors` the way we do it with autotools. Follow-up tod5c0351055
#2747 - lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format checks. Previously it was always disabled due to the internal `printf` macro. Fix them: - fix bug where an `set_ipv6_v6only()` call was missed in builds with `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`. - add internal `FALLTHROUGH()` macro. - replace obsolete fall-through comments with `FALLTHROUGH()`. - fix fallthrough markups: Delete redundant ones (showing up as warnings in most cases). Add missing ones. Fix indentation. - silence `-Wformat-nonliteral` warnings with llvm/clang. - fix one `-Wformat-nonliteral` warning. - fix new `-Wformat` and `-Wformat-security` warnings. - fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its definition to `lib/curl_setup.h` allowing use in `tests/server`. - lib: fix two wrongly passed string arguments in log outputs. Co-authored-by: Jay Satiro - fix new `-Wformat` warnings on mingw-w64. [1]56c0fde389/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md
Closes #12489
222 lines
5.9 KiB
C
222 lines
5.9 KiB
C
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
/* argv1 = URL
|
|
* argv2 = proxy with embedded user+password
|
|
*/
|
|
|
|
#include "test.h"
|
|
|
|
#include "warnless.h"
|
|
#include "memdebug.h"
|
|
|
|
struct data {
|
|
char trace_ascii; /* 1 or 0 */
|
|
};
|
|
|
|
static
|
|
void dump(const char *text,
|
|
FILE *stream, unsigned char *ptr, size_t size,
|
|
char nohex)
|
|
{
|
|
size_t i;
|
|
size_t c;
|
|
|
|
unsigned int width = 0x10;
|
|
|
|
if(nohex)
|
|
/* without the hex output, we can fit more on screen */
|
|
width = 0x40;
|
|
|
|
fprintf(stream, "%s, %zu bytes (0x%zx)\n", text, size, size);
|
|
|
|
for(i = 0; i<size; i += width) {
|
|
|
|
fprintf(stream, "%04zx: ", i);
|
|
|
|
if(!nohex) {
|
|
/* hex not disabled, show it */
|
|
for(c = 0; c < width; c++)
|
|
if(i + c < size)
|
|
fprintf(stream, "%02x ", ptr[i + c]);
|
|
else
|
|
fputs(" ", stream);
|
|
}
|
|
|
|
for(c = 0; (c < width) && (i + c < size); c++) {
|
|
/* check for 0D0A; if found, skip past and start a new line of output */
|
|
if(nohex && (i + c + 1 < size) && ptr[i + c] == 0x0D &&
|
|
ptr[i + c + 1] == 0x0A) {
|
|
i += (c + 2 - width);
|
|
break;
|
|
}
|
|
fprintf(stream, "%c",
|
|
(ptr[i + c] >= 0x20) && (ptr[i + c]<0x80)? ptr[i + c] : '.');
|
|
/* check again for 0D0A, to avoid an extra \n if it's at width */
|
|
if(nohex && (i + c + 2 < size) && ptr[i + c + 1] == 0x0D &&
|
|
ptr[i + c + 2] == 0x0A) {
|
|
i += (c + 3 - width);
|
|
break;
|
|
}
|
|
}
|
|
fputc('\n', stream); /* newline */
|
|
}
|
|
fflush(stream);
|
|
}
|
|
|
|
static
|
|
int my_trace(CURL *handle, curl_infotype type,
|
|
char *data, size_t size,
|
|
void *userp)
|
|
{
|
|
struct data *config = (struct data *)userp;
|
|
const char *text;
|
|
(void)handle; /* prevent compiler warning */
|
|
|
|
switch(type) {
|
|
case CURLINFO_TEXT:
|
|
fprintf(stderr, "== Info: %s", (char *)data);
|
|
return 0;
|
|
case CURLINFO_HEADER_OUT:
|
|
text = "=> Send header";
|
|
break;
|
|
case CURLINFO_DATA_OUT:
|
|
text = "=> Send data";
|
|
break;
|
|
case CURLINFO_SSL_DATA_OUT:
|
|
text = "=> Send SSL data";
|
|
break;
|
|
case CURLINFO_HEADER_IN:
|
|
text = "<= Recv header";
|
|
break;
|
|
case CURLINFO_DATA_IN:
|
|
text = "<= Recv data";
|
|
break;
|
|
case CURLINFO_SSL_DATA_IN:
|
|
text = "<= Recv SSL data";
|
|
break;
|
|
default: /* in case a new one is introduced to shock us */
|
|
return 0;
|
|
}
|
|
|
|
dump(text, stderr, (unsigned char *)data, size, config->trace_ascii);
|
|
return 0;
|
|
}
|
|
|
|
|
|
static size_t current_offset = 0;
|
|
static char databuf[70000]; /* MUST be more than 64k OR
|
|
MAX_INITIAL_POST_SIZE */
|
|
|
|
static size_t read_callback(char *ptr, size_t size, size_t nmemb, void *stream)
|
|
{
|
|
size_t amount = nmemb * size; /* Total bytes curl wants */
|
|
size_t available = sizeof(databuf) - current_offset; /* What we have to
|
|
give */
|
|
size_t given = amount < available ? amount : available; /* What is given */
|
|
(void)stream;
|
|
memcpy(ptr, databuf + current_offset, given);
|
|
current_offset += given;
|
|
return given;
|
|
}
|
|
|
|
|
|
static size_t write_callback(void *ptr, size_t size, size_t nmemb,
|
|
void *stream)
|
|
{
|
|
int amount = curlx_uztosi(size * nmemb);
|
|
printf("%.*s", amount, (char *)ptr);
|
|
(void)stream;
|
|
return size * nmemb;
|
|
}
|
|
|
|
|
|
static curlioerr ioctl_callback(CURL *handle, int cmd, void *clientp)
|
|
{
|
|
(void)clientp;
|
|
if(cmd == CURLIOCMD_RESTARTREAD) {
|
|
printf("APPLICATION received a CURLIOCMD_RESTARTREAD request\n");
|
|
printf("APPLICATION ** REWINDING! **\n");
|
|
current_offset = 0;
|
|
return CURLIOE_OK;
|
|
}
|
|
(void)handle;
|
|
return CURLIOE_UNKNOWNCMD;
|
|
}
|
|
|
|
|
|
|
|
int test(char *URL)
|
|
{
|
|
CURL *curl;
|
|
CURLcode res = CURLE_OK;
|
|
struct data config;
|
|
size_t i;
|
|
static const char fill[] = "test data";
|
|
|
|
config.trace_ascii = 1; /* enable ascii tracing */
|
|
|
|
global_init(CURL_GLOBAL_ALL);
|
|
easy_init(curl);
|
|
|
|
test_setopt(curl, CURLOPT_DEBUGFUNCTION, my_trace);
|
|
test_setopt(curl, CURLOPT_DEBUGDATA, &config);
|
|
/* the DEBUGFUNCTION has no effect until we enable VERBOSE */
|
|
test_setopt(curl, CURLOPT_VERBOSE, 1L);
|
|
|
|
/* setup repeated data string */
|
|
for(i = 0; i < sizeof(databuf); ++i)
|
|
databuf[i] = fill[i % sizeof(fill)];
|
|
|
|
/* Post */
|
|
test_setopt(curl, CURLOPT_POST, 1L);
|
|
|
|
/* Setup read callback */
|
|
test_setopt(curl, CURLOPT_POSTFIELDSIZE, (long) sizeof(databuf));
|
|
test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
|
|
|
|
/* Write callback */
|
|
test_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
|
|
|
|
/* Ioctl function */
|
|
CURL_IGNORE_DEPRECATION(
|
|
test_setopt(curl, CURLOPT_IOCTLFUNCTION, ioctl_callback);
|
|
)
|
|
|
|
test_setopt(curl, CURLOPT_PROXY, libtest_arg2);
|
|
|
|
test_setopt(curl, CURLOPT_URL, URL);
|
|
|
|
/* Accept any auth. But for this bug configure proxy with DIGEST, basic
|
|
might work too, not NTLM */
|
|
test_setopt(curl, CURLOPT_PROXYAUTH, (long)CURLAUTH_ANY);
|
|
|
|
res = curl_easy_perform(curl);
|
|
|
|
test_cleanup:
|
|
|
|
curl_easy_cleanup(curl);
|
|
curl_global_cleanup();
|
|
return (int)res;
|
|
}
|