Add `data->state.origin` as the origin the transfer is sending the
current request to/gets the response from. Use it for request specific
properties like authentication, hsts and cookie handling, etc.
Unless talking to a forwarding HTTP proxy (e.g. not tunneling),
`data->state.origin` and `conn->origin` are the same.
With a forwarding HTTP proxy in play, `conn->origin` is set to
`conn->http_proxy.peer` and `conn->bits.origin_is_proxy` (a new bit) is
set.
Remove the connection bits, now replaced with:
* `conn->bits.socksproxy` -> `conn->socks_proy.peer`
* `conn->bits.httpproxy` -> `conn->http_proy.peer`
* `conn->bits.proxy` -> `(conn->socks_proy.peer || conn->http_proy.peer`)
* `conn->bits.tunnel_proxy` -> (`conn->http_proy.peer && !conn->bits.origin_is_proxy`)
* `(conn->bits.httpproxy && !conn->bits.tunnel_proxy)` -> `conn->bits.origin_is_proxy`
Rename `noproxy.[ch]` to `proxy.[ch]`. Move the connection proxy setup
code from `url.c` to `proxy.c`.
Remove `data->info.conn_remote_port` as no one uses it.
Add test_40_02b for a SOCKS connection to a forwarding HTTPS proxy.
Update internal documentation about peers and creds.
Closes#21967
To contain the logic of checking for both `EWOULDBLOCK` and/or `EAGAIN`
depending on platform/availability. Also to avoid checking for both if
they mapp to the same value, and to avoid PP guards around use.
This also ensures `EAGAIN` is consistently not checked on Windows, where
headers defined it, but `SOCKERRNO` never returns it, because curl maps
it to `WSAGetLastError()`.
If they map to the same value, checking them both in an `if` expression
trips GCC warning `-Wlogical-op` (the same way it triggers duplicate
case value error in `switch`).
Also:
- replace two `switch()` statements with the new macro.
- tests/server/sws: make two outliers use the new macro that were only
checking for `EWOULDBLOCK` before this patch, in `connect_to()`.
- move variables to the left-side of expressions, where missing.
- rustls: use a variant of this macro that uses raw `EWOULDBLOCK`.
Tried tracing it back to the origins, but I couldn't figure out if
this is working as expected on all supported Windows versions in
Rust. It seems to be using `GetLastError()`, according to
https://docs.rs/system_error/0.2.0/system_error/, which would be
probably incorrect.
Notes:
- it's probably a good idea to assign `SOCKERRNO` to a variable before
passing it to this macro.
Cherry-picked from #21893Closes#21992
Fix build issues:
- src: adjust `toolx_ftruncate()`.
- libtests/cli_ftp_upload: make `struct timeval` initialization portable.
- libtests/lib1960: do unconst in local `inet_pton()` macro.
- tests/server/dnsd: make it stub instead of failing the build.
- tests/server: make them link AmiSSL for `SocketBase`.
Also:
- bump AmiSSL to the latest release.
- add download hash checks and toolchain cache.
- sync restored code with local updates made since last year.
It takes 30 seconds per job, 1 minute in total.
Thanks-to: Bebbo
Thanks-to: Darren Banfi
Ref: https://github.com/curl/curl/pull/21989#issuecomment-4691380623
Follow-up to 7a14898264#17486Closes#21993
This is an implementation of a CURLOPT_WRITEFUNCTION callback that just
throws away the content and returns success. Saves us from having to
reimplement it many times in different tests.
Closes#21971
... even though they use the curl option "--resolve".
This makes it more convenient to choose or skip the tests.
For example Privoxy's cts test framework relies on the "--resolve"
keyword when executing the "upstream-tests" scenario to skip curl
tests that aren't expected to work when the requests are made through
Privoxy. While some of the modified tests are already skipped for
other reasons through other means when testing Privoxy, it's good to
be consistent.
Closes#21930
Even when two 'chunked' are listed and neither is the last encoding the
transfer is rejected.
Verified by test 1722 and 1723
Reported-by: violet12331 on hackerone
Closes#21966
Move as sockaddr2string() into cf-socket.c where its only callers are.
Mark as UNITTEST for unit1609.
Move "struct Curl_sockaddr_ex" into sockaddr.h, so connect.h and
cf-socket.h can be included without all the system headers needed.
Closes#21946
Adjust code to avoid `-Wformat-signedness` warnings, while making sure
that enums are always cast to a known type when passing them to `printf`
functions, to support compilers and compiler settings where enums are
not default-size signed ints.
- cast integers printed as hex to `unsigned`. (63 times, 20 of them in
`mbedtls.c`)
- cast misc enums to `int` for printing. (31 times)
- cast `CURL_LOCK_DATA_*` enums to `int`. (4 times)
- cast `CURL_FORMADD_*` enums to `int`. (13 times)
- cast `CURLSHE_*` enums to `int`. (3 times)
- cast `CURLUE_*` enums to `int`. (33 times)
- cast `CURLMSG_*` enums to `int`. (6 times)
- cast `CURLE_*` enums to `int`. (~380 times)
- unit1675: fix mask.
Follow-up to 7c34365cce#21879
Ref: #18343 (initial attempt)
Closes#20848
Share common functions/structs between ngtcp2 HTTP/3 and the proxy
version.
Fix bugs in proxy implementation when it comes to stream and pollset
handling and transfer lifetimes.
Curl_multi_xfer_sockbuf_borrow: work without multi
When a connection gets shutdown by a share, the easy handle used is
share->admin and it does not have a multi handle. In that case let
Curl_multi_xfer_sockbuf_borrow() allocate a buffer to be freed on
release.
This happens when a TLS filter sends its last notify through a HTTP/3
proxy tunnel.
Closes#21871
They were not exact duplicates. Tweaked their names to clarify.
Also renamed 608 accordingly.
Follow-up to 4ead4285a6
Spotted-by: Dan Fandrich
Closes#21938
- test 1030: remove, duplicate of 154
- test 1105: make name unique
- test 161: make name reflect what it tests
- test 2074: correct the name
- test 310: improve name
- test 358: correct the name
- test 409: removed, duplicate of 401
- test 472: clarify the test name (how it differs from 439)
- test 1509: update name
- test 527: duplicate of 526
- test 758: separate the name from 530
- test 611: duplicate of 608, remove
- test 639: adjust the name
- test 688: minor name tweak to clarify
- test 708: enhance name
- test 800/847: clarify the names
- test 1520: dedupe the name
- test 962: enhance name
- test 1196/2203: enhanced names
- test 1211: name tweak
- test 1256/1257: enhance the names
- test 1483: fix name
- test 1541: fix name
- test 1553: fix name
- test 1609: removed, exact duplicate of 1607
- test 2200: fix name
- test 3031: corret the name
- test 3016/3203: fix names and keywords
- test 3201/3220: enhance names
- test 3212: fix name
- add missing FILE keywords
- drop FAILURE as keyword
Closes#21936
If a SECURE cookie is set for a sub-domain (`example.com`) and is then
attempted to get set again for more specific part of that domain
(`www.example.com`) without the SECURE property, the second occurance
should not be allowed.
Reported-by: Trail of Bits
Verified by test 3305
Closes#21910
Do not send PONG frames unless there is sufficient space left in the
websocket send buffer. A server might be lazy in reading our data and
intermediary PONG frames can be skipped by a client (RFC 6455, ch.
5.5.3).
Add test case measuring no real RSS increase on a server blasting with
PING frames.
Closes#21911
- dante.py, dnsd.py, sshd.py: drop redundant conditions.
Spotted in sshd by GitHub Code Quality.
- curl.py: comment out `if` to silence CodeQL warning.
Reported by GitHub CodeQL
Follow-up to 8145476d5d#21916Closes#21917
Since the username is decoded when used and control codes are accepted
in HTTP usernames in general, the username encoding for the Digest auth
needs to percent encode such bytes.
Verified by test 3221
Reported-by: Trail of Bits
Closes#21915
With this, IPv6 addresses that end with '%25' with no following zone id are
considered invalid.
Extend test 1560 to verify
Reported-by: Hem Parekh
Closes#21918
Also:
- drop two unreachable return statements.
- test_17_ssl_use: avoid implicit string concatenations in lists.
Reported by GitHub CodeQL
Closes#21916
Trailers are delivered to the application as headers via
CLIENTWRITE_TRAILER, but unlike regular response headers they skipped
the verify_header() checks, so a server could smuggle a nul byte (or
stray CR) into a header reaching CURLOPT_HEADERFUNCTION and
curl_easy_header().
Run each assembled trailer line through Curl_verify_header(), the same
validation used for normal headers.
Covered by the new test 2106.
Closes#21896
Some tests may take a long time in torture mode. Make it possible
to skip individual tests when runtests in running in torture mode.
Also:
- skip test 357 for the reason above.
Saved 1-3 minutes for the Linux CI torture job, 1-1.5m on Windows.
No savings on macOS.
Reported-by: Stefan Eissing
Fixes#21873Closes#21906
As the 'c' pointer might actually get modified before it is time to free
the memory.
Verify in test 2310
Reported-by: Eunsoo Kim
Fixes#21898Closes#21900
Whack the times reported for a transfer (see
https://curl.se/libcurl/c/curl_easy_getinfo.html#TIMES) into order for
all variations of up-/download, http/ftp etc. Make sure they are
reported in the documented order.
There is still the *possibility* of PRETRANSFER being longer then
POSTTRANSFER, if a server sends a response before an upload is done.
POST is the time the first response byte is received, and PRE is the
time the last byte was sent by curl.
This may happen with more likelihood on HTTP/2 and 3 for a server
rejected upload. But for successful uploads, the answer will almost over
come afterwards.
Undo the previous twists in lib500.c tests, adjust pytest timeline
checks.
Fixes#21828
Reported-by: BazaarAcc32 on github
Closes#21843
