The OS detection variable is not initialized at the time of assigning
its value to `OPT_APPLE_SECTRUST`. Replace the current empty value with
`no`. This keeps existing, desired, behavior.
Closes#22054
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Closes#22040
- Clarify that the tarball to verify should be put in the same dir you
run the script.
- Verify that the curl version number in the file name matches the
version number within the tarball. To reduce risk for mistakes.
- When verifying using git, do not unpack the tarball. It avoids the
security risk with malicious tarball contents playing tricks on git.
- Only unpack the tarball for git-less verfication.
- Move the source tarball into _tarballs/ instead of overwriting it,
which can be useful in case the verification fails
Closes#22032
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Closes#22033
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
Verified by test 3401
Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415Closes#22024
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additonal PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Closes#22030
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b3
- lib650: drop an interim variable, and interim casts.
Follow-up to 60776a0515#2747
- curl_formdata.md: document `CURLFORM_NAMELENGTH` on man page.
- curl_formdata.md: pass `long` to `CURLFORM_BUFFERLENGTH` on man page.
- formdata: pass `long` to `CURLFORM_CONTENTSLENGTH` in comment.
Closes#22017
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Reported-by: Tatsuhiro Tsujikawa
Closes#22016
Move the setup filter into its own source file.
Move the main connect driving function, `Curl_conn_connect()`,
from cfilters.c to connect.c.
Closes#22022
For correctness. Did not cause an issue, because the null-terminator is
present.
Also:
- change a size type to avoid casts.
- reuse input length value.
Spotted by GitHub Code Quality
Follow-up to 1e4cb333ef#4826Closes#22027
In `bind_unix_socket()`, before retrying `bind()`.
This patch uses `ENOENT`. This was last time in source between
d25b050379 (2018) and
dffd996e3b (2023), and also earlier. Also
defined by supported Windows envs. Seems safe to use.
Reported-by CodeQL
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22028
The reason to use them seems to be that just (void) before a function
call is not enough to silence compiler warnings when return codes are
ignored and -Werror=unused-result is used.
While (void)! apparently works to silence those warnings, it is just too
weird and surprising to readers to use.
It is rather a reason to reconsider the usefulness of the warning.
Closes#22023
Now that `conn->origin` can be the proxy, we need to change how
Curl_xfer_is_secure() and some other places work.
Pointed out by Codex Security
Closes#22015
On Windows there is no `lstat()`, which was later substituted with
normal `stat()`, but on Windows `S_IFSOCK` is never defined, which meant
the output of stat was not actually used, reducing this to checking for
the presence of the file, and bailing out without retry if missing.
Follow-up to 30e491e5c9#7034
Follow-up to 99fb36797a
Cherry-picked from #22010Closes#22021
- fix property name in comment.
- rename `INTERFACE_CURL_GSS_FLAVOUR` ->
`INTERFACE_CURL_GSS_FLAVOR` to match preferred usage.
Follow-up to 8aeefd0b35 (subcommit)
Follow-up to 16f073ef49#16973Closes#22013
- `N byte` -> `N-byte` or `N bytes`.
- INTERNALS.md: language tweaks.
- schannel: language tweak in comment/error message.
- socks_gssapi, socks_sspi: simplify composing an error message.
(at a cost of 8 extra constant string bytes.)
- m4/curl-compilers.m4: fix typo in link (in comment).
- contrithanks.sh: fix indent, drop stray `;` terminator.
- lib, src, tests: drop/fix a bunch of badwords.
- fix typos in comments.
- fix indent, stray spaces.
Some of these spotted by GitHub Code Quality and Copilot
Closes#22009
Store the unwrapped protection level in `conn->socks5_gssapi_enctype` to
prevent the proxy from contuning unprotected. Matches the GSSAPI version
of the code.
Reported-by: Trail of Bits
Closes#22004
- sws: fix socket error code in `select()` failure message.
Spotted by Copilot
Bug: https://github.com/curl/curl/pull/21998#discussion_r3409469444
- sws: do not call `SOCKERRNO` twice on error.
- dnsd: do not call `SOCKERRNO` twice on error.
- dnsd: replace `goto` with `while()` to sync with rest of code.
- dnsd: `sendto()` fail message fixes:
- replace `int` cast with `%zu` mask.
- drop redundant newline.
- show socket error string like rest of code.
- report not-fully-sent error separately from socket errors.
Closes#22007
Check for `!got_exit_signal` as part of the `while()` expression,
instead of doing it after calling `curlx_wait_ms()`. To simplify and
improve consistency with rest of code.
Follow-up to 0653fa107f
Follow-up to 123c92c904Closes#22006
The WinLDAP backend only base64 encoded LDAP values when the attribute
name ended in ;binary. This made attributes such as jpegPhoto get
written as raw bytes, producing malformed LDIF output.
Match the OpenLDAP backend by also base64 encoding values with leading
or trailing blanks or non-printable bytes.
Fixes#21926
Reported-by: oreadvanthink on github
Closes#21982
