If the hostname is specified as an IPv4 numerical address and it is
followed by a single dot, acccept that as a valid IPv4 and remove the
dot when normalizing.
This prevents otherwise legitimate IPv4 hostnames to have trailing dots.
Seems to match what browsers do.
Extended test 1560 to verify.
Closes#21635
Or consisting of just a single dot.
Such names cannot be resolved with DNS.
While they *can* still be resolved with /etc/hosts or --resolve tricks,
they easily cause internal problems because their trailing dots.
Let's not allow them anymore.
Closes#21622
The SASL service name, used in authentication, is part of curl's credentials
when authenticating to a server/proxy. Make it part of `struct Curl_creds`.
Change code to use `creds` to obtain a service name. By tying creds used
to the connection, connection reuse is also only allowed when the service
name matches.
Closes#21585
Use parts of text from the upload filename field when that uses globbing
by giving it a name the same way we do it for URL globs. For example, if
you upload three files to a HTTP URL and want to save the corresponding
responses in separate files:
curl -T 'file{<num>1,2,3}' https://upload.example/ -o 'response-#<num>'
Verified by test 2014
Closes#21407
This now points to where the duplicate name ends, not where it starts.
Also fixes test 2410 to use a fixed hostname so that the error position
remains the same.
Reported-by: Viktor Szakats
Fixes#21567Closes#21568
Authorizdation credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials from from
* `refcount`: a reference counter to link/unkink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
See docs/internals/CREDENTIALS.md for use.
Closes#21548
Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes#21528
- passing an unknown string to CURLOPT_ECH now returns error
To properly allow applications to spot if they pass in a typo or
something to libcurl.
- CURLECH_DISABLE is now a plain zero internally, not a dedicated bit which
simplifies checks for when ECH is enabled
- Dropped the CURLECH_CLA_CFG bit, and just check STRING_ECH_CONFIG
- Turn grease/enable/hard into three different numerical values, no bitmask
needed
- Convert the struct field 'tls_ech' from an int to a byte.
Closes#21532
Due to how the range span globbing code works, a range that ends with
9223372036854775807 (the maximum signed 63 bit value) cannot be used as
it triggers an integer overflow.
Verified in test 2092
Reported-by: Andrew Nesbit
Closes#21529
Convert the silent "was too long!" diagnostics in the timebuf and
max5data width loops into fail_unless assertions, so a regression in
output width fails the unit test directly instead of only printing.
Add small exact-output tables that probe format-transition boundaries
not necessarily hit by the geometric value sweep: the 99999/100000
suffix kick-in for max5data, and the 6d/01h, 51m, 136y, and >99999y roll
points for timebuf.
Closes#21516
- update action `actions/cache` from 5.0.4 to 5.0.5
- update action `actions/upload-artifact` from 7.0.0 to 7.0.1
- update action `github/codeql-action` from 4.32.4 to 4.35.2
- update action `msys2/setup-msys2` from 2.31.0 to 2.31.1
- update pip `filelock` from 3.25.2 to 3.29.0
- update pip `impacket` to 0.13.0
- update pip `ruff` from 0.15.10 to 0.15.12
Closes#21483Closes#21482
- sha256: fix backend priority in comment.
- URLs: link to IETF URLs to the HTML document, to match others.
- VERSIONS.md: use unified date format for recent entries too.
Ref: ce5d32032f
- GHA/labeler.yml: alpha-sort file masks in a label block.
- tests/server/mqttd: fix call arg list in a disabled function.
- tests/server/mqttd: fix comment.
Closes#21473
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Fix to create the top directory `foo` when specified as
`X:foo\bar\filename`, on Windows and MS-DOS. Add test to verify.
Caught by Codex Security
Follow-up to 787ee935ac#16566Closes#21449
To avoid difficult to track down crashes when a tested function ends up
outputing a message via `errorf()`, `warnf()` or siblings.
Cherry-picked from #21449Closes#21454
Necessary when the libssh2/libssh client library does not support KEX
algos offered by default by the OpenSSH server. E.g. libssh2 with WinCNG
combined with OpenSSH 10+.
Also: use this option in GHA/windows.
Follow-up to 3b8bb1a86a#21219
Follow-up to c98d0a2e9a#21220Closes#21438
- introduce 'struct when' to hold the parser result
- initwhen() initializes a 'struct when'
- datestring() parses strings
- datenum() parses numbers
- datecheck() does some final checks
- tzadjust() adds the time zone offset
- convert math to 64 bit, squeeze into time_t only in the last step,
mktimet() does the time_t storing
Closes#21394
The combination of a misspelled directory name and failing to check the
result of cd leads to infinite recursion as `make check` simply invokes
itself over and over.
Follow-up to 00887aee8c#18079Closes#21378
On platforms where struct sockaddr has a length field, the current code
leaves it uninitialized, resulting in a test failure when valgrind is
used.
Closes#21377
`ssh-keygen -t ed25519` does not support PEM key format, and it
defaults to `RFC4716` which is what we want.
It affected GHA/windows tests that explicitly used ed25519 keys.
Also:
- GHA/windows: bump minimums to hopefully catch this early next time.
1701a8319e#21353
- merge two Perl lines.
Reported-by: herbenderbler on github
Fixes#21360
Follow-up to acda4eae5e#21223Closes#21374
Add a "limit" handler to httpd that responds 429 after 5 requests and
then 429s all requests for 2 seconds. After which another 4 requests are
served before 429 strikes again.
Closes#21357
