It seems that the usual '#ifdef USE_IPV6' guards have been overlooked in
lib/asyn-thrdd.c.
This commit makes sure that the code compiles if IPv6 is not available.
Closes#21881
Even when two 'chunked' are listed and neither is the last encoding the
transfer is rejected.
Verified by test 1722 and 1723
Reported-by: violet12331 on hackerone
Closes#21966
Do not set the easy handle opening a proxy tunnel as userdata on the
stream. The ease handle might go out of scope long before the tunnel
stream is closed.
Closes#21962
Move as sockaddr2string() into cf-socket.c where its only callers are.
Mark as UNITTEST for unit1609.
Move "struct Curl_sockaddr_ex" into sockaddr.h, so connect.h and
cf-socket.h can be included without all the system headers needed.
Closes#21946
Adjust code to avoid `-Wformat-signedness` warnings, while making sure
that enums are always cast to a known type when passing them to `printf`
functions, to support compilers and compiler settings where enums are
not default-size signed ints.
- cast integers printed as hex to `unsigned`. (63 times, 20 of them in
`mbedtls.c`)
- cast misc enums to `int` for printing. (31 times)
- cast `CURL_LOCK_DATA_*` enums to `int`. (4 times)
- cast `CURL_FORMADD_*` enums to `int`. (13 times)
- cast `CURLSHE_*` enums to `int`. (3 times)
- cast `CURLUE_*` enums to `int`. (33 times)
- cast `CURLMSG_*` enums to `int`. (6 times)
- cast `CURLE_*` enums to `int`. (~380 times)
- unit1675: fix mask.
Follow-up to 7c34365cce#21879
Ref: #18343 (initial attempt)
Closes#20848
Share common functions/structs between ngtcp2 HTTP/3 and the proxy
version.
Fix bugs in proxy implementation when it comes to stream and pollset
handling and transfer lifetimes.
Curl_multi_xfer_sockbuf_borrow: work without multi
When a connection gets shutdown by a share, the easy handle used is
share->admin and it does not have a multi handle. In that case let
Curl_multi_xfer_sockbuf_borrow() allocate a buffer to be freed on
release.
This happens when a TLS filter sends its last notify through a HTTP/3
proxy tunnel.
Closes#21871
This fixes a misleading log in verbose mode when ipv6 connectivity isn't
available, presumably also in other cases:
```
* Immediate connect fail for 2a00:1450:4028:806::200e: Network is unreachable
* connect to 2a00:1450:4028:806::200e port 443 from :: port 0 failed: Success
```
Closes#21914
If a SECURE cookie is set for a sub-domain (`example.com`) and is then
attempted to get set again for more specific part of that domain
(`www.example.com`) without the SECURE property, the second occurance
should not be allowed.
Reported-by: Trail of Bits
Verified by test 3305
Closes#21910
Do not send PONG frames unless there is sufficient space left in the
websocket send buffer. A server might be lazy in reading our data and
intermediary PONG frames can be skipped by a client (RFC 6455, ch.
5.5.3).
Add test case measuring no real RSS increase on a server blasting with
PING frames.
Closes#21911
Since the username is decoded when used and control codes are accepted
in HTTP usernames in general, the username encoding for the Digest auth
needs to percent encode such bytes.
Verified by test 3221
Reported-by: Trail of Bits
Closes#21915
With this, IPv6 addresses that end with '%25' with no following zone id are
considered invalid.
Extend test 1560 to verify
Reported-by: Hem Parekh
Closes#21918
Trailers are delivered to the application as headers via
CLIENTWRITE_TRAILER, but unlike regular response headers they skipped
the verify_header() checks, so a server could smuggle a nul byte (or
stray CR) into a header reaching CURLOPT_HEADERFUNCTION and
curl_easy_header().
Run each assembled trailer line through Curl_verify_header(), the same
validation used for normal headers.
Covered by the new test 2106.
Closes#21896
Add bit `native_ca_store_opt` to keep the setting of
CURLOPT_(PROXY_)SSL_OPTIONS and use that to calculate every easy
transfer if a native CA store shall be used or not.
This avoids `native_ca_store` getting stuck on TRUE after being set
once.
Closes#21902
This reverts commit 3e9817cd1b.
The change was incorrect as the check was not for the options the commit
message mentions.
Reported-by: ByteRay on hackerone
Closes#21899
Whack the times reported for a transfer (see
https://curl.se/libcurl/c/curl_easy_getinfo.html#TIMES) into order for
all variations of up-/download, http/ftp etc. Make sure they are
reported in the documented order.
There is still the *possibility* of PRETRANSFER being longer then
POSTTRANSFER, if a server sends a response before an upload is done.
POST is the time the first response byte is received, and PRE is the
time the last byte was sent by curl.
This may happen with more likelihood on HTTP/2 and 3 for a server
rejected upload. But for successful uploads, the answer will almost over
come afterwards.
Undo the previous twists in lib500.c tests, adjust pytest timeline
checks.
Fixes#21828
Reported-by: BazaarAcc32 on github
Closes#21843
- Specify that the content is base64 encoded, rather than rely on
auto-detect.
- Remove unnecessary sanity check of the returned content type.
Closes https://github.com/curl/curl/pull/21760
