This fixes a misleading log in verbose mode when ipv6 connectivity isn't
available, presumably also in other cases:
```
* Immediate connect fail for 2a00:1450:4028:806::200e: Network is unreachable
* connect to 2a00:1450:4028:806::200e port 443 from :: port 0 failed: Success
```
Closes#21914
If a SECURE cookie is set for a sub-domain (`example.com`) and is then
attempted to get set again for more specific part of that domain
(`www.example.com`) without the SECURE property, the second occurance
should not be allowed.
Reported-by: Trail of Bits
Verified by test 3305
Closes#21910
Do not send PONG frames unless there is sufficient space left in the
websocket send buffer. A server might be lazy in reading our data and
intermediary PONG frames can be skipped by a client (RFC 6455, ch.
5.5.3).
Add test case measuring no real RSS increase on a server blasting with
PING frames.
Closes#21911
- dante.py, dnsd.py, sshd.py: drop redundant conditions.
Spotted in sshd by GitHub Code Quality.
- curl.py: comment out `if` to silence CodeQL warning.
Reported by GitHub CodeQL
Follow-up to 8145476d5d#21916Closes#21917
Since the username is decoded when used and control codes are accepted
in HTTP usernames in general, the username encoding for the Digest auth
needs to percent encode such bytes.
Verified by test 3221
Reported-by: Trail of Bits
Closes#21915
With this, IPv6 addresses that end with '%25' with no following zone id are
considered invalid.
Extend test 1560 to verify
Reported-by: Hem Parekh
Closes#21918
Also:
- drop two unreachable return statements.
- test_17_ssl_use: avoid implicit string concatenations in lists.
Reported by GitHub CodeQL
Closes#21916
Trailers are delivered to the application as headers via
CLIENTWRITE_TRAILER, but unlike regular response headers they skipped
the verify_header() checks, so a server could smuggle a nul byte (or
stray CR) into a header reaching CURLOPT_HEADERFUNCTION and
curl_easy_header().
Run each assembled trailer line through Curl_verify_header(), the same
validation used for normal headers.
Covered by the new test 2106.
Closes#21896
Add bit `native_ca_store_opt` to keep the setting of
CURLOPT_(PROXY_)SSL_OPTIONS and use that to calculate every easy
transfer if a native CA store shall be used or not.
This avoids `native_ca_store` getting stuck on TRUE after being set
once.
Closes#21902
Some tests may take a long time in torture mode. Make it possible
to skip individual tests when runtests in running in torture mode.
Also:
- skip test 357 for the reason above.
Saved 1-3 minutes for the Linux CI torture job, 1-1.5m on Windows.
No savings on macOS.
Reported-by: Stefan Eissing
Fixes#21873Closes#21906
As the 'c' pointer might actually get modified before it is time to free
the memory.
Verify in test 2310
Reported-by: Eunsoo Kim
Fixes#21898Closes#21900
This reverts commit 3e9817cd1b.
The change was incorrect as the check was not for the options the commit
message mentions.
Reported-by: ByteRay on hackerone
Closes#21899
Whack the times reported for a transfer (see
https://curl.se/libcurl/c/curl_easy_getinfo.html#TIMES) into order for
all variations of up-/download, http/ftp etc. Make sure they are
reported in the documented order.
There is still the *possibility* of PRETRANSFER being longer then
POSTTRANSFER, if a server sends a response before an upload is done.
POST is the time the first response byte is received, and PRE is the
time the last byte was sent by curl.
This may happen with more likelihood on HTTP/2 and 3 for a server
rejected upload. But for successful uploads, the answer will almost over
come afterwards.
Undo the previous twists in lib500.c tests, adjust pytest timeline
checks.
Fixes#21828
Reported-by: BazaarAcc32 on github
Closes#21843
- Specify that the content is base64 encoded, rather than rely on
auto-detect.
- Remove unnecessary sanity check of the returned content type.
Closes https://github.com/curl/curl/pull/21760
Supported since libssh2 v1.2.5. Replacing `libssh2_knownhost_add()`,
which was deprecated in that same version.
The new API supports a comment field.
Ref: https://github.com/libssh2/libssh2/pull/1977Closes#21866
With a flood of zero lenght UDP packets to curl, the receive loop might
run longer than intended to. Count such packets against the max to
terminate the loop as intended.
URL: https://hackerone.com/reports/3783438
Reported-by: vectorqueue on hackerone
Closes#21869
