Even when two 'chunked' are listed and neither is the last encoding the
transfer is rejected.
Verified by test 1722 and 1723
Reported-by: violet12331 on hackerone
Closes#21966
They were not exact duplicates. Tweaked their names to clarify.
Also renamed 608 accordingly.
Follow-up to 4ead4285a6
Spotted-by: Dan Fandrich
Closes#21938
- test 1030: remove, duplicate of 154
- test 1105: make name unique
- test 161: make name reflect what it tests
- test 2074: correct the name
- test 310: improve name
- test 358: correct the name
- test 409: removed, duplicate of 401
- test 472: clarify the test name (how it differs from 439)
- test 1509: update name
- test 527: duplicate of 526
- test 758: separate the name from 530
- test 611: duplicate of 608, remove
- test 639: adjust the name
- test 688: minor name tweak to clarify
- test 708: enhance name
- test 800/847: clarify the names
- test 1520: dedupe the name
- test 962: enhance name
- test 1196/2203: enhanced names
- test 1211: name tweak
- test 1256/1257: enhance the names
- test 1483: fix name
- test 1541: fix name
- test 1553: fix name
- test 1609: removed, exact duplicate of 1607
- test 2200: fix name
- test 3031: corret the name
- test 3016/3203: fix names and keywords
- test 3201/3220: enhance names
- test 3212: fix name
- add missing FILE keywords
- drop FAILURE as keyword
Closes#21936
If a SECURE cookie is set for a sub-domain (`example.com`) and is then
attempted to get set again for more specific part of that domain
(`www.example.com`) without the SECURE property, the second occurance
should not be allowed.
Reported-by: Trail of Bits
Verified by test 3305
Closes#21910
Since the username is decoded when used and control codes are accepted
in HTTP usernames in general, the username encoding for the Digest auth
needs to percent encode such bytes.
Verified by test 3221
Reported-by: Trail of Bits
Closes#21915
Trailers are delivered to the application as headers via
CLIENTWRITE_TRAILER, but unlike regular response headers they skipped
the verify_header() checks, so a server could smuggle a nul byte (or
stray CR) into a header reaching CURLOPT_HEADERFUNCTION and
curl_easy_header().
Run each assembled trailer line through Curl_verify_header(), the same
validation used for normal headers.
Covered by the new test 2106.
Closes#21896
As the 'c' pointer might actually get modified before it is time to free
the memory.
Verify in test 2310
Reported-by: Eunsoo Kim
Fixes#21898Closes#21900
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).
Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy
The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.
Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
conn -> HTTP/1.1 or HTTP/2 -> SSL -> HTTP-PROXY ->
H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
HAPPY-EYEBALLS -> UDP
conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
SSL -> HAPPY-EYEBALLS -> TCP
- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
`--enable-proxy-http3`(autotools) or `-DUSE_PROXY_HTTP3=ON`(CMake).
Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.
References:
RFC 9297 - HTTP Datagrams and the Capsule Protocol
RFC 9298 - Proxying UDP in HTTP
RFC 9000 §16 — Variable-Length Integer Encoding
Signed-off-by: Aritra Basu <aritrbas+gh@cisco.com>
Closes#21153
cert_type, key, key_type, key_passwd and key_blob lived in
ssl_config_data but not in ssl_primary_config, so they were invisible to
match_ssl_primary_config() and to the TLS session cache peer key.
Two easy handles sharing a connection pool could reuse each other's
authenticated connections when they differed only on SSLKEY, SSLKEYTYPE,
KEYPASSWD, SSLCERTTYPE or SSLKEYBLOB. The second handle would silently
inherit the first handle's authenticated identity.
Promote all five fields into ssl_primary_config so the conn-reuse
predicate and session cache key cover the complete client credential
set. Also replace the fixed ":CCERT" session cache marker with the
actual clientcert path so sessions are not shared across different
client certificates.
Verified by test 3303 and 3304
Reported-By: Joshua Rogers (AISLE Research)
Closes#21667
When a proxy is set from an environment variable, detect if that proxy
is not the same as previously and flush state.
Verified by test1647: verify changing proxy with env variables and make
sure Digest state is flushed in the second use
Closes#21666
The dh(g) parameter was read from param->beg instead of from the
cursor p returned by parsing dh(p). This caused dh(g) to always
report the same value as dh(p) when inspecting DH certificates
via CURLOPT_CERTINFO on non-OpenSSL backends.
The DSA branch correctly advances the cursor; the DH branch lost
this during what appears to be a copy-paste.
Add unit1676 to verify that dh(p) and dh(g) report distinct values
using a hand-crafted minimal DER certificate.
Assisted by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Closes#21595
Use parts of text from the upload filename field when that uses globbing
by giving it a name the same way we do it for URL globs. For example, if
you upload three files to a HTTP URL and want to save the corresponding
responses in separate files:
curl -T 'file{<num>1,2,3}' https://upload.example/ -o 'response-#<num>'
Verified by test 2014
Closes#21407
Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes#21528
Due to how the range span globbing code works, a range that ends with
9223372036854775807 (the maximum signed 63 bit value) cannot be used as
it triggers an integer overflow.
Verified in test 2092
Reported-by: Andrew Nesbit
Closes#21529
Per MQTT 3.1.1 sections 3.13.1 and 3.14.1, PINGRESP and DISCONNECT fixed
headers must have remaining_length set to zero. The previous code
dispatched to mqtt->nextstate based on the queued state alone without
validating remaining_length for these no-payload packet types, allowing
a malicious broker to send a PINGRESP with non-zero remaining_length
whose trailing bytes would be interpreted as the payload of whatever
message type was queued (CONNACK, SUBACK, etc.).
The exploitation path turned out to be narrow — curl sends data to the
server the user chose to talk to — but the spec violation and the
resulting protocol-state error are real. Reject the malformed packets
with CURLE_WEIRD_SERVER_REPLY before state dispatch.
Reported-by: Raymond Steen <raymond@vortiqxconsilium.com>
Found by VORTIQ-X VXF Framework
Bug: https://hackerone.com/reports/3702718
Signed-off-by: Raymond Steen <raymond@vortiqxconsilium.com>
Closes#21465
Fix to create the top directory `foo` when specified as
`X:foo\bar\filename`, on Windows and MS-DOS. Add test to verify.
Caught by Codex Security
Follow-up to 787ee935ac#16566Closes#21449
When a user supplies an IP address to use for the HAPROXY protocol,
the IP version reported must be deduced from the address and has
no relation to the IP version used for the upstream connection.
Add test3220 to verify.
Fixes#21340
Reported-by: Fiona Klute
Closes#21341
To make it scoped for the single request appropriately.
Reported-by: Muhamad Arga Reksapati
Verify with libtest 2504: a custom Host *disabled* on reused handle
Closes#21312
This should return a SSL_CTX pointer but it was accidentally broken.
Verify with test 1587
Follow-up to 2db8ae480f
Spotted by Codex Security
Closes#21290
... unless it is a POST and the user explicitly asked to keep doing
POST.
Add test1983/1984: verify --follow with 303 and PUT + custom GET
Fixes#20715
Reported-by: Dan Arnfield
Closes#21280
