Do not check if a particular connection is alive or not more than once
every second. We did this on every connection reuse which is overkill
when sending many requests to the same host.
Closes#22169
- there is a risk for a nasty recursive situation
- we avoid certain risks that the pause call changes things so that when
returning from the callback, the state of some internals is undefined
and we need to reload which is easy to miss
- we can't think of legitiate use cases for doing this. This is
basically just the new favorite point for AI and security researchers
to find hypothetical problems
Closes#22179
- GHA/windows: mention `IgnoreStandardErrorWarningFormat=true`
in comment.
- cmake: fix MIT/GNU GSS order in messages.
- drop some exclamation marks from messages.
- drop redundant ending newlines from messages.
- fold/unfold where possible.
- fix indent, whitespace, typos and other nits.
Closes#22185
Do not allocated an internal port string, just keep and number and a bit
if it is present. Format the port string in a local buffer when someone
asks for it and copy that.
This avoid the format/alloc penalty when parsing URLs and no one ever
asking for the port string.
(And there will be a method to get the uint16_t value directly in
another PR)
Closes#22167
- Bypass cert verification if verifypeer is disabled.
Prior to this change libcurl lacked the ability to bypass certificate
verification for Windows native LDAP (USE_WIN32_LDAP). A comment said
"Win32 LDAP SDK does not support insecure mode without CA!" but I found
that we can bypass the check by setting a verify callback to override
Windows' internal verify check.
Closes https://github.com/curl/curl/pull/22152
The buffer is freed on the next instruction via `Curl_meta_remove()`'s
destructor.
Reported-by: netspacer.research
Follow-up to 1ebd92d0fd#16384Closes#22133
If any sublabel is longer than 63 octets, abort. This then also catches
compression attempts.
Verified in test 1658
Reported-by: netspacer.research
Closes#22124
To avoid mistakes or abuse to cause problems. Many public DNS providers
cap their cache times to this.
Verify in test 1650
Reported-by: netspacer.research
Closes#22122
When the HTTP Upgrade to websockets already carries ws frame data,
buffer that data at connection level and not in the ws decoder.
Adding new cfilter `cf_recvbuf` to buffer a fixed amont of data
to be received later. When the data is received, the filter
passes further recv call through to its subfilter.
Fixes#22107
Reported-by: sideshowbarker on github
Closes#22111
Fix a regression in curl 8.21.0-rc3: Check whether the host and the "connect
to host" are equal before initializing the proxy. If they are equal, switching
to tunnel mode is not necessary.
Follow-up to 73daec6Closes#22110
This option is used for both TLS and SSH so it needs to be handled
even in TLS-disabled builds
Mention this in the man page as well.
Follow-up to 52fa8d9
Pointed out by Codex Security
Closes#22121
The header path matches these prefixes case sensitively, as 5af0165562
made it for cookie spec reasons, but the Netscape cookie-file path still
used a case-insensitive match. Align the file path so a differently
cased name like __secure-x is treated as an ordinary cookie instead of
being put through the prefix integrity checks.
Extended test 2311 to cover it.
Closes#22085
Seen with clang-22:
```
lib/vtls/openssl.c:3538:14: error: implicit conversion from 'int' to enumeration type 'CURLcode' is invalid in C++ [-Werror,-Wimplicit-int-enum-cast]
3538 | result = SSL_ech_set1_server_names(octx->ssl,
| ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3539 | peer->origin->hostname, outername,
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3540 | 0 /* do send outer */);
| ~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
```
Ref: https://github.com/curl/curl/actions/runs/27769068896/job/82163712258#step:42:43
Cherry-picked from #22086Closes#22087
Add test 2108 covering the rejection over FTP. Drop the now-vestigial
nul bytes from test 1282; they exercised the removed Kerberos FTP
security buffer check and now trip this rejection before the 633
login-denied path is reached.
Closes#21996
Yes, we were counting the "live" transfers before, but were they
*really* alive?
When determining to add the wakeup socket to fdset/waitfds etc, we
should only do that when the multi handle is actually processing
transfers. Other wise, the application could wait on the wakeup socket
forever.
For this, we counted `multi->xfers_alive` (e.g. the "running" number
returned by `curl_multi_perform()`). This was almost correct.
The problem is that added easy handles are counted as "alive" right away
on the addition. But the processing has not started yet. They did not
trigger any DNS resolves or opened any sockets yet.
Add two fields in multi and easy handle:
* `multi->xfers_really_alive`: counts the "alive" transfers that have
passed `MSTATE_INIT` (at least once)
* `data->state.really_alive`: to track if the transfer has been counted
Add test 2412 to check that adding transfers without perform will not
trigger the wakeup socket to be added.
Fixes#22050
Reported-by: Bryan Henderson
Closes#22066
Since we have the quirky of empty credentials (the empty string for
username and password) for Negotiate reactivated, we need to check for
this when considering Basic and Digest auth.
Verify a redirect to blank user+password in test 2208
Closes#22060
Allow creation of a `Curl_creds` instance with empty username and
password (not NULL username/password). There are authentication
schemes like <insert greek mythology'> that do not use the actual
values of username/password but trigger on the mere existance.
We have no test cases for this, so this is a shot in the dark
here.
Fixes#21943
Reported-by: Dan Fandrich
Closes#22044
The DNS filter knows the peer it resolves and the code parts that want
the results know the peer as well. Pass it to lookup methods to make
sure results match.
Background: when tunneling, the resolved peer is not always the one that
other filters are looking for. Especially when HTTPS-RR results are
accessed in TLS filters, those will differ.
This prevents a HTTPS-RR for a proxy to be used for the origin when ECH
is activated. To make ECH work through a tunnel, we need to start an
additional resolve. Something to be fixed after 8.21.
Closes#22042
When tying credentials to a connection (NTLM, Negotiate) also link the
origin the credentials are for. This prevents a connection reuse with
the same credentials, but intended for another origin.
The mis-reuse could happen for a forwarding proxy and NTLM (although, in
the mind of the person writing this, it is an insane setup).
Closes#22040
When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.
Add a test case for forward proxying without use of ALPN.
Closes#22033
`Curl_secure_context()` checked `conn->scheme` to determine if Secure
cookies may be sent. Since 73daec6, `conn->scheme` is set to the proxy's
scheme when using an HTTPS forwarding proxy, causing the function to
return TRUE for HTTP origins. This leaked Secure cookies over the
plaintext connection between proxy and origin.
Use `data->state.origin->scheme` instead, which always reflects the
origin's scheme regardless of proxy configuration.
Not an approved vulnerability because the regression was introduced
after the last release and is not present in any released version.
Verified by test 3401
Follow-up to 73daec6620
Reported-by: daviey on hackerone
URL: https://hackerone.com/reports/3803415Closes#22024
This PR makes the wolfssl TLS backend work properly for PQC key
exchanges. The following issues are fixed:
* WOLFSSL_HAVE_KYBER is not present anymore in upstream wolfssl (for a
long time actually), so it has no use and the ML-KEM functionality was
never turned on properly.
* Key share group selection (via --curves) is now handled via the
generic wolfSSL_CTX_set1_groups_list() method instead of the prior
wolfSSL_CTX_set1_curves_list() and the additonal PQC handling. This
removes a lot of PQC related special handling and the behavior now
matches the OpenSSL backend.
* The default QUIC group setting has been removed. For QUIC, the key
share as well as the list in the supported_groups extension is now
handled all within wolfssl. This also supports --curves properly now.
Closes#22030
- lib650: pass `long` to `CURLFORM_NAMELENGTH` in test.
Spotted by Copilot.
https://github.com/curl/curl/pull/22011#discussion_r3412407235
Follow-up to 3620e569b3
- lib650: drop an interim variable, and interim casts.
Follow-up to 60776a0515#2747
- curl_formdata.md: document `CURLFORM_NAMELENGTH` on man page.
- curl_formdata.md: pass `long` to `CURLFORM_BUFFERLENGTH` on man page.
- formdata: pass `long` to `CURLFORM_CONTENTSLENGTH` in comment.
Closes#22017
Some protocols (and servers) prefer to batch IO and will not send data
unless the window is of sufficient size. Set the burst rate for our
rate limits to a minimum of 32KB to prevent stalling.
Reported-by: Tatsuhiro Tsujikawa
Closes#22016
Move the setup filter into its own source file.
Move the main connect driving function, `Curl_conn_connect()`,
from cfilters.c to connect.c.
Closes#22022
Now that `conn->origin` can be the proxy, we need to change how
Curl_xfer_is_secure() and some other places work.
Pointed out by Codex Security
Closes#22015