Commit graph

412 commits

Author SHA1 Message Date
Daniel Stenberg
c6aa19c1da
writeout: add %{certs} and %{num_certs}
Let users get the server certificate chain using the command line

Closes #10019
2022-12-27 22:41:17 +01:00
Daniel Stenberg
0bf8b796a0
tool_operate: share HSTS between handles
2022-12-27 15:22:01 +01:00
John Bampton
80efd3bc61
misc: fix grammar and spelling
Closes #10137
2022-12-22 18:07:07 +01:00
Marcel Raad
03ac7ab4ad
tool_operate: fix CURLOPT_SOCKS5_GSSAPI_NEC type
`CURLOPT_SOCKS5_GSSAPI_NEC` is a long, while `socks5_gssapi_nec` was
made a bool in commit 4ac64eadf6.

Closes https://github.com/curl/curl/pull/10124
2022-12-21 15:37:54 +01:00
Emil Engler
8b1e5df73d
tool: determine the correct fopen option for -D
This commit fixes a bug in the dump-header feature regarding the
determination of the second fopen(3) option.

Reported-by: u20221022 on github

See #4753
See #4762
Fixes #10074
Closes #10079
2022-12-12 09:04:51 +01:00
Daniel Stenberg
975efec61b
tool_operate: override the numeric locale and set "C" by force
Makes curl always use dot as decimal separator for options,
independently of what the locale says. Makes scripts and command lines
portable.

Updated docs accordingly.

Reported-by: Daniel Faust

Fixes #9969
Closes #9972
2022-11-25 08:32:23 +01:00
Alexandre Ferrieux
49798cac83
CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit
Fixes #2975
Closes #9147
2022-11-18 00:17:27 +01:00
Patrick Monnerat
184fc6f07a
tool: use feature names instead of bit mask, when possible
If the run-time libcurl is too old to support feature names, the name
array is created locally from the bit masks. This is the only sequence
left that uses feature bit masks.

Closes #9583
2022-11-14 09:19:10 +01:00
Daniel Stenberg
7f182f7136
tool_operate: provide better errmsg for -G with bad URL
If the URL that -G would try to add a query to could not be parsed, it would
display

 curl: (27) Out of memory

It now instead shows:

 curl: (2) Could not parse the URL, failed to set query

Reported-by: Alex Xu
Fixes #9889
Closes #9892
2022-11-12 00:45:24 +01:00
Daniel Stenberg
b6e1afd069
curl: add --url-query
This option adds a piece of data, usually a name + value pair, to the
end of the URL query part. The syntax is identical to that used for
--data-urlencode with one extension:

If the argument starts with a '+' (plus), the rest of the string is
provided as-is unencoded.

This allows users to "build" query parts with options and URL encoding
even when not doing GET requests, which the already provided option -G
(--get) is limited to.

This idea was born in a Twitter thread.

Closes #9691
2022-11-08 14:37:34 +01:00
Daniel Stenberg
c0b24c93a9
tool_operate: when aborting, make sure there is a non-NULL error buffer
To store custom errors in. Or SIGSEGVs will follow.

Reported-by: Trail of Bits
Closes #9865
2022-11-07 23:55:26 +01:00
Daniel Stenberg
a55256cfb2
curl: timeout in the read callback
The read callback can timeout if there's nothing to read within the
given maximum period. Example use case is when doing "curl -m 3
telnet://example.com" or anything else that expects input on stdin or
similar that otherwise would "hang" until something happens and then not
respect the timeout.

This fixes KNOWN_BUG 8.1, first filed in July 2009.

Bug: https://sourceforge.net/p/curl/bugs/846/

Closes #9815
2022-10-28 17:57:14 +02:00
Ayesh Karunaratne
4484270afc
misc: typo and grammar fixes
- Replace `Github` with `GitHub`.
- Replace `windows` with `Windows`
- Replace `advice` with `advise` where a verb is used.
- A few fixes on removing repeated words.
- Replace `a HTTP` with `an HTTP`

Closes #9802
2022-10-27 10:01:30 +02:00
Daniel Stenberg
3ab3c16b2c
tool_xattr: save the original URL, not the final redirected one
Adjusted test 1621 accordingly.

Reported-by: Viktor Szakats
Fixes #9766
Closes #9768
2022-10-22 23:56:23 +02:00
Daniel Stenberg
ec977b050d
tool_operate: more transfer cleanup after parallel transfer fail
In some circumstances when doing parallel transfers, the
single_transfer_cleanup() would not be called and then 'inglob' could
leak.

Test 496 verifies

Reported-by: Trail of Bits
Closes #9749
2022-10-18 08:41:38 +02:00
Daniel Stenberg
f67f60c14b
curl/add_parallel_transfers: better error handling
1 - consider the transfer handled at once when in the function, to avoid
    the same list entry to get added more than once in rare error
    situations

2 - set the ERRORBUFFER for the handle first after it has been added
    successfully

Reported-by: Trail of Bits

Closes #9729
2022-10-14 08:15:55 +02:00
Daniel Stenberg
d24a2ffefe
curl/add_file_name_to_url: use the libcurl URL parser
instead of the custom error-prone parser, to extract and update the path
of the given URL

Closes #9683
2022-10-10 22:39:41 +02:00
Daniel Stenberg
b82eb72d80
single_transfer: use the libcurl URL parser when appending query parts
Instead of doing "manual" error-prone parsing in another place.

Used when --data contents is added to the URL query when -G is provided.

Closes #9681
2022-10-10 15:46:05 +02:00
Viktor Szakats
7313ffebfe
docs: spelling nits
- MingW -> MinGW (Minimalist GNU for Windows)
- f.e. -> e.g.
- some whitespace and punctuation.

Reviewed-by: Daniel Stenberg

Closes #9622
2022-09-29 21:29:04 +00:00
Patrick Monnerat
ce30d518de
tool: remove dead code
Add a debug assertion to verify protocols included/excluded in a set
are always tokenized.

Follow-up to commit 677266c.

Closes #9576
2022-09-23 13:55:52 +02:00
Patrick Monnerat
677266c769
tool: remove protocol count limitation
Replace bit mask protocol sets by null-terminated arrays of protocol
tokens. These are the addresses of the protocol names returned by
curl_version_info().

Protocol names are sorted case-insensitively before output to satisfy CI
tests matches consistency.

The protocol list returned by curl_version_info() is augmented with all
RTMP protocol variants.

Test 1401 adjusted for new alpha ordered output.

Closes #9546
2022-09-22 13:49:10 +02:00
Patrick Monnerat
dd2a024323
cli tool: do not use disabled protocols
As they are now rejected by the library, take care of not passing
disabled protocol names to CURLOPT_PROTOCOLS_STR and
CURLOPT_REDIR_PROTOCOLS_STR.

Rather than using the CURLPROTO_* constants, dynamically assign protocol
numbers based on the order they are listed by curl_version_info().

New type proto_set_t implements prototype bit masks: it should therefore
be large enough to accommodate all library-enabled protocols. If not,
protocol numbers beyond the bit count of proto_set_t are recognized but
"inaccessible": when used, a warning is displayed and the value is
ignored. Should proto_set_t overflow, enabled protocols are reordered to
force those having a public CURLPROTO_* representation to be accessible.

Code has been added to subordinate RTMP?* protocols to the presence of
RTMP in the enabled protocol list, being returned by curl_version_info()
or not.
2022-09-16 23:29:08 +02:00
Daniel Stenberg
ee56e6ff12
tool_operate: avoid a few #ifdefs for disabled-libcurl builds
By providing empty macros in the header file instead, the code gets
easier to read and yet is disabled on demand.

Closes #9486
2022-09-13 10:28:50 +02:00
Daniel Stenberg
b0dae2a433
tool_operate: fix msnprintfing the error message
Follow-up to 7be53774c4

Coverity CID 1513717 pointed out that we cannot use sizeof() on the
error buffer anymore.

Closes #9440
2022-09-06 14:32:51 +02:00
Daniel Stenberg
472f1cbe7e
NPN: remove support for and use of
Next Protocol Negotiation is a TLS extension that was created and used
for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
HTTPS. In the early days of HTTP/2, before the spec was finalized and
shipped, the protocol could be enabled using this extension with some
servers.

curl supports the NPN extension with some TLS backends since then, with
a command line option `--npn` and in libcurl with
`CURLOPT_SSL_ENABLE_NPN`.

HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
Negotiation) extension and the NPN extension has no purpose
anymore. The HTTP/2 spec was published in May 2015.

Today, use of NPN in the wild should be extremely rare and most likely
totally extinct. Chrome removed NPN support in Chrome 51, shipped in
June 2016. Removed in Firefox 53, April 2017.

Closes #9307
2022-09-05 07:39:02 +02:00
Daniel Stenberg
7be53774c4
tool_operate: reduce errorbuffer allocs
- parallel transfers: only alloc and keep errorbuffers in memory for
  actual "live" transfers and not for the ones in the pending queue

- serial transfers: reuse the same fixed buffer for all transfers, not
  allocated at all.

Closes #9394
2022-09-01 09:25:00 +02:00
Daniel Stenberg
838d894504
tool_operate: prevent over-queuing in parallel mode
When doing a huge amount of parallel transfers, we must not add them to
the per_transfer list frivolously since they all use memory after all.
This was previously done without really considering millions or billions
of transfers. Massive parallelism would use a lot of memory for no good
purpose.

The queue is now limited to twice the parallelism number.

This makes the 'Qd' value in the parallel progress meter mostly useless
for users, but works for now for us as a debug display.

Reported-by: justchen1369 on github
Fixes #8933
Closes #9389
2022-08-31 15:58:03 +02:00
Futaura
80e9eef737
tool: reintroduce set file comment code for AmigaOS
Amiga specific code which put the URL in the file comment was perhaps
accidentally removed in b889408500 having
originally been added in 5c215bdbdf.
Reworked to fit the code changes and added it back in.

Reported-by: Michael Trebilcock
Originally-added-by: Chris Young

Closes #9258
2022-08-08 15:48:08 +02:00
Marco Kamner
263409cf24
docs: remove him/her/he/she from documentation
Closes #9208
2022-07-27 13:52:53 +02:00
xkernel
d123f0e590
tool_operate: better cleanup of easy handle in exit path
Closes #9114
2022-07-10 18:23:03 +02:00
Daniel Stenberg
e6f8445ede
setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
... as replacements for deprecated CURLOPT_PROTOCOLS and
CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
32 bit limit the old ones are facing.

CURLINFO_PROTOCOL is now deprecated.

The curl tool is updated to use the new options.

Added test 1597 to verify the libcurl protocol parser.

Closes #8992
2022-07-04 08:35:09 +02:00
Daniel Stenberg
f57f96dedc
curl: output warning when a cookie is dropped due to size
Dropped from the request, that is.

Closes #9064
2022-06-29 08:48:03 +02:00
max.mehl
ad9bc5976d
copyright: make repository REUSE compliant
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a GitHub workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869
2022-06-13 09:13:00 +02:00
Daniel Stenberg
95f5aae9ad
test390: verify --parallel
Closes #8985
2022-06-10 09:05:25 +02:00
Daniel Stenberg
8f48b5d783
curl: add --rate to set max request rate per time unit
--rate "12/m" - for 12 per minute or
--rate "5/h" - for 5 per hour

Removed from TODO

Closes #8671
2022-05-23 17:59:56 +02:00
Daniel Stenberg
84052154f7
curl: deprecate --random-file and --egd-file
As libcurl no longer has any functionality for them, the tool now does
nothing with them.

Closes #8670
2022-05-17 11:06:07 +02:00
Daniel Stenberg
0356804d13
tool_operate: make sure --fail-with-body works with --retry
... in the same way --fail already does.

Reported-by: Jakub Bochenski
Fixes #8845
Closes #8847
2022-05-16 10:04:06 +02:00
Daniel Stenberg
8c7ee9083d
post_per_transfer: remove the updated file name
When --remove-on-error is used with --no-clobber, it might have an
updated file name to remove.

Bug: https://curl.se/docs/CVE-2022-27778.html

CVE-2022-27778

Reported-by: Harry Sintonen

Closes #8824
2022-05-09 12:56:21 +02:00
Emanuele Torre
77a6bf8489
tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3)
This loop was using the number of bytes read from the file as condition
to keep reading.

From Linux's fread(3) man page:
> On success, fread() and fwrite() return the number of items read or
> written. This number equals the number of bytes transferred only when
> size is 1. If an error occurs, or the end of the file is reached, the
> return value is a short item count (or zero).
>
> The file position indicator for the stream is advanced by the number
> of bytes successfully read or written.
>
> fread() does not distinguish between end-of-file and error, and
> callers must use feof(3) and ferror(3) to determine which occurred.

This means that nread!=0 doesn't make much sense as an end condition for
the loop: nread==0 doesn't necessarily mean that EOF has been reached or
an error has occurred (but that is usually the case) and nread!=0 doesn't
necessarily mean that EOF has not been reached or that no read errors
have occurred. feof(3) and ferror(3) should be used when using fread(3).

Currently curl has to perform an extra fread(3) call to get a return
value equal to 0 to stop looping.

This usually "works" (even though nread==0 shouldn't be interpreted as
EOF) if stdin is a pipe because EOF usually marks the "real" end of the
stream, so the extra fread(3) call will return immediately and the extra
read syscall won't be noticeable:

    bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 |
    > tail -n 5
    read(0, "a\n", 4096)                    = 2
    read(0, "", 4096)                       = 0
    read(0, "", 4096)                       = 0
    http://0x0.st/oRs.txt
    +++ exited with 0 +++
    bash-5.1$

But this doesn't work if curl is reading from stdin, stdin is a
terminal, and the EOF is being emulated using a shell with ^D. Two
consecutive ^D will be required in this case to actually make curl stop
reading:

    bash-5.1$ curl -F file=@- 0x0.st
    a
    ^D^D
    http://0x0.st/oRs.txt
    bash-5.1$

A possible workaround to this issue is to use a program that handles EOF
correctly to indirectly send data to curl's stdin:

    bash-5.1$ cat - | curl -F file=@- 0x0.st
    a
    ^D
    http://0x0.st/oRs.txt
    bash-5.1$

This patch makes curl handle EOF properly when using fread(3) in
file2memory() so that the workaround is not necessary.

Since curl was previously ignoring read errors caused by this fread(3),
ferror(3) is also used in the condition of the loop: read errors and EOF
will have the same meaning; this is done to somewhat preserve the old
behaviour instead of making the command fail when a read error occurs.

Closes #8701
2022-04-17 11:36:28 +02:00
Daniel Stenberg
01a1697a79
curl: error out if -T and -d are used for the same URL
As one implies PUT and the other POST, both cannot be used
simultaneously.

Add test 378 to verify.

Reported-by: Boris Verkhovskiy
Fixes #8704
Closes #8715
2022-04-17 11:18:17 +02:00
Ian Blanes
9e5bd9ba19
curl: fix segmentation fault for empty output file names.
Function glob_match_url set *result to NULL when called with filename =
"", producing an indirect NULL pointer dereference.

Closes #8606
2022-03-28 09:39:09 +02:00
Daniel Stenberg
08a96c6e4e
curl: add --remove-on-error
If a transfer returns an error, using this option makes curl remove the
leftover downloaded (partial) local file before exiting.

Added test 376 to verify

Closes #8503
2022-03-10 19:57:55 +01:00
Daniel Stenberg
bec62e39d1
tool_operate: fix a scan-build warning
... and avoid the temp storing of the return code in a diff variable.

Closes #8565
2022-03-10 08:31:20 +01:00
Daniel Stenberg
95e8515ca0
curl: error out when options need features not present in libcurl
Trying to use a proxy when libcurl was built with proxy support disabled
should make curl error out properly.

Remove knowledge of disabled features from the tool code and instead
make it properly respond to what libcurl returns. Update all tests to
properly require the necessary features to be present/absent so that the
test suite can still be run even with libcurl builds with disabled
features.

Ref: https://curl.se/mail/archive-2022-03/0013.html
Closes #8565
2022-03-10 08:30:45 +01:00
Daniel Stenberg
f974bee623
curl: remove "separators" (when using globbed URLs)
Unless muted (with -s), when doing globbing, curl would output mime-like
separators between the separate transfers. This is not documented
anywhere, surprises users and clobbers the output. Gone now.

Updated test 18 and 1235

Reported-by: jonny112 on github
Bug: https://github.com/curl/curl/discussions/8257
Closes #8278
2022-01-15 23:41:28 +01:00
Daniel Stenberg
ee2ca5826b
tool_operate: warn if too many output arguments were found
More output instructions than URLs is likely a user error.

Add test case 371 to verify

Closes #8210
2022-01-03 15:55:38 +01:00
Daniel Stenberg
75b31ce626
tool_operate: fix potential memory-leak
A 'CURLU *' would leak if url_proto() is called with no URL.

Detected by Coverity. CID 1494643.
Follow-up to 18270893ab
Closes #8098
2021-12-06 09:59:38 +01:00
Daniel Stenberg
2be1aa619b
tool_findfile: search for a file in the homedir
The homedir() function is now renamed into findfile() and iterates over
all the environment variables trying to access the file in question
until it finds it. Last resort is then getpwuid() if
available. Previously it would first try to find a home directory and if
that was set, insist on checking only that directory for the file. This
now returns the full file name it finds.

The Windows specific checks are now done differently too and in this
order:

1 - %USERPROFILE%
2 - %APPDATA%
3 - %USERPROFILE%\\Application Data

The Windows order is modified to match how the Windows 10 ssh tool works
when it searches for .ssh/known_hosts.

Reported-by: jeffrson on github
Co-authored-by: Jay Satiro
Fixes #8033
Closes #8035
2021-11-29 00:57:22 +01:00
Daniel Stenberg
18270893ab
tool_operate: only set SSH related libcurl options for SSH URLs
For example, this avoids trying to find and set the known_hosts file (or
warn for its absence) if SFTP or SCP are not used.

Closes #8040
2021-11-21 23:12:48 +01:00
Patrick Monnerat
b20b364764
mime: use percent-escaping for multipart form field and file names
Until now, form field and file names were escaped using the
backslash-escaping algorithm defined for multipart mails. This commit
replaces this with the percent-escaping method for URLs.

As this may introduce incompatibilities with server-side applications, a
new libcurl option CURLOPT_MIME_OPTIONS with bitmask
CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
backslash-escaping. This is controlled by new cli tool option
--form-escape.

New tests and documentation are provided for this feature.

Reported by: Ryan Sleevi
Fixes #7789
Closes #7805
2021-11-15 10:40:03 +01:00