Resolve conf #20

Closed
devkdas wants to merge 219 commits into quic-v2-support from resolve-conf
@devkdas devkdas commented Nov 4, 2025

No description provided.

bagder and others added 30 commits October 17, 2025 10:40
Reported-by: Joshua Rogers
Fixes curl#19089
Closes curl#19090
After this patch libcurl requires (as already documented)
the `curl_global_init()` call when using the `curl_formadd()` API with
mbedTLS.

Note: NTLM is not supported with mbedTLS 4+, because it lacks
the necessary crypto primitive: DES.

Also:
- lib: de-dupe mbedTLS minimum version checks into `curl_setup.h`.
- lib: initialize PSA Crypto as part of `curl_global_init()`.
  For MD5, SHA-256, `curl_formadd()`, and MultiSSL builds with mbedTLS
  but where mbedTLS isn't the default backend.
- lib1308: fix to call `curl_global_init()` (for the Form API).
- curl_ntlm_core: disable with mbedTLS 4+.
- md4: disable mbedTLS implementation when building against 4.x.
- md5: use mbedTLS PSA Crypto API when available, otherwise use
  the default local implementation.
- sha256: use mbedTLS PSA Crypto API when available, otherwise use
  the default local implementation.
- vtls/mbedtls: drop PSA Crypto initialization in favor of
  `curl_global_init()`.
- vtls/mbedtls: use PSA Crypto random API with all mbedTLS versions.
- vtls/mbedtls: do the same for the SHA-256 callback.
- autotools: detect mbedTLS 4+, and disable NTLM for 3.x.
- cmake: disable NTLM for mbedTLS 3.x.
- GHA/linux: keep building mbedTLS 3.x manually and use it in
  an existing job, while also enabling pytest in it.
- GHA/linux: bump to mbedTLS 4.0.0.
  Closes curl#19075
  Closes curl#19074

Refs:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-4.0.0
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/docs/4.0-migration-guide.md
https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-4.0.0/tf-psa-crypto/docs/1.0-migration-guide.md [404]
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/1.0-migration-guide.md
https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/tf-psa-crypto-1.0.0/docs/psa-transition.md
https://github.com/Mbed-TLS/TF-PSA-Crypto/tree/627f727bbed3d9319ed548f1c0839a29c223414e/docs/4.0-migration-guide

Closes curl#19077
It should limit the size to the size of the target array, not the
incoming data.

Pointed out by ZeroPath
Closes curl#19095
In MOST protocols and runs, the 'pretransfer' time is less than the
'starttransfer'. E.g. request being sent before response comes in.

However, when curl is starved of cpu a server response might start
streaming in before the multi-state transitioned to DID (and recorded
the 'pretransfer' time).

No longer check that 'pretransfer' is less or equal 'starttransfer'.
Check that it is less or equal to the total time instead.

Closes curl#19096
The choice to continue processing incoming data although the
writeout of the headers/data failed is not obvious. Add a comment
explaining why this is done.

Closes curl#19093
Detect and prevent abuse or mistakes. Limit set to 100.

Closes curl#19091
- make sure memory allocated by libcurl is freed with curl_free()

- drop the ensure_trailing_slash complexity

Closes curl#19097
Avoid the possible 64-bit offset truncation when used on systems with
small 'long', like Windows.

bonus: make mime_open_file() return bool

Pointed out by ZeroPath
Closes curl#19100
When freeing buffers allocated by SSPI, use its own function, not free().

Reported-by: Joshua Rogers
Closes curl#19046
A bit more minimal build than the one used for trurl. To stress test
a build with most features disabled.

Costs 40 seconds, of which 6 is the build, rest is installing tools.

Ref: curl/curl-for-win@5b38500
Ref: curl/curl-for-win@3ee1069

Follow-up to 5af2457 curl#17818

Closes curl#17961
For files with sizes using an exact multiple of 256 bytes, the final
successful read(s) filled the buffer(s) and the subsequent fread
returned 0 for EOF, which caused read_file_into to fail.

Now, it needs to return 0 and not be EOF to be an error.

Follow-up to dd95a49

Pointed out by ZeroPath
Closes curl#19104
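
An added example, not code from curl: a chunked read loop run over constructed temp files, showing why a size that is an exact multiple of 256 bytes failed and how the EOF check resolves it. `read_all`, `roundtrip` and the `zero_is_error` switch (which models the behaviour the commit message describes before the fix) are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 256 /* read size named in the commit message */
/* Hypothetical helper, not curl's read_file_into(). Returns the byte count,
   or -1 on error. zero_is_error=1 models the pre-fix behaviour. */
static long read_all(FILE *fp, char *dst, size_t cap, int zero_is_error)
{
  size_t len = 0;
  for(;;) {
    char chunk[CHUNK];
    size_t n = fread(chunk, 1, sizeof(chunk), fp);
    if(!n) {
      /* after the fix: 0 bytes is an error only when it is not EOF */
      if(zero_is_error || !feof(fp))
        return -1;
      return (long)len;
    }
    if(n > cap - len)
      return -1; /* destination too small */
    memcpy(dst + len, chunk, n);
    len += n;
    if(n < sizeof(chunk)) /* short read: end of data or an I/O error */
      return ferror(fp) ? -1 : (long)len;
  }
}

/* Constructed input: write `size` bytes to a temp file and read it back. */
static long roundtrip(size_t size, int zero_is_error)
{
  static char dst[4096];
  FILE *fp = tmpfile();
  long result;
  size_t i;
  if(!fp)
    return -2; /* could not create the temp file */
  for(i = 0; i < size; i++)
    fputc('A' + (int)(i % 26), fp);
  rewind(fp);
  result = read_all(fp, dst, sizeof(dst), zero_is_error);
  fclose(fp);
  return result;
}

int main(void)
{
  printf("512: before=%ld after=%ld\n", roundtrip(512, 1), roundtrip(512, 0));
  printf("300: before=%ld after=%ld\n", roundtrip(300, 1), roundtrip(300, 0));
  return 0;
}
```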
Also make the verbose log say it

Pointed out by ZeroPath

Closes curl#19103
Before this patch system `malloc()`/`free()` were used to allocate
the buffer returned in the `output_token` object from the debug stub
of `gss_init_sec_context()` when enabled via `CURL_STUB_GSS_CREDS` in
debug-enabled libcurl builds. This object is later released via stock
`gss_release_buffer()`, which, in the Windows builds of MIT Kerberos,
doesn't use the system `free()`, but the Win32 `HeapFree()`.

Fix it by using the GSS alloc/free macros: `gssalloc_malloc()` and
`gssalloc_free()` from `gssapi_alloc.h`.

To make this work without MIT Kerberos feature detection, use a canary
macro to detect a version which installs `gssapi_alloc.h` for Windows.
For <1.15 (2016-11-30) releases, that do not install it, disable the GSS
debug stub in libcurl.

Strictly speaking, non-Windows builds would also need to use GSS
allocators, but, detecting support for `gssapi_alloc.h` is impossible
without build-level logic. Build-level logic is complex and overkill,
and MIT Kerberos, as of 1.22.1, uses standard malloc/free on
non-Windows platforms anyway. (except in GSS debug builds.)

Follow-up to 7384083 curl#17752

Closes curl#19064
- tool_formparse: replace truncated `fseek` with `curlx_fseek`.
- tool_operate: replace truncated `fseek` with `curlx_fseek`.
- tool_paramhlp: replace local duplicate `myfseek`, with `curlx_fseek`.

Follow-up to 4fb12f2 curl#19100

Closes curl#19107
The -F option allows users to provide a file with a set of headers for a
specific formpost section. This code used old handcrafted parsing logic
that potentially could do wrong.

Rewrite to use my_get_line() and dynbuf. Supports longer lines and
should be more solid parsing code.

Gets somewhat complicated by the (unwise) feature that allows "folding"
of header lines in the file: if a line starts with a space it should be
appended to the previous.

The previous code trimmed spurious CR characters wherever they would
occur in a line but this version does not. It does not seem like
something we want or that users would expect.

Test 646 uses this feature.
Closes curl#19113
In providercheck(), when failing to open the "store", the exit path
would not previously free the created UI_METHOD and instead leak this
resource.

Pointed out by ZeroPath

Closes curl#19114
- do not pre-fill `HAVE_LINUX_TCP_H` on Linux.
  `linux/tcp.h` is a Linux kernel userspace header. It's likely
  installed when using glibc and likely missing by default when using
  something else, e.g. MUSL (e.g. on Alpine).

  Therefore always detect it for Linux targets, and only pre-fill it for
  non-Linux ones.

- do not pre-fill `HAVE_GLIBC_STRERROR_R` on Linux.
  To fix it for non-glibc envs, e.g. MUSL (e.g. on Alpine).

Note, the pre-fill option is a disabled-by-default, internal option and
strongly not recommended outside of curl development.

Closes curl#19116
bagder and others added 24 commits November 1, 2025 23:13
When the target host is on a different port than 443, the name
"_[port]._https.[name]" shall be used.

Fixes curl#19301
Reported-by: Gunni on github
Closes curl#19324
- fix regex to not catch CR (from CRLF), in `PORT`, `EPRT`
  commands, allowing to use `crlf="yes"` more.
- add `crlf="headers"` mode for `protocol` sections.
  To call `subnewlines()` without its force option.
  This is the mode used in `data` sections when `crlf="yes"`.
  (This confusion may be subject to a future commit.)
- subnewlines: apply CRLF to `HEAD` and `CONNECT` HTTP requests.
- subnewlines: apply CRLF to RTSP requests.
- delete remaining empty `protocol` sections.

Reducing the number of `tests/data/test*`:
- CRLF newlines from 11325 to 10295. (119984 lines total)
- files with mixed newlines from 707 to 656. (1890 files total)

Follow-up to 4d2a05d curl#19284

Closes curl#19318
```
Use of uninitialized value $hash{"crlf"} in string eq at tests/runtests.pl line 1406.
```

Follow-up to 6cf3d7b curl#19318
Closes curl#19327
Follow-up to e64c28e

Spotted by OSS-Fuzz

Closes curl#19332
Test 696 and 556 share the same libtest code. Make sure to issue
the `GET` request to the correct runtime test number instead of using
the hard-wired "556".

It makes the `sws` test server read the response string from `test696`
`<data>` section, instead of reading it from `test556`. To avoid this
hidden interaction between test data.

AFAICS there is no other similar hard-coded string in reused libtests.

Ref: curl#19313 (comment)
Follow-up to be82a36 curl#16003
Closes curl#19329
The test FTP server returned LF newlines for 227/229 replies, instead of
the CRLF used for the rest.

Test data added later were explicitly made to expect an LF in these
response lines.

After this patch the FTP server returns CRLF newlines, allowing
to delete this special case in test data.

Follow-up to 3bfff57
Follow-up to a7937ed

Closes curl#19330
`.mailmap` supports comments and empty lines since at least 2.31.0:
https://git-scm.com/docs/gitmailmap/2.31.0

Closes curl#19339
The interim CURLE_AGAIN result was not always converted to a
CURLE_OK and then caused write callers to report a failure.

Fixes curl#19334
Reported-by: pennae on github
Closes curl#19338
The definition of these constants does not give a numeric ordering
and MAX_DEFAULT needs to be checked in addition to ciphers and QUIC
checks to apply correctly.

Fixes curl#19340
Reported-by: Peter Piekarski
Closes curl#19341
Fixes curl#19109 - GSSAPI authentication fails on macOS with Apple's Heimdal
implementation which lacks GSS_C_CHANNEL_BOUND_FLAG support for TLS
channel binding.

Commit 0a5ea09 introduced TLS channel binding for SPNEGO/GSSAPI
authentication unconditionally, but Apple's Heimdal fork (used on macOS)
does not support this feature, causing "unsupported mechanism" errors
when authenticating to corporate HTTP services with Kerberos.

Solution:
- Add CURL_GSSAPI_HAS_CHANNEL_BINDING detection in curl_gssapi.h based
  on GSS_C_CHANNEL_BOUND_FLAG presence (MIT Kerberos >= 1.19)
- Make negotiatedata.channel_binding_data field conditional in vauth.h
- Guard channel binding collection/cleanup in http_negotiate.c
- Guard channel binding usage in spnego_gssapi.c

This follows the same pattern as GSS_C_DELEG_POLICY_FLAG detection and
ensures graceful degradation when channel binding is unavailable while
maintaining full support for implementations that have it.

Changes:
- lib/curl_gssapi.h: Add feature detection macro
- lib/vauth/vauth.h: Make struct field conditional
- lib/http_negotiate.c: Conditional init/cleanup (2 locations)
- lib/vauth/spnego_gssapi.c: Conditional channel binding usage

Tested on macOS with Apple Heimdal (no channel binding) and Linux with
MIT Kerberos (with channel binding). Both configurations authenticate
successfully without errors.

Closes curl#19164
find_ssl_filter used while(cf && cf->next) and skipped the last node.
If the SSL filter was last, channel binding lookup failed and we returned
CURLE_BAD_FUNCTION_ARGUMENT. Switch to while(cf) so the tail is examined.

This bug was found with ZeroPath.

Closes curl#19229
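
An added example, not curl's source: the two loop shapes named in the commit message above, run over constructed filter chains so the skipped tail node is visible. `struct filter`, `find_ssl_before`, `find_ssl_after` and the chains are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a connection filter chain (hypothetical type,
   not curl's own filter struct). */
struct filter {
  int is_ssl;
  struct filter *next;
};

/* Loop shape before the fix: exits once cf->next is NULL, so the tail
   node is never tested. */
static struct filter *find_ssl_before(struct filter *cf)
{
  while(cf && cf->next) {
    if(cf->is_ssl)
      return cf;
    cf = cf->next;
  }
  return NULL;
}

/* Loop shape after the fix: every node, including the tail, is tested. */
static struct filter *find_ssl_after(struct filter *cf)
{
  while(cf) {
    if(cf->is_ssl)
      return cf;
    cf = cf->next;
  }
  return NULL;
}

/* Constructed chains: SSL filter last, and SSL filter in the middle. */
static struct filter ssl_tail = { 1, NULL };
static struct filter chain_ssl_last = { 0, &ssl_tail };
static struct filter tcp_tail = { 0, NULL };
static struct filter ssl_mid = { 1, &tcp_tail };
static struct filter chain_ssl_mid = { 0, &ssl_mid };

int main(void)
{
  printf("ssl last: before=%s after=%s\n",
         find_ssl_before(&chain_ssl_last) ? "found" : "missed",
         find_ssl_after(&chain_ssl_last) ? "found" : "missed");
  printf("ssl mid:  before=%s after=%s\n",
         find_ssl_before(&chain_ssl_mid) ? "found" : "missed",
         find_ssl_after(&chain_ssl_mid) ? "found" : "missed");
  return 0;
}
```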
- `reply/data*`, `verify/stdout`, `verify/stderr`, `verify/file*`,
  `verify/proxy`:
  - make `crlf="yes"` force CRLF to all lines, instead of just applying
    to HTTP protocol headers.
  - add support for `crlf="headers"` that only converts HTTP protocol
    header lines to CRLF. (previously done via `crlf="yes"`.)
  - use `crlf="headers"` where possible.

- `reply/connect*`:
  - add support for `crlf="yes"` and `crlf="headers"`.
  - use them where possible.

- `client/file*`, `client/stdin`:
  - add support for `crlf="yes"`.
  - use it where possible.

- `reply/data*`, `verify/protocol`:
  - replace existing uses of `crlf="yes"` with `crlf="headers"` where it
    does not change the result.

Reducing the number of `tests/data/test*`:
- CRLF newlines from 10295 to 1985. (119985 lines total)
- files with mixed newlines from 656 to 113. (1890 files total)

After this patch there remain 141 sections with mixed newlines, where
the mixing is not split between headers/non-headers. There is no obvious
pattern here. Some of the CRLF uses might be accidental, or
non-significant. They will be tackled in a future patch.

Follow-up to 6cf3d7b curl#19318
Follow-up to 4d2a05d curl#19284

Closes curl#19313
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Closes curl#19345
Which also mentions all protocols

Closes curl#19335