Making it just skip the check unless exactly 32 is too brittle. Even if
the docs says it needs to be exactly 32, it is be safer to make the
comparison fail here instead.
Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1549461Closes#8745
Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.
Bug: https://curl.se/docs/CVE-2022-22576.html
CVE-2022-22576
Closes#8746
Set the libcurl version in libcurl.plist like how libcurl.vers is
created.
Closes: #8692
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
The existing programming had some issues with errorhandling for reading
the cookie file. If the file failed to open, we would silently ignore it
and continue as if there was no file (or stdin) passed. In this case, we
would also call fclose() on the NULL FILE pointer, which is undefined
behavior. Fix by ensuring that the FILE pointer is set before calling
fclose on it, and issue a warning in case the file cannot be opened.
Erroring out on nonexisting file would break backwards compatibility of
very old behavior so we can't really go there.
Closes: #8699
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Also move timediff_t definitions from timeval.h to timediff.h and
then make timeval.h include the new standalone-capable timediff.h.
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Supersedes #5888Closes#8595
Ensure that all infof calls with a warning message are capitalized
in the same way. At some point we should probably set up a style-
guide for infof but until then let's aim for a little consistenncy
where we can.
Closes: #8711
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
This commit fixes HTTP/3 upload stall if upload data is larger than
H3_SEND_SIZE. Only check writability of socket if a stream is
writable to avoid busy loop when QUIC flow control window is filled
up, or upload buffer is full.
Closes#8688
Instead of connclose()ing, since when HTTP/2 is used it doesn't need to
close the connection as stopping the current transfer is enough.
Reported-by: Evangelos Foutras
Closes#8665
For the "simulated 304" case the done-call isn't considered "premature"
but since the server didn't close the stream it needs to be reset to
stop delivering data.
Closes#8664
Also rephrase to make it sound less dangerous:
"ALPN: server did not agree on a protocol. Uses default."
Reported-by: Nick Coghlan
Fixes#8643Closes#8651
This leaves the CURLE_RECV_ERROR error code for explicit failure to
receive network data and allows users to better separate the problems.
Ref #8356
Reported-by: Rianov Viacheslav
Closes#8506
Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't
particularly belong in lib/
Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying
those files in the root Makefile.am
Closes#8625
curl_setup.h automatically defines WIN32 if just _WIN32 is defined.
Therefore make sure curl_setup.h is included through warnless.h.
Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes#8594
Prior to this change if, at build time, the GnuTLS backend was found to
have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
Bug: https://curl.se/mail/lib-2022-03/0046.html
Reported-by: Robert Brose
Closes https://github.com/curl/curl/pull/8604
This test verifies that the order of functions in public headers remain
the same but hasn't been updated to care for recently added header
files. The order is important for some few platforms - or VERSIONINFO
needs to updated.
This fix also updates VERSIONINFO to be sure.
Closes#8620
