Until now, form field and file names where escaped using the
backslash-escaping algorithm defined for multipart mails. This commit
replaces this with the percent-escaping method for URLs.
As this may introduce incompatibilities with server-side applications, a
new libcurl option CURLOPT_MIME_OPTIONS with bitmask
CURLMIMEOPT_FORMESCAPE is introduced to revert to legacy use of
backslash-escaping. This is controlled by new cli tool option
--form-escape.
New tests and documentation are provided for this feature.
Reported by: Ryan Sleevi
Fixes#7789Closes#7805
When failing to create the output file for saving an etag, only fail
that particular single transfer and allow others to follow.
In a serial transfer setup, if no transfer at all is done due to them
all being skipped because of this error, curl will output an error
message and return exit code 26.
Added test 369 and 370 to verify.
Reported-by: Earnestly on github
Ref: #7942Closes#7945
Previously, -libssh2/-rtmp options assumed that OpenSSL is also enabled
(and then failed with an error when not finding expected OpenSSL headers),
but this isn't necessarly true, e.g. when building both libssh2 and curl
against Schannel. This patch makes sure to only enable the OpenSSL backend
with -libssh2/-rtmp, when there was no SSL option explicitly selected.
- Re-implement the logic as a single block of script.
- Also fix an indentation while there.
Assisted-by: Jay Satiro
Closes#7895
- Use RtlVerifyVersionInfo instead of VerifyVersionInfo, when possible.
Later versions of Windows have normal version functions that compare and
return versions based on the way the application is manifested, instead
of the actual version of Windows the application is running on. We
prefer the actual version of Windows so we'll now call the Rtl variant
of version functions (RtlVerifyVersionInfo) which does a proper
comparison of the actual version.
Reported-by: Wyatt O'Day
Ref: https://github.com/curl/curl/pull/7727
Fixes https://github.com/curl/curl/issues/7742
Closes https://github.com/curl/curl/pull/7810
Adjust the description position to make an aligned column when doing
help listings, which is more pleasing to the eye.
Suggested-by: Gisle Vanem
Closes#7792
tool_listhelp.c is now a separate file with only the command line --help
output, exactly as generated by gen.pl. This makes it easier to generate
updates according to what's in the docs/cmdline-opts docs.
cd $srcroot/docs/cmdline-opts
./gen.pl listhelp *.d > $srcroot/src/tool_listhelp.c
With a configure build, this also works:
make -C src listhelp
Closes#7787
If Retry-After: specifies a period that is longer than what fits within
--retry-max-time, then stop retrying immediately.
Added test 366 to verify.
Reported-by: Kari Pahula
Fixes#7675Closes#7676
The file format for each option now features a "Example:" header that
can provide one or more examples that get rendered appropriately in the
output. All options MUST have at least one example or gen.pl complains
at build-time.
This fix also does a few other minor format and consistency cleanups.
Closes#7654
Due to how this currently works internally, it needs a working initial
file name to store contents in, so it may still fail even with -J is
used (and thus accepting a name from content-disposition:) if the file
name part of the URL isn't "good enough".
Fixes#7628Closes#7635
In an argument like `-F 'x=@/etc/hostname;filename="foo"abc'` the `abc`
is ignored. This adds a warning if the ignored data isn't all
whitespace.
Closes#7394
- Abort via progress callback to fail early during parallel transfers.
When a critical error occurs during a transfer (eg --fail-early
constraint) then other running transfers will be aborted via progress
callback and finish with error CURLE_ABORTED_BY_CALLBACK (42). In this
case, the callback error does not become the most recent error and a
custom error message is used for those transfers:
curld --fail --fail-early --parallel
https://httpbin.org/status/404https://httpbin.org/delay/10
curl: (22) The requested URL returned error: 404
curl: (42) Transfer aborted due to critical error in another transfer
> echo %ERRORLEVEL%
22
Fixes https://github.com/curl/curl/issues/6939
Closes https://github.com/curl/curl/pull/6984
The length of 'long' in a 32-bit system is 32 bits, which cannot be used
to save timestamps after 2038. Most operating systems have extended
time_t to 64 bits.
Remove the castings to long.
Closes#7466
The PRINT_LINES_PAUSE macro is no longer used, and has been mostly
cleaned out but one occurrence remained.
Closes https://github.com/curl/curl/pull/7380
Warning: this will make existing curl command lines that use metalink to
stop working.
Reasons for removal:
1. We've found several security problems and issues involving the
metalink support in curl. The issues are not detailed here. When
working on those, it become apparent to the team that several of the
problems are due to the system design, metalink library API and what
the metalink RFC says. They are very hard to fix on the curl side
only.
2. The metalink usage with curl was only very briefly documented and was
not following the "normal" curl usage pattern in several ways, making
it surprising and non-intuitive which could lead to further security
issues.
3. The metalink library was last updated 6 years ago and wasn't so
active the years before that either. An unmaintained library means
there's a security problem waiting to happen. This is probably reason
enough.
4. Metalink requires an XML parsing library, which is complex code (even
the smaller alternatives) and to this day often gets security
updates.
5. Metalink is not a widely used curl feature. In the 2020 curl user
survey, only 1.4% of the responders said that they'd are using it. In
2021 that number was 1.2%. Searching the web also show very few
traces of it being used, even with other tools.
6. The torrent format and associated technology clearly won for
downloading large files from multiple sources in parallel.
Cloes #7176
Reported by GCC analyzer:
Error: GCC_ANALYZER_WARNING (CWE-476):
src/tool_getparam.c: scope_hint: In function 'parse_args'
src/tool_getparam.c:2318:38: warning[-Wanalyzer-possible-null-dereference]: dereference of possibly-NULL 'orig_opt'
lib/curlx.h:56: included_from: Included from here.
src/tool_getparam.c:28: included_from: Included from here.
lib/curl_multibyte.h:70:51: note: in definition of macro 'curlx_convert_tchar_to_UTF8'
src/tool_getparam.c:2316:16: note: in expansion of macro 'curlx_convert_tchar_to_UTF8'
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Stenberg
Closes#7023
- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.
- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
to automatically locate and use a client certificate for
authentication, when requested by the server.
- New curl tool options --ssl-auto-client-cert and
--proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.
This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.
Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn
Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard
Closes https://github.com/curl/curl/pull/6673
This reverts commit 1cba36d216.
CMake provides properties that can be set on a target to rename the
output artifact without changing the name of a target.
Ref: #6899
- Save a parallel transfer's result code only when it fails and the
transfer is not being retried.
Prior to this change the result code was always set which meant that a
failed result could be erroneously discarded if a different transfer
later had a successful result (CURLE_OK).
Before:
> curl --fail -Z https://httpbin.org/status/404https://httpbin.org/delay/10
> echo %ERRORLEVEL%
0
After:
> curl --fail -Z https://httpbin.org/status/404https://httpbin.org/delay/10
> echo %ERRORLEVEL%
22
Closes #xxxx
Instead output a warning about it and continue with the defaults.
These SSL versions are typically not supported by the TLS libraries since a
long time back already since they are inherently insecure and broken. Asking
for them to be used will just cause an error to be returned slightly later.
In the unlikely event that a user's TLS library actually still supports these
protocol versions, this change might make the request a little less insecure.
Closes#6772
