We have lots of unchecked msnprintf calls, and this particular msnprintf
call isn't more interesting than the others, but this one yields a Coverity
warning so let's implicitly silence it. Going over the other invocations
is probably a worthwhile project, but for now let's keep the static
analyzers happy.
Closes: #8831
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.
CVE-2022-27779
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.htmlCloses#8820
This function has been unused since the initial commit of the GSKit
backend in 0eba02fd4. The motivation for the code was getting the
whole certificate chain: the only place where the latter is available
is as a callback parameter. Unfortunately it is not possible to pass
a user pointer to this callback, which precludes the possibility to
associate the cert chain with a data/conn structure.
For further information, search for pgsk_cert_validation_callback on:
https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm
As the upstream library never added a parameter like that to the API,
we give up the wait and remove the dead code.
Closes: #8782
Reviewed-by: Patrick Monnerat <patrick@monnerat.net>
Print the boolean value as its string representation instead of with
%hhu which isn't a format we typically use.
Closes: #8763
Reviewed-by: Nick Banks <nibanks@microsoft.com>
Hyper now has the ability to preserve header order. This commit adds a
few lines setting the connection options for this feature.
Related to issue #8617Closes#8707
To simplify, and also since the returned name is not the full actual
name used for the check. The port number and zone id is also involved,
so just showing the name is misleading.
Closes#8750
Making it just skip the check unless exactly 32 is too brittle. Even if
the docs says it needs to be exactly 32, it is be safer to make the
comparison fail here instead.
Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1549461Closes#8745
Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.
Bug: https://curl.se/docs/CVE-2022-22576.html
CVE-2022-22576
Closes#8746
Set the libcurl version in libcurl.plist like how libcurl.vers is
created.
Closes: #8692
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
The existing programming had some issues with errorhandling for reading
the cookie file. If the file failed to open, we would silently ignore it
and continue as if there was no file (or stdin) passed. In this case, we
would also call fclose() on the NULL FILE pointer, which is undefined
behavior. Fix by ensuring that the FILE pointer is set before calling
fclose on it, and issue a warning in case the file cannot be opened.
Erroring out on nonexisting file would break backwards compatibility of
very old behavior so we can't really go there.
Closes: #8699
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Also move timediff_t definitions from timeval.h to timediff.h and
then make timeval.h include the new standalone-capable timediff.h.
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Supersedes #5888Closes#8595
Ensure that all infof calls with a warning message are capitalized
in the same way. At some point we should probably set up a style-
guide for infof but until then let's aim for a little consistenncy
where we can.
Closes: #8711
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
This commit fixes HTTP/3 upload stall if upload data is larger than
H3_SEND_SIZE. Only check writability of socket if a stream is
writable to avoid busy loop when QUIC flow control window is filled
up, or upload buffer is full.
Closes#8688
