diff --git a/.gitignore b/.gitignore
index 7dcfd8f..9bb4285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm
diff --git a/0001-curl-7.82.0-openssl-spurious-oom.patch b/0001-curl-7.82.0-openssl-spurious-oom.patch
deleted file mode 100644
index 186134d..0000000
--- a/0001-curl-7.82.0-openssl-spurious-oom.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Tue, 8 Mar 2022 13:38:13 +0100
-Subject: [PATCH] openssl: fix CN check error code
-
-Due to a missing 'else' this returns error too easily.
-
-Regressed in: d15692ebb
-
-Reported-by: Kristoffer Gleditsch
-Fixes #8559
-Closes #8560
-
-Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
-Signed-off-by: Kamil Dudka
----
- lib/vtls/openssl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 616a510..1bafe96 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
- memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
- peer_CN[peerlen] = '\0';
- }
-- result = CURLE_OUT_OF_MEMORY;
-+ else
-+ result = CURLE_OUT_OF_MEMORY;
- }
- }
- else /* not a UTF8 name */
---
-2.34.1
-
diff --git a/0002-curl-7.82.0-CVE-2022-22576.patch b/0002-curl-7.82.0-CVE-2022-22576.patch
deleted file mode 100644
index 51e9f86..0000000
--- a/0002-curl-7.82.0-CVE-2022-22576.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat
-Date: Mon, 25 Apr 2022 11:44:05 +0200
-Subject: [PATCH] url: check sasl additional parameters for connection reuse.
-
-Also move static function safecmp() as non-static Curl_safecmp() since
-its purpose is needed at several places.
-
-Bug: https://curl.se/docs/CVE-2022-22576.html
-
-CVE-2022-22576
-
-Closes #8746
-
-Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
-Signed-off-by: Kamil Dudka
----
- lib/strcase.c | 10 ++++++++++
- lib/strcase.h | 2 ++
- lib/url.c | 13 ++++++++++++-
- lib/urldata.h | 1 +
- lib/vtls/vtls.c | 21 ++++++---------------
- 5 files changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/lib/strcase.c b/lib/strcase.c
-index dd46ca1..692a3f1 100644
---- a/lib/strcase.c
-+++ b/lib/strcase.c
-@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
- } while(*src++ && --n);
- }
-
-+/* Compare case-sensitive NUL-terminated strings, taking care of possible
-+ * null pointers. Return true if arguments match.
-+ */
-+bool Curl_safecmp(char *a, char *b)
-+{
-+ if(a && b)
-+ return !strcmp(a, b);
-+ return !a && !b;
-+}
-+
- /* --- public functions --- */
-
- int curl_strequal(const char *first, const char *second)
-diff --git a/lib/strcase.h b/lib/strcase.h
-index b628656..382b80a 100644
---- a/lib/strcase.h
-+++ b/lib/strcase.h
-@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
- void Curl_strntoupper(char *dest, const char *src, size_t n);
- void Curl_strntolower(char *dest, const char *src, size_t n);
-
-+bool Curl_safecmp(char *a, char *b);
-+
- #endif /* HEADER_CURL_STRCASE_H */
-diff --git a/lib/url.c b/lib/url.c
-index adef2cd..94e3406 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
- Curl_safefree(conn->passwd);
- Curl_safefree(conn->sasl_authzid);
- Curl_safefree(conn->options);
-+ Curl_safefree(conn->oauth_bearer);
- Curl_dyn_free(&conn->trailer);
- Curl_safefree(conn->host.rawalloc); /* host name buffer */
- Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
-@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
- /* This protocol requires credentials per connection,
- so verify that we're using the same name and password as well */
- if(strcmp(needle->user, check->user) ||
-- strcmp(needle->passwd, check->passwd)) {
-+ strcmp(needle->passwd, check->passwd) ||
-+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
-+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
- /* one of them was different */
- continue;
- }
-@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
- }
- }
-
-+ if(data->set.str[STRING_BEARER]) {
-+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
-+ if(!conn->oauth_bearer) {
-+ result = CURLE_OUT_OF_MEMORY;
-+ goto out;
-+ }
-+ }
-+
- #ifdef USE_UNIX_SOCKETS
- if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
- conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
-diff --git a/lib/urldata.h b/lib/urldata.h
-index cc8a600..03da59a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -984,6 +984,7 @@ struct connectdata {
- char *passwd; /* password string, allocated */
- char *options; /* options string, allocated */
- char *sasl_authzid; /* authorisation identity string, allocated */
-+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
- unsigned char httpversion; /* the HTTP version*10 reported by the server */
- struct curltime now; /* "current" time */
- struct curltime created; /* creation time */
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index 03b85ba..a40ac06 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
- return !memcmp(first->data, second->data, first->len); /* same data */
- }
-
--static bool safecmp(char *a, char *b)
--{
-- if(a && b)
-- return !strcmp(a, b);
-- else if(!a && !b)
-- return TRUE; /* match */
-- return FALSE; /* no match */
--}
--
-
-
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- blobcmp(data->cert_blob, needle->cert_blob) &&
- blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
- blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
-- safecmp(data->CApath, needle->CApath) &&
-- safecmp(data->CAfile, needle->CAfile) &&
-- safecmp(data->issuercert, needle->issuercert) &&
-- safecmp(data->clientcert, needle->clientcert) &&
-- safecmp(data->random_file, needle->random_file) &&
-- safecmp(data->egdsocket, needle->egdsocket) &&
-+ Curl_safecmp(data->CApath, needle->CApath) &&
-+ Curl_safecmp(data->CAfile, needle->CAfile) &&
-+ Curl_safecmp(data->issuercert, needle->issuercert) &&
-+ Curl_safecmp(data->clientcert, needle->clientcert) &&
-+ Curl_safecmp(data->random_file, needle->random_file) &&
-+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
- Curl_safe_strcasecompare(data->curves, needle->curves) &&
---
-2.34.1
-
diff --git a/0003-curl-7.82.0-CVE-2022-27775.patch b/0003-curl-7.82.0-CVE-2022-27775.patch
deleted file mode 100644
index d1ad8b9..0000000
--- a/0003-curl-7.82.0-CVE-2022-27775.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 11:48:00 +0200
-Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
-
-Make connections to two separate IPv6 zone ids create separate
-connections.
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27775.html
-Closes #8747
-
-Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
-Signed-off-by: Kamil Dudka
----
- lib/conncache.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/lib/conncache.c b/lib/conncache.c
-index cd5756a..9b9f683 100644
---- a/lib/conncache.c
-+++ b/lib/conncache.c
-@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
- /* report back which name we used */
- *hostp = hostname;
-
-- /* put the number first so that the hostname gets cut off if too long */
-- msnprintf(buf, len, "%ld%s", port, hostname);
-+ /* put the numbers first so that the hostname gets cut off if too long */
-+#ifdef ENABLE_IPV6
-+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
-+#else
-+ msnprintf(buf, len, "%ld/%s", port, hostname);
-+#endif
- Curl_strntolower(buf, buf, len);
- }
-
---
-2.34.1
-
diff --git a/0004-curl-7.82.0-CVE-2022-27776.patch b/0004-curl-7.82.0-CVE-2022-27776.patch
deleted file mode 100644
index 523b3e7..0000000
--- a/0004-curl-7.82.0-CVE-2022-27776.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 13:05:40 +0200
-Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
-
-CVE-2022-27776
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27776.html
-Closes #8749
-
-Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
-Signed-off-by: Kamil Dudka
----
- lib/http.c | 34 ++++++++++++++++++++++------------
- lib/urldata.h | 16 +++++++++-------
- 2 files changed, 31 insertions(+), 19 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 799d4fb..0791dcf 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
- return CURLE_OK;
- }
-
-+/*
-+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-+ * data" can (still) be sent to this host.
-+ */
-+static bool allow_auth_to_host(struct Curl_easy *data)
-+{
-+ struct connectdata *conn = data->conn;
-+ return (!data->state.this_is_a_follow ||
-+ data->set.allow_auth_to_other_hosts ||
-+ (data->state.first_host &&
-+ strcasecompare(data->state.first_host, conn->host.name) &&
-+ (data->state.first_remote_port == conn->remote_port) &&
-+ (data->state.first_remote_protocol == conn->handler->protocol)));
-+}
-+
- /**
- * Curl_http_output_auth() setups the authentication headers for the
- * host/proxy and the correct authentication
-@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
- with it */
- authproxy->done = TRUE;
-
-- /* To prevent the user+password to get sent to other than the original
-- host due to a location-follow, we do some weirdo checks here */
-- if(!data->state.this_is_a_follow ||
-+ /* To prevent the user+password to get sent to other than the original host
-+ due to a location-follow */
-+ if(allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
-- conn->bits.netrc ||
-+ || conn->bits.netrc
- #endif
-- !data->state.first_host ||
-- data->set.allow_auth_to_other_hosts ||
-- strcasecompare(data->state.first_host, conn->host.name)) {
-+ )
- result = output_auth_headers(data, conn, authhost, request, path, FALSE);
-- }
- else
- authhost->done = TRUE;
-
-@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
- checkprefix("Cookie:", compare)) &&
- /* be careful of sending this potentially sensitive header to
- other hosts */
-- (data->state.this_is_a_follow &&
-- data->state.first_host &&
-- !data->set.allow_auth_to_other_hosts &&
-- !strcasecompare(data->state.first_host, conn->host.name)))
-+ !allow_auth_to_host(data))
- ;
- else {
- #ifdef USE_HYPER
-@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
- return CURLE_OUT_OF_MEMORY;
-
- data->state.first_remote_port = conn->remote_port;
-+ data->state.first_remote_protocol = conn->handler->protocol;
- }
- Curl_safefree(data->state.aptr.host);
-
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 03da59a..f92052a 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1329,14 +1329,16 @@ struct UrlState {
- char *ulbuf; /* allocated upload buffer or NULL */
- curl_off_t current_speed; /* the ProgressShow() function sets this,
- bytes / second */
-- char *first_host; /* host name of the first (not followed) request.
-- if set, this should be the host name that we will
-- sent authorization to, no else. Used to make Location:
-- following not keep sending user+password... This is
-- strdup() data.
-- */
-+
-+ /* host name, port number and protocol of the first (not followed) request.
-+ if set, this should be the host name that we will sent authorization to,
-+ no else. Used to make Location: following not keep sending user+password.
-+ This is strdup()ed data. */
-+ char *first_host;
-+ int first_remote_port;
-+ unsigned int first_remote_protocol;
-+
- int retrycount; /* number of retries on a new connection */
-- int first_remote_port; /* remote port of the first (not followed) request */
- struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
- long sessionage; /* number of the most recent session */
- struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
---
-2.34.1
-
-
-From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 13:05:47 +0200
-Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
-
-Do not pass on Authorization headers on redirects to another port
-
-Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 +-
- tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 91 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test898
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 59d46bc..7ae2cf8 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
- test863 test864 test865 test866 test867 test868 test869 test870 test871 \
- test872 test873 test874 test875 test876 test877 test878 test879 test880 \
- test881 test882 test883 test884 test885 test886 test887 test888 test889 \
--test890 test891 test892 test893 test894 test895 test896 test897 \
-+test890 test891 test892 test893 test894 test895 test896 test897 test898 \
- \
- test900 test901 test902 test903 test904 test905 test906 test907 test908 \
- test909 test910 test911 test912 test913 test914 test915 test916 test917 \
-diff --git a/tests/data/test898 b/tests/data/test898
-new file mode 100644
-index 0000000..5cbb7d8
---- /dev/null
-+++ b/tests/data/test898
-@@ -0,0 +1,90 @@
-+
-+
-+
-+HTTP
-+--location
-+Authorization
-+Cookie
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+
-+
-+HTTP with custom auth and cookies redirected to HTTP on a diff port
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+Authorization: Basic am9lOnNlY3JldA==
-+Cookie: userpwd=am9lOnNlY3JldA==
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+
---
-2.34.1
-
diff --git a/0005-curl-7.82.0-CVE-2022-27774.patch b/0005-curl-7.82.0-CVE-2022-27774.patch
deleted file mode 100644
index 86d0b45..0000000
--- a/0005-curl-7.82.0-CVE-2022-27774.patch
+++ /dev/null
@@ -1,636 +0,0 @@
-From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
-
-To make it available after the connection ended.
-
-Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
-Signed-off-by: Kamil Dudka
----
- lib/connect.c | 1 +
- lib/urldata.h | 6 +++++-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index 64f9511..7518807 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
- data->info.conn_scheme = conn->handler->scheme;
- data->info.conn_protocol = conn->handler->protocol;
- data->info.conn_primary_port = conn->port;
-+ data->info.conn_remote_port = conn->remote_port;
- data->info.conn_local_port = local_port;
- }
-
-diff --git a/lib/urldata.h b/lib/urldata.h
-index f92052a..5218f76 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1160,7 +1160,11 @@ struct PureInfo {
- reused, in the connection cache. */
-
- char conn_primary_ip[MAX_IPADR_LEN];
-- int conn_primary_port;
-+ int conn_primary_port; /* this is the destination port to the connection,
-+ which might have been a proxy */
-+ int conn_remote_port; /* this is the "remote port", which is the port
-+ number of the used URL, independent of proxy or
-+ not */
- char conn_local_ip[MAX_IPADR_LEN];
- int conn_local_port;
- const char *conn_scheme;
---
-2.34.1
-
-
-From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
- auth
-
-... unless explicitly permitted.
-
-Bug: https://curl.se/docs/CVE-2022-27774.html
-Reported-by: Harry Sintonen
-Closes #8748
-
-Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
-Signed-off-by: Kamil Dudka
----
- lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 1f8019b..752fe14 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
- return CURLE_OUT_OF_MEMORY;
- }
- else {
--
- uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
- if(uc)
- return Curl_uc_to_curlcode(uc);
-+
-+ /* Clear auth if this redirects to a different port number or protocol,
-+ unless permitted */
-+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
-+ char *portnum;
-+ int port;
-+ bool clear = FALSE;
-+
-+ if(data->set.use_port && data->state.allow_port)
-+ /* a custom port is used */
-+ port = (int)data->set.use_port;
-+ else {
-+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
-+ CURLU_DEFAULT_PORT);
-+ if(uc) {
-+ free(newurl);
-+ return Curl_uc_to_curlcode(uc);
-+ }
-+ port = atoi(portnum);
-+ free(portnum);
-+ }
-+ if(port != data->info.conn_remote_port) {
-+ infof(data, "Clear auth, redirects to port from %u to %u",
-+ data->info.conn_remote_port, port);
-+ clear = TRUE;
-+ }
-+ else {
-+ char *scheme;
-+ const struct Curl_handler *p;
-+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
-+ if(uc) {
-+ free(newurl);
-+ return Curl_uc_to_curlcode(uc);
-+ }
-+
-+ p = Curl_builtin_scheme(scheme);
-+ if(p && (p->protocol != data->info.conn_protocol)) {
-+ infof(data, "Clear auth, redirects scheme from %s to %s",
-+ data->info.conn_scheme, scheme);
-+ clear = TRUE;
-+ }
-+ free(scheme);
-+ }
-+ if(clear) {
-+ Curl_safefree(data->state.aptr.user);
-+ Curl_safefree(data->state.aptr.passwd);
-+ }
-+ }
- }
-
- if(type == FOLLOW_FAKE) {
---
-2.34.1
-
-
-From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 16:24:33 +0200
-Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
-
- - Test 973 redirects from HTTP to FTP, clear auth
- - Test 974 redirects from HTTP to HTTP different port, clear auth
- - Test 975 redirects from HTTP to FTP, permitted to keep auth
- - Test 976 redirects from HTTP to HTTP different port, permitted to keep
- auth
-
-Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 +-
- tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
- tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 352 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test973
- create mode 100644 tests/data/test974
- create mode 100644 tests/data/test975
- create mode 100644 tests/data/test976
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 7ae2cf8..175fc43 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
- test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
--test972 \
-+test972 test973 test974 test975 test976 \
- \
- test980 test981 test982 test983 test984 test985 test986 \
- \
-diff --git a/tests/data/test973 b/tests/data/test973
-new file mode 100644
-index 0000000..6ced107
---- /dev/null
-+++ b/tests/data/test973
-@@ -0,0 +1,88 @@
-+
-+
-+
-+HTTP
-+FTP
-+--location
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+
-+
-+data
-+ to
-+ see
-+that FTP
-+works
-+ so does it?
-+
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+data
-+ to
-+ see
-+that FTP
-+works
-+ so does it?
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+ftp
-+
-+
-+HTTP with auth redirected to FTP w/o auth
-+
-+
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+USER anonymous
-+PASS ftp@example.com
-+PWD
-+CWD a
-+CWD path
-+EPSV
-+TYPE I
-+SIZE %TESTNUMBER0002
-+RETR %TESTNUMBER0002
-+QUIT
-+
-+
-+
-diff --git a/tests/data/test974 b/tests/data/test974
-new file mode 100644
-index 0000000..ac4e641
---- /dev/null
-+++ b/tests/data/test974
-@@ -0,0 +1,87 @@
-+
-+
-+
-+HTTP
-+--location
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+
-+
-+HTTP with auth redirected to HTTP on a diff port w/o auth
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+
-diff --git a/tests/data/test975 b/tests/data/test975
-new file mode 100644
-index 0000000..85e03e4
---- /dev/null
-+++ b/tests/data/test975
-@@ -0,0 +1,88 @@
-+
-+
-+
-+HTTP
-+FTP
-+--location-trusted
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+
-+
-+data
-+ to
-+ see
-+that FTP
-+works
-+ so does it?
-+
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
-+
-+data
-+ to
-+ see
-+that FTP
-+works
-+ so does it?
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+ftp
-+
-+
-+HTTP with auth redirected to FTP allowing auth to continue
-+
-+
-+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET /%TESTNUMBER HTTP/1.1
-+Host: %HOSTIP:%HTTPPORT
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+USER joe
-+PASS secret
-+PWD
-+CWD a
-+CWD path
-+EPSV
-+TYPE I
-+SIZE %TESTNUMBER0002
-+RETR %TESTNUMBER0002
-+QUIT
-+
-+
-+
-diff --git a/tests/data/test976 b/tests/data/test976
-new file mode 100644
-index 0000000..c4dd61e
---- /dev/null
-+++ b/tests/data/test976
-@@ -0,0 +1,88 @@
-+
-+
-+
-+HTTP
-+--location-trusted
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+HTTP/1.1 301 redirect
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 4
-+Connection: close
-+Content-Type: text/html
-+
-+hey
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+
-+
-+HTTP with auth redirected to HTTP on a diff port --location-trusted
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET http://firsthost.com/ HTTP/1.1
-+Host: firsthost.com
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
-+Host: firsthost.com:9999
-+Authorization: Basic am9lOnNlY3JldA==
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+
---
-2.34.1
-
-
-From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 25 Apr 2022 17:59:15 +0200
-Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
- either
-
-Follow-up to 620ea21410030
-
-Reported-by: Harry Sintonen
-Closes #8751
-
-Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
-Signed-off-by: Kamil Dudka
----
- lib/http.c | 10 +++++-----
- lib/http.h | 6 ++++++
- lib/vtls/openssl.c | 3 ++-
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index 0791dcf..4433824 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
- }
-
- /*
-- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
-- * data" can (still) be sent to this host.
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
- */
--static bool allow_auth_to_host(struct Curl_easy *data)
-+bool Curl_allow_auth_to_host(struct Curl_easy *data)
- {
- struct connectdata *conn = data->conn;
- return (!data->state.this_is_a_follow ||
-@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
-
- /* To prevent the user+password to get sent to other than the original host
- due to a location-follow */
-- if(allow_auth_to_host(data)
-+ if(Curl_allow_auth_to_host(data)
- #ifndef CURL_DISABLE_NETRC
- || conn->bits.netrc
- #endif
-@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
- checkprefix("Cookie:", compare)) &&
- /* be careful of sending this potentially sensitive header to
- other hosts */
-- !allow_auth_to_host(data))
-+ !Curl_allow_auth_to_host(data))
- ;
- else {
- #ifdef USE_HYPER
-diff --git a/lib/http.h b/lib/http.h
-index 07e963d..9000bae 100644
---- a/lib/http.h
-+++ b/lib/http.h
-@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
- bool proxytunnel); /* TRUE if this is the request setting
- up the proxy tunnel */
-
-+/*
-+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
-+ * "sensitive data" can (still) be sent to this host.
-+ */
-+bool Curl_allow_auth_to_host(struct Curl_easy *data);
-+
- #endif /* HEADER_CURL_HTTP_H */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 1bafe96..97c5666 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -2894,7 +2894,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
- #endif
-
- #ifdef USE_OPENSSL_SRP
-- if(ssl_authtype == CURL_TLSAUTH_SRP) {
-+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
-+ Curl_allow_auth_to_host(data)) {
- char * const ssl_username = SSL_SET_OPTION(username);
-
- infof(data, "Using TLS-SRP username: %s", ssl_username);
---
-2.34.1
-
diff --git a/0006-curl-7.82.0-CVE-2022-27780.patch b/0006-curl-7.82.0-CVE-2022-27780.patch
deleted file mode 100644
index b1c1cf6..0000000
--- a/0006-curl-7.82.0-CVE-2022-27780.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 9 May 2022 08:19:38 +0200 -Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator - bytes - -CVE-2022-27780 - -Reported-by: Axel Chong -Bug: https://curl.se/docs/CVE-2022-27780.html -Closes #8826 - -Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a -Signed-off-by: Kamil Dudka ---- - lib/urlapi.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/urlapi.c b/lib/urlapi.c -index ff00ee4..00222fc 100644 ---- a/lib/urlapi.c -+++ b/lib/urlapi.c -@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) - #endif - } - else { -- /* letters from the second string is not ok */ -- len = strcspn(hostname, " \r\n"); -+ /* letters from the second string are not ok */ -+ len = strcspn(hostname, " \r\n\t/:#?!@"); - if(hlen != len) - /* hostname with bad content */ - return CURLUE_BAD_HOSTNAME; --- -2.34.1 - - -From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 9 May 2022 08:19:38 +0200 -Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix - -Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f -Signed-off-by: Kamil Dudka ---- - tests/libtest/lib1560.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c -index 7614849..84ee933 100644 ---- a/tests/libtest/lib1560.c -+++ b/tests/libtest/lib1560.c -@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={ - - static const struct urltestcase get_url_list[] = { - /* percent encoded host names */ -+ {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, -+ {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, -+ {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, -+ {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, 
-+ {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, -+ {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, -+ {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME}, - {"https://%this", "https://%25this/", 0, 0, CURLUE_OK}, - {"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK}, - {"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK}, --- -2.34.1 - diff --git a/0007-curl-7.82.0-CVE-2022-30115.patch b/0007-curl-7.82.0-CVE-2022-30115.patch deleted file mode 100644 index 916c55a..0000000 --- a/0007-curl-7.82.0-CVE-2022-30115.patch +++ /dev/null 
@@ -1,273 +0,0 @@
-From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 9 May 2022 08:13:54 +0200
-Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
-
-Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 ++
- tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 146 insertions(+)
- create mode 100644 tests/data/test440
- create mode 100644 tests/data/test441
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 175fc43..a5b8dc2 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -72,6 +72,8 @@ test409 test410 \
- \
- test430 test431 test432 test433 test434 test435 test436 \
- \
-+test440 test441 \
-+\
- test490 test491 test492 test493 test494 \
- \
- test500 test501 test502 test503 test504 test505 test506 test507 test508 \
-diff --git a/tests/data/test440 b/tests/data/test440
-new file mode 100644
-index 0000000..c640b02
---- /dev/null
-+++ b/tests/data/test440
-@@ -0,0 +1,72 @@
-+
-+
-+
-+HTTP
-+HSTS
-+trailing-dot
-+
-+
-+
-+
-+
-+# we use this as response to a CONNECT
-+
-+HTTP/1.1 403 not OK at all
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 6
-+Connection: close
-+Funny-head: yesyes
-+
-+-foo-
-+
-+
-+
-+
-+
-+http
-+
-+
-+HSTS
-+proxy
-+https
-+
-+
-+# no trailing dot in the file only in the URL
-+
-+this.hsts.example "99991001 04:47:41"
-+
-+
-+
-+HSTS with trailing-dot host name in URL but none in hsts file
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
-+
-+
-+
-+
-+# we let it CONNECT to the server to confirm HSTS but deny from there
-+
-+CONNECT this.hsts.example.:443 HTTP/1.1
-+Host: this.hsts.example.:443
-+User-Agent: curl/%VERSION
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+HTTP/1.1 403 not OK at all
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 6
-+Connection: close
-+Funny-head: yesyes
-+
-+https://this.hsts.example./%TESTNUMBER
-+
-+# Proxy CONNECT aborted
-+
-+56
-+
-+
-+
-diff --git a/tests/data/test441 b/tests/data/test441
-new file mode 100644
-index 0000000..7f5245b
---- /dev/null
-+++ b/tests/data/test441
-@@ -0,0 +1,72 @@
-+
-+
-+
-+HTTP
-+HSTS
-+trailing-dot
-+
-+
-+
-+
-+
-+# we use this as response to a CONNECT
-+
-+HTTP/1.1 403 not OK at all
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 6
-+Connection: close
-+Funny-head: yesyes
-+
-+-foo-
-+
-+
-+
-+
-+
-+http
-+
-+
-+HSTS
-+proxy
-+https
-+
-+
-+# no trailing dot in the file only in the URL
-+
-+this.hsts.example. "99991001 04:47:41"
-+
-+
-+
-+HSTS with no t-dot host name in URL but t-dot in file
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
-+
-+
-+
-+
-+# we let it CONNECT to the server to confirm HSTS but deny from there
-+
-+CONNECT this.hsts.example:443 HTTP/1.1
-+Host: this.hsts.example:443
-+User-Agent: curl/%VERSION
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+HTTP/1.1 403 not OK at all
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 6
-+Connection: close
-+Funny-head: yesyes
-+
-+https://this.hsts.example/%TESTNUMBER
-+
-+# Proxy CONNECT aborted
-+
-+56
-+
-+
-+
---
-2.34.1
-
-
-From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 9 May 2022 08:13:55 +0200
-Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
-
-CVE-2022-30115
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-30115.html
-Closes #8821
-
-Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
-Signed-off-by: Kamil Dudka
----
- lib/hsts.c | 30 +++++++++++++++++++++++++-----
- 1 file changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/lib/hsts.c b/lib/hsts.c
-index 03fcc9e..b9fa6f7 100644
---- a/lib/hsts.c
-+++ b/lib/hsts.c
-@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
- curl_off_t expires)
- {
- struct stsentry *sts = hsts_entry();
-+ char *duphost;
-+ size_t hlen;
- if(!sts)
- return CURLE_OUT_OF_MEMORY;
-
-- sts->expires = expires;
-- sts->includeSubDomains = subdomains;
-- sts->host = strdup(hostname);
-- if(!sts->host) {
-+ duphost = strdup(hostname);
-+ if(!duphost) {
- free(sts);
- return CURLE_OUT_OF_MEMORY;
- }
-+
-+ hlen = strlen(duphost);
-+ if(duphost[hlen - 1] == '.')
-+ /* strip off trailing any dot */
-+ duphost[--hlen] = 0;
-+
-+ sts->host = duphost;
-+ sts->expires = expires;
-+ sts->includeSubDomains = subdomains;
- Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
- return CURLE_OK;
- }
-@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
- bool subdomain)
- {
- if(h) {
-+ char buffer[MAX_HSTS_HOSTLEN + 1];
- time_t now = time(NULL);
- size_t hlen = strlen(hostname);
- struct Curl_llist_element *e;
- struct Curl_llist_element *n;
-+
-+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
-+ return NULL;
-+ memcpy(buffer, hostname, hlen);
-+ if(hostname[hlen-1] == '.')
-+ /* remove the trailing dot */
-+ --hlen;
-+ buffer[hlen] = 0;
-+ hostname = buffer;
-+
- for(e = h->list.head; e; e = n) {
- struct stsentry *sts = e->ptr;
- n = e->next;
-@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
- CURLSTScode sc;
- DEBUGASSERT(h);
- do {
-- char buffer[257];
-+ char buffer[MAX_HSTS_HOSTLEN + 1];
- struct curl_hstsentry e;
- e.name = buffer;
- e.namelen = sizeof(buffer)-1;
---
-2.34.1
-
diff --git a/0008-curl-7.82.0-CVE-2022-27779.patch b/0008-curl-7.82.0-CVE-2022-27779.patch
deleted file mode 100644
index fad8119..0000000
--- a/0008-curl-7.82.0-CVE-2022-27779.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 9 May 2022 16:47:06 +0200
-Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
-
-When PSL is not enabled
-
-Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 +-
- tests/data/test977 | 60 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 61 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test977
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index a5b8dc2..98d5516 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
- test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
--test972 test973 test974 test975 test976 \
-+test972 test973 test974 test975 test976 test977 \
- \
- test980 test981 test982 test983 test984 test985 test986 \
- \
-diff --git a/tests/data/test977 b/tests/data/test977
-new file mode 100644
-index 0000000..11ff1b7
---- /dev/null
-+++ b/tests/data/test977
-@@ -0,0 +1,60 @@
-+
-+
-+
-+HTTP
-+cookies
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 0
-+Connection: close
-+Content-Type: text/html
-+Set-Cookie: a=b; Domain=.me.;
-+
-+
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+proxy
-+
-+
-+http
-+
-+
-+URL with trailing dot and receiving a cookie for the TLD with dot
-+
-+
-+-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET http://firsthost.me./ HTTP/1.1
-+Host: firsthost.me.
-+User-Agent: curl/%VERSION
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+# Netscape HTTP Cookie File
-+# https://curl.se/docs/http-cookies.html
-+# This file was generated by libcurl! Edit at your own risk.
-+
-+
-+
-+
---
-2.34.1
-
-
-From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 9 May 2022 16:47:06 +0200
-Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
- fine
-
-The check for a dot in the domain must not consider a single trailing
-dot to be fine, as then TLD + trailing dot is fine and curl will accept
-setting cookies for it.
-
-CVE-2022-27779
-
-Reported-by: Axel Chong
-Bug: https://curl.se/docs/CVE-2022-27779.html
-Closes #8820
-
-Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
-Signed-off-by: Kamil Dudka
----
- lib/cookie.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index d418efa..1b8c8f9 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
- /* Make sure domain contains a dot or is localhost. */
- static bool bad_domain(const char *domain)
- {
-- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
-+ if(strcasecompare(domain, "localhost"))
-+ return FALSE;
-+ else {
-+ /* there must be a dot present, but that dot must not be a trailing dot */
-+ char *dot = strchr(domain, '.');
-+ if(dot)
-+ return dot[1] ? FALSE : TRUE;
-+ }
-+ return TRUE;
- }
-
- /*
---
-2.34.1
-
diff --git a/0009-curl-7.82.0-CVE-2022-27782.patch b/0009-curl-7.82.0-CVE-2022-27782.patch
deleted file mode 100644
index b6b55d2..0000000
--- a/0009-curl-7.82.0-CVE-2022-27782.patch
+++ /dev/null
@@ -1,659 +0,0 @@ -From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Thu, 17 Mar 2022 15:31:10 -0400 -Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP - -Prior to this change if, at build time, the GnuTLS backend was found to -have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl -via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur. - -Bug: https://curl.se/mail/lib-2022-03/0046.html -Reported-by: Robert Brose - -Closes https://github.com/curl/curl/pull/8604 - -Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a -Signed-off-by: Kamil Dudka ---- - lib/vtls/gtls.c | 26 +++++++++++++++++--------- - 1 file changed, 17 insertions(+), 9 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 5749376..bc8ef68 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -55,6 +55,14 @@ - /* The last #include file should be: */ - #include "memdebug.h" - -+#ifdef HAVE_GNUTLS_SRP -+/* the function exists */ -+#ifdef USE_TLS_SRP -+/* the functionality is not disabled */ -+#define USE_GNUTLS_SRP -+#endif -+#endif -+ - /* Enable GnuTLS debugging by defining GTLSDEBUG */ - /*#define GTLSDEBUG */ - -@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE; - struct ssl_backend_data { - gnutls_session_t session; - gnutls_certificate_credentials_t cred; --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - gnutls_srp_client_credentials_t srp_client_cred; - #endif - }; -@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data, - return CURLE_SSL_CONNECT_ERROR; - } - --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); - -@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data, - if(result) - return result; - --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - /* Only add SRP to the cipher list if SRP is requested. Otherwise - * GnuTLS will disable TLS 1.3 support. 
*/ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data, - #endif - infof(data, "GnuTLS ciphers: %s", prioritylist); - rc = gnutls_priority_set_direct(session, prioritylist, &err); --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - } - #endif - -@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data, - } - } - --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { - rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, -@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - if(SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost) || - SSL_CONN_CONFIG(issuercert)) { --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL - && !SSL_CONN_CONFIG(verifypeer) -@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - failf(data, "failed to get server cert"); - *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND; - return CURLE_PEER_FAILED_VERIFICATION; --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - } - #endif - } -@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl) - gnutls_certificate_free_credentials(backend->cred); - backend->cred = NULL; - } --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - if(backend->srp_client_cred) { - gnutls_srp_free_client_credentials(backend->srp_client_cred); - backend->srp_client_cred = NULL; -@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, - } - gnutls_certificate_free_credentials(backend->cred); - --#ifdef HAVE_GNUTLS_SRP -+#ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL) - gnutls_srp_free_client_credentials(backend->srp_client_cred); --- -2.35.3 - - -From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001 -From: 
Daniel Stenberg -Date: Mon, 9 May 2022 23:13:53 +0200 -Subject: [PATCH 2/3] tls: check more TLS details for connection reuse - -CVE-2022-27782 - -Reported-by: Harry Sintonen -Bug: https://curl.se/docs/CVE-2022-27782.html -Closes #8825 - -Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c -Signed-off-by: Kamil Dudka ---- - lib/setopt.c | 29 +++++++++++++++++------------ - lib/url.c | 23 ++++++++++++++++------- - lib/urldata.h | 13 +++++++------ - lib/vtls/gtls.c | 32 +++++++++++++++++--------------- - lib/vtls/mbedtls.c | 2 +- - lib/vtls/nss.c | 6 +++--- - lib/vtls/openssl.c | 10 +++++----- - lib/vtls/vtls.c | 21 +++++++++++++++++++++ - 8 files changed, 87 insertions(+), 49 deletions(-) - -diff --git a/lib/setopt.c b/lib/setopt.c -index 8e1bf12..7aa6fdb 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - - case CURLOPT_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); - data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); - data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); -@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_SSL_OPTIONS: - arg = va_arg(param, long); -+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); - data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); - data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); - data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); -@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - case CURLOPT_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], - va_arg(param, char *)); -- 
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ !data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_USERNAME: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], - va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to -+ SRP */ - break; - #endif - case CURLOPT_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], - va_arg(param, char *)); -- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ if(data->set.str[STRING_TLSAUTH_USERNAME] && -+ !data->set.ssl.primary.authtype) -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_PASSWORD: - result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], - va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && -- !data->set.proxy_ssl.authtype) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ -+ !data->set.proxy_ssl.primary.authtype) -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ - break; - #endif - case CURLOPT_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- data->set.ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.ssl.primary.authtype = 
CURL_TLSAUTH_NONE; - break; - #ifndef CURL_DISABLE_PROXY - case CURLOPT_PROXY_TLSAUTH_TYPE: - argptr = va_arg(param, char *); - if(!argptr || - strncasecompare(argptr, "SRP", strlen("SRP"))) -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; - else -- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; -+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; - break; - #endif - #endif -diff --git a/lib/url.c b/lib/url.c -index 94e3406..5ebf5e2 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) - set->ssl.primary.verifypeer = TRUE; - set->ssl.primary.verifyhost = TRUE; - #ifdef USE_TLS_SRP -- set->ssl.authtype = CURL_TLSAUTH_NONE; -+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; - #endif - set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth - type */ -@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) - conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; - conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; - conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; -+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #ifndef CURL_DISABLE_PROXY - conn->proxy_ssl_config.verifystatus = - data->set.proxy_ssl.primary.verifystatus; - conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; - conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; -+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; -+#ifdef USE_TLS_SRP -+#endif - #endif - conn->ip_version = data->set.ipver; - conn->bits.connect_only = data->set.connect_only; -@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.str[STRING_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.primary.issuercert_blob = - data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; -- 
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; -+ data->set.proxy_ssl.primary.CRLfile = -+ data->set.str[STRING_SSL_CRLFILE_PROXY]; - data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; - data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; - data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; -@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, - data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; - data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; - #endif -- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; -+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; - data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; - data->set.ssl.key = data->set.str[STRING_KEY]; - data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; - data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; - data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; - #ifdef USE_TLS_SRP -- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; -- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; -+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; -+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; - #ifndef CURL_DISABLE_PROXY -- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; -+ data->set.proxy_ssl.primary.username = -+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; -+ data->set.proxy_ssl.primary.password = -+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; - #endif - #endif - data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; -diff --git a/lib/urldata.h b/lib/urldata.h -index 5218f76..e006495 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -253,10 +253,17 @@ struct ssl_primary_config { - char *cipher_list; /* list of ciphers to use */ - char 
*cipher_list13; /* list of TLS 1.3 cipher suites to use */ - char *pinned_key; -+ char *CRLfile; /* CRL to check certificate revocation */ - struct curl_blob *cert_blob; - struct curl_blob *ca_info_blob; - struct curl_blob *issuercert_blob; -+#ifdef USE_TLS_SRP -+ char *username; /* TLS username (for, e.g., SRP) */ -+ char *password; /* TLS password (for, e.g., SRP) */ -+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ -+#endif - char *curves; /* list of curves to use */ -+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ - BIT(verifypeer); /* set TRUE if this is desired */ - BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ - BIT(verifystatus); /* set TRUE if certificate status must be checked */ -@@ -266,7 +273,6 @@ struct ssl_primary_config { - struct ssl_config_data { - struct ssl_primary_config primary; - long certverifyresult; /* result from the certificate verification */ -- char *CRLfile; /* CRL to check certificate revocation */ - curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ - void *fsslctxp; /* parameter for call back */ - char *cert_type; /* format for certificate (default: PEM)*/ -@@ -274,11 +280,6 @@ struct ssl_config_data { - struct curl_blob *key_blob; - char *key_type; /* format for private key (default: PEM) */ - char *key_passwd; /* plain text private key password */ --#ifdef USE_TLS_SRP -- char *username; /* TLS username (for, e.g., SRP) */ -- char *password; /* TLS password (for, e.g., SRP) */ -- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ --#endif - BIT(certinfo); /* gather lots of certificate info */ - BIT(falsestart); - BIT(enable_beast); /* allow this flaw for interoperability's sake*/ -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 5749376..ec6be16 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data, - } - - #ifdef USE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == 
CURL_TLSAUTH_SRP) { -- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { -+ infof(data, "Using TLS-SRP username: %s", -+ SSL_SET_OPTION(primary.username)); - - rc = gnutls_srp_allocate_client_credentials( - &backend->srp_client_cred); -@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, - } - - rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, -- SSL_SET_OPTION(username), -- SSL_SET_OPTION(password)); -+ SSL_SET_OPTION(primary.username), -+ SSL_SET_OPTION(primary.password)); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_srp_set_client_cred() failed: %s", - gnutls_strerror(rc)); -@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, - } - #endif - -- if(SSL_SET_OPTION(CRLfile)) { -+ if(SSL_SET_OPTION(primary.CRLfile)) { - /* set the CRL list file */ - rc = gnutls_certificate_set_x509_crl_file(backend->cred, -- SSL_SET_OPTION(CRLfile), -+ SSL_SET_OPTION(primary.CRLfile), - GNUTLS_X509_FMT_PEM); - if(rc < 0) { - failf(data, "error reading crl file %s (%s)", -- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); -+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); - return CURLE_SSL_CRL_BADFILE; - } - else - infof(data, "found %d CRL in %s", -- rc, SSL_SET_OPTION(CRLfile)); -+ rc, SSL_SET_OPTION(primary.CRLfile)); - } - - /* Initialize TLS session as a client */ -@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, - #ifdef USE_GNUTLS_SRP - /* Only add SRP to the cipher list if SRP is requested. Otherwise - * GnuTLS will disable TLS 1.3 support. 
*/ -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { - size_t len = strlen(prioritylist); - - char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); -@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, - - #ifdef USE_GNUTLS_SRP - /* put the credentials to the current session */ -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { - rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, - backend->srp_client_cred); - if(rc != GNUTLS_E_SUCCESS) { -@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - SSL_CONN_CONFIG(verifyhost) || - SSL_CONN_CONFIG(issuercert)) { - #ifdef USE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP -- && SSL_SET_OPTION(username) != NULL -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP -+ && SSL_SET_OPTION(primary.username) != NULL - && !SSL_CONN_CONFIG(verifypeer) - && gnutls_cipher_get(session)) { - /* no peer cert, but auth is ok if we have SRP user and cipher and no -@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - failf(data, "server certificate verification failed. CAfile: %s " - "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): - "none", -- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); -+ SSL_SET_OPTION(primary.CRLfile) ? 
-+ SSL_SET_OPTION(primary.CRLfile) : "none"); - return CURLE_PEER_FAILED_VERIFICATION; - } - else -@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, - gnutls_certificate_free_credentials(backend->cred); - - #ifdef USE_GNUTLS_SRP -- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP -- && SSL_SET_OPTION(username) != NULL) -+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP -+ && SSL_SET_OPTION(primary.username) != NULL) - gnutls_srp_free_client_credentials(backend->srp_client_cred); - #endif - -diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c -index b9fd26a..bd4ad8f 100644 ---- a/lib/vtls/mbedtls.c -+++ b/lib/vtls/mbedtls.c -@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); -- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); -+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - const char * const hostname = SSL_HOST_NAME(); - #ifndef CURL_DISABLE_VERBOSE_STRINGS - const long int port = SSL_HOST_PORT(); -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index 558e3be..892e7d8 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, - } - } - -- if(SSL_SET_OPTION(CRLfile)) { -- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); -+ if(SSL_SET_OPTION(primary.CRLfile)) { -+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); - if(rv) { - result = rv; - goto error; - } -- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); -+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); - } - - if(SSL_SET_OPTION(primary.clientcert)) { -diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c -index 97c5666..a4ef9d1 100644 ---- a/lib/vtls/openssl.c -+++ 
b/lib/vtls/openssl.c -@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #endif - const long int ssl_version = SSL_CONN_CONFIG(version); - #ifdef USE_OPENSSL_SRP -- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); -+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); - #endif - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); -@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); -- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); -+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - char error_buffer[256]; - struct ssl_backend_data *backend = connssl->backend; - bool imported_native_ca = false; -@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, - #ifdef USE_OPENSSL_SRP - if((ssl_authtype == CURL_TLSAUTH_SRP) && - Curl_allow_auth_to_host(data)) { -- char * const ssl_username = SSL_SET_OPTION(username); -- -+ char * const ssl_username = SSL_SET_OPTION(primary.username); -+ char * const ssl_password = SSL_SET_OPTION(primary.password); - infof(data, "Using TLS-SRP username: %s", ssl_username); - - if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { - failf(data, "Unable to set SRP user name"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } -- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { -+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { - failf(data, "failed setting SRP password"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index a40ac06..e2d3438 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, - { 
- if((data->version == needle->version) &&
- (data->version_max == needle->version_max) &&
-+ (data->ssl_options == needle->ssl_options) &&
- (data->verifypeer == needle->verifypeer) &&
- (data->verifyhost == needle->verifyhost) &&
- (data->verifystatus == needle->verifystatus) &&
-@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- Curl_safecmp(data->clientcert, needle->clientcert) &&
- Curl_safecmp(data->random_file, needle->random_file) &&
- Curl_safecmp(data->egdsocket, needle->egdsocket) &&
-+#ifdef USE_TLS_SRP
-+ Curl_safecmp(data->username, needle->username) &&
-+ Curl_safecmp(data->password, needle->password) &&
-+ (data->authtype == needle->authtype) &&
-+#endif
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
- Curl_safe_strcasecompare(data->curves, needle->curves) &&
-+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
- Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
- return TRUE;
-
-@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
- dest->verifyhost = source->verifyhost;
- dest->verifystatus = source->verifystatus;
- dest->sessionid = source->sessionid;
-+ dest->ssl_options = source->ssl_options;
-+#ifdef USE_TLS_SRP
-+ dest->authtype = source->authtype;
-+#endif
-
- CLONE_BLOB(cert_blob);
- CLONE_BLOB(ca_info_blob);
-@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
- CLONE_STRING(cipher_list13);
- CLONE_STRING(pinned_key);
- CLONE_STRING(curves);
-+ CLONE_STRING(CRLfile);
-+#ifdef USE_TLS_SRP
-+ CLONE_STRING(username);
-+ CLONE_STRING(password);
-+#endif
-
- return TRUE;
- }
-@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- Curl_safefree(sslc->ca_info_blob);
- Curl_safefree(sslc->issuercert_blob);
- Curl_safefree(sslc->curves);
-+ Curl_safefree(sslc->CRLfile);
-+#ifdef USE_TLS_SRP
-+ Curl_safefree(sslc->username);
-+ Curl_safefree(sslc->password);
-+#endif
- }
-
- #ifdef USE_SSL
---
-2.34.1
-
-
-From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 9 May 2022 23:13:53 +0200
-Subject: [PATCH 3/3] url: check SSH config match on connection reuse
-
-CVE-2022-27782
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2022-27782.html
-Closes #8825
-
-Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
-Signed-off-by: Kamil Dudka
----
- lib/url.c | 11 +++++++++++
- lib/vssh/ssh.h | 6 +++---
- 2 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index 5ebf5e2..c713e54 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
- }
- }
-
-+static bool ssh_config_matches(struct connectdata *one,
-+ struct connectdata *two)
-+{
-+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
-+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
-+}
- /*
- * Given one filled in connection struct (named needle), this function should
- * detect if there already is one that has all the significant details
-@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
- (data->state.httpwant < CURL_HTTP_VERSION_2_0))
- continue;
-
-+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
-+ if(!ssh_config_matches(needle, check))
-+ continue;
-+ }
-+
- if((needle->handler->flags&PROTOPT_SSL)
- #ifndef CURL_DISABLE_PROXY
- || !needle->bits.httpproxy || needle->bits.tunnel_proxy
-diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
-index 7972081..30d82e5 100644
---- a/lib/vssh/ssh.h
-+++ b/lib/vssh/ssh.h
-@@ -7,7 +7,7 @@
- * | (__| |_| | _ <| |___
- * \___|\___/|_| \_\_____|
- *
-- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
- *
- * This software is licensed as described in the file COPYING, which
- * you should have received as part of this distribution. The terms
-@@ -131,8 +131,8 @@ struct ssh_conn {
-
- /* common */
- const char *passphrase; /* pass-phrase to use */
-- char *rsa_pub; /* path name */
-- char *rsa; /* path name */
-+ char *rsa_pub; /* strdup'ed public key file */
-+ char *rsa; /* strdup'ed private key file */
- bool authed; /* the connection has been authenticated fine */
- bool acceptfail; /* used by the SFTP_QUOTE (continue if
- quote command fails) */
---
-2.34.1
-
diff --git a/0010-curl-7.82.0-CVE-2022-32208.patch b/0010-curl-7.82.0-CVE-2022-32208.patch
deleted file mode 100644
index 34e7d2e..0000000
--- a/0010-curl-7.82.0-CVE-2022-32208.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 9 Jun 2022 09:27:24 +0200
-Subject: [PATCH] krb5: return error properly on decode errors
-
-Bug: https://curl.se/docs/CVE-2022-32208.html
-CVE-2022-32208
-Reported-by: Harry Sintonen
-Closes #9051
-
-Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
-Signed-off-by: Kamil Dudka
----
- lib/krb5.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/lib/krb5.c b/lib/krb5.c
-index 787137c..6f9e1f7 100644
---- a/lib/krb5.c
-+++ b/lib/krb5.c
-@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
- enc.value = buf;
- enc.length = len;
- maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
-- if(maj != GSS_S_COMPLETE) {
-- if(len >= 4)
-- strcpy(buf, "599 ");
-+ if(maj != GSS_S_COMPLETE)
- return -1;
-- }
-
- memcpy(buf, dec.value, dec.length);
- len = curlx_uztosi(dec.length);
-@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
- {
- int len;
- CURLcode result;
-+ int nread;
-
- result = socket_read(fd, &len, sizeof(len));
- if(result)
-@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
- if(len) {
- /* only realloc if there was a length */
- len = ntohl(len);
-- buf->data = Curl_saferealloc(buf->data, len);
-+ if(len > CURL_MAX_INPUT_LENGTH)
-+ len = 0;
-+ else
-+ buf->data = Curl_saferealloc(buf->data, len);
- }
- if(!len || !buf->data)
- return CURLE_OUT_OF_MEMORY;
-@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
- result = socket_read(fd, buf->data, len);
- if(result)
- return result;
-- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
-- conn->data_prot, conn);
-+ nread = conn->mech->decode(conn->app_data, buf->data, len,
-+ conn->data_prot, conn);
-+ if(nread < 0)
-+ return CURLE_RECV_ERROR;
-+ buf->size = (size_t)nread;
- buf->index = 0;
- return CURLE_OK;
- }
---
-2.35.3
-
diff --git a/0011-curl-7.82.0-CVE-2022-32206.patch b/0011-curl-7.82.0-CVE-2022-32206.patch
deleted file mode 100644
index 07c7fdf..0000000
--- a/0011-curl-7.82.0-CVE-2022-32206.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 16 May 2022 16:28:13 +0200 -Subject: [PATCH 1/2] content_encoding: return error on too many compression - steps - -The max allowed steps is arbitrarily set to 5. - -Bug: https://curl.se/docs/CVE-2022-32206.html -CVE-2022-32206 -Reported-by: Harry Sintonen -Closes #9049 - -Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 -Signed-off-by: Kamil Dudka ---- - lib/content_encoding.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index c03637a..6f994b3 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name, - return NULL; - } - -+/* allow no more than 5 "chained" compression steps */ -+#define MAX_ENCODE_STACK 5 -+ - /* Set-up the unencoding stack from the Content-Encoding header value. - * See RFC 7231 section 3.1.2.2. */ - CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - const char *enclist, int maybechunked) - { - struct SingleRequest *k = &data->req; -+ int counter = 0; - - do { - const char *name; -@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - if(!encoding) - encoding = &error_encoding; /* Defer error at stack use. */ - -+ if(++counter >= MAX_ENCODE_STACK) { -+ failf(data, "Reject response due to %u content encodings", -+ counter); -+ return CURLE_BAD_CONTENT_ENCODING; -+ } - /* Stack the unencoding stage. 
*/ - writer = new_unencoding_writer(data, encoding, k->writer_stack); - if(!writer) --- -2.35.3 - - -From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 16 May 2022 16:29:07 +0200 -Subject: [PATCH 2/2] test387: verify rejection of compression chain attack - -Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 2 +- - tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 54 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test387 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 98d5516..9b5f4fb 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \ - test361 test362 test363 test364 test365 test366 test367 test368 test369 \ - test370 test371 test372 test373 test374 \ - \ --test380 test381 test383 test384 test385 test386 \ -+test380 test381 test383 test384 test385 test386 test387 \ - \ - test392 test393 test394 test395 test396 test397 \ - \ -diff --git a/tests/data/test387 b/tests/data/test387 -new file mode 100644 -index 0000000..015ec25 ---- /dev/null -+++ b/tests/data/test387 -@@ -0,0 +1,53 @@ -+ -+ -+ -+HTTP -+gzip -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Response with overly long compression 
chain -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+# CURLE_BAD_CONTENT_ENCODING is 61 -+ -+61 -+ -+ -+curl: (61) Reject response due to 5 content encodings -+ -+ -+ --- -2.35.3 - diff --git a/0012-curl-7.82.0-CVE-2022-32205.patch b/0012-curl-7.82.0-CVE-2022-32205.patch deleted file mode 100644 index 9d78480..0000000 --- a/0012-curl-7.82.0-CVE-2022-32205.patch +++ /dev/null 
@@ -1,740 +0,0 @@
-From 64ecb3818ca335ce79ef539e962ee5d02f6fb365 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sun, 26 Jun 2022 11:00:48 +0200
-Subject: [PATCH 1/3] cookie: apply limits
-
-- Send no more than 150 cookies per request
-- Cap the max length used for a cookie: header to 8K
-- Cap the max number of received Set-Cookie: headers to 50
-
-Bug: https://curl.se/docs/CVE-2022-32205.html
-CVE-2022-32205
-Reported-by: Harry Sintonen
-Closes #9048
-
-Upstream-commit: 48d7064a49148f03942380967da739dcde1cdc24
-Signed-off-by: Kamil Dudka
----
- lib/cookie.c | 14 ++++++++++++--
- lib/cookie.h | 21 +++++++++++++++++++--
- lib/http.c | 13 +++++++++++--
- lib/urldata.h | 1 +
- 4 files changed, 43 insertions(+), 6 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index 1b8c8f9..8a6aa1a 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -477,6 +477,10 @@ Curl_cookie_add(struct Curl_easy *data,
- (void)data;
- #endif
-
-+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
-+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
-+ return NULL;
-+
- /* First, alloc and init a new struct for it */
- co = calloc(1, sizeof(struct Cookie));
- if(!co)
-@@ -816,7 +820,7 @@ Curl_cookie_add(struct Curl_easy *data,
- freecookie(co);
- return NULL;
- }
--
-+ data->req.setcookies++;
- }
- else {
- /*
-@@ -1354,7 +1358,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
- *
- * It shall only return cookies that haven't expired.
- */
--struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
-+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
-+ struct CookieInfo *c,
- const char *host, const char *path,
- bool secure)
- {
-@@ -1409,6 +1414,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
- mainco = newco;
-
- matches++;
-+ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
-+ infof(data, "Included max number of cookies (%u) in request!",
-+ matches);
-+ break;
-+ }
- }
- else
- goto fail;
-diff --git a/lib/cookie.h b/lib/cookie.h
-index 0ffe08e..7411980 100644
---- a/lib/cookie.h
-+++ b/lib/cookie.h
-@@ -81,10 +81,26 @@ struct CookieInfo {
- */
- #define MAX_COOKIE_LINE 5000
-
--/* This is the maximum length of a cookie name or content we deal with: */
-+/* Maximum length of an incoming cookie name or content we deal with. Longer
-+ cookies are ignored. */
- #define MAX_NAME 4096
- #define MAX_NAME_TXT "4095"
-
-+/* Maximum size for an outgoing cookie line libcurl will use in an http
-+ request. This is the default maximum length used in some versions of Apache
-+ httpd. */
-+#define MAX_COOKIE_HEADER_LEN 8190
-+
-+/* Maximum number of cookies libcurl will send in a single request, even if
-+ there might be more cookies that match. One reason to cap the number is to
-+ keep the maximum HTTP request within the maximum allowed size. */
-+#define MAX_COOKIE_SEND_AMOUNT 150
-+
-+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
-+ such header lines are received, they are ignored. This value must be less
-+ than 256 since an unsigned char is used to count. */
-+#define MAX_SET_COOKIE_AMOUNT 50
-+
- struct Curl_easy;
- /*
- * Add a cookie to the internal list of cookies. The domain and path arguments
-@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
- const char *domain, const char *path,
- bool secure);
-
--struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
-+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
-+ struct CookieInfo *c, const char *host,
- const char *path, bool secure);
- void Curl_cookie_freelist(struct Cookie *cookies);
- void Curl_cookie_clearall(struct CookieInfo *cookies);
-diff --git a/lib/http.c b/lib/http.c
-index 4433824..2c8b0c4 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -2709,12 +2709,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
- }
-
- #if !defined(CURL_DISABLE_COOKIES)
-+
- CURLcode Curl_http_cookies(struct Curl_easy *data,
- struct connectdata *conn,
- struct dynbuf *r)
- {
- CURLcode result = CURLE_OK;
- char *addcookies = NULL;
-+ bool linecap = FALSE;
- if(data->set.str[STRING_COOKIE] &&
- !Curl_checkheaders(data, STRCONST("Cookie")))
- addcookies = data->set.str[STRING_COOKIE];
-@@ -2732,7 +2734,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- !strcmp(host, "127.0.0.1") ||
- !strcmp(host, "[::1]") ? TRUE : FALSE;
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
-- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
-+ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
- secure_context);
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
-@@ -2746,6 +2748,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- if(result)
- break;
- }
-+ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
-+ MAX_COOKIE_HEADER_LEN) {
-+ infof(data, "Restricted outgoing cookies due to header size, "
-+ "'%s' not sent", co->name);
-+ linecap = TRUE;
-+ break;
-+ }
- result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
- co->name, co->value);
- if(result)
-@@ -2756,7 +2765,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- }
- Curl_cookie_freelist(store);
- }
-- if(addcookies && !result) {
-+ if(addcookies && !result && !linecap) {
- if(!count)
- result = Curl_dyn_addn(r, STRCONST("Cookie: "));
- if(!result) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index e006495..54faf7d 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -707,6 +707,7 @@ struct SingleRequest {
- #ifndef CURL_DISABLE_DOH
- struct dohdata *doh; /* DoH specific data for this request */
- #endif
-+ unsigned char setcookies;
- BIT(header); /* incoming data has HTTP header */
- BIT(content_range); /* set TRUE if Content-Range: was found */
- BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
---
-2.35.3
-
-
-From 2aa646531df114b99d19b33071ff53cebbd689ce Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sun, 26 Jun 2022 11:01:01 +0200
-Subject: [PATCH 2/3] test442/443: test cookie caps
-
-442 - verify that only 150 cookies are sent
-443 - verify that the cookie: header remains less than 8K in size
-
-Upstream-commit: ff2b2bcf687572d173688832f0913a43de1a2bf8
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 +-
- tests/data/test442 | 209 ++++++++++++++++++++++++++++++++++++++++
-
tests/data/test443 | 78 +++++++++++++++ - 3 files changed, 288 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test442 - create mode 100644 tests/data/test443 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 9b5f4fb..fe04fee 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -72,7 +72,7 @@ test409 test410 \ - \ - test430 test431 test432 test433 test434 test435 test436 \ - \ --test440 test441 \ -+test440 test441 test442 test443 \ - \ - test490 test491 test492 test493 test494 \ - \ -diff --git a/tests/data/test442 b/tests/data/test442 -new file mode 100644 -index 0000000..1b00d20 ---- /dev/null -+++ b/tests/data/test442 -@@ -0,0 +1,209 @@ -+# perl: -+# -+# for(1 .. 151) { -+# print join("\t", -+# "attack.invalid", "TRUE", "/", "FALSE", "0", -+# "name$_", "could-be-large-$_")."\n"; -+# } -+# -+ -+ -+ -+HTTP -+cookies -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 6 -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Send capped huge number of matching cookies -+ -+ -+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L -+ -+ -+attack.invalid TRUE / FALSE 0 name1 could-be-large-1 -+attack.invalid TRUE / FALSE 0 name2 could-be-large-2 -+attack.invalid TRUE / FALSE 0 name3 could-be-large-3 -+attack.invalid TRUE / FALSE 0 name4 could-be-large-4 -+attack.invalid TRUE / FALSE 0 name5 could-be-large-5 -+attack.invalid TRUE / FALSE 0 name6 could-be-large-6 -+attack.invalid TRUE / FALSE 0 name7 could-be-large-7 -+attack.invalid TRUE / FALSE 0 name8 could-be-large-8 -+attack.invalid TRUE / FALSE 0 name9 could-be-large-9 -+attack.invalid TRUE / FALSE 0 name10 could-be-large-10 -+attack.invalid TRUE / FALSE 0 name11 could-be-large-11 -+attack.invalid TRUE / FALSE 0 name12 could-be-large-12 -+attack.invalid TRUE / FALSE 0 name13 could-be-large-13 
-+attack.invalid TRUE / FALSE 0 name14 could-be-large-14 -+attack.invalid TRUE / FALSE 0 name15 could-be-large-15 -+attack.invalid TRUE / FALSE 0 name16 could-be-large-16 -+attack.invalid TRUE / FALSE 0 name17 could-be-large-17 -+attack.invalid TRUE / FALSE 0 name18 could-be-large-18 -+attack.invalid TRUE / FALSE 0 name19 could-be-large-19 -+attack.invalid TRUE / FALSE 0 name20 could-be-large-20 -+attack.invalid TRUE / FALSE 0 name21 could-be-large-21 -+attack.invalid TRUE / FALSE 0 name22 could-be-large-22 -+attack.invalid TRUE / FALSE 0 name23 could-be-large-23 -+attack.invalid TRUE / FALSE 0 name24 could-be-large-24 -+attack.invalid TRUE / FALSE 0 name25 could-be-large-25 -+attack.invalid TRUE / FALSE 0 name26 could-be-large-26 -+attack.invalid TRUE / FALSE 0 name27 could-be-large-27 -+attack.invalid TRUE / FALSE 0 name28 could-be-large-28 -+attack.invalid TRUE / FALSE 0 name29 could-be-large-29 -+attack.invalid TRUE / FALSE 0 name30 could-be-large-30 -+attack.invalid TRUE / FALSE 0 name31 could-be-large-31 -+attack.invalid TRUE / FALSE 0 name32 could-be-large-32 -+attack.invalid TRUE / FALSE 0 name33 could-be-large-33 -+attack.invalid TRUE / FALSE 0 name34 could-be-large-34 -+attack.invalid TRUE / FALSE 0 name35 could-be-large-35 -+attack.invalid TRUE / FALSE 0 name36 could-be-large-36 -+attack.invalid TRUE / FALSE 0 name37 could-be-large-37 -+attack.invalid TRUE / FALSE 0 name38 could-be-large-38 -+attack.invalid TRUE / FALSE 0 name39 could-be-large-39 -+attack.invalid TRUE / FALSE 0 name40 could-be-large-40 -+attack.invalid TRUE / FALSE 0 name41 could-be-large-41 -+attack.invalid TRUE / FALSE 0 name42 could-be-large-42 -+attack.invalid TRUE / FALSE 0 name43 could-be-large-43 -+attack.invalid TRUE / FALSE 0 name44 could-be-large-44 -+attack.invalid TRUE / FALSE 0 name45 could-be-large-45 -+attack.invalid TRUE / FALSE 0 name46 could-be-large-46 -+attack.invalid TRUE / FALSE 0 name47 could-be-large-47 -+attack.invalid TRUE / FALSE 0 name48 could-be-large-48 
-+attack.invalid TRUE / FALSE 0 name49 could-be-large-49 -+attack.invalid TRUE / FALSE 0 name50 could-be-large-50 -+attack.invalid TRUE / FALSE 0 name51 could-be-large-51 -+attack.invalid TRUE / FALSE 0 name52 could-be-large-52 -+attack.invalid TRUE / FALSE 0 name53 could-be-large-53 -+attack.invalid TRUE / FALSE 0 name54 could-be-large-54 -+attack.invalid TRUE / FALSE 0 name55 could-be-large-55 -+attack.invalid TRUE / FALSE 0 name56 could-be-large-56 -+attack.invalid TRUE / FALSE 0 name57 could-be-large-57 -+attack.invalid TRUE / FALSE 0 name58 could-be-large-58 -+attack.invalid TRUE / FALSE 0 name59 could-be-large-59 -+attack.invalid TRUE / FALSE 0 name60 could-be-large-60 -+attack.invalid TRUE / FALSE 0 name61 could-be-large-61 -+attack.invalid TRUE / FALSE 0 name62 could-be-large-62 -+attack.invalid TRUE / FALSE 0 name63 could-be-large-63 -+attack.invalid TRUE / FALSE 0 name64 could-be-large-64 -+attack.invalid TRUE / FALSE 0 name65 could-be-large-65 -+attack.invalid TRUE / FALSE 0 name66 could-be-large-66 -+attack.invalid TRUE / FALSE 0 name67 could-be-large-67 -+attack.invalid TRUE / FALSE 0 name68 could-be-large-68 -+attack.invalid TRUE / FALSE 0 name69 could-be-large-69 -+attack.invalid TRUE / FALSE 0 name70 could-be-large-70 -+attack.invalid TRUE / FALSE 0 name71 could-be-large-71 -+attack.invalid TRUE / FALSE 0 name72 could-be-large-72 -+attack.invalid TRUE / FALSE 0 name73 could-be-large-73 -+attack.invalid TRUE / FALSE 0 name74 could-be-large-74 -+attack.invalid TRUE / FALSE 0 name75 could-be-large-75 -+attack.invalid TRUE / FALSE 0 name76 could-be-large-76 -+attack.invalid TRUE / FALSE 0 name77 could-be-large-77 -+attack.invalid TRUE / FALSE 0 name78 could-be-large-78 -+attack.invalid TRUE / FALSE 0 name79 could-be-large-79 -+attack.invalid TRUE / FALSE 0 name80 could-be-large-80 -+attack.invalid TRUE / FALSE 0 name81 could-be-large-81 -+attack.invalid TRUE / FALSE 0 name82 could-be-large-82 -+attack.invalid TRUE / FALSE 0 name83 could-be-large-83 
-+attack.invalid TRUE / FALSE 0 name84 could-be-large-84 -+attack.invalid TRUE / FALSE 0 name85 could-be-large-85 -+attack.invalid TRUE / FALSE 0 name86 could-be-large-86 -+attack.invalid TRUE / FALSE 0 name87 could-be-large-87 -+attack.invalid TRUE / FALSE 0 name88 could-be-large-88 -+attack.invalid TRUE / FALSE 0 name89 could-be-large-89 -+attack.invalid TRUE / FALSE 0 name90 could-be-large-90 -+attack.invalid TRUE / FALSE 0 name91 could-be-large-91 -+attack.invalid TRUE / FALSE 0 name92 could-be-large-92 -+attack.invalid TRUE / FALSE 0 name93 could-be-large-93 -+attack.invalid TRUE / FALSE 0 name94 could-be-large-94 -+attack.invalid TRUE / FALSE 0 name95 could-be-large-95 -+attack.invalid TRUE / FALSE 0 name96 could-be-large-96 -+attack.invalid TRUE / FALSE 0 name97 could-be-large-97 -+attack.invalid TRUE / FALSE 0 name98 could-be-large-98 -+attack.invalid TRUE / FALSE 0 name99 could-be-large-99 -+attack.invalid TRUE / FALSE 0 name100 could-be-large-100 -+attack.invalid TRUE / FALSE 0 name101 could-be-large-101 -+attack.invalid TRUE / FALSE 0 name102 could-be-large-102 -+attack.invalid TRUE / FALSE 0 name103 could-be-large-103 -+attack.invalid TRUE / FALSE 0 name104 could-be-large-104 -+attack.invalid TRUE / FALSE 0 name105 could-be-large-105 -+attack.invalid TRUE / FALSE 0 name106 could-be-large-106 -+attack.invalid TRUE / FALSE 0 name107 could-be-large-107 -+attack.invalid TRUE / FALSE 0 name108 could-be-large-108 -+attack.invalid TRUE / FALSE 0 name109 could-be-large-109 -+attack.invalid TRUE / FALSE 0 name110 could-be-large-110 -+attack.invalid TRUE / FALSE 0 name111 could-be-large-111 -+attack.invalid TRUE / FALSE 0 name112 could-be-large-112 -+attack.invalid TRUE / FALSE 0 name113 could-be-large-113 -+attack.invalid TRUE / FALSE 0 name114 could-be-large-114 -+attack.invalid TRUE / FALSE 0 name115 could-be-large-115 -+attack.invalid TRUE / FALSE 0 name116 could-be-large-116 -+attack.invalid TRUE / FALSE 0 name117 could-be-large-117 -+attack.invalid TRUE / 
FALSE 0 name118 could-be-large-118 -+attack.invalid TRUE / FALSE 0 name119 could-be-large-119 -+attack.invalid TRUE / FALSE 0 name120 could-be-large-120 -+attack.invalid TRUE / FALSE 0 name121 could-be-large-121 -+attack.invalid TRUE / FALSE 0 name122 could-be-large-122 -+attack.invalid TRUE / FALSE 0 name123 could-be-large-123 -+attack.invalid TRUE / FALSE 0 name124 could-be-large-124 -+attack.invalid TRUE / FALSE 0 name125 could-be-large-125 -+attack.invalid TRUE / FALSE 0 name126 could-be-large-126 -+attack.invalid TRUE / FALSE 0 name127 could-be-large-127 -+attack.invalid TRUE / FALSE 0 name128 could-be-large-128 -+attack.invalid TRUE / FALSE 0 name129 could-be-large-129 -+attack.invalid TRUE / FALSE 0 name130 could-be-large-130 -+attack.invalid TRUE / FALSE 0 name131 could-be-large-131 -+attack.invalid TRUE / FALSE 0 name132 could-be-large-132 -+attack.invalid TRUE / FALSE 0 name133 could-be-large-133 -+attack.invalid TRUE / FALSE 0 name134 could-be-large-134 -+attack.invalid TRUE / FALSE 0 name135 could-be-large-135 -+attack.invalid TRUE / FALSE 0 name136 could-be-large-136 -+attack.invalid TRUE / FALSE 0 name137 could-be-large-137 -+attack.invalid TRUE / FALSE 0 name138 could-be-large-138 -+attack.invalid TRUE / FALSE 0 name139 could-be-large-139 -+attack.invalid TRUE / FALSE 0 name140 could-be-large-140 -+attack.invalid TRUE / FALSE 0 name141 could-be-large-141 -+attack.invalid TRUE / FALSE 0 name142 could-be-large-142 -+attack.invalid TRUE / FALSE 0 name143 could-be-large-143 -+attack.invalid TRUE / FALSE 0 name144 could-be-large-144 -+attack.invalid TRUE / FALSE 0 name145 could-be-large-145 -+attack.invalid TRUE / FALSE 0 name146 could-be-large-146 -+attack.invalid TRUE / FALSE 0 name147 could-be-large-147 -+attack.invalid TRUE / FALSE 0 name148 could-be-large-148 -+attack.invalid TRUE / FALSE 0 name149 could-be-large-149 -+attack.invalid TRUE / FALSE 0 name150 could-be-large-150 -+attack.invalid TRUE / FALSE 0 name151 could-be-large-151 -+ -+ -+ -+# -+# 
Verify data after the test has been "shot" -+ -+ -+GET /a/b/%TESTNUMBER HTTP/1.1 -+Host: attack.invalid:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+Cookie: name150=could-be-large-150; name149=could-be-large-149; name148=could-be-large-148; name147=could-be-large-147; name146=could-be-large-146; name145=could-be-large-145; name144=could-be-large-144; name143=could-be-large-143; name142=could-be-large-142; name141=could-be-large-141; name140=could-be-large-140; name139=could-be-large-139; name138=could-be-large-138; name137=could-be-large-137; name136=could-be-large-136; name135=could-be-large-135; name134=could-be-large-134; name133=could-be-large-133; name132=could-be-large-132; name131=could-be-large-131; name130=could-be-large-130; name129=could-be-large-129; name128=could-be-large-128; name127=could-be-large-127; name126=could-be-large-126; name125=could-be-large-125; name124=could-be-large-124; name123=could-be-large-123; name122=could-be-large-122; name121=could-be-large-121; name120=could-be-large-120; name119=could-be-large-119; name118=could-be-large-118; name117=could-be-large-117; name116=could-be-large-116; name115=could-be-large-115; name114=could-be-large-114; name113=could-be-large-113; name112=could-be-large-112; name111=could-be-large-111; name110=could-be-large-110; name109=could-be-large-109; name108=could-be-large-108; name107=could-be-large-107; name106=could-be-large-106; name105=could-be-large-105; name104=could-be-large-104; name103=could-be-large-103; name102=could-be-large-102; name101=could-be-large-101; name100=could-be-large-100; name99=could-be-large-99; name98=could-be-large-98; name97=could-be-large-97; name96=could-be-large-96; name95=could-be-large-95; name94=could-be-large-94; name93=could-be-large-93; name92=could-be-large-92; name91=could-be-large-91; name90=could-be-large-90; name89=could-be-large-89; name88=could-be-large-88; name87=could-be-large-87; name86=could-be-large-86; name85=could-be-large-85; 
name84=could-be-large-84; name83=could-be-large-83; name82=could-be-large-82; name81=could-be-large-81; name80=could-be-large-80; name79=could-be-large-79; name78=could-be-large-78; name77=could-be-large-77; name76=could-be-large-76; name75=could-be-large-75; name74=could-be-large-74; name73=could-be-large-73; name72=could-be-large-72; name71=could-be-large-71; name70=could-be-large-70; name69=could-be-large-69; name68=could-be-large-68; name67=could-be-large-67; name66=could-be-large-66; name65=could-be-large-65; name64=could-be-large-64; name63=could-be-large-63; name62=could-be-large-62; name61=could-be-large-61; name60=could-be-large-60; name59=could-be-large-59; name58=could-be-large-58; name57=could-be-large-57; name56=could-be-large-56; name55=could-be-large-55; name54=could-be-large-54; name53=could-be-large-53; name52=could-be-large-52; name51=could-be-large-51; name50=could-be-large-50; name49=could-be-large-49; name48=could-be-large-48; name47=could-be-large-47; name46=could-be-large-46; name45=could-be-large-45; name44=could-be-large-44; name43=could-be-large-43; name42=could-be-large-42; name41=could-be-large-41; name40=could-be-large-40; name39=could-be-large-39; name38=could-be-large-38; name37=could-be-large-37; name36=could-be-large-36; name35=could-be-large-35; name34=could-be-large-34; name33=could-be-large-33; name32=could-be-large-32; name31=could-be-large-31; name30=could-be-large-30; name29=could-be-large-29; name28=could-be-large-28; name27=could-be-large-27; name26=could-be-large-26; name25=could-be-large-25; name24=could-be-large-24; name23=could-be-large-23; name22=could-be-large-22; name21=could-be-large-21; name20=could-be-large-20; name19=could-be-large-19; name18=could-be-large-18; name17=could-be-large-17; name16=could-be-large-16; name15=could-be-large-15; name14=could-be-large-14; name13=could-be-large-13; name12=could-be-large-12; name11=could-be-large-11; name10=could-be-large-10; name9=could-be-large-9; name8=could-be-large-8; 
name7=could-be-large-7; name6=could-be-large-6; name5=could-be-large-5; name4=could-be-large-4; name3=could-be-large-3; name2=could-be-large-2; name1=could-be-large-1 -+ -+ -+ -+ -diff --git a/tests/data/test443 b/tests/data/test443 -new file mode 100644 -index 0000000..996b1d3 ---- /dev/null -+++ b/tests/data/test443 -@@ -0,0 +1,78 @@ -+# perl: -+# -+#for(1 .. 20) { -+# print join("\t", -+# "attack.invalid", "TRUE", "/", "FALSE", "0", -+# "huge-$_", ('a' x 500)."-$_")."\n"; -+#} -+# -+ -+ -+ -+HTTP -+cookies -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Content-Length: 6 -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Cookie header in request no longer than 8K -+ -+ -+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L -+ -+ -+attack.invalid TRUE / FALSE 0 huge-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1 -+attack.invalid TRUE / FALSE 0 huge-2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2 -+attack.invalid TRUE / 
FALSE 0 huge-3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-3 -+attack.invalid TRUE / FALSE 0 huge-4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-4 -+attack.invalid TRUE / FALSE 0 huge-5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5 -+attack.invalid TRUE / FALSE 0 huge-6 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 -+attack.invalid TRUE / FALSE 0 huge-7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7 -+attack.invalid TRUE / FALSE 0 huge-8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8 -+attack.invalid TRUE / FALSE 0 huge-9 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9 -+attack.invalid TRUE / FALSE 0 huge-10 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10 -+attack.invalid TRUE / FALSE 0 huge-11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11 -+attack.invalid TRUE / FALSE 0 huge-12 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12 -+attack.invalid TRUE / FALSE 0 huge-13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13 -+attack.invalid TRUE / FALSE 0 huge-14 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14 -+attack.invalid TRUE / FALSE 0 huge-15 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15 -+attack.invalid TRUE / FALSE 0 huge-16 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16 -+attack.invalid TRUE / FALSE 0 huge-17 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17 -+attack.invalid TRUE / FALSE 0 huge-18 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18 -+attack.invalid TRUE / FALSE 0 huge-19 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19 -+attack.invalid TRUE / FALSE 0 huge-20 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20 -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /a/b/%TESTNUMBER HTTP/1.1 -+Host: attack.invalid:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+Cookie: 
huge-20=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20; huge-19=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19; huge-18=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18; 
huge-17=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17; huge-16=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16; huge-15=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15; 
huge-14=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14; huge-13=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13; huge-12=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12; 
huge-11=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11; huge-10=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10; huge-9=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9; 
huge-8=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8; huge-7=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7; huge-6=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 -+ -+ -+ -+ --- -2.35.3 - - -From a09261fa4976562735320e4e953ca4f4c81ec452 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 26 Jun 2022 11:01:01 +0200 -Subject: [PATCH 3/3] test444: test many received Set-Cookie: - -The amount of sent cookies in the test is limited to 80 because hyper -has its own strict limits in how many headers it allows to be received -which triggers at some point beyond this number. 
-
-Upstream-commit: 46f8911d3942dc06fdd67e9f6f3908982e5d2fb4
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.inc | 2 +-
- tests/data/test444 | 189 ++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 190 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test444
-
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index fe04fee..c38f2d2 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -72,7 +72,7 @@ test409 test410 \
- \
- test430 test431 test432 test433 test434 test435 test436 \
- \
--test440 test441 test442 test443 \
-+test440 test441 test442 test443 test444 \
- \
- test490 test491 test492 test493 test494 \
- \
-diff --git a/tests/data/test444 b/tests/data/test444
-new file mode 100644
-index 0000000..9bdd4a7
---- /dev/null
-+++ b/tests/data/test444
-@@ -0,0 +1,189 @@
-+# perl:
-+#
-+#for(1 .. 200) {
-+#
-+#}
-+#
-+
-+
-+
-+HTTP
-+cookies
-+
-+
-+
-+#
-+# Server-side
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 09 Nov 2010 14:49:00 GMT
-+Server: test-server/fake
-+Content-Length: 6
-+Set-Cookie: cookie-1=yes;
-+Set-Cookie: cookie-2=yes;
-+Set-Cookie: cookie-3=yes;
-+Set-Cookie: cookie-4=yes;
-+Set-Cookie: cookie-5=yes;
-+Set-Cookie: cookie-6=yes;
-+Set-Cookie: cookie-7=yes;
-+Set-Cookie: cookie-8=yes;
-+Set-Cookie: cookie-9=yes;
-+Set-Cookie: cookie-10=yes;
-+Set-Cookie: cookie-11=yes;
-+Set-Cookie: cookie-12=yes;
-+Set-Cookie: cookie-13=yes;
-+Set-Cookie: cookie-14=yes;
-+Set-Cookie: cookie-15=yes;
-+Set-Cookie: cookie-16=yes;
-+Set-Cookie: cookie-17=yes;
-+Set-Cookie: cookie-18=yes;
-+Set-Cookie: cookie-19=yes;
-+Set-Cookie: cookie-20=yes;
-+Set-Cookie: cookie-21=yes;
-+Set-Cookie: cookie-22=yes;
-+Set-Cookie: cookie-23=yes;
-+Set-Cookie: cookie-24=yes;
-+Set-Cookie: cookie-25=yes;
-+Set-Cookie: cookie-26=yes;
-+Set-Cookie: cookie-27=yes;
-+Set-Cookie: cookie-28=yes;
-+Set-Cookie: cookie-29=yes;
-+Set-Cookie: cookie-30=yes;
-+Set-Cookie: cookie-31=yes;
-+Set-Cookie: cookie-32=yes;
-+Set-Cookie:
cookie-33=yes;
-+Set-Cookie: cookie-34=yes;
-+Set-Cookie: cookie-35=yes;
-+Set-Cookie: cookie-36=yes;
-+Set-Cookie: cookie-37=yes;
-+Set-Cookie: cookie-38=yes;
-+Set-Cookie: cookie-39=yes;
-+Set-Cookie: cookie-40=yes;
-+Set-Cookie: cookie-41=yes;
-+Set-Cookie: cookie-42=yes;
-+Set-Cookie: cookie-43=yes;
-+Set-Cookie: cookie-44=yes;
-+Set-Cookie: cookie-45=yes;
-+Set-Cookie: cookie-46=yes;
-+Set-Cookie: cookie-47=yes;
-+Set-Cookie: cookie-48=yes;
-+Set-Cookie: cookie-49=yes;
-+Set-Cookie: cookie-50=yes;
-+Set-Cookie: cookie-51=yes;
-+Set-Cookie: cookie-52=yes;
-+Set-Cookie: cookie-53=yes;
-+Set-Cookie: cookie-54=yes;
-+Set-Cookie: cookie-55=yes;
-+Set-Cookie: cookie-56=yes;
-+Set-Cookie: cookie-57=yes;
-+Set-Cookie: cookie-58=yes;
-+Set-Cookie: cookie-59=yes;
-+Set-Cookie: cookie-60=yes;
-+Set-Cookie: cookie-61=yes;
-+Set-Cookie: cookie-62=yes;
-+Set-Cookie: cookie-63=yes;
-+Set-Cookie: cookie-64=yes;
-+Set-Cookie: cookie-65=yes;
-+Set-Cookie: cookie-66=yes;
-+Set-Cookie: cookie-67=yes;
-+Set-Cookie: cookie-68=yes;
-+Set-Cookie: cookie-69=yes;
-+Set-Cookie: cookie-70=yes;
-+Set-Cookie: cookie-71=yes;
-+Set-Cookie: cookie-72=yes;
-+Set-Cookie: cookie-73=yes;
-+Set-Cookie: cookie-74=yes;
-+Set-Cookie: cookie-75=yes;
-+Set-Cookie: cookie-76=yes;
-+Set-Cookie: cookie-77=yes;
-+Set-Cookie: cookie-78=yes;
-+Set-Cookie: cookie-79=yes;
-+Set-Cookie: cookie-80=yes;
-+
-+-foo-
-+
-+
-+
-+#
-+# Client-side
-+
-+
-+http
-+
-+
-+Many Set-Cookie response headers
-+
-+
-+http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP
-+
-+
-+
-+#
-+# Verify data after the test has been "shot"
-+
-+
-+GET /a/b/%TESTNUMBER HTTP/1.1
-+Host: attack.invalid:%HTTPPORT
-+User-Agent: curl/%VERSION
-+Accept: */*
-+
-+
-+
-+# Netscape HTTP Cookie File
-+# https://curl.se/docs/http-cookies.html
-+# This file was generated by libcurl! Edit at your own risk.
-+
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-50 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-49 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-48 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-47 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-46 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-45 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-44 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-43 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-42 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-41 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-40 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-39 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-38 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-37 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-36 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-35 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-34 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-33 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-32 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-31 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-30 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-29 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-28 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-27 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-26 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-25 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-24 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-23 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-22 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-21 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-20 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-19 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-18 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-17 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-16 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-15 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-14 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-13 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-12 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-11 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-10 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-9 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-8 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-7 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-6 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-5 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-4 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-3 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-2 yes
-+attack.invalid FALSE /a/b/ FALSE 0 cookie-1 yes
-+
-+
-+
---
-2.35.3
-
diff --git a/0013-curl-7.82.0-CVE-2022-32207.patch b/0013-curl-7.82.0-CVE-2022-32207.patch
deleted file mode 100644
index 4f825a9..0000000
--- a/0013-curl-7.82.0-CVE-2022-32207.patch
+++ /dev/null
@@ -1,428 +0,0 @@
-From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Wed, 25 May 2022 10:09:53 +0200
-Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
-
-Bug: https://curl.se/docs/CVE-2022-32207.html
-CVE-2022-32207
-Reported-by: Harry Sintonen
-Closes #9050
-
-Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
-Signed-off-by: Kamil Dudka
----
- CMakeLists.txt | 1 +
- configure.ac | 1 +
- lib/Makefile.inc | 2 +
- lib/cookie.c | 19 ++-----
- lib/curl_config.h.cmake | 3 ++
- lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
- lib/fopen.h | 30 +++++++++++
- 7 files changed, 154 insertions(+), 15 deletions(-)
- create mode 100644 lib/fopen.c
- create mode 100644 lib/fopen.h
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index b77de6d..a0bfaad 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
- set(CMAKE_REQUIRED_LIBRARIES socket)
- endif()
-
-+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
- check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
- check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
- check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
-diff --git a/configure.ac b/configure.ac
-index d431870..7433bb9 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
-
-
- AC_CHECK_FUNCS([fnmatch \
-+ fchmod \
- geteuid \
- getpass_r \
- getppid \
-diff --git a/lib/Makefile.inc b/lib/Makefile.inc
-index e8f110f..5139b03 100644
---- a/lib/Makefile.inc
-+++ b/lib/Makefile.inc
-@@ -133,6 +133,7 @@ LIB_CFILES = \
- escape.c \
- file.c \
- fileinfo.c \
-+ fopen.c \
- formdata.c \
- ftp.c \
- ftplistparser.c \
-@@ -263,6 +264,7 @@ LIB_HFILES = \
- escape.h \
- file.h \
- fileinfo.h \
-+ fopen.h \
- formdata.h \
- ftp.h \
- ftplistparser.h \
-diff --git a/lib/cookie.c b/lib/cookie.c
-index
8a6aa1a..cb0c03b 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -96,8 +96,8 @@ Example set of cookies:
- #include "curl_get_line.h"
- #include "curl_memrchr.h"
- #include "parsedate.h"
--#include "rand.h"
- #include "rename.h"
-+#include "fopen.h"
-
- /* The last 3 #include files should be in this order */
- #include "curl_printf.h"
-@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
- use_stdout = TRUE;
- }
- else {
-- unsigned char randsuffix[9];
--
-- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
-- return 2;
--
-- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
-- if(!tempstore)
-- return CURLE_OUT_OF_MEMORY;
--
-- out = fopen(tempstore, FOPEN_WRITETEXT);
-- if(!out) {
-- error = CURLE_WRITE_ERROR;
-+ error = Curl_fopen(data, filename, &out, &tempstore);
-+ if(error)
- goto error;
-- }
- }
-
- fputs("# Netscape HTTP Cookie File\n"
-@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
- if(!use_stdout) {
- fclose(out);
- out = NULL;
-- if(Curl_rename(tempstore, filename)) {
-+ if(tempstore && Curl_rename(tempstore, filename)) {
- unlink(tempstore);
- error = CURLE_WRITE_ERROR;
- goto error;
-diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
-index d2a0f43..c254359 100644
---- a/lib/curl_config.h.cmake
-+++ b/lib/curl_config.h.cmake
-@@ -157,6 +157,9 @@
- /* Define to 1 if you have the header file. */
- #cmakedefine HAVE_ASSERT_H 1
-
-+/* Define to 1 if you have the `fchmod' function. */
-+#cmakedefine HAVE_FCHMOD 1
-+
- /* Define to 1 if you have the `basename' function.
*/
- #cmakedefine HAVE_BASENAME 1
-
-diff --git a/lib/fopen.c b/lib/fopen.c
-new file mode 100644
-index 0000000..ad3691b
---- /dev/null
-+++ b/lib/fopen.c
-@@ -0,0 +1,113 @@
-+/***************************************************************************
-+ * _ _ ____ _
-+ * Project ___| | | | _ \| |
-+ * / __| | | | |_) | |
-+ * | (__| |_| | _ <| |___
-+ * \___|\___/|_| \_\_____|
-+ *
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
-+ *
-+ * This software is licensed as described in the file COPYING, which
-+ * you should have received as part of this distribution. The terms
-+ * are also available at https://curl.se/docs/copyright.html.
-+ *
-+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+ * copies of the Software, and permit persons to whom the Software is
-+ * furnished to do so, under the terms of the COPYING file.
-+ *
-+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+ * KIND, either express or implied.
-+ *
-+ * SPDX-License-Identifier: curl
-+ *
-+ ***************************************************************************/
-+
-+#include "curl_setup.h"
-+
-+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
-+ !defined(CURL_DISABLE_HSTS)
-+
-+#ifdef HAVE_FCNTL_H
-+#include
-+#endif
-+
-+#include "urldata.h"
-+#include "rand.h"
-+#include "fopen.h"
-+/* The last 3 #include files should be in this order */
-+#include "curl_printf.h"
-+#include "curl_memory.h"
-+#include "memdebug.h"
-+
-+/*
-+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
-+ * to the final name when completed. If there is an existing file using this
-+ * name at the time of the open, this function will clone the mode from that
-+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
-+ * written.
-+ */
-+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
-+ FILE **fh, char **tempname)
-+{
-+ CURLcode result = CURLE_WRITE_ERROR;
-+ unsigned char randsuffix[9];
-+ char *tempstore = NULL;
-+ struct_stat sb;
-+ int fd = -1;
-+ *tempname = NULL;
-+
-+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
-+ /* a non-regular file, fallback to direct fopen() */
-+ *fh = fopen(filename, FOPEN_WRITETEXT);
-+ if(*fh)
-+ return CURLE_OK;
-+ goto fail;
-+ }
-+
-+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
-+ if(result)
-+ goto fail;
-+
-+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
-+ if(!tempstore) {
-+ result = CURLE_OUT_OF_MEMORY;
-+ goto fail;
-+ }
-+
-+ result = CURLE_WRITE_ERROR;
-+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
-+ if(fd == -1)
-+ goto fail;
-+
-+#ifdef HAVE_FCHMOD
-+ {
-+ struct_stat nsb;
-+ if((fstat(fd, &nsb) != -1) &&
-+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
-+ /* if the user and group are the same, clone the original mode */
-+ if(fchmod(fd, sb.st_mode) == -1)
-+ goto fail;
-+ }
-+ }
-+#endif
-+
-+ *fh = fdopen(fd, FOPEN_WRITETEXT);
-+ if(!*fh)
-+ goto fail;
-+
-+ *tempname = tempstore;
-+ return CURLE_OK;
-+
-+fail:
-+ if(fd != -1) {
-+ close(fd);
-+ unlink(tempstore);
-+ }
-+
-+ free(tempstore);
-+
-+ *tempname = NULL;
-+ return result;
-+}
-+
-+#endif /* ! disabled */
-diff --git a/lib/fopen.h b/lib/fopen.h
-new file mode 100644
-index 0000000..289e55f
---- /dev/null
-+++ b/lib/fopen.h
-@@ -0,0 +1,30 @@
-+#ifndef HEADER_CURL_FOPEN_H
-+#define HEADER_CURL_FOPEN_H
-+/***************************************************************************
-+ * _ _ ____ _
-+ * Project ___| | | | _ \| |
-+ * / __| | | | |_) | |
-+ * | (__| |_| | _ <| |___
-+ * \___|\___/|_| \_\_____|
-+ *
-+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
-+ *
-+ * This software is licensed as described in the file COPYING, which
-+ * you should have received as part of this distribution.
The terms -+ * are also available at https://curl.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+ -+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, -+ FILE **fh, char **tempname); -+ -+#endif --- -2.35.3 - - -From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 25 May 2022 10:09:53 +0200 -Subject: [PATCH 2/3] altsvc: use Curl_fopen() - -Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2 -Signed-off-by: Kamil Dudka ---- - lib/altsvc.c | 22 ++++++---------------- - 1 file changed, 6 insertions(+), 16 deletions(-) - -diff --git a/lib/altsvc.c b/lib/altsvc.c -index 242733b..4dc4078 100644 ---- a/lib/altsvc.c -+++ b/lib/altsvc.c -@@ -34,7 +34,7 @@ - #include "parsedate.h" - #include "sendf.h" - #include "warnless.h" --#include "rand.h" -+#include "fopen.h" - #include "rename.h" - - /* The last 3 #include files should be in this order */ -@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, - struct Curl_llist_element *n; - CURLcode result = CURLE_OK; - FILE *out; -- char *tempstore; -- unsigned char randsuffix[9]; -+ char *tempstore = NULL; - - if(!altsvc) - /* no cache activated */ -@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, - /* marked as read-only, no file or zero length file name */ - return CURLE_OK; - -- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) -- return CURLE_FAILED_INIT; -- -- tempstore = aprintf("%s.%s.tmp", file, randsuffix); -- if(!tempstore) -- return CURLE_OUT_OF_MEMORY; -- -- out = 
fopen(tempstore, FOPEN_WRITETEXT); -- if(!out) -- result = CURLE_WRITE_ERROR; -- else { -+ result = Curl_fopen(data, file, &out, &tempstore); -+ if(!result) { - fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" - "# This file was generated by libcurl! Edit at your own risk.\n", - out); -@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data, - break; - } - fclose(out); -- if(!result && Curl_rename(tempstore, file)) -+ if(!result && tempstore && Curl_rename(tempstore, file)) - result = CURLE_WRITE_ERROR; - -- if(result) -+ if(result && tempstore) - unlink(tempstore); - } - free(tempstore); --- -2.35.3 - - -From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 25 May 2022 10:09:54 +0200 -Subject: [PATCH 3/3] hsts: use Curl_fopen() - -Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee -Signed-off-by: Kamil Dudka ---- - lib/hsts.c | 22 ++++++---------------- - 1 file changed, 6 insertions(+), 16 deletions(-) - -diff --git a/lib/hsts.c b/lib/hsts.c -index b9fa6f7..9d54c82 100644 ---- a/lib/hsts.c -+++ b/lib/hsts.c -@@ -35,7 +35,7 @@ - #include "sendf.h" - #include "strtoofft.h" - #include "parsedate.h" --#include "rand.h" -+#include "fopen.h" - #include "rename.h" - #include "strtoofft.h" - -@@ -354,8 +354,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, - struct Curl_llist_element *n; - CURLcode result = CURLE_OK; - FILE *out; -- char *tempstore; -- unsigned char randsuffix[9]; -+ char *tempstore = NULL; - - if(!h) - /* no cache activated */ -@@ -369,17 +368,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, - /* marked as read-only, no file or zero length file name */ - goto skipsave; - -- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) -- return CURLE_FAILED_INIT; -- -- tempstore = aprintf("%s.%s.tmp", file, randsuffix); -- if(!tempstore) -- return CURLE_OUT_OF_MEMORY; -- -- out = fopen(tempstore, FOPEN_WRITETEXT); -- if(!out) -- 
result = CURLE_WRITE_ERROR; -- else { -+ result = Curl_fopen(data, file, &out, &tempstore); -+ if(!result) { - fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" - "# This file was generated by libcurl! Edit at your own risk.\n", - out); -@@ -391,10 +381,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h, - break; - } - fclose(out); -- if(!result && Curl_rename(tempstore, file)) -+ if(!result && tempstore && Curl_rename(tempstore, file)) - result = CURLE_WRITE_ERROR; - -- if(result) -+ if(result && tempstore) - unlink(tempstore); - } - free(tempstore); --- -2.35.3 - diff --git a/0014-curl-7.82.0-CVE-2022-35252.patch b/0014-curl-7.82.0-CVE-2022-35252.patch deleted file mode 100644 index b9d599b..0000000 --- a/0014-curl-7.82.0-CVE-2022-35252.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 29 Aug 2022 00:09:17 +0200 -Subject: [PATCH 1/2] cookie: reject cookies with "control bytes" - -Rejects 0x01 - 0x1f (except 0x09) plus 0x7f - -Reported-by: Axel Chong - -Bug: https://curl.se/docs/CVE-2022-35252.html - -CVE-2022-35252 - -Closes #9381 - -Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3 -Signed-off-by: Kamil Dudka ---- - lib/cookie.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/lib/cookie.c b/lib/cookie.c -index cb0c03b..e0470a1 100644 ---- a/lib/cookie.c -+++ b/lib/cookie.c -@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain) - return TRUE; - } - -+/* -+ RFC 6265 section 4.1.1 says a server should accept this range: -+ -+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E -+ -+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes -+ fine. The prime reason for filtering out control bytes is that some HTTP -+ servers return 400 for requests that contain such. 
-+*/ -+static int invalid_octets(const char *p) -+{ -+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ -+ static const char badoctets[] = { -+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" -+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" -+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" -+ }; -+ size_t vlen, len; -+ /* scan for all the octets that are *not* in cookie-octet */ -+ len = strcspn(p, badoctets); -+ vlen = strlen(p); -+ return (len != vlen); -+} -+ - /* - * Curl_cookie_add - * -@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data, - badcookie = TRUE; - break; - } -+ if(invalid_octets(whatptr) || invalid_octets(name)) { -+ infof(data, "invalid octets in name/value, cookie dropped"); -+ badcookie = TRUE; -+ break; -+ } - } - else if(!len) { - /* --- -2.37.1 - - -From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 29 Aug 2022 00:09:17 +0200 -Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored - -Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 -Signed-off-by: Kamil Dudka ---- - tests/data/test8 | 32 +++++++++++++++++++++++++++++++- - 1 file changed, 31 insertions(+), 1 deletion(-) - -diff --git a/tests/data/test8 b/tests/data/test8 -index a8548e6..8587611 100644 ---- a/tests/data/test8 -+++ b/tests/data/test8 -@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; - Set-Cookie: nocookie=yes; path=/WE; - Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; - Set-Cookie: partialip=nono; domain=.0.0.1; -+Set-Cookie: cookie1=%hex[%01-junk]hex% -+Set-Cookie: cookie2=%hex[%02-junk]hex% -+Set-Cookie: cookie3=%hex[%03-junk]hex% -+Set-Cookie: cookie4=%hex[%04-junk]hex% -+Set-Cookie: cookie5=%hex[%05-junk]hex% -+Set-Cookie: cookie6=%hex[%06-junk]hex% -+Set-Cookie: cookie7=%hex[%07-junk]hex% -+Set-Cookie: cookie8=%hex[%08-junk]hex% -+Set-Cookie: cookie9=%hex[junk-%09-]hex% -+Set-Cookie: cookie11=%hex[%0b-junk]hex% -+Set-Cookie: 
cookie12=%hex[%0c-junk]hex% -+Set-Cookie: cookie14=%hex[%0e-junk]hex% -+Set-Cookie: cookie15=%hex[%0f-junk]hex% -+Set-Cookie: cookie16=%hex[%10-junk]hex% -+Set-Cookie: cookie17=%hex[%11-junk]hex% -+Set-Cookie: cookie18=%hex[%12-junk]hex% -+Set-Cookie: cookie19=%hex[%13-junk]hex% -+Set-Cookie: cookie20=%hex[%14-junk]hex% -+Set-Cookie: cookie21=%hex[%15-junk]hex% -+Set-Cookie: cookie22=%hex[%16-junk]hex% -+Set-Cookie: cookie23=%hex[%17-junk]hex% -+Set-Cookie: cookie24=%hex[%18-junk]hex% -+Set-Cookie: cookie25=%hex[%19-junk]hex% -+Set-Cookie: cookie26=%hex[%1a-junk]hex% -+Set-Cookie: cookie27=%hex[%1b-junk]hex% -+Set-Cookie: cookie28=%hex[%1c-junk]hex% -+Set-Cookie: cookie29=%hex[%1d-junk]hex% -+Set-Cookie: cookie30=%hex[%1e-junk]hex% -+Set-Cookie: cookie31=%hex[%1f-junk]hex% -+Set-Cookie: cookie31=%hex[%7f-junk]hex% - - - -@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 - Host: %HOSTIP:%HTTPPORT - User-Agent: curl/%VERSION - Accept: */* --Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes -+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - - - - --- -2.37.1 - diff --git a/0015-curl-7.82.0-CVE-2022-32221.patch b/0015-curl-7.82.0-CVE-2022-32221.patch deleted file mode 100644 index e608abd..0000000 --- a/0015-curl-7.82.0-CVE-2022-32221.patch +++ /dev/null 
@@ -1,251 +0,0 @@ -From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 15 Sep 2022 09:22:45 +0200 -Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field - -Reported-by: RobBotic1 on github -Fixes #9507 -Closes #9511 - -Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9 -Signed-off-by: Kamil Dudka ---- - lib/setopt.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/setopt.c b/lib/setopt.c -index d5e3b50..b8793b4 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -625,6 +625,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - } - else - data->set.method = HTTPREQ_GET; -+ data->set.upload = FALSE; - break; - - case CURLOPT_HTTPPOST: --- -2.37.3 - - -From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 15 Sep 2022 09:23:33 +0200 -Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle - -Reproduced #9507, verifies the fix - -Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20 -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 1 + - tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ - tests/libtest/Makefile.inc | 5 +++ - tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ - 4 files changed, 158 insertions(+) - create mode 100644 tests/data/test1948 - create mode 100644 tests/libtest/lib1948.c - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 818ee08..0cfab9b 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -220,6 +220,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ - test1916 test1917 test1918 \ - \ - test1933 test1934 test1935 test1936 test1937 test1938 test1939 \ -+test1948 \ - \ - test2000 test2001 test2002 test2003 test2004 \ - \ -diff --git a/tests/data/test1948 b/tests/data/test1948 -new file mode 100644 -index 0000000..639523d ---- /dev/null -+++ 
b/tests/data/test1948 -@@ -0,0 +1,73 @@ -+ -+ -+ -+HTTP -+HTTP POST -+HTTP PUT -+ -+ -+ -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 01 Nov 2001 14:49:00 GMT -+Content-Type: text/html -+Content-Length: 6 -+ -+hello -+ -+ -+HTTP/1.1 200 OK -+Date: Thu, 01 Nov 2001 14:49:00 GMT -+Content-Type: text/html -+Content-Length: 6 -+ -+hello -+HTTP/1.1 200 OK -+Date: Thu, 01 Nov 2001 14:49:00 GMT -+Content-Type: text/html -+Content-Length: 6 -+ -+hello -+ -+ -+ -+# Client-side -+ -+ -+http -+ -+ -+ -+CURLOPT_POST after CURLOPT_UPLOAD reusing handle -+ -+ -+lib%TESTNUMBER -+ -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+ -+PUT /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+Accept: */* -+Content-Length: 22 -+Expect: 100-continue -+ -+This is test PUT data -+POST /1948 HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+Accept: */* -+Content-Length: 22 -+Content-Type: application/x-www-form-urlencoded -+ -+This is test PUT data -+ -+ -+ -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index 83a8af4..3192eca 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -62,6 +62,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ - lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ - lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ - lib1937 lib1938 lib1939 \ -+ lib1948 \ - lib3010 lib3025 - - chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ -@@ -724,6 +725,10 @@ lib1939_SOURCES = lib1939.c $(SUPPORTFILES) - lib1939_LDADD = $(TESTUTIL_LIBS) - lib1939_CPPFLAGS = $(AM_CPPFLAGS) - -+lib1948_SOURCES = lib1948.c $(SUPPORTFILES) -+lib1948_LDADD = $(TESTUTIL_LIBS) -+lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948 -+ - lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib3010_LDADD = $(TESTUTIL_LIBS) - lib3010_CPPFLAGS = $(AM_CPPFLAGS) -diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c -new file mode 
100644 -index 0000000..7c891a2 ---- /dev/null -+++ b/tests/libtest/lib1948.c -@@ -0,0 +1,79 @@ -+/*************************************************************************** -+ * _ _ ____ _ -+ * Project ___| | | | _ \| | -+ * / __| | | | |_) | | -+ * | (__| |_| | _ <| |___ -+ * \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at https://curl.haxx.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. -+ * -+ * SPDX-License-Identifier: curl -+ * -+ ***************************************************************************/ -+ -+#include "test.h" -+ -+typedef struct -+{ -+ char *buf; -+ size_t len; -+} put_buffer; -+ -+static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) -+{ -+ put_buffer *putdata = (put_buffer *)stream; -+ size_t totalsize = size * nmemb; -+ size_t tocopy = (putdata->len < totalsize) ? 
putdata->len : totalsize; -+ memcpy(ptr, putdata->buf, tocopy); -+ putdata->len -= tocopy; -+ putdata->buf += tocopy; -+ return tocopy; -+} -+ -+int test(char *URL) -+{ -+ CURL *curl; -+ CURLcode res = CURLE_OUT_OF_MEMORY; -+ -+ curl_global_init(CURL_GLOBAL_DEFAULT); -+ -+ curl = curl_easy_init(); -+ if(curl) { -+ const char *testput = "This is test PUT data\n"; -+ put_buffer pbuf; -+ -+ /* PUT */ -+ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); -+ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); -+ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); -+ pbuf.buf = (char *)testput; -+ pbuf.len = strlen(testput); -+ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); -+ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); -+ res = curl_easy_setopt(curl, CURLOPT_URL, URL); -+ if(!res) -+ res = curl_easy_perform(curl); -+ if(!res) { -+ /* POST */ -+ curl_easy_setopt(curl, CURLOPT_POST, 1L); -+ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); -+ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); -+ res = curl_easy_perform(curl); -+ } -+ curl_easy_cleanup(curl); -+ } -+ -+ curl_global_cleanup(); -+ return (int)res; -+} --- -2.37.3 - diff --git a/0016-curl-7.82.0-CVE-2022-35260.patch b/0016-curl-7.82.0-CVE-2022-35260.patch deleted file mode 100644 index 0e969b9..0000000 --- a/0016-curl-7.82.0-CVE-2022-35260.patch +++ /dev/null 
@@ -1,76 +0,0 @@
-From 54dcd2334220ad965ef81130ba8ddf90b30c987c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Tue, 4 Oct 2022 14:37:24 +0200
-Subject: [PATCH] netrc: replace fgets with Curl_get_line
-
-Make the parser only accept complete lines and avoid problems with
-overly long lines.
-
-Reported-by: Hiroki Kurosawa
-
-Closes #9789
-
-Upstream-commit: c97ec984fb2bc919a3aa863e0476dffa377b184c
-Signed-off-by: Kamil Dudka
----
- lib/curl_get_line.c | 6 +++---
- lib/netrc.c | 5 +++--
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
-index 6a26bb2..22e3705 100644
---- a/lib/curl_get_line.c
-+++ b/lib/curl_get_line.c
-@@ -23,7 +23,7 @@
- #include "curl_setup.h"
-
- #if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
-- !defined(CURL_DISABLE_HSTS)
-+ !defined(CURL_DISABLE_HSTS) || !defined(CURL_DISABLE_NETRC)
-
- #include "curl_get_line.h"
- #include "curl_memory.h"
-@@ -31,8 +31,8 @@
- #include "memdebug.h"
-
- /*
-- * get_line() makes sure to only return complete whole lines that fit in 'len'
-- * bytes and end with a newline.
-+ * Curl_get_line() makes sure to only return complete whole lines that fit in
-+ * 'len' bytes and end with a newline.
- */
- char *Curl_get_line(char *buf, int len, FILE *input)
- {
-diff --git a/lib/netrc.c b/lib/netrc.c
-index 62a6a10..5d17482 100644
---- a/lib/netrc.c
-+++ b/lib/netrc.c
-@@ -31,6 +31,7 @@
- #include "netrc.h"
- #include "strtok.h"
- #include "strcase.h"
-+#include "curl_get_line.h"
-
- /* The last 3 #include files should be in this order */
- #include "curl_printf.h"
-@@ -84,7 +85,7 @@ static int parsenetrc(const char *host,
- char netrcbuffer[4096];
- int netrcbuffsize = (int)sizeof(netrcbuffer);
-
-- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
-+ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
- if(state == MACDEF) {
- if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r'))
- state = NOTHING;
-@@ -186,7 +187,7 @@ static int parsenetrc(const char *host,
-
- tok = strtok_r(NULL, " \t\n", &tok_buf);
- } /* while(tok) */
-- } /* while fgets() */
-+ } /* while Curl_get_line() */
-
- out:
- if(!retcode) {
---
-2.37.3
-
diff --git a/0017-curl-7.82.0-CVE-2022-42915.patch b/0017-curl-7.82.0-CVE-2022-42915.patch
deleted file mode 100644
index db3c235..0000000
--- a/0017-curl-7.82.0-CVE-2022-42915.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 6 Oct 2022 14:13:36 +0200 -Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error - -Reported-by: Trail of Bits - -Closes #9790 - -Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 -Signed-off-by: Kamil Dudka ---- - lib/http_proxy.c | 6 ++---- - lib/url.c | 9 --------- - 2 files changed, 2 insertions(+), 13 deletions(-) - -diff --git a/lib/http_proxy.c b/lib/http_proxy.c -index 1f87f6c..cc20b3a 100644 ---- a/lib/http_proxy.c -+++ b/lib/http_proxy.c -@@ -210,10 +210,8 @@ void Curl_connect_done(struct Curl_easy *data) - Curl_dyn_free(&s->rcvbuf); - Curl_dyn_free(&s->req); - -- /* restore the protocol pointer, if not already done */ -- if(s->prot_save) -- data->req.p.http = s->prot_save; -- s->prot_save = NULL; -+ /* restore the protocol pointer */ -+ data->req.p.http = s->prot_save; - data->info.httpcode = 0; /* clear it as it might've been used for the - proxy */ - data->req.ignorebody = FALSE; -diff --git a/lib/url.c b/lib/url.c -index bfc784f..61c99d2 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -728,15 +728,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) - DEBUGASSERT(data); - infof(data, "Closing connection %ld", conn->connection_id); - --#ifndef USE_HYPER -- if(conn->connect_state && conn->connect_state->prot_save) { -- /* If this was closed with a CONNECT in progress, cleanup this temporary -- struct arrangement */ -- data->req.p.http = NULL; -- Curl_safefree(conn->connect_state->prot_save); -- } --#endif -- - /* possible left-overs from the async name resolvers */ - Curl_resolver_cancel(data); - --- -2.37.3 - - -From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 6 Oct 2022 14:14:25 +0200 -Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and - fix - -Upstream-commit: 
038bfb8522a93328b7e65bd2b6b8387c974b9ac8 -Signed-off-by: Kamil Dudka ---- - tests/data/Makefile.inc | 2 +- - tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 62 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test445 - -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 0cfab9b..14c1b0c 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -72,7 +72,7 @@ test409 test410 \ - \ - test430 test431 test432 test433 test434 test435 test436 \ - \ --test440 test441 test442 test443 test444 \ -+test440 test441 test442 test443 test444 test445 \ - \ - test490 test491 test492 test493 test494 \ - \ -diff --git a/tests/data/test445 b/tests/data/test445 -new file mode 100644 -index 0000000..0406c0f ---- /dev/null -+++ b/tests/data/test445 -@@ -0,0 +1,61 @@ -+ -+ -+ -+HTTP -+HTTP proxy -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 503 no just no -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+gopher -+dict -+http -+ftp -+imap -+ldap -+mqtt -+pop3 -+rtsp -+scp -+sftp -+smb -+smtp -+ -+ -+http-proxy -+ -+ -+Refuse tunneling protocols through HTTP proxy -+ -+ -+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# refused in the CONNECT -+ -+56 -+ -+ -+ --- -2.37.3 - diff --git a/0018-curl-7.82.0-CVE-2022-42916.patch b/0018-curl-7.82.0-CVE-2022-42916.patch deleted file mode 100644 index a2234b5..0000000 --- a/0018-curl-7.82.0-CVE-2022-42916.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -From 8c1f295ec343bad073a41f62de5f4c4ddd579e41 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 12 Oct 2022 10:47:59 +0200 -Subject: [PATCH] url: use IDN decoded names for HSTS checks - -Reported-by: Hiroki Kurosawa - -Closes #9791 - -Upstream-commit: 53bcf55b4538067e6dc36242168866becb987bb7 -Signed-off-by: Kamil Dudka ---- - lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- - 1 file changed, 47 insertions(+), 44 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 61c99d2..6426fa7 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -2003,10 +2003,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, - if(!strcasecompare("file", data->state.up.scheme)) - return CURLE_OUT_OF_MEMORY; - } -+ hostname = data->state.up.hostname; -+ -+ if(hostname && hostname[0] == '[') { -+ /* This looks like an IPv6 address literal. See if there is an address -+ scope. */ -+ size_t hlen; -+ conn->bits.ipv6_ip = TRUE; -+ /* cut off the brackets! */ -+ hostname++; -+ hlen = strlen(hostname); -+ hostname[hlen - 1] = 0; -+ -+ zonefrom_url(uh, data, conn); -+ } -+ -+ /* make sure the connect struct gets its own copy of the host name */ -+ conn->host.rawalloc = strdup(hostname ? 
hostname : ""); -+ if(!conn->host.rawalloc) -+ return CURLE_OUT_OF_MEMORY; -+ conn->host.name = conn->host.rawalloc; -+ -+ /************************************************************* -+ * IDN-convert the hostnames -+ *************************************************************/ -+ result = Curl_idnconvert_hostname(data, &conn->host); -+ if(result) -+ return result; -+ if(conn->bits.conn_to_host) { -+ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); -+ if(result) -+ return result; -+ } -+#ifndef CURL_DISABLE_PROXY -+ if(conn->bits.httpproxy) { -+ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); -+ if(result) -+ return result; -+ } -+ if(conn->bits.socksproxy) { -+ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); -+ if(result) -+ return result; -+ } -+#endif - - #ifndef CURL_DISABLE_HSTS -+ /* HSTS upgrade */ - if(data->hsts && strcasecompare("http", data->state.up.scheme)) { -- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { -+ /* This MUST use the IDN decoded name */ -+ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { - char *url; - Curl_safefree(data->state.up.scheme); - uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); -@@ -2111,26 +2157,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, - - (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); - -- hostname = data->state.up.hostname; -- if(hostname && hostname[0] == '[') { -- /* This looks like an IPv6 address literal. See if there is an address -- scope. */ -- size_t hlen; -- conn->bits.ipv6_ip = TRUE; -- /* cut off the brackets! */ -- hostname++; -- hlen = strlen(hostname); -- hostname[hlen - 1] = 0; -- -- zonefrom_url(uh, data, conn); -- } -- -- /* make sure the connect struct gets its own copy of the host name */ -- conn->host.rawalloc = strdup(hostname ? 
hostname : ""); -- if(!conn->host.rawalloc) -- return CURLE_OUT_OF_MEMORY; -- conn->host.name = conn->host.rawalloc; -- - #ifdef ENABLE_IPV6 - if(data->set.scope_id) - /* Override any scope that was set above. */ -@@ -3705,29 +3731,6 @@ static CURLcode create_conn(struct Curl_easy *data, - if(result) - goto out; - -- /************************************************************* -- * IDN-convert the hostnames -- *************************************************************/ -- result = Curl_idnconvert_hostname(data, &conn->host); -- if(result) -- goto out; -- if(conn->bits.conn_to_host) { -- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); -- if(result) -- goto out; -- } --#ifndef CURL_DISABLE_PROXY -- if(conn->bits.httpproxy) { -- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); -- if(result) -- goto out; -- } -- if(conn->bits.socksproxy) { -- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); -- if(result) -- goto out; -- } --#endif - - /************************************************************* - * Check whether the host and the "connect to host" are equal. --- -2.37.3 - diff --git a/0019-curl-7.82.0-http2-whitespace.patch b/0019-curl-7.82.0-http2-whitespace.patch deleted file mode 100644 index 40389bb..0000000 --- a/0019-curl-7.82.0-http2-whitespace.patch +++ /dev/null 
@@ -1,266 +0,0 @@ -From 99e014bfacfb1f572d3fd710e567faee38bf1c2f Mon Sep 17 00:00:00 2001 -From: lwthiker -Date: Sun, 17 Jul 2022 19:11:33 +0300 -Subject: [PATCH 1/3] h2h3: fix overriding the 'TE: Trailers' header - -A 'TE: Trailers' header is explicitly replaced by 'te: trailers' -(lowercase) in Curl_pseudo_headers() when building the list of HTTP/2 or -HTTP/3 headers. However, this is then replaced again by the original -value due to a bug, resulting in the uppercased version being sent. Some -HTTP/2 servers reject the whole HTTP/2 stream when this is the case. - -Closes #9170 - -Upstream-commit: b9b6148c45a00d675d5bb261bf4cbb45468ad807 -Signed-off-by: Kamil Dudka ---- - lib/h2h3.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/lib/h2h3.c b/lib/h2h3.c -index cf8d156..bbf4ae5 100644 ---- a/lib/h2h3.c -+++ b/lib/h2h3.c -@@ -256,9 +256,6 @@ CURLcode Curl_pseudo_headers(struct Curl_easy *data, - nva[i].valuelen = (end - hdbuf); - } - -- nva[i].value = hdbuf; -- nva[i].valuelen = (end - hdbuf); -- - ++i; - } - --- -2.37.3 - - -From 239ed36b2dcb0234ab1c98fce4abf40fe6ec86b5 Mon Sep 17 00:00:00 2001 -From: Jay Satiro -Date: Thu, 25 Aug 2022 03:46:42 -0400 -Subject: [PATCH 2/3] tests: fix http2 tests to use CRLF headers - -Prior to this change some tests that rely on nghttpx proxy did not use -CRLF headers everywhere. A recent change in nghttp2, which updated its -version of llhttp (HTTP parser), requires curl's HTTP/1.1 test server to -use CRLF headers. 
- -Ref: https://github.com/nghttp2/nghttp2/commit/9d389e8 - -Fixes https://github.com/curl/curl/issues/9364 -Closes https://github.com/curl/curl/pull/9365 - -Upstream-commit: ef121401d6eabed204a716f16b2776ededc75c0e -Signed-off-by: Kamil Dudka ---- - tests/data/test1700 | 34 +++++++++++++++++----------------- - tests/data/test1701 | 22 +++++++++++----------- - tests/data/test358 | 16 ++++++++-------- - tests/data/test359 | 16 ++++++++-------- - 4 files changed, 44 insertions(+), 44 deletions(-) - -diff --git a/tests/data/test1700 b/tests/data/test1700 -index 9cf8739..2815775 100644 ---- a/tests/data/test1700 -+++ b/tests/data/test1700 -@@ -11,26 +11,26 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+ - -maa- - - -diff --git a/tests/data/test1701 b/tests/data/test1701 -index c4687d9..5859cff 100644 ---- a/tests/data/test1701 -+++ b/tests/data/test1701 -@@ -11,17 +11,17 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Server: test-server/fake --Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT --ETag: "21025-dc7-39462498" --Accept-Ranges: bytes --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes -- -+HTTP/1.1 200 OK -+Date: 
Tue, 09 Nov 2010 14:49:00 GMT -+Server: test-server/fake -+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT -+ETag: "21025-dc7-39462498" -+Accept-Ranges: bytes -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+ - -foo- - - -diff --git a/tests/data/test358 b/tests/data/test358 -index d1ddc1b..ce20b17 100644 ---- a/tests/data/test358 -+++ b/tests/data/test358 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - -diff --git a/tests/data/test359 b/tests/data/test359 -index c1b1cb8..e624f7d 100644 ---- a/tests/data/test359 -+++ b/tests/data/test359 -@@ -12,14 +12,14 @@ HTTP/2 - # Server-side - - --HTTP/1.1 200 OK --Date: Tue, 09 Nov 2010 14:49:00 GMT --Content-Length: 6 --Connection: close --Content-Type: text/html --Funny-head: yesyes --Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -- -+HTTP/1.1 200 OK -+Date: Tue, 09 Nov 2010 14:49:00 GMT -+Content-Length: 6 -+Connection: close -+Content-Type: text/html -+Funny-head: yesyes -+Alt-Svc: h2=":%HTTP2PORT", ma=315360000; persist=0 -+ - -foo- - - --- -2.37.3 - - -From a1eaad81dc6c8d1e562b685d3136f24aeb12dcb4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Wed, 7 Sep 2022 15:41:03 +0200 -Subject: [PATCH 3/3] http2: make nghttp2 less picky about field whitespace - -In nghttp2 1.49.0 it returns error on leading and trailing whitespace in -header fields according to language in the recently shipped RFC 9113. 
- -nghttp2 1.50.0 introduces an option to switch off this strict check and -this change enables this option by default which should make curl behave -more similar to how it did with nghttp2 1.48.0 and earlier. - -We might want to consider making this an option in the future. - -Closes #9448 - -Upstream-commit: eafc2b14ac9e40377168b46cab3f1d90c3f32f45 -Signed-off-by: Kamil Dudka ---- - lib/http2.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/lib/http2.c b/lib/http2.c -index f6364d0..3a70528 100644 ---- a/lib/http2.c -+++ b/lib/http2.c -@@ -1258,6 +1258,27 @@ void Curl_http2_done(struct Curl_easy *data, bool premature) - } - } - -+static int client_new(struct connectdata *conn, -+ nghttp2_session_callbacks *callbacks) -+{ -+#if NGHTTP2_VERSION_NUM < 0x013200 -+ /* before 1.50.0 */ -+ return nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); -+#else -+ nghttp2_option *o; -+ int rc = nghttp2_option_new(&o); -+ if(rc) -+ return rc; -+ /* turn off RFC 9113 leading and trailing white spaces validation against -+ HTTP field value. */ -+ nghttp2_option_set_no_rfc9113_leading_and_trailing_ws_validation(o, 1); -+ rc = nghttp2_session_client_new2(&conn->proto.httpc.h2, callbacks, conn, -+ o); -+ nghttp2_option_del(o); -+ return rc; -+#endif -+} -+ - /* - * Initialize nghttp2 for a Curl connection - */ -@@ -1298,7 +1319,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn) - nghttp2_session_callbacks_set_error_callback(callbacks, error_callback); - - /* The nghttp2 session is not yet setup, do it */ -- rc = nghttp2_session_client_new(&conn->proto.httpc.h2, callbacks, conn); -+ rc = client_new(conn, callbacks); - - nghttp2_session_callbacks_del(callbacks); - --- -2.37.3 - diff --git a/0020-curl-7.85.0-CVE-2022-43551.patch b/0020-curl-7.85.0-CVE-2022-43551.patch deleted file mode 100644 index a55f3cc..0000000 --- a/0020-curl-7.85.0-CVE-2022-43551.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 3fe91ee75b9f663b7a303ef14e07e28184d1450c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 19 Dec 2022 08:36:55 +0100
-Subject: [PATCH] http: use the IDN decoded name in HSTS checks
-
-Otherwise it stores the info HSTS into the persistent cache for the IDN
-name which will not match when the HSTS status is later checked for
-using the decoded name.
-
-Reported-by: Hiroki Kurosawa
-
-Closes #10111
-
-Upstream-commit: 9e71901634e276dd050481c4320f046bebb1bc28
-Signed-off-by: Kamil Dudka
----
- lib/http.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/http.c b/lib/http.c
-index b0ad28e..8b18e8d 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
- else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
- (conn->handler->flags & PROTOPT_SSL)) {
- CURLcode check =
-- Curl_hsts_parse(data->hsts, data->state.up.hostname,
-+ Curl_hsts_parse(data->hsts, conn->host.name,
- headp + strlen("Strict-Transport-Security:"));
- if(check)
- infof(data, "Illegal STS header skipped");
---
-2.38.1
-
diff --git a/0021-curl-7.85.0-CVE-2022-43552.patch b/0021-curl-7.85.0-CVE-2022-43552.patch
deleted file mode 100644
index 10b51ef..0000000
--- a/0021-curl-7.85.0-CVE-2022-43552.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 5cdcf1dbd39c64e18a81fc912a36942a3ec87565 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 19 Dec 2022 08:38:37 +0100
-Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done()
-
-It is managed by the generic layer.
-
-Reported-by: Trail of Bits
-
-Closes #10112
-
-Upstream-commit: 4f20188ac644afe174be6005ef4f6ffba232b8b2
-Signed-off-by: Kamil Dudka
----
- lib/smb.c | 14 ++------------
- lib/telnet.c | 3 ---
- 2 files changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/lib/smb.c b/lib/smb.c
-index 039d680..f682c1f 100644
---- a/lib/smb.c
-+++ b/lib/smb.c
-@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
- static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
- static CURLcode smb_do(struct Curl_easy *data, bool *done);
- static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
--static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
-- bool premature);
- static CURLcode smb_disconnect(struct Curl_easy *data,
- struct connectdata *conn, bool dead);
- static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
-@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
- "SMB", /* scheme */
- smb_setup_connection, /* setup_connection */
- smb_do, /* do_it */
-- smb_done, /* done */
-+ ZERO_NULL, /* done */
- ZERO_NULL, /* do_more */
- smb_connect, /* connect_it */
- smb_connection_state, /* connecting */
-@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
- "SMBS", /* scheme */
- smb_setup_connection, /* setup_connection */
- smb_do, /* do_it */
-- smb_done, /* done */
-+ ZERO_NULL, /* done */
- ZERO_NULL, /* do_more */
- smb_connect, /* connect_it */
- smb_connection_state, /* connecting */
-@@ -939,14 +937,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
- return CURLE_OK;
- }
-
--static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
-- bool premature)
--{
-- (void) premature;
-- Curl_safefree(data->req.p.smb);
-- return status;
--}
--
- static CURLcode smb_disconnect(struct Curl_easy *data,
- struct connectdata *conn, bool dead)
- {
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 923c7f8..48cd0d7 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -1246,9 +1246,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
-
- curl_slist_free_all(tn->telnet_vars);
- tn->telnet_vars = NULL;
--
-- Curl_safefree(data->req.p.telnet);
--
- return CURLE_OK;
- }
-
---
-2.38.1
-
diff --git a/0022-curl-7.82.0-CVE-2023-23916.patch b/0022-curl-7.82.0-CVE-2023-23916.patch
deleted file mode 100644
index 07e0ec5..0000000
--- a/0022-curl-7.82.0-CVE-2023-23916.patch
+++ /dev/null
@@ -1,566 +0,0 @@ -From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 1 Dec 2022 09:21:04 +0100 -Subject: [PATCH 1/3] runtests: do CRLF replacements per section only - -The `crlf="yes"` attribute and "hyper mode" are now only applied on a -subset of dedicated sections: data, datacheck, stdout and protocol. - -Updated test 2500 accordingly. - -Also made test1 use crlf="yes" for , mostly because it is -often used as a template test case. Going forward, using this attribute -we should be able to write test cases using linefeeds only and avoid -mixed line ending encodings. - -Follow-up to ca15b7512e8d11 - -Fixes #10009 -Closes #10010 - -Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd -Signed-off-by: Kamil Dudka ---- - tests/FILEFORMAT.md | 22 ++++++++++++++------ - tests/data/test1 | 14 ++++++------- - tests/runtests.pl | 49 +++++++++++++++++++++++++++++++++++++++++---- - 3 files changed, 68 insertions(+), 17 deletions(-) - -diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md -index c1fbc57..dcb5695 100644 ---- a/tests/FILEFORMAT.md -+++ b/tests/FILEFORMAT.md -@@ -188,7 +188,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for - 'hyper mode' to kick in and make line ending checks work for tests. - ## `` - --### `` -+### `` - - data to be sent to the client on its request and later verified that it - arrived safely. Set `nocheck="yes"` to prevent the test script from verifying -@@ -217,12 +217,16 @@ and used as "raw" data. - `nonewline=yes` means that the last byte (the trailing newline character) - should be cut off from the data before sending or comparing it. - -+`crlf=yes` forces *header* newlines to become CRLF even if not written so in -+the source file. Note that this makes runtests.pl parse and "guess" what is a -+header and what is not in order to apply the CRLF line endings appropriately. 
-+ - For FTP file listings, the `` section will be used *only* if you make - sure that there has been a CWD done first to a directory named `test-[num]` - where [num] is the test case number. Otherwise the ftp server can't know from - which test file to load the list content. - --### `` -+### `` - - Send back this contents instead of the one. The num is set by: - -@@ -249,7 +253,7 @@ a connect prefix. - ### `` - Address type and address details as logged by the SOCKS proxy. - --### `` -+### `` - if the data is sent but this is what should be checked afterwards. If - `nonewline=yes` is set, runtests will cut off the trailing newline from the - data before comparing with the one actually received by the client. -@@ -257,7 +261,7 @@ data before comparing with the one actually received by the client. - Use the `mode="text"` attribute if the output is in text mode on platforms - that have a text/binary difference. - --### `` -+### `` - The contents of numbered datacheck sections are appended to the non-numbered - one. - -@@ -540,13 +544,16 @@ changing protocol data such as port numbers or user-agent strings. - One perl op per line that operates on the protocol dump. This is pretty - advanced. Example: `s/^EPRT .*/EPRT stripped/`. - --### `` -+### `` - - the protocol dump curl should transmit, if 'nonewline' is set, we will cut off - the trailing newline of this given data before comparing with the one actually - sent by the client The `` and `` rules are applied before - comparisons are made. - -+`crlf=yes` forces the newlines to become CRLF even if not written so in the -+test. -+ - ### `` - - The protocol dump curl should transmit to a HTTP proxy (when the http-proxy -@@ -563,7 +570,7 @@ have a text/binary difference. - If 'nonewline' is set, we will cut off the trailing newline of this given data - before comparing with the one actually received by the client - --### `` -+### `` - This verifies that this data was passed to stdout. 
- - Use the mode="text" attribute if the output is in text mode on platforms that -@@ -572,6 +579,9 @@ have a text/binary difference. - If 'nonewline' is set, we will cut off the trailing newline of this given data - before comparing with the one actually received by the client - -+`crlf=yes` forces the newlines to become CRLF even if not written so in the -+test. -+ - ### `` - The file's contents must be identical to this after the test is complete. Use - the mode="text" attribute if the output is in text mode on platforms that have -diff --git a/tests/data/test1 b/tests/data/test1 -index f39a08b..700bed8 100644 ---- a/tests/data/test1 -+++ b/tests/data/test1 -@@ -9,7 +9,7 @@ HTTP GET - # - # Server-side - -- -+ - HTTP/1.1 200 OK - Date: Tue, 09 Nov 2010 14:49:00 GMT - Server: test-server/fake -@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER - # - # Verify data after the test has been "shot" - -- --GET /%TESTNUMBER HTTP/1.1 --Host: %HOSTIP:%HTTPPORT --User-Agent: curl/%VERSION --Accept: */* -- -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ - - - -diff --git a/tests/runtests.pl b/tests/runtests.pl -index 72a9989..b12a42d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -3462,7 +3462,13 @@ sub subBase64 { - - my $prevupdate; - sub subNewlines { -- my ($thing) = @_; -+ my ($force, $thing) = @_; -+ -+ if($force) { -+ # enforce CRLF newline -+ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; -+ return; -+ } - - # When curl is built with Hyper, it gets all response headers delivered as - # name/value pairs and curl "invents" the newlines when it saves the -@@ -3476,7 +3482,7 @@ sub subNewlines { - # skip curl error messages - ($$thing !~ /^curl: \(\d+\) /))) { - # enforce CRLF newline -- $$thing =~ s/\x0a/\x0d\x0a/; -+ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; - $prevupdate = 1; - } - else { -@@ -3548,6 +3554,7 @@ sub prepro { - my (@entiretest) = @_; - my $show = 1; - my @out; -+ my $data_crlf; - for my $s 
(@entiretest) { - my $f = $s; - if($s =~ /^ *%if (.*)/) { -@@ -3571,10 +3578,19 @@ sub prepro { - next; - } - if($show) { -+ # The processor does CRLF replacements in the sections if -+ # necessary since those parts might be read by separate servers. -+ if($s =~ /^ */) { -+ if($1 =~ /crlf="yes"/ || $has_hyper) { -+ $data_crlf = 1; -+ } -+ } -+ elsif(($s =~ /^ *<\/data/) && $data_crlf) { -+ $data_crlf = 0; -+ } - subVariables(\$s, $testnum, "%"); - subBase64(\$s); -- subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} || -- $keywords{"HTTPS"})); -+ subNewlines(0, \$s) if($data_crlf); - push @out, $s; - } - } -@@ -3890,6 +3906,11 @@ sub singletest { - # of the datacheck - chomp($replycheckpart[$#replycheckpart]); - } -+ if($replycheckpartattr{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} -+ || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @replycheckpart; -+ } - push(@reply, @replycheckpart); - } - } -@@ -3911,6 +3932,11 @@ sub singletest { - map s/\r\n/\n/g, @reply; - map s/\n/\r\n/g, @reply; - } -+ if($replyattr{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} -+ || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @reply; -+ } - } - - # this is the valid protocol blurb curl should generate -@@ -4366,6 +4392,12 @@ sub singletest { - chomp($validstdout[$#validstdout]); - } - -+ if($hash{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} -+ || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @validstdout; -+ } -+ - $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); - if($res) { - return $errorreturncode; -@@ -4466,6 +4498,10 @@ sub singletest { - } - } - -+ if($hash{'crlf'}) { -+ map subNewlines(1, \$_), @protstrip; -+ } -+ - if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { - logmsg "\n $testnum: protocol FAILED!\n". - " There was no content at all in the file $SERVERIN.\n". 
-@@ -4597,6 +4633,11 @@ sub singletest { - map s/\r\n/\n/g, @outfile; - map s/\n/\r\n/g, @outfile; - } -+ if($hash{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} -+ || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @outfile; -+ } - - my $strip; - for $strip (@stripfile) { --- -2.39.1 - - -From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 27 Dec 2022 11:50:23 +0100 -Subject: [PATCH 2/3] runtests: support crlf="yes" for verify/proxy - -Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0 -Signed-off-by: Kamil Dudka ---- - tests/FILEFORMAT.md | 4 ++-- - tests/runtests.pl | 5 +++++ - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md -index dcb5695..6646793 100644 ---- a/tests/FILEFORMAT.md -+++ b/tests/FILEFORMAT.md -@@ -544,7 +544,7 @@ changing protocol data such as port numbers or user-agent strings. - One perl op per line that operates on the protocol dump. This is pretty - advanced. Example: `s/^EPRT .*/EPRT stripped/`. - --### `` -+### `` - - the protocol dump curl should transmit, if 'nonewline' is set, we will cut off - the trailing newline of this given data before comparing with the one actually -@@ -554,7 +554,7 @@ comparisons are made. - `crlf=yes` forces the newlines to become CRLF even if not written so in the - test. 
- --### `` -+### `` - - The protocol dump curl should transmit to a HTTP proxy (when the http-proxy - server is used), if 'nonewline' is set, we will cut off the trailing newline -diff --git a/tests/runtests.pl b/tests/runtests.pl -index b12a42d..5cdc83d 100755 ---- a/tests/runtests.pl -+++ b/tests/runtests.pl -@@ -4594,6 +4594,11 @@ sub singletest { - } - } - -+ if($hash{'crlf'} || -+ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { -+ map subNewlines(0, \$_), @protstrip; -+ } -+ - $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); - if($res) { - return $errorreturncode; --- -2.39.1 - - -From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Mon, 13 Feb 2023 08:33:09 +0100 -Subject: [PATCH 3/3] content_encoding: do not reset stage counter for each - header - -Test 418 verifies - -Closes #10492 - -Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9 -Signed-off-by: Kamil Dudka ---- - lib/content_encoding.c | 7 +- - lib/urldata.h | 1 + - tests/data/Makefile.inc | 1 + - tests/data/test387 | 2 +- - tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ - 5 files changed, 158 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test418 - -diff --git a/lib/content_encoding.c b/lib/content_encoding.c -index bfc13e2..94344d6 100644 ---- a/lib/content_encoding.c -+++ b/lib/content_encoding.c -@@ -1035,7 +1035,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - const char *enclist, int maybechunked) - { - struct SingleRequest *k = &data->req; -- int counter = 0; - - do { - const char *name; -@@ -1070,9 +1069,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, - if(!encoding) - encoding = &error_encoding; /* Defer error at stack use. 
*/ - -- if(++counter >= MAX_ENCODE_STACK) { -- failf(data, "Reject response due to %u content encodings", -- counter); -+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { -+ failf(data, "Reject response due to more than %u content encodings", -+ MAX_ENCODE_STACK); - return CURLE_BAD_CONTENT_ENCODING; - } - /* Stack the unencoding stage. */ -diff --git a/lib/urldata.h b/lib/urldata.h -index 5b4b34f..8c8c20b 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -708,6 +708,7 @@ struct SingleRequest { - struct dohdata *doh; /* DoH specific data for this request */ - #endif - unsigned char setcookies; -+ unsigned char writer_stack_depth; /* Unencoding stack depth. */ - BIT(header); /* incoming data has HTTP header */ - BIT(content_range); /* set TRUE if Content-Range: was found */ - BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index fb51cd6..86b6f85 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -69,6 +69,7 @@ test392 test393 test394 test395 test396 test397 \ - \ - test400 test401 test402 test403 test404 test405 test406 test407 test408 \ - test409 test410 \ -+ test418 \ - \ - test430 test431 test432 test433 test434 test435 test436 \ - \ -diff --git a/tests/data/test387 b/tests/data/test387 -index 015ec25..644fc7f 100644 ---- a/tests/data/test387 -+++ b/tests/data/test387 -@@ -47,7 +47,7 @@ Accept: */* - 61 - - --curl: (61) Reject response due to 5 content encodings -+curl: (61) Reject response due to more than 5 content encodings - - - -diff --git a/tests/data/test418 b/tests/data/test418 -new file mode 100644 -index 0000000..50e974e ---- /dev/null -+++ b/tests/data/test418 -@@ -0,0 +1,152 @@ -+ -+ -+ -+HTTP -+gzip -+ -+ -+ -+# -+# Server-side -+ -+ -+HTTP/1.1 200 OK -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip 
-+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: 
gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+Transfer-Encoding: gzip -+ -+-foo- -+ -+ -+ -+# -+# Client-side -+ -+ -+http -+ -+ -+Response with multiple Transfer-Encoding headers -+ -+ -+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+ -+GET /%TESTNUMBER HTTP/1.1 -+Host: %HOSTIP:%HTTPPORT -+User-Agent: curl/%VERSION -+Accept: */* -+ -+ -+ -+# CURLE_BAD_CONTENT_ENCODING is 61 -+ -+61 -+ -+ -+curl: (61) Reject response due to more than 5 content encodings -+ -+ -+ --- -2.39.1 - diff --git a/0023-curl-7.87.0-CVE-2023-27533.patch b/0023-curl-7.87.0-CVE-2023-27533.patch deleted file mode 100644 index e8cc257..0000000 --- a/0023-curl-7.87.0-CVE-2023-27533.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-From c9828d86040737a47da862197b5def7ff6b0e3c4 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 6 Mar 2023 12:07:33 +0100
-Subject: [PATCH] telnet: only accept option arguments in ascii
-
-To avoid embedded telnet negotiation commands etc.
-
-Reported-by: Harry Sintonen
-Closes #10728
-
-Upstream-commit: 538b1e79a6e7b0bb829ab4cecc828d32105d0684
-Signed-off-by: Kamil Dudka
----
- lib/telnet.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 22bc81e..baea885 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -768,6 +768,17 @@ static void printsub(struct Curl_easy *data,
- }
- }
-
-+static bool str_is_nonascii(const char *str)
-+{
-+ size_t len = strlen(str);
-+ while(len--) {
-+ if(*str & 0x80)
-+ return TRUE;
-+ str++;
-+ }
-+ return FALSE;
-+}
-+
- static CURLcode check_telnet_options(struct Curl_easy *data)
- {
- struct curl_slist *head;
-@@ -782,6 +793,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
- /* Add the user name as an environment variable if it
- was given on the command line */
- if(data->state.aptr.user) {
-+ if(str_is_nonascii(data->conn->user))
-+ return CURLE_BAD_FUNCTION_ARGUMENT;
- msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
- beg = curl_slist_append(tn->telnet_vars, option_arg);
- if(!beg) {
-@@ -796,6 +809,8 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
- for(head = data->set.telnet_options; head; head = head->next) {
- if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
- option_keyword, option_arg) == 2) {
-+ if(str_is_nonascii(option_arg))
-+ continue;
-
- /* Terminal type */
- if(strcasecompare(option_keyword, "TTYPE")) {
---
-2.39.2
-
diff --git a/0024-curl-7.82.0-CVE-2023-27534.patch b/0024-curl-7.82.0-CVE-2023-27534.patch
deleted file mode 100644
index ec75630..0000000
--- a/0024-curl-7.82.0-CVE-2023-27534.patch
+++ /dev/null
@@ -1,1164 +0,0 @@ -From 47000e434395d7f50b62df7b1183594d1d858f7d Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 16 Oct 2022 18:09:14 +0200 -Subject: [PATCH 1/4] curl_path: return error if given a NULL homedir - -Closes #9740 - -Upstream-commit: 025bad1182ff87facbddd280dd07a0fc26b99f45 -Signed-off-by: Kamil Dudka ---- - lib/curl_path.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/lib/curl_path.c b/lib/curl_path.c -index a1669d1..e69545d 100644 ---- a/lib/curl_path.c -+++ b/lib/curl_path.c -@@ -120,7 +120,8 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) - bool relativePath = false; - static const char WHITESPACE[] = " \t\r\n"; - -- if(!*cp) { -+ DEBUGASSERT(homedir); -+ if(!*cp || !homedir) { - *cpp = NULL; - *path = NULL; - return CURLE_QUOTE_ERROR; --- -2.39.2 - - -From 602badf0069c7d52ff50976e35fa13b8c6b0f4ef Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 30 Oct 2022 17:38:16 +0100 -Subject: [PATCH 2/4] style: use space after comment start and before comment - end - -/* like this */ - -/*not this*/ - -checksrc is updated accordingly - -Closes #9828 - -Upstream-commit: 52cc4a85fd7e5265ba8ff0f08adf4858f6773a11 -Signed-off-by: Kamil Dudka ---- - docs/examples/ephiperfifo.c | 4 +- - docs/examples/usercertinmem.c | 12 +-- - include/curl/curl.h | 10 +-- - include/curl/typecheck-gcc.h | 2 +- - lib/c-hyper.c | 4 +- - lib/curl_path.c | 4 - - lib/curl_rtmp.c | 12 +-- - lib/curl_setup.h | 2 +- - lib/curl_sha256.h | 2 +- - lib/dict.c | 2 +- - lib/file.c | 2 +- - lib/ftp.c | 2 +- - lib/gopher.c | 2 +- - lib/http.c | 4 +- - lib/http_chunks.c | 2 +- - lib/mqtt.c | 4 +- - lib/rtsp.c | 4 +- - lib/rtsp.h | 2 +- - lib/telnet.c | 2 +- - lib/urldata.h | 4 +- - lib/vauth/digest.c | 4 +- - lib/vauth/krb5_sspi.c | 2 +- - lib/vssh/libssh2.c | 4 +- - lib/vtls/schannel.c | 4 +- - lib/vtls/sectransp.c | 2 - - src/tool_cfgable.h | 5 +- - src/tool_getparam.c | 4 +- - tests/libtest/lib1156.c | 2 +- - 
tests/libtest/lib1525.c | 2 +- - tests/libtest/lib1526.c | 2 +- - tests/libtest/lib1527.c | 2 +- - tests/libtest/lib1528.c | 2 +- - tests/libtest/lib1591.c | 2 +- - tests/libtest/lib506.c | 2 +- - tests/libtest/lib557.c | 2 +- - tests/libtest/lib586.c | 2 +- - tests/libtest/stub_gssapi.h | 160 +++++++++++++++++----------------- - tests/server/tftp.h | 2 +- - tests/server/util.c | 2 +- - tests/unit/unit1300.c | 4 +- - 40 files changed, 142 insertions(+), 151 deletions(-) - -diff --git a/docs/examples/ephiperfifo.c b/docs/examples/ephiperfifo.c -index af13169..c496200 100644 ---- a/docs/examples/ephiperfifo.c -+++ b/docs/examples/ephiperfifo.c -@@ -164,7 +164,7 @@ static int multi_timer_cb(CURLM *multi, long timeout_ms, GlobalInfo *g) - memset(&its, 0, sizeof(struct itimerspec)); - } - -- timerfd_settime(g->tfd, /*flags=*/0, &its, NULL); -+ timerfd_settime(g->tfd, /* flags= */0, &its, NULL); - return 0; - } - -@@ -195,7 +195,7 @@ static void check_multi_info(GlobalInfo *g) - } - } - --/* Called by libevent when we get action on a multi socket filedescriptor*/ -+/* Called by libevent when we get action on a multi socket filedescriptor */ - static void event_cb(GlobalInfo *g, int fd, int revents) - { - CURLMcode rc; -diff --git a/docs/examples/usercertinmem.c b/docs/examples/usercertinmem.c -index a31cbfc..ab9f1d5 100644 ---- a/docs/examples/usercertinmem.c -+++ b/docs/examples/usercertinmem.c -@@ -92,7 +92,7 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) - "omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD\n"\ - "-----END CERTIFICATE-----\n"; - --/*replace the XXX with the actual RSA key*/ -+/* replace the XXX with the actual RSA key */ - const char *mykey = - "-----BEGIN RSA PRIVATE KEY-----\n"\ - "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"\ -@@ -131,25 +131,25 @@ static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) - printf("PEM_read_bio_X509 failed...\n"); - } - -- /*tell SSL to use the X509 
certificate*/ -+ /* tell SSL to use the X509 certificate */ - ret = SSL_CTX_use_certificate((SSL_CTX*)sslctx, cert); - if(ret != 1) { - printf("Use certificate failed\n"); - } - -- /*create a bio for the RSA key*/ -+ /* create a bio for the RSA key */ - kbio = BIO_new_mem_buf((char *)mykey, -1); - if(!kbio) { - printf("BIO_new_mem_buf failed\n"); - } - -- /*read the key bio into an RSA object*/ -+ /* read the key bio into an RSA object */ - rsa = PEM_read_bio_RSAPrivateKey(kbio, NULL, 0, NULL); - if(!rsa) { - printf("Failed to create key bio\n"); - } - -- /*tell SSL to use the RSA key from memory*/ -+ /* tell SSL to use the RSA key from memory */ - ret = SSL_CTX_use_RSAPrivateKey((SSL_CTX*)sslctx, rsa); - if(ret != 1) { - printf("Use Key failed\n"); -@@ -190,7 +190,7 @@ int main(void) - curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM"); - - /* both VERIFYPEER and VERIFYHOST are set to 0 in this case because there is -- no CA certificate*/ -+ no CA certificate */ - - curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 0L); - curl_easy_setopt(ch, CURLOPT_SSL_VERIFYHOST, 0L); -diff --git a/include/curl/curl.h b/include/curl/curl.h -index 2e260d5..d74d0cd 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -365,7 +365,7 @@ typedef int (*curl_seek_callback)(void *instream, - #define CURL_READFUNC_PAUSE 0x10000001 - - /* Return code for when the trailing headers' callback has terminated -- without any errors*/ -+ without any errors */ - #define CURL_TRAILERFUNC_OK 0 - /* Return code for when was an error in the trailing header's list and we - want to abort the request */ -@@ -447,7 +447,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); - #define CURL_DID_MEMORY_FUNC_TYPEDEFS - #endif - --/* the kind of data that is passed to information_callback*/ -+/* the kind of data that is passed to information_callback */ - typedef enum { - CURLINFO_TEXT = 0, - CURLINFO_HEADER_IN, /* 1 */ -@@ -693,7 +693,7 @@ typedef enum { - #define CURLOPT_WRITEINFO 
CURLOPT_OBSOLETE40 - #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 - --#endif /*!CURL_NO_OLDIES*/ -+#endif /* !CURL_NO_OLDIES */ - - /* - * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was -@@ -838,7 +838,7 @@ enum curl_khstat { - CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now so - this causes a CURLE_DEFER error but otherwise the - connection will be left intact etc */ -- CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ -+ CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ - CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ - }; - -@@ -916,7 +916,7 @@ typedef enum { - #define CURLFTPSSL_ALL CURLUSESSL_ALL - #define CURLFTPSSL_LAST CURLUSESSL_LAST - #define curl_ftpssl curl_usessl --#endif /*!CURL_NO_OLDIES*/ -+#endif /* !CURL_NO_OLDIES */ - - /* parameter for the CURLOPT_FTP_SSL_CCC option */ - typedef enum { -diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h -index 9e14d8a..f63c481 100644 ---- a/include/curl/typecheck-gcc.h -+++ b/include/curl/typecheck-gcc.h -@@ -431,7 +431,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, - (CURLINFO_OFF_T < (info)) - - --/* typecheck helpers -- check whether given expression has requested type*/ -+/* typecheck helpers -- check whether given expression has requested type */ - - /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, - * otherwise define a new macro. 
Search for __builtin_types_compatible_p -diff --git a/lib/c-hyper.c b/lib/c-hyper.c -index 8015de2..57c5cc8 100644 ---- a/lib/c-hyper.c -+++ b/lib/c-hyper.c -@@ -653,7 +653,7 @@ static int uploadpostfields(void *userdata, hyper_context *ctx, - return HYPER_POLL_ERROR; - } - /* increasing the writebytecount here is a little premature but we -- don't know exactly when the body is sent*/ -+ don't know exactly when the body is sent */ - data->req.writebytecount += (size_t)data->req.p.http->postsize; - Curl_pgrsSetUploadCounter(data, data->req.writebytecount); - data->req.upload_done = TRUE; -@@ -697,7 +697,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, - return HYPER_POLL_ERROR; - } - /* increasing the writebytecount here is a little premature but we -- don't know exactly when the body is sent*/ -+ don't know exactly when the body is sent */ - data->req.writebytecount += fillcount; - Curl_pgrsSetUploadCounter(data, fillcount); - } -diff --git a/lib/curl_path.c b/lib/curl_path.c -index e69545d..8dc9101 100644 ---- a/lib/curl_path.c -+++ b/lib/curl_path.c -@@ -146,15 +146,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) - break; - } - if(cp[i] == '\0') { /* End of string */ -- /*error("Unterminated quote");*/ - goto fail; - } - if(cp[i] == '\\') { /* Escaped characters */ - i++; - if(cp[i] != '\'' && cp[i] != '\"' && - cp[i] != '\\') { -- /*error("Bad escaped character '\\%c'", -- cp[i]);*/ - goto fail; - } - } -@@ -162,7 +159,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) - } - - if(j == 0) { -- /*error("Empty quotes");*/ - goto fail; - } - *cpp = cp + i + strspn(cp + i, WHITESPACE); -diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c -index 2fa0267..8caba76 100644 ---- a/lib/curl_rtmp.c -+++ b/lib/curl_rtmp.c -@@ -83,7 +83,7 @@ const struct Curl_handler Curl_handler_rtmp = { - PORT_RTMP, /* defport */ - CURLPROTO_RTMP, /* protocol */ - CURLPROTO_RTMP, /* family */ -- PROTOPT_NONE /* flags*/ -+ 
PROTOPT_NONE /* flags */ - }; - - const struct Curl_handler Curl_handler_rtmpt = { -@@ -106,7 +106,7 @@ const struct Curl_handler Curl_handler_rtmpt = { - PORT_RTMPT, /* defport */ - CURLPROTO_RTMPT, /* protocol */ - CURLPROTO_RTMPT, /* family */ -- PROTOPT_NONE /* flags*/ -+ PROTOPT_NONE /* flags */ - }; - - const struct Curl_handler Curl_handler_rtmpe = { -@@ -129,7 +129,7 @@ const struct Curl_handler Curl_handler_rtmpe = { - PORT_RTMP, /* defport */ - CURLPROTO_RTMPE, /* protocol */ - CURLPROTO_RTMPE, /* family */ -- PROTOPT_NONE /* flags*/ -+ PROTOPT_NONE /* flags */ - }; - - const struct Curl_handler Curl_handler_rtmpte = { -@@ -152,7 +152,7 @@ const struct Curl_handler Curl_handler_rtmpte = { - PORT_RTMPT, /* defport */ - CURLPROTO_RTMPTE, /* protocol */ - CURLPROTO_RTMPTE, /* family */ -- PROTOPT_NONE /* flags*/ -+ PROTOPT_NONE /* flags */ - }; - - const struct Curl_handler Curl_handler_rtmps = { -@@ -175,7 +175,7 @@ const struct Curl_handler Curl_handler_rtmps = { - PORT_RTMPS, /* defport */ - CURLPROTO_RTMPS, /* protocol */ - CURLPROTO_RTMP, /* family */ -- PROTOPT_NONE /* flags*/ -+ PROTOPT_NONE /* flags */ - }; - - const struct Curl_handler Curl_handler_rtmpts = { -@@ -198,7 +198,7 @@ const struct Curl_handler Curl_handler_rtmpts = { - PORT_RTMPS, /* defport */ - CURLPROTO_RTMPTS, /* protocol */ - CURLPROTO_RTMPT, /* family */ -- PROTOPT_NONE /* flags*/ -+ PROTOPT_NONE /* flags */ - }; - - static CURLcode rtmp_setup_connection(struct Curl_easy *data, -diff --git a/lib/curl_setup.h b/lib/curl_setup.h -index 25c6674..e6696b1 100644 ---- a/lib/curl_setup.h -+++ b/lib/curl_setup.h -@@ -658,7 +658,7 @@ - # define UNUSED_PARAM __attribute__((__unused__)) - # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) - #else --# define UNUSED_PARAM /*NOTHING*/ -+# define UNUSED_PARAM /* NOTHING */ - # define WARN_UNUSED_RESULT - #endif - -diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h -index 2b7890a..68ee7d3 100644 ---- a/lib/curl_sha256.h -+++ 
b/lib/curl_sha256.h -@@ -30,7 +30,7 @@ extern const struct HMAC_params Curl_HMAC_SHA256[1]; - - #ifdef USE_WOLFSSL - /* SHA256_DIGEST_LENGTH is an enum value in wolfSSL. Need to import it from -- * sha.h*/ -+ * sha.h */ - #include - #include - #else -diff --git a/lib/dict.c b/lib/dict.c -index e23e661..f16e53d 100644 ---- a/lib/dict.c -+++ b/lib/dict.c -@@ -317,4 +317,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) - - return CURLE_OK; - } --#endif /*CURL_DISABLE_DICT*/ -+#endif /* CURL_DISABLE_DICT */ -diff --git a/lib/file.c b/lib/file.c -index 3da79a2..97efecb 100644 ---- a/lib/file.c -+++ b/lib/file.c -@@ -311,7 +311,7 @@ static CURLcode file_upload(struct Curl_easy *data) - - nread = readcount; - -- /*skip bytes before resume point*/ -+ /* skip bytes before resume point */ - if(data->state.resume_from) { - if((curl_off_t)nread <= data->state.resume_from) { - data->state.resume_from -= nread; -diff --git a/lib/ftp.c b/lib/ftp.c -index c6efaed..a43eadc 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -1163,7 +1163,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, - port++; - } - -- /* maybe all ports were in use already*/ -+ /* maybe all ports were in use already */ - if(port > port_max) { - failf(data, "bind() failed, we ran out of ports!"); - Curl_closesocket(data, conn, portsock); -diff --git a/lib/gopher.c b/lib/gopher.c -index 0a3ba8f..6227124 100644 ---- a/lib/gopher.c -+++ b/lib/gopher.c -@@ -234,4 +234,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) - Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); - return CURLE_OK; - } --#endif /*CURL_DISABLE_GOPHER*/ -+#endif /* CURL_DISABLE_GOPHER */ -diff --git a/lib/http.c b/lib/http.c -index 04afced..dfed5a0 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -2085,7 +2085,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) - { - const char *ptr; - if(!data->state.this_is_a_follow) { -- /* Free to avoid leaking memory on multiple requests*/ 
-+ /* Free to avoid leaking memory on multiple requests */ - free(data->state.first_host); - - data->state.first_host = strdup(conn->host.name); -@@ -3054,7 +3054,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) - /* continue with HTTP/1.1 when explicitly requested */ - break; - default: -- /* Check if user wants to use HTTP/2 with clear TCP*/ -+ /* Check if user wants to use HTTP/2 with clear TCP */ - #ifdef USE_NGHTTP2 - if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { - #ifndef CURL_DISABLE_PROXY -diff --git a/lib/http_chunks.c b/lib/http_chunks.c -index 7edfd64..913bf8e 100644 ---- a/lib/http_chunks.c -+++ b/lib/http_chunks.c -@@ -112,7 +112,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, - *wrote = 0; /* nothing's written yet */ - - /* the original data is written to the client, but we go on with the -- chunk read process, to properly calculate the content length*/ -+ chunk read process, to properly calculate the content length */ - if(data->set.http_te_skip && !k->ignorebody) { - result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); - if(result) { -diff --git a/lib/mqtt.c b/lib/mqtt.c -index e79bd3b..de8a00b 100644 ---- a/lib/mqtt.c -+++ b/lib/mqtt.c -@@ -240,7 +240,7 @@ static int init_connpack(char *packet, char *remain, int remain_pos) - /* keep-alive 0 = disabled */ - packet[remain_pos + 9] = 0x00; - packet[remain_pos + 10] = 0x3c; -- /*end of variable header*/ -+ /* end of variable header */ - return remain_pos + 10; - } - -@@ -249,7 +249,7 @@ static CURLcode mqtt_connect(struct Curl_easy *data) - CURLcode result = CURLE_OK; - int pos = 0; - int rc = 0; -- /*remain length*/ -+ /* remain length */ - int remain_pos = 0; - char remain[4] = {0}; - size_t packetlen = 0; -diff --git a/lib/rtsp.c b/lib/rtsp.c -index f16e87c..7d41da8 100644 ---- a/lib/rtsp.c -+++ b/lib/rtsp.c -@@ -309,7 +309,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) - break; - case RTSPREQ_RECEIVE: - p_request = ""; -- 
/* Treat interleaved RTP as body*/ -+ /* Treat interleaved RTP as body */ - data->set.opt_no_body = FALSE; - break; - case RTSPREQ_LAST: -@@ -648,7 +648,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, - rtp_length = RTP_PKT_LENGTH(rtp); - - if(rtp_dataleft < rtp_length + 4) { -- /* Need more - incomplete payload*/ -+ /* Need more - incomplete payload */ - *readmore = TRUE; - break; - } -diff --git a/lib/rtsp.h b/lib/rtsp.h -index da11ade..4771afb 100644 ---- a/lib/rtsp.h -+++ b/lib/rtsp.h -@@ -60,7 +60,7 @@ struct RTSP { - * HTTP functions can safely treat this as an HTTP struct, but RTSP aware - * functions can also index into the later elements. - */ -- struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ -+ struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ - - long CSeq_sent; /* CSeq of this request */ - long CSeq_recv; /* CSeq received */ -diff --git a/lib/telnet.c b/lib/telnet.c -index 7e217b6..bcf39bb 100644 ---- a/lib/telnet.c -+++ b/lib/telnet.c -@@ -569,7 +569,7 @@ void rec_do(struct Curl_easy *data, int option) - sendsuboption(data, option); - } - else if(tn->subnegotiation[option] == CURL_YES) { -- /* send information to achieve this option*/ -+ /* send information to achieve this option */ - tn->us[option] = CURL_YES; - send_negotiation(data, CURL_WILL, option); - sendsuboption(data, option); -diff --git a/lib/urldata.h b/lib/urldata.h -index 251651f..94a9684 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -243,7 +243,7 @@ struct ssl_connect_data { - - struct ssl_primary_config { - long version; /* what version the client wants to use */ -- long version_max; /* max supported version the client wants to use*/ -+ long version_max; /* max supported version the client wants to use */ - char *CApath; /* certificate dir (doesn't work on windows) */ - char *CAfile; /* certificate to verify peer against */ - char *issuercert; /* optional issuer certificate filename */ -@@ -282,7 +282,7 @@ struct ssl_config_data { 
- char *key_passwd; /* plain text private key password */ - BIT(certinfo); /* gather lots of certificate info */ - BIT(falsestart); -- BIT(enable_beast); /* allow this flaw for interoperability's sake*/ -+ BIT(enable_beast); /* allow this flaw for interoperability's sake */ - BIT(no_revoke); /* disable SSL certificate revocation checks */ - BIT(no_partialchain); /* don't accept partial certificate chains */ - BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation -diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c -index d461609..8284da5 100644 ---- a/lib/vauth/digest.c -+++ b/lib/vauth/digest.c -@@ -125,7 +125,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, - } - - #if !defined(USE_WINDOWS_SSPI) --/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ -+/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ - static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ - unsigned char *dest) /* 33 bytes */ - { -@@ -134,7 +134,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ - msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); - } - --/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ -+/* Convert sha256 chunk to RFC7616 -suitable ascii string */ - static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ - unsigned char *dest) /* 65 bytes */ - { -diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c -index c652fd7..deb6656 100644 ---- a/lib/vauth/krb5_sspi.c -+++ b/lib/vauth/krb5_sspi.c -@@ -469,4 +469,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) - krb5->token_max = 0; - } - --#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ -+#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ -diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c -index db3967f..bf20607 100644 ---- a/lib/vssh/libssh2.c -+++ b/lib/vssh/libssh2.c -@@ -577,9 +577,9 @@ static CURLcode ssh_knownhost(struct Curl_easy 
*data) - /* remove old host+key that doesn't match */ - if(host) - libssh2_knownhost_del(sshc->kh, host); -- /*FALLTHROUGH*/ -+ /* FALLTHROUGH */ - case CURLKHSTAT_FINE: -- /*FALLTHROUGH*/ -+ /* FALLTHROUGH */ - case CURLKHSTAT_FINE_ADD_TO_FILE: - /* proceed */ - if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { -diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c -index 04c8f3b..581dfae 100644 ---- a/lib/vtls/schannel.c -+++ b/lib/vtls/schannel.c -@@ -203,7 +203,7 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, - return CURLE_OK; - } - --/*longest is 26, buffer is slightly bigger*/ -+/* longest is 26, buffer is slightly bigger */ - #define LONGEST_ALG_ID 32 - #define CIPHEROPTION(X) \ - if(strcmp(#X, tmp) == 0) \ -@@ -226,7 +226,7 @@ get_alg_id_by_name(char *name) - CIPHEROPTION(CALG_MAC); - CIPHEROPTION(CALG_RSA_SIGN); - CIPHEROPTION(CALG_DSS_SIGN); --/*ifdefs for the options that are defined conditionally in wincrypt.h*/ -+/* ifdefs for the options that are defined conditionally in wincrypt.h */ - #ifdef CALG_NO_SIGN - CIPHEROPTION(CALG_NO_SIGN); - #endif -diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c -index b2e1727..ae04133 100644 ---- a/lib/vtls/sectransp.c -+++ b/lib/vtls/sectransp.c -@@ -834,7 +834,6 @@ static OSStatus SocketRead(SSLConnectionRef connection, - size_t bytesToGo = *dataLength; - size_t initLen = bytesToGo; - UInt8 *currData = (UInt8 *)data; -- /*int sock = *(int *)connection;*/ - struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; - struct ssl_backend_data *backend = connssl->backend; - int sock; -@@ -897,7 +896,6 @@ static OSStatus SocketWrite(SSLConnectionRef connection, - size_t *dataLength) /* IN/OUT */ - { - size_t bytesSent = 0; -- /*int sock = *(int *)connection;*/ - struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; - struct ssl_backend_data *backend = connssl->backend; - int sock; -diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h -index 
a06ef60..4f03f36 100644 ---- a/src/tool_cfgable.h -+++ b/src/tool_cfgable.h -@@ -260,11 +260,8 @@ struct OperationConfig { - bool xattr; /* store metadata in extended attributes */ - long gssapi_delegation; - bool ssl_allow_beast; /* allow this SSL vulnerability */ -- bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy*/ -- -+ bool proxy_ssl_allow_beast; /* allow this SSL vulnerability for proxy */ - bool ssl_no_revoke; /* disable SSL certificate revocation checks */ -- /*bool proxy_ssl_no_revoke; */ -- - bool ssl_revoke_best_effort; /* ignore SSL revocation offline/missing - revocation list errors */ - -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 5696439..29e58d0 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -1110,7 +1110,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - /* This specifies the noproxy list */ - GetStr(&config->noproxy, nextarg); - break; -- case '7': /* --socks5-gssapi-nec*/ -+ case '7': /* --socks5-gssapi-nec */ - config->socks5_gssapi_nec = toggle; - break; - case '8': /* --proxy1.0 */ -@@ -1255,7 +1255,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ - config->httpversion = CURL_HTTP_VERSION_2_0; - break; - case '3': /* --http2-prior-knowledge */ -- /* HTTP version 2.0 over clean TCP*/ -+ /* HTTP version 2.0 over clean TCP */ - config->httpversion = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE; - break; - case '4': /* --http3 */ -diff --git a/tests/libtest/lib1156.c b/tests/libtest/lib1156.c -index 21d4e87..27609d2 100644 ---- a/tests/libtest/lib1156.c -+++ b/tests/libtest/lib1156.c -@@ -127,7 +127,7 @@ static int onetest(CURL *curl, const char *url, const struct testparams *p, - } - - /* for debugging: */ --/*#define SINGLETEST 9*/ -+/* #define SINGLETEST 9 */ - - int test(char *URL) - { -diff --git a/tests/libtest/lib1525.c b/tests/libtest/lib1525.c -index a2a4db2..912372f 100644 ---- a/tests/libtest/lib1525.c -+++ b/tests/libtest/lib1525.c -@@ -48,7 
+48,7 @@ int test(char *URL) - { - CURL *curl = NULL; - CURLcode res = CURLE_FAILED_INIT; -- /* http and proxy header list*/ -+ /* http and proxy header list */ - struct curl_slist *hhl = NULL; - - if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { -diff --git a/tests/libtest/lib1526.c b/tests/libtest/lib1526.c -index 37abc61..b287277 100644 ---- a/tests/libtest/lib1526.c -+++ b/tests/libtest/lib1526.c -@@ -46,7 +46,7 @@ int test(char *URL) - { - CURL *curl = NULL; - CURLcode res = CURLE_FAILED_INIT; -- /* http and proxy header list*/ -+ /* http and proxy header list */ - struct curl_slist *hhl = NULL, *phl = NULL, *tmp = NULL; - - if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { -diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c -index 9e0e452..2f7c91b 100644 ---- a/tests/libtest/lib1527.c -+++ b/tests/libtest/lib1527.c -@@ -47,7 +47,7 @@ int test(char *URL) - { - CURL *curl = NULL; - CURLcode res = CURLE_FAILED_INIT; -- /* http header list*/ -+ /* http header list */ - struct curl_slist *hhl = NULL, *tmp = NULL; - - if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { -diff --git a/tests/libtest/lib1528.c b/tests/libtest/lib1528.c -index 98a332c..52dc0a0 100644 ---- a/tests/libtest/lib1528.c -+++ b/tests/libtest/lib1528.c -@@ -28,7 +28,7 @@ int test(char *URL) - { - CURL *curl = NULL; - CURLcode res = CURLE_FAILED_INIT; -- /* http header list*/ -+ /* http header list */ - struct curl_slist *hhl = NULL; - struct curl_slist *phl = NULL; - -diff --git a/tests/libtest/lib1591.c b/tests/libtest/lib1591.c -index 8349b1d..f7149cf 100644 ---- a/tests/libtest/lib1591.c -+++ b/tests/libtest/lib1591.c -@@ -75,7 +75,7 @@ int test(char *URL) - { - CURL *curl = NULL; - CURLcode res = CURLE_FAILED_INIT; -- /* http and proxy header list*/ -+ /* http and proxy header list */ - struct curl_slist *hhl = NULL; - - if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { -diff --git a/tests/libtest/lib506.c b/tests/libtest/lib506.c -index 559e731..acea39a 100644 ---- 
a/tests/libtest/lib506.c -+++ b/tests/libtest/lib506.c -@@ -347,7 +347,7 @@ int test(char *URL) - printf("-----------------\n"); - curl_slist_free_all(cookies); - -- /* try to free share, expect to fail because share is in use*/ -+ /* try to free share, expect to fail because share is in use */ - printf("try SHARE_CLEANUP...\n"); - scode = curl_share_cleanup(share); - if(scode == CURLSHE_OK) { -diff --git a/tests/libtest/lib557.c b/tests/libtest/lib557.c -index c17fab2..8b94fdf 100644 ---- a/tests/libtest/lib557.c -+++ b/tests/libtest/lib557.c -@@ -1494,7 +1494,7 @@ static int test_weird_arguments(void) - "0123456789" /* 10 7 */ - "0123456789" /* 10 8 */ - "0123456789" /* 10 9 */ -- "0123456789" /* 10 10*/ -+ "0123456789" /* 10 10 */ - "0123456789" /* 10 11 */ - "01234567" /* 8 */ - ); -diff --git a/tests/libtest/lib586.c b/tests/libtest/lib586.c -index da63e7c..8d7822d 100644 ---- a/tests/libtest/lib586.c -+++ b/tests/libtest/lib586.c -@@ -215,7 +215,7 @@ int test(char *URL) - printf("PERFORM\n"); - curl_easy_perform(curl); - -- /* try to free share, expect to fail because share is in use*/ -+ /* try to free share, expect to fail because share is in use */ - printf("try SHARE_CLEANUP...\n"); - scode = curl_share_cleanup(share); - if(scode == CURLSHE_OK) { -diff --git a/tests/libtest/stub_gssapi.h b/tests/libtest/stub_gssapi.h -index 5a89102..735630c 100644 ---- a/tests/libtest/stub_gssapi.h -+++ b/tests/libtest/stub_gssapi.h -@@ -98,85 +98,85 @@ typedef struct gss_channel_bindings_struct { - gss_buffer_desc application_data; - } *gss_channel_bindings_t; - --OM_uint32 gss_release_buffer(OM_uint32 * /*minor_status*/, -- gss_buffer_t /*buffer*/); -- --OM_uint32 gss_init_sec_context(OM_uint32 * /*minor_status*/, -- gss_const_cred_id_t /*initiator_cred_handle*/, -- gss_ctx_id_t * /*context_handle*/, -- gss_const_name_t /*target_name*/, -- const gss_OID /*mech_type*/, -- OM_uint32 /*req_flags*/, -- OM_uint32 /*time_req*/, -- const gss_channel_bindings_t 
/*input_chan_bindings*/, -- const gss_buffer_t /*input_token*/, -- gss_OID * /*actual_mech_type*/, -- gss_buffer_t /*output_token*/, -- OM_uint32 * /*ret_flags*/, -- OM_uint32 * /*time_rec*/); -- --OM_uint32 gss_delete_sec_context(OM_uint32 * /*minor_status*/, -- gss_ctx_id_t * /*context_handle*/, -- gss_buffer_t /*output_token*/); -- --OM_uint32 gss_inquire_context(OM_uint32 * /*minor_status*/, -- gss_const_ctx_id_t /*context_handle*/, -- gss_name_t * /*src_name*/, -- gss_name_t * /*targ_name*/, -- OM_uint32 * /*lifetime_rec*/, -- gss_OID * /*mech_type*/, -- OM_uint32 * /*ctx_flags*/, -- int * /*locally_initiated*/, -- int * /*open_context*/); -- --OM_uint32 gss_wrap(OM_uint32 * /*minor_status*/, -- gss_const_ctx_id_t /*context_handle*/, -- int /*conf_req_flag*/, -- gss_qop_t /*qop_req*/, -- const gss_buffer_t /*input_message_buffer*/, -- int * /*conf_state*/, -- gss_buffer_t /*output_message_buffer*/); -- --OM_uint32 gss_unwrap(OM_uint32 * /*minor_status*/, -- gss_const_ctx_id_t /*context_handle*/, -- const gss_buffer_t /*input_message_buffer*/, -- gss_buffer_t /*output_message_buffer*/, -- int * /*conf_state*/, -- gss_qop_t * /*qop_state*/); -- --OM_uint32 gss_seal(OM_uint32 * /*minor_status*/, -- gss_ctx_id_t /*context_handle*/, -- int /*conf_req_flag*/, -- int /*qop_req*/, -- gss_buffer_t /*input_message_buffer*/, -- int * /*conf_state*/, -- gss_buffer_t /*output_message_buffer*/); -- --OM_uint32 gss_unseal(OM_uint32 * /*minor_status*/, -- gss_ctx_id_t /*context_handle*/, -- gss_buffer_t /*input_message_buffer*/, -- gss_buffer_t /*output_message_buffer*/, -- int * /*conf_state*/, -- int * /*qop_state*/); -- --OM_uint32 gss_import_name(OM_uint32 * /*minor_status*/, -- const gss_buffer_t /*input_name_buffer*/, -- const gss_OID /*input_name_type*/, -- gss_name_t * /*output_name*/); -- --OM_uint32 gss_release_name(OM_uint32 * /*minor_status*/, -- gss_name_t * /*input_name*/); -- --OM_uint32 gss_display_name(OM_uint32 * /*minor_status*/, -- gss_const_name_t 
/*input_name*/, -- gss_buffer_t /*output_name_buffer*/, -- gss_OID * /*output_name_type*/); -- --OM_uint32 gss_display_status(OM_uint32 * /*minor_status*/, -- OM_uint32 /*status_value*/, -- int /*status_type*/, -- const gss_OID /*mech_type*/, -- OM_uint32 * /*message_context*/, -- gss_buffer_t /*status_string*/); -+OM_uint32 gss_release_buffer(OM_uint32 * /* minor_status */, -+ gss_buffer_t /* buffer */); -+ -+OM_uint32 gss_init_sec_context(OM_uint32 * /* minor_status */, -+ gss_const_cred_id_t /* initiator_cred_handle */, -+ gss_ctx_id_t * /* context_handle */, -+ gss_const_name_t /* target_name */, -+ const gss_OID /* mech_type */, -+ OM_uint32 /* req_flags */, -+ OM_uint32 /* time_req */, -+ const gss_channel_bindings_t /* input_chan_bindings */, -+ const gss_buffer_t /* input_token */, -+ gss_OID * /* actual_mech_type */, -+ gss_buffer_t /* output_token */, -+ OM_uint32 * /* ret_flags */, -+ OM_uint32 * /* time_rec */); -+ -+OM_uint32 gss_delete_sec_context(OM_uint32 * /* minor_status */, -+ gss_ctx_id_t * /* context_handle */, -+ gss_buffer_t /* output_token */); -+ -+OM_uint32 gss_inquire_context(OM_uint32 * /* minor_status */, -+ gss_const_ctx_id_t /* context_handle */, -+ gss_name_t * /* src_name */, -+ gss_name_t * /* targ_name */, -+ OM_uint32 * /* lifetime_rec */, -+ gss_OID * /* mech_type */, -+ OM_uint32 * /* ctx_flags */, -+ int * /* locally_initiated */, -+ int * /* open_context */); -+ -+OM_uint32 gss_wrap(OM_uint32 * /* minor_status */, -+ gss_const_ctx_id_t /* context_handle */, -+ int /* conf_req_flag */, -+ gss_qop_t /* qop_req */, -+ const gss_buffer_t /* input_message_buffer */, -+ int * /* conf_state */, -+ gss_buffer_t /* output_message_buffer */); -+ -+OM_uint32 gss_unwrap(OM_uint32 * /* minor_status */, -+ gss_const_ctx_id_t /* context_handle */, -+ const gss_buffer_t /* input_message_buffer */, -+ gss_buffer_t /* output_message_buffer */, -+ int * /* conf_state */, -+ gss_qop_t * /* qop_state */); -+ -+OM_uint32 gss_seal(OM_uint32 * /* 
minor_status */, -+ gss_ctx_id_t /* context_handle n */, -+ int /* conf_req_flag */, -+ int /* qop_req */, -+ gss_buffer_t /* input_message_buffer */, -+ int * /* conf_state */, -+ gss_buffer_t /* output_message_buffer */); -+ -+OM_uint32 gss_unseal(OM_uint32 * /* minor_status */, -+ gss_ctx_id_t /* context_handle */, -+ gss_buffer_t /* input_message_buffer */, -+ gss_buffer_t /* output_message_buffer */, -+ int * /* conf_state */, -+ int * /* qop_state */); -+ -+OM_uint32 gss_import_name(OM_uint32 * /* minor_status */, -+ const gss_buffer_t /* input_name_buffer */, -+ const gss_OID /* input_name_type */, -+ gss_name_t * /* output_name */); -+ -+OM_uint32 gss_release_name(OM_uint32 * /* minor_status */, -+ gss_name_t * /* input_name */); -+ -+OM_uint32 gss_display_name(OM_uint32 * /* minor_status */, -+ gss_const_name_t /* input_name */, -+ gss_buffer_t /* output_name_buffer */, -+ gss_OID * /* output_name_type */); -+ -+OM_uint32 gss_display_status(OM_uint32 * /* minor_status */, -+ OM_uint32 /* status_value */, -+ int /* status_type */, -+ const gss_OID /* mech_type */, -+ OM_uint32 * /* message_context */, -+ gss_buffer_t /* status_string */); - - #endif /* HEADER_CURL_GSSAPI_STUBS_H */ -diff --git a/tests/server/tftp.h b/tests/server/tftp.h -index 5699672..ab59575 100644 ---- a/tests/server/tftp.h -+++ b/tests/server/tftp.h -@@ -32,7 +32,7 @@ - ((__GNUC__ == 2) && defined(__GNUC_MINOR__) && (__GNUC_MINOR__ >= 7))) - # define PACKED_STRUCT __attribute__((__packed__)) - #else --# define PACKED_STRUCT /*NOTHING*/ -+# define PACKED_STRUCT /* NOTHING */ - #endif - - /* Using a packed struct as binary in a program is begging for problems, but -diff --git a/tests/server/util.c b/tests/server/util.c -index cfa8be2..692b20a 100644 ---- a/tests/server/util.c -+++ b/tests/server/util.c -@@ -65,7 +65,7 @@ - ((__W32API_MAJOR_VERSION == 3) && (__W32API_MINOR_VERSION < 6)) - const struct in6_addr in6addr_any = {{ IN6ADDR_ANY_INIT }}; - #endif /* w32api < 3.6 */ --#endif /* 
ENABLE_IPV6 && __MINGW32__*/ -+#endif /* ENABLE_IPV6 && __MINGW32__ */ - - static struct timeval tvnow(void); - -diff --git a/tests/unit/unit1300.c b/tests/unit/unit1300.c -index aba068a..936c77e 100644 ---- a/tests/unit/unit1300.c -+++ b/tests/unit/unit1300.c -@@ -91,10 +91,10 @@ UNITTEST_START - - fail_unless(Curl_llist_count(&llist) == 1, - "List size should be 1 after adding a new element"); -- /*test that the list head data holds my unusedData */ -+ /* test that the list head data holds my unusedData */ - fail_unless(llist.head->ptr == &unusedData_case1, - "head ptr should be first entry"); -- /*same goes for the list tail */ -+ /* same goes for the list tail */ - fail_unless(llist.tail == llist.head, - "tail and head should be the same"); - --- -2.39.2 - - -From 3823dc906acf117e19c9b6a1c995f3a095f79011 Mon Sep 17 00:00:00 2001 -From: Eric Vigeant -Date: Wed, 2 Nov 2022 11:47:09 -0400 -Subject: [PATCH 3/4] cur_path: do not add '/' if homedir ends with one - -When using SFTP and a path relative to the user home, do not add a -trailing '/' to the user home dir if it already ends with one. 
- -Closes #9844 - -Upstream-commit: 6c51adeb71da076c5c40a45e339e06bb4394a86b -Signed-off-by: Kamil Dudka ---- - lib/curl_path.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/lib/curl_path.c b/lib/curl_path.c -index 8dc9101..9eafbab 100644 ---- a/lib/curl_path.c -+++ b/lib/curl_path.c -@@ -69,10 +69,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, - /* It is referenced to the home directory, so strip the - leading '/' */ - memcpy(real_path, homedir, homelen); -- real_path[homelen] = '/'; -- real_path[homelen + 1] = '\0'; -+ /* Only add a trailing '/' if homedir does not end with one */ -+ if(homelen == 0 || real_path[homelen - 1] != '/') { -+ real_path[homelen] = '/'; -+ homelen++; -+ real_path[homelen] = '\0'; -+ } - if(working_path_len > 3) { -- memcpy(real_path + homelen + 1, working_path + 3, -+ memcpy(real_path + homelen, working_path + 3, - 1 + working_path_len -3); - } - } --- -2.39.2 - - -From 04879b844a5b554ddf73243cafcc221a0b71363f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 9 Mar 2023 16:22:11 +0100 -Subject: [PATCH 4/4] curl_path: create the new path with dynbuf - -Closes #10729 - -Upstream-commit: 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 -Signed-off-by: Kamil Dudka ---- - lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- - 1 file changed, 35 insertions(+), 40 deletions(-) - -diff --git a/lib/curl_path.c b/lib/curl_path.c -index 9eafbab..038f691 100644 ---- a/lib/curl_path.c -+++ b/lib/curl_path.c -@@ -30,70 +30,65 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct Curl_easy *data, - char *homedir, /* when SFTP is used */ - char **path) /* returns the allocated - real path to work with */ - { -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - 
Curl_urldecode(data->state.up.path, 0, &working_path, - &working_path_len, REJECT_ZERO); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(data->conn->handler->protocol & CURLPROTO_SCP) { -- real_path = malloc(working_path_len + 1); -- if(!real_path) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+ /* It is referenced to the home directory, so strip the leading '/~/' */ -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { - free(working_path); - return CURLE_OUT_OF_MEMORY; - } -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) -- /* It is referenced to the home directory, so strip the leading '/~/' */ -- memcpy(real_path, working_path + 3, working_path_len - 2); -- else -- memcpy(real_path, working_path, 1 + working_path_len); - } -- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { -- if((working_path_len > 1) && (working_path[1] == '~')) { -- size_t homelen = strlen(homedir); -- real_path = malloc(homelen + working_path_len + 1); -- if(!real_path) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- /* It is referenced to the home directory, so strip the -- leading '/' */ -- memcpy(real_path, homedir, homelen); -- /* Only add a trailing '/' if homedir does not end with one */ -- if(homelen == 0 || real_path[homelen - 1] != '/') { -- real_path[homelen] = '/'; -- homelen++; -- real_path[homelen] = '\0'; -- } -- if(working_path_len > 3) { -- memcpy(real_path + homelen, working_path + 3, -- 1 + working_path_len -3); -- } -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { -+ size_t len; -+ const char *p; -+ int copyfrom = 3; -+ if(Curl_dyn_add(&npath, homedir)) { -+ free(working_path); -+ return 
CURLE_OUT_OF_MEMORY; - } -- else { -- real_path = malloc(working_path_len + 1); -- if(!real_path) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- memcpy(real_path, working_path, 1 + working_path_len); -+ /* Copy a separating '/' if homedir does not end with one */ -+ len = Curl_dyn_len(&npath); -+ p = Curl_dyn_ptr(&npath); -+ if(len && (p[len-1] != '/')) -+ copyfrom = 2; -+ -+ if(Curl_dyn_addn(&npath, -+ &working_path[copyfrom], working_path_len - copyfrom)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } - } - -- free(working_path); -+ if(Curl_dyn_len(&npath)) { -+ free(working_path); - -- /* store the pointer for the caller to receive */ -- *path = real_path; -+ /* store the pointer for the caller to receive */ -+ *path = Curl_dyn_ptr(&npath); -+ } -+ else -+ *path = working_path; - - return CURLE_OK; - } --- -2.39.2 - diff --git a/0025-curl-7.82.0-CVE-2023-27535.patch b/0025-curl-7.82.0-CVE-2023-27535.patch deleted file mode 100644 index a92ca57..0000000 --- a/0025-curl-7.82.0-CVE-2023-27535.patch +++ /dev/null 
@@ -1,237 +0,0 @@
-From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 6 Oct 2022 00:49:10 +0200
-Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
-
-This is a strcmp() alternative function for comparing "secrets",
-designed to take the same time no matter the content to not leak
-match/non-match info to observers based on how fast it is.
-
-The time this function takes is only a function of the shortest input
-string.
-
-Reported-by: Trail of Bits
-
-Closes #9658
-
-Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
-Signed-off-by: Kamil Dudka
----
- lib/strcase.c | 22 ++++++++++++++++++++++
- lib/strcase.h | 1 +
- 2 files changed, 23 insertions(+)
-
-diff --git a/lib/strcase.c b/lib/strcase.c
-index f932485..c73907d 100644
---- a/lib/strcase.c
-+++ b/lib/strcase.c
-@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b)
- return !a && !b;
- }
-
-+/*
-+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
-+ * function spends is a function of the shortest string, not of the contents.
-+ */
-+int Curl_timestrcmp(const char *a, const char *b)
-+{
-+ int match = 0;
-+ int i = 0;
-+
-+ if(a && b) {
-+ while(1) {
-+ match |= a[i]^b[i];
-+ if(!a[i] || !b[i])
-+ break;
-+ i++;
-+ }
-+ }
-+ else
-+ return a || b;
-+ return match;
-+}
-+
- /* --- public functions --- */
-
- int curl_strequal(const char *first, const char *second)
-diff --git a/lib/strcase.h b/lib/strcase.h
-index d245929..11a67a1 100644
---- a/lib/strcase.h
-+++ b/lib/strcase.h
-@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
- void Curl_strntolower(char *dest, const char *src, size_t n);
-
- bool Curl_safecmp(char *a, char *b);
-+int Curl_timestrcmp(const char *first, const char *second);
-
- #endif /* HEADER_CURL_STRCASE_H */
---
-2.39.2
-
-
-From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 9 Mar 2023 17:47:06 +0100
-Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
-
-Reported-by: Harry Sintonen
-Closes #10730
-
-Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
-Signed-off-by: Kamil Dudka
----
- lib/ftp.c | 28 ++++++++++++++++++++++++++--
- lib/ftp.h | 5 +++++
- lib/setopt.c | 2 +-
- lib/url.c | 16 +++++++++++++++-
- lib/urldata.h | 4 ++--
- 5 files changed, 49 insertions(+), 6 deletions(-)
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 9442832..df15bc0 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
- }
-
- freedirs(ftpc);
-+ Curl_safefree(ftpc->account);
-+ Curl_safefree(ftpc->alternative_to_user);
- Curl_safefree(ftpc->prevpath);
- Curl_safefree(ftpc->server_os);
- Curl_pp_disconnect(pp);
-@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
- {
- char *type;
- struct FTP *ftp;
-+ struct ftp_conn *ftpc = &conn->proto.ftpc;
-
-- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
-+ ftp = calloc(sizeof(struct FTP), 1);
- if(!ftp)
- return CURLE_OUT_OF_MEMORY;
-
-+ /*
clone connection related data that is FTP specific */
-+ if(data->set.str[STRING_FTP_ACCOUNT]) {
-+ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
-+ if(!ftpc->account) {
-+ free(ftp);
-+ return CURLE_OUT_OF_MEMORY;
-+ }
-+ }
-+ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
-+ ftpc->alternative_to_user =
-+ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
-+ if(!ftpc->alternative_to_user) {
-+ Curl_safefree(ftpc->account);
-+ free(ftp);
-+ return CURLE_OUT_OF_MEMORY;
-+ }
-+ }
-+ data->req.p.ftp = ftp;
-+
- ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
-
- /* FTP URLs support an extension like ";type=" that
-@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
- /* get some initial data into the ftp struct */
- ftp->transfer = PPTRANSFER_BODY;
- ftp->downloadsize = 0;
-- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
-+ ftpc->known_filesize = -1; /* unknown size for now */
-+ ftpc->use_ssl = data->set.use_ssl;
-+ ftpc->ccc = data->set.ftp_ccc;
-
- return CURLE_OK;
- }
-diff --git a/lib/ftp.h b/lib/ftp.h
-index 7f6f432..3f33e27 100644
---- a/lib/ftp.h
-+++ b/lib/ftp.h
-@@ -115,6 +115,8 @@ struct FTP {
- struct */
- struct ftp_conn {
- struct pingpong pp;
-+ char *account;
-+ char *alternative_to_user;
- char *entrypath; /* the PWD reply when we logged on */
- char *file; /* url-decoded file name (or path) */
- char **dirs; /* realloc()ed array for path components */
-@@ -144,6 +146,9 @@ struct ftp_conn {
- ftpstate state; /* always use ftp.c:state() to change state! */
- ftpstate state_saved; /* transfer type saved to be reloaded after
- data connection is established */
-+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
-+ IMAP or POP3 or others!
(type: curl_usessl)*/ -+ unsigned char ccc; /* ccc level for this connection */ - curl_off_t retr_size_saved; /* Size of retrieved file saved */ - char *server_os; /* The target server operating system. */ - curl_off_t known_filesize; /* file size is different from -1, if wildcard -diff --git a/lib/setopt.c b/lib/setopt.c -index 3339a67..6fc111d 100644 ---- a/lib/setopt.c -+++ b/lib/setopt.c -@@ -2290,7 +2290,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) - arg = va_arg(param, long); - if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) - return CURLE_BAD_FUNCTION_ARGUMENT; -- data->set.use_ssl = (curl_usessl)arg; -+ data->set.use_ssl = (unsigned char)arg; - break; - - case CURLOPT_SSL_OPTIONS: -diff --git a/lib/url.c b/lib/url.c -index 61ba832..4e21838 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1353,10 +1353,24 @@ ConnectionExists(struct Curl_easy *data, - (data->state.httpwant < CURL_HTTP_VERSION_2_0)) - continue; - -- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+#ifdef USE_SSH -+ else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { - if(!ssh_config_matches(needle, check)) - continue; - } -+#endif -+#ifndef CURL_DISABLE_FTP -+ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { -+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ -+ if(Curl_timestrcmp(needle->proto.ftpc.account, -+ check->proto.ftpc.account) || -+ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, -+ check->proto.ftpc.alternative_to_user) || -+ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || -+ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) -+ continue; -+ } -+#endif - - if((needle->handler->flags&PROTOPT_SSL) - #ifndef CURL_DISABLE_PROXY -diff --git a/lib/urldata.h b/lib/urldata.h -index 9d9ca92..4e2f5b9 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1746,8 +1746,6 @@ struct UserDefined { - enum CURL_NETRC_OPTION - use_netrc; /* defined in 
include/curl.h */ - #endif -- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or -- IMAP or POP3 or others! */ - long new_file_perms; /* Permissions to use when creating remote files */ - long new_directory_perms; /* Permissions to use when creating remote dirs */ - long ssh_auth_types; /* allowed SSH auth types */ -@@ -1793,6 +1791,8 @@ struct UserDefined { - CURLU *uh; /* URL handle for the current parsed URL */ - void *trailer_data; /* pointer to pass to trailer data callback */ - curl_trailer_callback trailer_callback; /* trailing data callback */ -+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or -+ IMAP or POP3 or others! (type: curl_usessl)*/ - BIT(is_fread_set); /* has read callback been set to non-NULL? */ - BIT(is_fwrite_set); /* has write callback been set to non-NULL? */ - BIT(free_referer); /* set TRUE if 'referer' points to a string we --- -2.39.2 - diff --git a/0026-curl-7.82.0-CVE-2023-27536.patch b/0026-curl-7.82.0-CVE-2023-27536.patch deleted file mode 100644 index db88a1c..0000000 --- a/0026-curl-7.82.0-CVE-2023-27536.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Fri, 10 Mar 2023 09:22:43 +0100
-Subject: [PATCH] url: only reuse connections with same GSS delegation
-
-Reported-by: Harry Sintonen
-Closes #10731
-
-Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
-Signed-off-by: Kamil Dudka
----
- lib/url.c | 6 ++++++
- lib/urldata.h | 1 +
- 2 files changed, 7 insertions(+)
-
-diff --git a/lib/url.c b/lib/url.c
-index 3b11b7e..cbbc7f3 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1346,6 +1346,11 @@ ConnectionExists(struct Curl_easy *data,
- }
- }
-
-+ /* GSS delegation differences do not actually affect every connection
-+ and auth method, but this check takes precaution before efficiency */
-+ if(needle->gssapi_delegation != check->gssapi_delegation)
-+ continue;
-+
- /* If multiplexing isn't enabled on the h2 connection and h1 is
- explicitly requested, handle it: */
- if((needle->handler->protocol & PROTO_FAMILY_HTTP) &&
-@@ -1817,6 +1822,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
- conn->fclosesocket = data->set.fclosesocket;
- conn->closesocket_client = data->set.closesocket_client;
- conn->lastused = Curl_now(); /* used now */
-+ conn->gssapi_delegation = data->set.gssapi_delegation;
-
- return conn;
- error:
-diff --git a/lib/urldata.h b/lib/urldata.h
-index ce90304..9e16f26 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -989,6 +989,7 @@ struct connectdata {
- char *sasl_authzid; /* authorisation identity string, allocated */
- char *oauth_bearer; /* OAUTH2 bearer, allocated */
- unsigned char httpversion; /* the HTTP version*10 reported by the server */
-+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
- struct curltime now; /* "current" time */
- struct curltime created; /* creation time */
- struct curltime lastused; /* when returned to the connection cache */
---
-2.39.2
-
diff --git a/0028-curl-7.87.0-CVE-2023-27538.patch b/0028-curl-7.87.0-CVE-2023-27538.patch deleted file mode 100644 index c538b22..0000000 --- a/0028-curl-7.87.0-CVE-2023-27538.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 133e25afe4b8961b9c12334ee0bd3374db9a1fd4 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Fri, 10 Mar 2023 08:22:51 +0100 -Subject: [PATCH] url: fix the SSH connection reuse check - -Reported-by: Harry Sintonen -Closes #10735 - -Upstream-commit: af369db4d3833272b8ed443f7fcc2e757a0872eb -Signed-off-by: Kamil Dudka ---- - lib/url.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/url.c b/lib/url.c -index 0c31486..3b11b7e 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1359,7 +1359,7 @@ ConnectionExists(struct Curl_easy *data, - continue; - - #ifdef USE_SSH -- else if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { -+ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { - if(!ssh_config_matches(needle, check)) - continue; - } --- -2.39.2 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index 46c8986..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,84 +1,85 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -76,7 +76,7 @@ while test $# -gt 0; do - ;; +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo 'gcc' + ;; - --prefix) -@@ -155,32 +155,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " +- else +- curllibdir='' +- fi +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo "${curllibdir}-lcurl" +- fi ++ echo '-lcurl' + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo 'curl was built with static libraries disabled' >&2 ++ exit 1 + ;; - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -70,7 +70,9 @@ no, one or several names. 
If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index 12ad245b79..fa0e03d273 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` + + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. - .IP "--vernum" + + ## `--version` + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" @@ -87,5 +88,5 @@ index 2ba9c39..f8f8b00 100644 Name: libcurl URL: https://curl.se/ -- -2.26.2 +2.52.0 diff --git a/curl-7.82.0.tar.xz.asc b/curl-7.82.0.tar.xz.asc deleted file mode 100644 index 507084c..0000000 --- a/curl-7.82.0.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
-EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
-Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
-DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
-AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
-yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
-m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
-=/k1v
------END PGP SIGNATURE-----
diff --git a/curl.rpmlintrc b/curl.rpmlintrc
new file mode 100644
index 0000000..022a98e
--- /dev/null
+++ b/curl.rpmlintrc
@@ -0,0 +1,15 @@
+# Intentional stuff we're not concerned about
+addFilter("unversioned-explicit-provides webclient")
+addFilter("package-with-huge-docs")
+addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
+
+# This is just plain wrong (%_configure redefinition)
+addFilter("configure-without-libdir-spec")
+
+# Technical term
+addFilter("E: spelling-error \('kerberos',")
+
+# Artefacts of RemovePathPostfixes: .minimal
+addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
+#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
+#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")
diff --git a/curl.spec b/curl.spec
index a7c4423..c0ad4db 100644
--- a/curl.spec
+++ b/curl.spec
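Review bot: The `crypto-policy-non-compliance-openssl` filter for `libcurl.so.4` in the new curl.rpmlintrc sits under "Intentional stuff we're not concerned about" with no reason given, so a later reader cannot tell whether the crypto-policy finding was assessed or only silenced. The other groups in the file explain themselves ("Technical term", "Artefacts of RemovePathPostfixes"); this filter deserves its own one-line rationale directly above it. Something like `# libcurl overrides the cipher list only when the application requests it; the system crypto policy applies otherwise` would do, provided that is in fact the justification.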
@@ -1,102 +1,45 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.82.0 -Release: 14%{?dist} -License: MIT -Source0: https://curl.se/download/%{name}-%{version}.tar.xz -Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc +Version: 8.18.0 +Release: 1%{?dist} +License: curl +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc # The curl download page ( https://curl.se/download.html ) links # to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, # which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc Source2: mykey.asc -# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure -Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch - -# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) -Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch - -# fix bad local IPv6 connection reuse (CVE-2022-27775) -Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch - -# fix auth/cookie leak on redirect (CVE-2022-27776) -Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch - -# fix credential leak on redirect (CVE-2022-27774) -Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch - -# reject percent-encoded path separator in URL host (CVE-2022-27780) -Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch - -# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) -Patch7: 
0007-curl-7.82.0-CVE-2022-30115.patch - -# do not accept cookies for TLD with trailing dot (CVE-2022-27779) -Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch - -# fix too eager reuse of TLS and SSH connections (CVE-2022-27782) -Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch - -# fix FTP-KRB bad message verification (CVE-2022-32208) -Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch - -# fix HTTP compression denial of service (CVE-2022-32206) -Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch - -# fix Set-Cookie denial of service (CVE-2022-32205) -Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch - -# fix unpreserved file permissions (CVE-2022-32207) -Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch - -# control code in cookie denial of service (CVE-2022-35252) -Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch - -# fix POST following PUT confusion (CVE-2022-32221) -Patch15: 0015-curl-7.82.0-CVE-2022-32221.patch - -# netrc: replace fgets with Curl_get_line (CVE-2022-35260) -Patch16: 0016-curl-7.82.0-CVE-2022-35260.patch - -# http_proxy: restore the protocol pointer on error (CVE-2022-42915) -Patch17: 0017-curl-7.82.0-CVE-2022-42915.patch - -# url: use IDN decoded names for HSTS checks (CVE-2022-42916) -Patch18: 0018-curl-7.82.0-CVE-2022-42916.patch - -# http2: make nghttp2 less picky about field whitespace (#2144277) -Patch19: 0019-curl-7.82.0-http2-whitespace.patch - -# http: use the IDN decoded name in HSTS checks (CVE-2022-43551) -Patch20: 0020-curl-7.85.0-CVE-2022-43551.patch - -# smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) -Patch21: 0021-curl-7.85.0-CVE-2022-43552.patch - -# fix HTTP multi-header compression denial of service (CVE-2023-23916) -Patch22: 0022-curl-7.82.0-CVE-2023-23916.patch - -# fix TELNET option IAC injection (CVE-2023-27533) -Patch23: 0023-curl-7.87.0-CVE-2023-27533.patch - -# fix SFTP path ~ resolving discrepancy (CVE-2023-27534) -Patch24: 0024-curl-7.82.0-CVE-2023-27534.patch - -# fix FTP too eager connection reuse 
(CVE-2023-27535) -Patch25: 0025-curl-7.82.0-CVE-2023-27535.patch - -# fix GSS delegation too eager connection re-use (CVE-2023-27536) -Patch26: 0026-curl-7.82.0-CVE-2023-27536.patch - -# fix SSH connection too eager reuse still (CVE-2023-27538) -Patch28: 0028-curl-7.87.0-CVE-2023-27538.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient URL: https://curl.se/ + +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils @@ -105,14 +48,24 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig BuildRequires: python-unversioned-command 
@@ -132,6 +85,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils @@ -142,6 +98,9 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) +BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) BuildRequires: perl(Digest::SHA) @@ -149,10 +108,15 @@ BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) %if 0%{?fedora} 
@@ -171,18 +135,27 @@ BuildRequires: valgrind %endif # stunnel is used by upstream tests but it does not seem to work reliably -# on s390x and occasionally breaks some tests (mainly 1561 and 1562) -%ifnarch s390x +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x BuildRequires: stunnel %endif # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + # require at least the version of libnghttp2 that we were built against, # to ensure that we have the necessary symbols available (#2144277) %global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) 
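Review bot: Extending the guard to `%ifnarch aarch64 s390x` removes stunnel from the aarch64 build root, and the tests that need a TLS-wrapped test server are then presumably skipped on that architecture rather than run. That reduces coverage of the TLS code paths on aarch64 with nothing recorded about the failure that motivated it; the comment still only says stunnel "does not seem to work reliably". A tracking reference in the comment would let someone re-enable it later, e.g. `# on aarch64/s390x (#<bug-id>) and occasionally breaks some tests (mainly 1561 and 1562)`, with the real bug number filled in.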
@@ -191,6 +164,10 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) # (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) @@ -207,8 +184,14 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} 
@@ -234,21 +217,6 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} 
@@ -268,66 +236,16 @@ be installed. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' -%setup -q +%autosetup -n %{name}-%{version_no_tilde} -p1 -# upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch28 -p1 - -# Fedora patches -%patch101 -p1 - -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# disable tests 320..322 on ppc64le where it started to hang/fail -%ifarch ppc64le -printf "320\n321\n322\n" >> tests/data/DISABLED -%endif - -# temporarily disable flaky tests 582 and 1452 (client times out) -printf "582\n1452\n" >> tests/data/DISABLED - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED -%endif - -# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself) -%ifarch x86_64 -printf "3000\n3001\n" >> tests/data/DISABLED +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c %endif # adapt test 323 for updated OpenSSL 
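Review bot: The `sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|'` edit of `tests/libtest/lib3026.c` exits successfully even when the pattern no longer matches, so an upstream change to that define would silently bring back the i386 `pthread_create()` failure the comment describes. Adding `grep -q 'NUM_THREADS 256$' tests/libtest/lib3026.c` after it, inside the same `%ifarch %{ix86}` block, would make %prep fail instead of letting the test suite fail later. The `# disable test 1801` comment also gives no reason for skipping the test; a short explanation or bug reference there would help decide when it can be re-enabled.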
@@ -342,13 +260,18 @@ sed -e 's|^35$|35,52|' -i tests/data/test323 eval "$cmd" ) +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in + +%build # regenerate the configure script and Makefile.in files autoreconf -fiv -%build mkdir build-{full,minimal} export common_configure_opts=" \ --cache-file=../config.cache \ + --disable-manual \ --disable-static \ --enable-hsts \ --enable-ipv6 \ @@ -356,8 +279,10 @@ export common_configure_opts=" \ --enable-threaded-resolver \ --without-zstd \ --with-gssapi \ + --with-libidn2 \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ + --with-zsh-functions-dir" %global _configure ../configure @@ -370,10 +295,8 @@ export common_configure_opts=" \ --disable-imap \ --disable-ldap \ --disable-ldaps \ - --disable-manual \ --disable-mqtt \ --disable-ntlm \ - --disable-ntlm-wb \ --disable-pop3 \ --disable-rtsp \ --disable-smb \ @@ -381,8 +304,8 @@ export common_configure_opts=" \ --disable-telnet \ --disable-tftp \ --disable-tls-srp \ + --disable-websockets \ --without-brotli \ - --without-libidn2 \ --without-libpsl \ --without-libssh ) @@ -396,10 +319,8 @@ export common_configure_opts=" \ --enable-imap \ --enable-ldap \ --enable-ldaps \ - --enable-manual \ --enable-mqtt \ --enable-ntlm \ - --enable-ntlm-wb \ --enable-pop3 \ --enable-rtsp \ --enable-smb \ @@ -407,10 +328,14 @@ export common_configure_opts=" \ --enable-telnet \ --enable-tftp \ --enable-tls-srp \ + --enable-websockets \ --with-brotli \ - --with-libidn2 \ --with-libpsl \ - --with-libssh + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath 
@@ -458,10 +383,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal @@ -470,28 +391,30 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README %doc docs/BUGS.md -%doc docs/FAQ +%doc docs/DISTROS.md +%doc docs/FAQ.md %doc docs/FEATURES.md -%doc docs/TODO +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md %doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* 
@@ -513,68 +436,340 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Fri Mar 24 2023 Kamil Dudka - 7.82.0-14 -- fix SSH connection too eager reuse still (CVE-2023-27538) -- fix GSS delegation too eager connection re-use (CVE-2023-27536) -- fix FTP too eager connection reuse (CVE-2023-27535) -- fix SFTP path ~ resolving discrepancy (CVE-2023-27534) -- fix TELNET option IAC injection (CVE-2023-27533) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Wed Feb 15 2023 Kamil Dudka - 7.82.0-13 -- fix HTTP multi-header compression denial of service (CVE-2023-23916) +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate -* Wed Dec 21 2022 Kamil Dudka - 7.82.0-12 -- smb/telnet: fix use-after-free when HTTP proxy denies tunnel (CVE-2022-43552) -- http: use the IDN decoded name in HSTS checks (CVE-2022-43551) +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 -* Thu Nov 24 2022 Kamil Dudka - 7.82.0-11 +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream 
release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following 
vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default credential leak +- drop upstreamed patches + +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire deprecated ntlm-wb configure option + +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for 
https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case +- temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full + +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: re-enable temporarily disabled test-cases +- tests: attempt to fix a conflict on port numbers +- apply patches automatically + +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream release + +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ 
resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + +* Fri Feb 17 2023 Kamil Dudka - 7.88.0-2 +- http2: set drain on stream end + +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + +* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 +- fix regression in a public header file (#2162716) + +* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 +- test3012: temporarily disable valgrind (#2143040) + +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + +* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 +- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) + +* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 - enforce versioned libnghttp2 dependency for libcurl (#2144277) -* Mon Nov 21 2022 Kamil Dudka - 7.82.0-10 -- http2: make nghttp2 less picky about field whitespace (#2144277) +* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 +- fix regression in noproxy matching -* Wed Oct 26 2022 Kamil Dudka - 7.82.0-9 -- url: use IDN decoded names for HSTS checks (CVE-2022-42916) -- http_proxy: restore the protocol pointer on error (CVE-2022-42915) -- netrc: replace fgets with Curl_get_line (CVE-2022-35260) -- fix POST following PUT confusion (CVE-2022-32221) +* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-42916 - HSTS bypass via IDN + CVE-2022-42915 - HTTP proxy double-free + CVE-2022-35260 - .netrc parser out-of-bounds access + CVE-2022-32221 - POST following PUT 
confusion -* Fri Sep 02 2022 Kamil Dudka - 7.82.0-8 -- control code in cookie denial of service (CVE-2022-35252) +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2022-35252 - control code in cookie denial of service -* Mon Jul 18 2022 Kamil Dudka - 7.82.0-7 -- fix build failure with gnutls backend enabled +* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 +- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 -* Wed Jun 29 2022 Kamil Dudka - 7.82.0-6 -- fix unpreserved file permissions (CVE-2022-32207) -- fix Set-Cookie denial of service (CVE-2022-32205) -- fix HTTP compression denial of service (CVE-2022-32206) -- fix FTP-KRB bad message verification (CVE-2022-32208) +* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Wed May 11 2022 Kamil Dudka - 7.82.0-5 -- fix too eager reuse of TLS and SSH connections (CVE-2022-27782) -- do not accept cookies for TLD with trailing dot (CVE-2022-27779) -- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115) -- reject percent-encoded path separator in URL host (CVE-2022-27780) +* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-32207 - Unpreserved file permissions + CVE-2022-32205 - Set-Cookie denial of service + CVE-2022-32206 - HTTP compression denial of service + CVE-2022-32208 - FTP-KRB bad message verification -* Mon May 02 2022 Kamil Dudka - 7.82.0-4 -- fix leak of SRP credentials in redirects (CVE-2022-27774) +* Wed May 11 2022 Kamil Dudka - 7.83.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27782 - fix too eager reuse of TLS and SSH connections + CVE-2022-27779 - do not accept cookies for TLD with trailing dot + CVE-2022-27778 - do not remove wrong file on error + CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names + 
CVE-2022-27780 - reject percent-encoded path separator in URL host -* Thu Apr 28 2022 Kamil Dudka - 7.82.0-3 -- fix credential leak on redirect (CVE-2022-27774) -- fix auth/cookie leak on redirect (CVE-2022-27776) -- fix bad local IPv6 connection reuse (CVE-2022-27775) -- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576) +* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27774 - curl credential leak on redirect + CVE-2022-27776 - curl auth/cookie leak on redirect + CVE-2022-27775 - curl bad local IPv6 connection reuse + CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use * Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 - openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure @@ -582,6 +777,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 - new upstream release +* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 +- enable IDN support also in libcurl-minimal + +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 +- Suggest libcurl-minimal in curl-minimal + * Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
@@ -1281,881 +1482,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 
7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- 
new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? 
a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - 
timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it 
possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests 
(#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - 
-* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
- -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 
7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. 
ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. 
Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools diff --git a/sources b/sources index 7c44f53..002e494 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57 +SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c +SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh index 0529a12..0d72276 100755 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh 
@@ -31,9 +31,9 @@ PACKAGE="curl" -FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM -CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404 +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure"
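Review bot: The three pinned values changed here (`FTP_URL`, `HTTP_URL`, `CONTENT`) have to move together, but nothing next to them says so or records where `CONTENT` comes from. It looks like a digest listed in the CHECKSUM file that both URLs point at, though the code that uses it is outside this hunk, so that is an inference. A comment above the assignments such as `# CONTENT must be a digest listed in the CHECKSUM file at FTP_URL/HTTP_URL; update all three together` would spare the next maintainer the guess. Because the FTP transfer is unauthenticated and the context line `rlIsRHEL 7 && OPTIONS="--insecure"` turns off certificate verification on that platform, the comparison against `CONTENT` is presumably the only integrity check this test has, which is worth stating in the same comment. The new URLs pin `releases/42` just as the old ones pinned `releases/36`, so the test will likely need this same edit again once that directory is retired; a location that does not move would avoid that.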