diff --git a/backport-Curl_close-call-Curl_resolver_cancel-to-avoid-memory.patch b/backport-Curl_close-call-Curl_resolver_cancel-to-avoid-memory.patch new file mode 100644 index 0000000..2a76581 --- /dev/null +++ b/backport-Curl_close-call-Curl_resolver_cancel-to-avoid-memory.patch @@ -0,0 +1,30 @@ +From 37dbbbb6c14bcbd696441e15b41cc3d1c74c486c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 15 Aug 2022 16:36:33 +0200 +Subject: [PATCH] Curl_close: call Curl_resolver_cancel to avoid memory-leak + +There might be a pending (c-ares) resolve that isn't free'd up yet. + +Closes #9310 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/37dbbbb6c14bcbd696441e15b41cc3d1c74c486c +--- + lib/url.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/url.c b/lib/url.c +index 359e20a7c..44c1d3f37 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -440,6 +440,7 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_safefree(data->info.wouldredirect); + + /* this destroys the channel and we cannot use it anymore after this */ ++ Curl_resolver_cancel(data); + Curl_resolver_cleanup(data->state.async.resolver); + + Curl_http2_cleanup_dependencies(data); +-- +2.33.0 + diff --git a/backport-curl_path-bring-back-support-for-SFTP-path-ending-in.patch b/backport-curl_path-bring-back-support-for-SFTP-path-ending-in.patch new file mode 100644 index 0000000..0650216 --- /dev/null +++ b/backport-curl_path-bring-back-support-for-SFTP-path-ending-in.patch @@ -0,0 +1,71 @@ +From 91b53efa4b6854dc3688f55bfb329b0cafcf5325 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 13:06:01 +0200 +Subject: [PATCH] curl_path: bring back support for SFTP path ending in /~ + +libcurl used to do a directory listing for this case (even though the +documentation says a URL needs to end in a slash for this), but +4e2b52b5f7a3 modified the behavior. + +This change brings back a directory listing for SFTP paths that are +specified exactly as /~ in the URL. + +Reported-by: Pavel Mayorov +Fixes #11001 +Closes #11023 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325 +--- + lib/curl_path.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index 977e5336f..b4b48fe86 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -62,24 +62,27 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, + } + } + else if((data->conn->handler->protocol & CURLPROTO_SFTP) && +- (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { +- size_t len; +- const char *p; +- int copyfrom = 3; ++ (!strcmp("/~", working_path) || ++ ((working_path_len > 2) && !memcmp(working_path, "/~/", 3)))) { + if(Curl_dyn_add(&npath, homedir)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- /* Copy a separating '/' if homedir does not end with one */ +- len = Curl_dyn_len(&npath); +- p = Curl_dyn_ptr(&npath); +- if(len && (p[len-1] != '/')) +- copyfrom = 2; +- +- if(Curl_dyn_addn(&npath, +- &working_path[copyfrom], working_path_len - copyfrom)) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; ++ if(working_path_len > 2) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; ++ } + } + } + +-- +2.33.0 + diff --git a/backport-digest-pass-over-leading-spaces-in-qop-values.patch b/backport-digest-pass-over-leading-spaces-in-qop-values.patch new file mode 100644 index 0000000..0e6e08a --- /dev/null +++ b/backport-digest-pass-over-leading-spaces-in-qop-values.patch @@ -0,0 +1,216 @@ +From 0ad7c8d7d599a7b63fb7117b2c59999b55c54c2d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 Aug 2022 00:30:58 +0200 +Subject: [PATCH] digest: pass over leading spaces in qop values + +When parsing the "qop=" parameter of the digest authentication, and the +value is provided within quotes, the list of values can have leading +white space which the parser previously did not handle correctly. + +Add test case 388 to verify. + +Reported-by: vlubart on github +Fixes #9264 +Closes #9270 + +Conflict: context adapt for lib/vauth/digest.c and tests/data/Makefile.inc +Reference: https://github.com/curl/curl/commit/0ad7c8d7d599a7b63fb7117b2c59999b55c54c2d +--- + lib/vauth/digest.c | 3 + + tests/data/Makefile.inc | 2 +- + tests/data/test388 | 156 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 160 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test388 + +diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c +index a04ffab..07b9d46 100644 +--- a/lib/vauth/digest.c ++++ b/lib/vauth/digest.c +@@ -557,6 +557,9 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, + + token = strtok_r(tmp, ",", &tok_buf); + while(token != NULL) { ++ /* Pass additional spaces here */ ++ while(*token && ISSPACE(*token)) ++ token++; + if(strcasecompare(token, DIGEST_QOP_VALUE_STRING_AUTH)) { + foundAuth = TRUE; + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 4ae1b8f..3c3a4cc 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -61,7 +61,7 @@ test334 test335 test336 test337 test338 test339 test340 test341 test342 \ + test343 test344 test345 test346 test347 test348 test349 test350 test351 \ + test352 test353 test354 test355 test356 test357 test358 test359 test360 \ + test361 test362 test363 test364 test365 test366 \ +-test387 \ ++test387 test388 \ + \ + test392 test393 test394 test395 test396 test397 \ + \ +diff --git a/tests/data/test388 b/tests/data/test388 +new file mode 100644 +index 0000000..3a0214a +--- /dev/null ++++ b/tests/data/test388 +@@ -0,0 +1,156 @@ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP Digest auth ++ ++ ++ ++# Server-side ++ ++# First reply back and ask for Digest auth ++ ++HTTP/1.1 401 Authorization Required swsclose ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++This is not the real page ++ ++ ++# second reply back ++ ++HTTP/1.1 401 Authorization Required swsclose ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++This is not the real page ++ ++ ++# This is supposed to be returned when the server gets a ++# Authorization: Digest line passed-in from the client ++ ++HTTP/1.1 200 OK ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 23 ++ ++This IS the real page! ++ ++ ++# ++# This is the second request, and this sends back a response saying that ++# the request contained stale data. We want an update. Set swsbounce to ++# bounce on to data1003 on the second request. ++ ++HTTP/1.1 401 Authorization re-negotiation please swsbounce ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", algorithm=MD5, nonce="999999", stale=true, qop="crazy, auth" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++This is not the real page ++ ++ ++# The second request to the 1002 section will bounce this one back instead ++# thanks to the swsbounce keyword up there ++ ++HTTP/1.1 200 OK ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 30 ++ ++This IS the second real page! ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++!SSPI ++crypto ++ ++ ++HTTP with Digest and multiple qop values with leading space ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER0001 -u testuser:testpass --digest http://%HOSTIP:%HTTPPORT/%TESTNUMBER0002 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^Authorization.*cnonce ++ ++ ++GET /%TESTNUMBER0001 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /%TESTNUMBER0001 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER0001", response="ea598bbfdb5c54b7352c977e3885e44d" ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /%TESTNUMBER0002 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /%TESTNUMBER0002 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/%TESTNUMBER0002", response="921a8e6db782d6359db1f40d9ed7e6a6" ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /%TESTNUMBER0002 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Digest username="testuser", realm="testrealm", nonce="999999", uri="/%TESTNUMBER0002", cnonce="MTA4MzIy", nc="00000001", qop="auth", response="25291c357671604a16c0242f56721c07", algorithm=MD5 ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++HTTP/1.1 401 Authorization Required swsclose ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++HTTP/1.1 200 OK ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 23 ++ ++This IS the real page! ++HTTP/1.1 401 Authorization Required swsclose ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++HTTP/1.1 401 Authorization re-negotiation please swsbounce ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++WWW-Authenticate: Digest realm="testrealm", algorithm=MD5, nonce="999999", stale=true, qop="crazy, auth" ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 26 ++ ++HTTP/1.1 200 OK ++Server: Apache/1.3.27 (Darwin) PHP/4.1.2 ++Content-Type: text/html; charset=iso-8859-1 ++Content-Length: 30 ++ ++This IS the second real page! ++ ++ ++ +-- +2.33.0 + diff --git a/backport-easy-fix-the-altsvc-init-for-curl_easy_duphandle.patch b/backport-easy-fix-the-altsvc-init-for-curl_easy_duphandle.patch new file mode 100644 index 0000000..2c38488 --- /dev/null +++ b/backport-easy-fix-the-altsvc-init-for-curl_easy_duphandle.patch @@ -0,0 +1,31 @@ +From bbdeb4c6736a6e3923765197f0f4659f9d3b44c7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 29 Sep 2022 22:50:45 +0200 +Subject: [PATCH] easy: fix the altsvc init for curl_easy_duphandle + +It was using the old #ifdef which nothing sets anymore + +Closes #9624 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/bbdeb4c6736a6e3923765197f0f4659f9d3b44c7 +--- + lib/easy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/easy.c b/lib/easy.c +index 88159f474..93e8acc8d 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -944,7 +944,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) + goto fail; + } + +-#ifdef USE_ALTSVC ++#ifndef CURL_DISABLE_ALTSVC + if(data->asi) { + outcurl->asi = Curl_altsvc_init(); + if(!outcurl->asi) +-- +2.33.0 + diff --git a/backport-ftp-support-growing-files-with-CURLOPT_IGNORE_CONTEN.patch b/backport-ftp-support-growing-files-with-CURLOPT_IGNORE_CONTEN.patch new file mode 100644 index 0000000..9fd22e5 --- /dev/null +++ b/backport-ftp-support-growing-files-with-CURLOPT_IGNORE_CONTEN.patch @@ -0,0 +1,39 @@ +From 76b3f5f2cf0f091720413690c49f8d0ada5bfae5 Mon Sep 17 00:00:00 2001 +From: fractal-access <116177727+fractal-access@users.noreply.github.com> +Date: Wed, 19 Oct 2022 14:37:44 +0100 +Subject: [PATCH] ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH + +When using the option CURLOPT_IGNORE_CONTENT_LENGTH (set.ignorecl in +code) to support growing files in FTP, the code should ignore the +initial size it gets from the server as this will not be the final size +of the file. This is done in ftp_state_quote() to prevent a size request +being issued in the initial sequence. However, in a later call to +ftp_state_get_resp() the code attempts to get the size of the content +again if it doesn't already have it, by parsing the response from the +RETR request. This fix prevents this parsing of the response to get the +size when the set.ignorecl option is set. This should maintain the size +value as -1, unknown, in this situation. + +Closes #9772 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/76b3f5f2cf0f091720413690c49f8d0ada5bfae5 +--- + lib/ftp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/ftp.c b/lib/ftp.c +index c6e31e1b6..c07bafe17 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2448,6 +2448,7 @@ static CURLcode ftp_state_get_resp(struct Curl_easy *data, + + if((instate != FTP_LIST) && + !data->state.prefer_ascii && ++ !data->set.ignorecl && + (ftp->downloadsize < 1)) { + /* + * It seems directory listings either don't show the size or very +-- +2.33.0 + diff --git a/backport-http-fix-the-1-comparison-for-IPv6-localhost-for-coo.patch b/backport-http-fix-the-1-comparison-for-IPv6-localhost-for-coo.patch new file mode 100644 index 0000000..16dcea4 --- /dev/null +++ b/backport-http-fix-the-1-comparison-for-IPv6-localhost-for-coo.patch @@ -0,0 +1,45 @@ +From 565d0ca2b19682e41878e473d3895f89ba3412cf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 20 Dec 2022 10:07:36 +0100 +Subject: [PATCH] http: fix the ::1 comparison for IPv6 localhost for cookies + +When checking if there is a "secure context", which it is if the +connection is to localhost even if the protocol is HTTP, the comparison +for ::1 was done incorrectly and included brackets. + +Reported-by: BratSinot on github + +Fixes #10120 +Closes #10121 + +Conflict: context adapt +Reference: https://github.com/curl/curl/commit/565d0ca2b19682e41878e473d3895f89ba3412cf +--- + lib/http.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 328dafa..1afbad0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2729,7 +2729,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + conn->handler->protocol&CURLPROTO_HTTPS || + strcasecompare("localhost", host) || + !strcmp(host, "127.0.0.1") || +- !strcmp(host, "[::1]") ? TRUE : FALSE; ++ !strcmp(host, "::1") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); + co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); +@@ -3604,7 +3604,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + conn->handler->protocol&CURLPROTO_HTTPS || + strcasecompare("localhost", host) || + !strcmp(host, "127.0.0.1") || +- !strcmp(host, "[::1]") ? TRUE : FALSE; ++ !strcmp(host, "::1") ? TRUE : FALSE; + + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, + CURL_LOCK_ACCESS_SINGLE); +-- +2.33.0 + diff --git a/backport-http-free-the-url-before-storing-a-new-copy.patch b/backport-http-free-the-url-before-storing-a-new-copy.patch new file mode 100644 index 0000000..ae8f993 --- /dev/null +++ b/backport-http-free-the-url-before-storing-a-new-copy.patch @@ -0,0 +1,33 @@ +From f7170a8f2ed4dc5a4cfb3ef3c002d218c4bcecad Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 9 May 2023 08:31:11 +0200 +Subject: [PATCH] http: free the url before storing a new copy + +To avoid a memory-leak. + +Reported-by: Hiroki Kurosawa + +Closes #11093 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/f7170a8f2ed4dc5a4cfb3ef3c002d218c4bcecad +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index bffdd3468..15cf22c5e 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1010,7 +1010,7 @@ CURLcode Curl_http_input_auth(struct Curl_easy *data, bool proxy, + if(authp->picked == CURLAUTH_NEGOTIATE) { + CURLcode result = Curl_input_negotiate(data, conn, proxy, auth); + if(!result) { +- DEBUGASSERT(!data->req.newurl); ++ free(data->req.newurl); + data->req.newurl = strdup(data->state.url); + if(!data->req.newurl) + return CURLE_OUT_OF_MEMORY; +-- +2.33.0 + diff --git a/backport-libssh-if-sftp_init-fails-don-t-get-the-sftp-error-c.patch b/backport-libssh-if-sftp_init-fails-don-t-get-the-sftp-error-c.patch new file mode 100644 index 0000000..ade106b --- /dev/null +++ b/backport-libssh-if-sftp_init-fails-don-t-get-the-sftp-error-c.patch @@ -0,0 +1,38 @@ +From bdaa6dd5ba9ad63379c73b53fc639ea39df505c4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 16 Oct 2022 12:58:55 +0200 +Subject: [PATCH] libssh: if sftp_init fails, don't get the sftp error code + +This flow extracted the wrong code (sftp code instead of ssh code), and +the code is sometimes (erroneously) returned as zero anyway, so skip +getting it and set a generic error. + +Reported-by: David McLaughlin +Fixes #9737 +Closes #9740 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/bdaa6dd5ba9ad63379c73b53fc639ea39df505c4 +--- + lib/vssh/libssh.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 1afadbfa5..0105e4079 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -963,10 +963,9 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + + rc = sftp_init(sshc->sftp_session); + if(rc != SSH_OK) { +- rc = sftp_get_error(sshc->sftp_session); + failf(data, "Failure initializing sftp session: %s", + ssh_get_error(sshc->ssh_session)); +- MOVE_TO_ERROR_STATE(sftp_error_to_CURLE(rc)); ++ MOVE_TO_ERROR_STATE(sftp_error_to_CURLE(SSH_FX_FAILURE)); + break; + } + state(data, SSH_SFTP_REALPATH); +-- +2.33.0 + diff --git a/backport-multi-free-up-more-data-earleier-in-DONE.patch b/backport-multi-free-up-more-data-earleier-in-DONE.patch new file mode 100644 index 0000000..be11dd0 --- /dev/null +++ b/backport-multi-free-up-more-data-earleier-in-DONE.patch @@ -0,0 +1,59 @@ +From 81b2b577df40262716ff0e1c0e1cebabb99f012d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 15 Apr 2023 21:11:36 +0200 +Subject: [PATCH] multi: free up more data earleier in DONE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Before checking for more users of the connection and possibly bailing +out. + +Fixes #10971 +Reported-by: PaweÅ‚ Wegner +Closes #10972 + +Conflict: context adapt +Reference: https://github.com/curl/curl/commit/81b2b577df40262716ff0e1c0e1cebabb99f012d +--- + lib/multi.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index b2b1d65a3..0be8d0c40 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -699,6 +699,15 @@ static CURLcode multi_done(struct Curl_easy *data, + + process_pending_handles(data->multi); /* connection / multiplex */ + ++ Curl_safefree(data->state.ulbuf); ++ ++ /* if the transfer was completed in a paused state there can be buffered ++ data left to free */ ++ for(i = 0; i < data->state.tempcount; i++) { ++ Curl_dyn_free(&data->state.tempwrite[i].b); ++ } ++ data->state.tempcount = 0; ++ + CONNCACHE_LOCK(data); + Curl_detach_connnection(data); + if(CONN_INUSE(conn)) { +@@ -717,14 +726,6 @@ static CURLcode multi_done(struct Curl_easy *data, + conn->dns_entry = NULL; + } + Curl_hostcache_prune(data); +- Curl_safefree(data->state.ulbuf); +- +- /* if the transfer was completed in a paused state there can be buffered +- data left to free */ +- for(i = 0; i < data->state.tempcount; i++) { +- Curl_dyn_free(&data->state.tempwrite[i].b); +- } +- data->state.tempcount = 0; + + /* if data->set.reuse_forbid is TRUE, it means the libcurl client has + forced us to close this connection. This is ignored for requests taking +-- +2.33.0 + diff --git a/backport-tool_operate-refuse-data-or-form-and-continue-at-com.patch b/backport-tool_operate-refuse-data-or-form-and-continue-at-com.patch new file mode 100644 index 0000000..822f52f --- /dev/null +++ b/backport-tool_operate-refuse-data-or-form-and-continue-at-com.patch @@ -0,0 +1,124 @@ +rom 39a33fcac0e4530ef0c60d3319504e078ea2f137 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 May 2023 00:14:33 +0200 +Subject: [PATCH] tool_operate: refuse (--data or --form) and --continue-at + combo + +libcurl assumes that a --continue-at resumption is done to continue an +upload using the read callback and neither --data nor --form use +that and thus won't do what the user wants. Whatever the user wants +with this strange combination. + +Add test 426 to verify. + +Reported-by: Smackd0wn on github +Fixes #11081 +Closes #11083 + +Conflict: context adapt for tests/data/Makefile.inc +Reference: https://github.com/curl/curl/commit/39a33fcac0e4530ef0c60d3319504e078ea2f137 +--- + src/tool_operate.c | 27 +++++++++++++++++++-------- + tests/data/Makefile.inc | 1 + + tests/data/test426 | 34 ++++++++++++++++++++++++++++++++++ + 3 files changed, 54 insertions(+), 8 deletions(-) + create mode 100644 tests/data/test426 + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index a9f93ef..c97addc 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -1310,19 +1310,30 @@ static CURLcode single_transfer(struct GlobalConfig *global, + + switch(config->httpreq) { + case HTTPREQ_SIMPLEPOST: +- my_setopt_str(curl, CURLOPT_POSTFIELDS, +- config->postfields); +- my_setopt(curl, CURLOPT_POSTFIELDSIZE_LARGE, +- config->postfieldsize); ++ if(config->resume_from) { ++ errorf(global, "cannot mix --continue-at with --data\n"); ++ result = CURLE_FAILED_INIT; ++ } ++ else { ++ my_setopt_str(curl, CURLOPT_POSTFIELDS, ++ config->postfields); ++ my_setopt(curl, CURLOPT_POSTFIELDSIZE_LARGE, ++ config->postfieldsize); ++ } + break; + case HTTPREQ_MIMEPOST: + /* free previous remainders */ + curl_mime_free(config->mimepost); + config->mimepost = NULL; +- result = tool2curlmime(curl, config->mimeroot, &config->mimepost); +- if(result) +- break; +- my_setopt_mimepost(curl, CURLOPT_MIMEPOST, config->mimepost); ++ if(config->resume_from) { ++ errorf(global, "cannot mix --continue-at with --form\n"); ++ result = CURLE_FAILED_INIT; ++ } ++ else { ++ result = tool2curlmime(curl, config->mimeroot, &config->mimepost); ++ if(!result) ++ my_setopt_mimepost(curl, CURLOPT_MIMEPOST, config->mimepost); ++ } + break; + default: + break; +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index d681f92..2d62a6b 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -68,6 +68,7 @@ test392 test393 test394 test395 test396 test397 \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ + test418 \ ++test426 \ + test430 test431 test432 test433 test434 test435 test445 test446\ + \ + test442 test443 test444 \ +diff --git a/tests/data/test426 b/tests/data/test426 +new file mode 100644 +index 0000000..34c80c6 +--- /dev/null ++++ b/tests/data/test426 +@@ -0,0 +1,34 @@ ++ ++ ++ ++error detection ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++try --data with --continue-at ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -d foobar -C 3 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++2 ++ ++ ++ +-- +2.33.0 + diff --git a/backport-tool_progress-avoid-division-by-zero-in-parallel-pro.patch b/backport-tool_progress-avoid-division-by-zero-in-parallel-pro.patch new file mode 100644 index 0000000..2fa0333 --- /dev/null +++ b/backport-tool_progress-avoid-division-by-zero-in-parallel-pro.patch @@ -0,0 +1,32 @@ +From 0defae2fe524230f8b818d406d19e56f360bcc54 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 2 Jul 2022 00:02:04 +0200 +Subject: [PATCH] tool_progress: avoid division by zero in parallel progress + meter + +Reported-by: Brian Carpenter +Fixes #9082 +Closes #9083 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/0defae2fe524230f8b818d406d19e56f360bcc54 +--- + src/tool_progress.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tool_progress.c b/src/tool_progress.c +index da5317b92..46185c0d3 100644 +--- a/src/tool_progress.c ++++ b/src/tool_progress.c +@@ -268,6 +268,8 @@ bool progress_meter(struct GlobalConfig *global, + dl = all_dlnow; + ul = all_ulnow; + } ++ if(!deltams) /* no division by zero please */ ++ deltams++; + dls = (curl_off_t)((double)dl / ((double)deltams/1000.0)); + uls = (curl_off_t)((double)ul / ((double)deltams/1000.0)); + speed = dls > uls ? dls : uls; +-- +2.33.0 + diff --git a/backport-transfer-refuse-POSTFIELDS-RESUME_FROM-combo.patch b/backport-transfer-refuse-POSTFIELDS-RESUME_FROM-combo.patch new file mode 100644 index 0000000..bef3524 --- /dev/null +++ b/backport-transfer-refuse-POSTFIELDS-RESUME_FROM-combo.patch @@ -0,0 +1,42 @@ +From fb7886b9c95009a837f584caf4943a455f3daa60 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 8 May 2023 00:12:25 +0200 +Subject: [PATCH] transfer: refuse POSTFIELDS + RESUME_FROM combo + +The code assumes that such a resume is wanting to continue an upload +using the read callback, and since POSTFIELDS is done without callback +libcurl will just misbehave. + +This combo will make the transfer fail with CURLE_BAD_FUNCTION_ARGUMENT +with an explanation in the error message. + +Reported-by: Smackd0wn on github +Fixes #11081 +Closes #11083 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/fb7886b9c95009a837f584caf4943a455f3daa60 +--- + lib/transfer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 947070956..d2ff0c24c 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1325,6 +1325,12 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + } + } + ++ if(data->set.postfields && data->set.set_resume_from) { ++ /* we can't */ ++ failf(data, "cannot mix POSTFIELDS with RESUME_FROM"); ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ } ++ + data->state.prefer_ascii = data->set.prefer_ascii; + data->state.list_only = data->set.list_only; + data->state.httpreq = data->set.method; +-- +2.33.0 + diff --git a/backport-url-fix-null-dispname-for-connect-to-option.patch b/backport-url-fix-null-dispname-for-connect-to-option.patch new file mode 100644 index 0000000..873c799 --- /dev/null +++ b/backport-url-fix-null-dispname-for-connect-to-option.patch @@ -0,0 +1,44 @@ +From ac5ad5214261a2237bdbe344708f9d32c9393fd6 Mon Sep 17 00:00:00 2001 +From: Shohei Maeda <11495867+smaeda-ks@users.noreply.github.com> +Date: Fri, 12 May 2023 21:06:26 +0900 +Subject: [PATCH] url: fix null dispname for --connect-to option + +Closes #11106 + +Conflict: context adapt +Reference: https://github.com/curl/curl/commit/ac5ad5214261a2237bdbe344708f9d32c9393fd6 +--- + lib/url.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 71ca1b64e..de70eee23 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1816,11 +1816,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + result = Curl_idnconvert_hostname(data, &conn->host); + if(result) + return result; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- return result; +- } + + #ifndef CURL_DISABLE_HSTS + /* HSTS upgrade */ +@@ -3480,6 +3475,11 @@ static CURLcode create_conn(struct Curl_easy *data, + return result; + } + #endif ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } + + /************************************************************* + * Check whether the host and the "connect to host" are equal. +-- +2.33.0 + diff --git a/backport-url-move-back-the-IDN-conversion-of-proxy-names.patch b/backport-url-move-back-the-IDN-conversion-of-proxy-names.patch new file mode 100644 index 0000000..476c436 --- /dev/null +++ b/backport-url-move-back-the-IDN-conversion-of-proxy-names.patch @@ -0,0 +1,72 @@ +From 37ca6f0f9a0040b6dc2d5f108cebaa4f7f6abced Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 17 Nov 2022 23:55:26 +0100 +Subject: [PATCH] url: move back the IDN conversion of proxy names + +Regression: in commit 53bcf55 we moved the IDN conversion calls to +happen before the HSTS checks. But the HSTS checks are only done on the +server host name, not the proxy names. By moving the proxy name IDN +conversions, we accidentally broke the verbose output showing the proxy +name. + +This change moves back the IDN conversions for the proxy names to the +place in the code path they were before 53bcf55. + +Reported-by: Andy Stamp +Fixes #9937 +Closes #9939 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/37ca6f0f9a0040b6dc2d5f108cebaa4f7f6abced +--- + lib/url.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index f2ad31742..78f01c442 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2060,18 +2060,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + if(result) + return result; + } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- return result; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- return result; +- } +-#endif + + #ifndef CURL_DISABLE_HSTS + /* HSTS upgrade */ +@@ -3731,6 +3719,21 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + ++ /************************************************************* ++ * IDN-convert the proxy hostnames ++ *************************************************************/ ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. +-- +2.33.0 + diff --git a/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch b/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch new file mode 100644 index 0000000..903a8fa --- /dev/null +++ b/backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch @@ -0,0 +1,116 @@ +From 49e244318672c688097c1bf601a110005cd9a6a8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 31 Jul 2023 10:07:35 +0200 +Subject: [PATCH] urlapi: make sure zoneid is also duplicated in curl_url_dup + +Add several curl_url_dup() tests to the general lib1560 test. + +Reported-by: Rutger Broekhoff +Bug: https://curl.se/mail/lib-2023-07/0047.html +Closes #11549 + +Conflict: tests/libtest/lib1560.c for context adapt +Reference: https://github.com/curl/curl/commit/49e244318672c688097c1bf601a110005cd9a6a8 +--- + lib/urlapi.c | 1 + + tests/libtest/lib1560.c | 68 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 69 insertions(+) + +diff --git a/lib/urlapi.c b/lib/urlapi.c +index 7f03862..b676c4d 100644 +--- a/lib/urlapi.c ++++ b/lib/urlapi.c +@@ -1096,6 +1096,7 @@ CURLU *curl_url_dup(CURLU *in) + DUP(u, in, path); + DUP(u, in, query); + DUP(u, in, fragment); ++ DUP(u, in, zoneid); + u->portnum = in->portnum; + } + return u; +diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c +index b822004..960ee50 100644 +--- a/tests/libtest/lib1560.c ++++ b/tests/libtest/lib1560.c +@@ -1129,10 +1129,78 @@ static int scopeid(void) + return error; + } + ++ ++static int urldup(void) ++{ ++ const char *url[] = { ++ "http://" ++ "user:pwd@" ++ "[2a04:4e42:e00::347%25eth0]" ++ ":80" ++ "/path" ++ "?query" ++ "#fraggie", ++ "https://example.com", ++ "https://user@example.com", ++ "https://user.pwd@example.com", ++ "https://user.pwd@example.com:1234", ++ "https://example.com:1234", ++ "example.com:1234", ++ "https://user.pwd@example.com:1234/path?query#frag", ++ NULL ++ }; ++ CURLU *copy = NULL; ++ char *h_str = NULL, *copy_str = NULL; ++ CURLU *h = curl_url(); ++ int i; ++ ++ if(!h) ++ goto err; ++ ++ for(i = 0; url[i]; i++) { ++ CURLUcode rc = curl_url_set(h, CURLUPART_URL, url[i], ++ CURLU_GUESS_SCHEME); ++ if(rc) ++ goto err; ++ copy = curl_url_dup(h); ++ ++ rc = curl_url_get(h, CURLUPART_URL, &h_str, 0); ++ if(rc) ++ goto err; ++ ++ rc = curl_url_get(copy, CURLUPART_URL, ©_str, 0); ++ if(rc) ++ goto err; ++ ++ if(strcmp(h_str, copy_str)) { ++ printf("Original: %s\nParsed: %s\nCopy: %s\n", ++ url[i], h_str, copy_str); ++ goto err; ++ } ++ curl_free(copy_str); ++ curl_free(h_str); ++ curl_url_cleanup(copy); ++ copy_str = NULL; ++ h_str = NULL; ++ copy = NULL; ++ } ++ curl_url_cleanup(h); ++ return 0; ++err: ++ curl_free(copy_str); ++ curl_free(h_str); ++ curl_url_cleanup(copy); ++ curl_url_cleanup(h); ++ return 1; ++} ++ + int test(char *URL) + { + (void)URL; /* not used */ + ++ if(urldup()) ++ return 11; ++ + if(scopeid()) + return 6; + +-- +2.33.0 + diff --git a/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch b/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch new file mode 100644 index 0000000..383e3ba --- /dev/null +++ b/backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch @@ -0,0 +1,44 @@ +From a4a5e438ae533c9af5e97457ae424c9189545105 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 12 Jun 2023 14:10:37 +0200 +Subject: [PATCH] vtls: avoid memory leak if sha256 call fails + +... in the pinned public key handling function. + +Reported-by: lizhuang0630 on github +Fixes #11306 +Closes #11307 + +Conflict: Curl_base64_encode function adapt +Reference: https://github.com/curl/curl/commit/a4a5e438ae533c9af5e97457ae424c9189545105 +--- + lib/vtls/vtls.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a4ff7d61a..cdd3a4fdc 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -907,14 +907,12 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, + if(!sha256sumdigest) + return CURLE_OUT_OF_MEMORY; + encode = Curl_ssl->sha256sum(pubkey, pubkeylen, +- sha256sumdigest, CURL_SHA256_DIGEST_LENGTH); ++ sha256sumdigest, CURL_SHA256_DIGEST_LENGTH); + +- if(encode != CURLE_OK) +- return encode; +- +- encode = Curl_base64_encode(data, (char *)sha256sumdigest, +- CURL_SHA256_DIGEST_LENGTH, &encoded, +- &encodedlen); ++ if(!encode) ++ encode = Curl_base64_encode(data, (char *)sha256sumdigest, ++ CURL_SHA256_DIGEST_LENGTH, &encoded, ++ &encodedlen); + Curl_safefree(sha256sumdigest); + + if(encode) +-- +2.33.0 + diff --git a/curl.spec b/curl.spec index 0ce8985..cfd5bde 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 25 +Release: 26 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ @@ -78,6 +78,22 @@ Patch64: backport-CVE-2023-38546.patch Patch65: backport-CVE-2023-46218.patch Patch66: backport-0001-CVE-2023-46219.patch Patch67: backport-0002-CVE-2023-46219.patch +Patch68: backport-tool_progress-avoid-division-by-zero-in-parallel-pro.patch +Patch69: backport-digest-pass-over-leading-spaces-in-qop-values.patch +Patch70: backport-Curl_close-call-Curl_resolver_cancel-to-avoid-memory.patch +Patch71: backport-easy-fix-the-altsvc-init-for-curl_easy_duphandle.patch +Patch72: backport-libssh-if-sftp_init-fails-don-t-get-the-sftp-error-c.patch +Patch73: backport-url-move-back-the-IDN-conversion-of-proxy-names.patch +Patch74: backport-ftp-support-growing-files-with-CURLOPT_IGNORE_CONTEN.patch +Patch75: backport-http-fix-the-1-comparison-for-IPv6-localhost-for-coo.patch +Patch76: backport-multi-free-up-more-data-earleier-in-DONE.patch +Patch77: backport-curl_path-bring-back-support-for-SFTP-path-ending-in.patch +Patch78: backport-transfer-refuse-POSTFIELDS-RESUME_FROM-combo.patch +Patch79: backport-tool_operate-refuse-data-or-form-and-continue-at-com.patch +Patch80: backport-http-free-the-url-before-storing-a-new-copy.patch +Patch81: backport-url-fix-null-dispname-for-connect-to-option.patch +Patch82: backport-vtls-avoid-memory-leak-if-sha256-call-fails.patch +Patch83: backport-urlapi-make-sure-zoneid-is-also-duplicated-in-curl_u.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -246,6 +262,27 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Jan 03 2024 zhouyihang - 7.79.1-26 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:tool_progress: avoid division by zero in parallel progress + digest: pass over leading spaces in qop values + Curl_close: call Curl_resolver_cancel to avoid memory-leak + easy: fix the altsvc init for curl_easy_duphandle + libssh: if sftp_init fails, don't get the sftp error code + url: move back the IDN conversion of proxy names + ftp: support growing files with CURLOPT_IGNORE_CONTENT_LENGTH + http: fix the ::1 comparison for IPv6 localhost for cookies + multi: free up more data earleier in DONE + curl_path: bring back support for SFTP path ending in /~ + transfer: refuse POSTFIELDS + RESUME_FROM combo + tool_operate: refuse (--data or --form) and --continue-at + http: free the url before storing a new copy + url: fix null dispname for --connect-to option + vtls: avoid memory leak if sha256 call fails + urlapi: make sure zoneid is also duplicated in curl_url_dup + * Fri Dec 08 2023 zhouyihang - 7.79.1-25 - Type:CVE - CVE:CVE-2023-46218 CVE-2023-46219