
Update contrib/libs/curl to 7.83.1

ref:e0fbfbe6faf65e15f45ef0f846e92356916e91cf
robot-contrib 2 лет назад
Родитель
Сommit
00e5165677

+ 2 - 2
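--- a/contrib/libs/curl/.yandex_meta/devtools.copyrights.report
+++ b/contrib/libs/curl/.yandex_meta/devtools.copyrights.report
@@ -186,7 +186,6 @@ BELONGS ya.make
         lib/md4.c [8:8]
         lib/memdebug.c [8:8]
         lib/multihandle.h [10:10]
-        lib/multiif.h [10:10]
         lib/netrc.c [8:8]
         lib/pingpong.h [10:10]
         lib/progress.c [8:8]
@@ -204,7 +203,6 @@ BELONGS ya.make
         lib/vauth/cram.c [8:8]
         lib/vauth/ntlm_sspi.c [8:8]
         lib/vauth/oauth2.c [8:8]
-        lib/vssh/ssh.h [10:10]
         lib/vtls/gtls.h [10:10]
 
 KEEP     COPYRIGHT_SERVICE_LABEL 1b9e8d9d7c9588e9a9cbcbd17572b2e4
@@ -503,6 +501,7 @@ BELONGS ya.make
         lib/mime.c [8:8]
         lib/mime.h [10:10]
         lib/multi.c [8:8]
+        lib/multiif.h [10:10]
         lib/nonblock.c [8:8]
         lib/pingpong.c [8:8]
         lib/pop3.c [8:8]
@@ -540,6 +539,7 @@ BELONGS ya.make
         lib/vquic/quiche.c [8:8]
         lib/vquic/vquic.c [8:8]
         lib/vssh/libssh2.c [8:8]
+        lib/vssh/ssh.h [10:10]
         lib/vtls/gskit.c [8:8]
         lib/vtls/gtls.c [8:8]
         lib/vtls/hostcheck.c [8:8]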

+ 89 - 274
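--- a/contrib/libs/curl/RELEASE-NOTES
+++ b/contrib/libs/curl/RELEASE-NOTES
@@ -1,147 +1,54 @@
-curl and libcurl 7.83.0
+curl and libcurl 7.83.1
 
- Public curl releases:         207
+ Public curl releases:         208
  Command line options:         247
  curl_easy_setopt() options:   295
  Public functions in libcurl:  88
- Contributors:                 2625
+ Contributors:                 2632
-
-This release includes the following changes:
-
- o curl: add %header{name} experimental support in -w handling
- o curl: add %{header_json} experimental support in -w handling
- o curl: add --no-clobber [28]
- o curl: add --remove-on-error [11]
- o header api: add curl_easy_header and curl_easy_nextheader [56]
- o msh3: add support for QUIC and HTTP/3 using msh3 [84]
 
 This release includes the following bugfixes:
 
- o appveyor: add Cygwin build [77]
+ o altsvc: fix host name matching for trailing dots [31]
- o appveyor: only add MSYS2 to PATH where required [78]
+ o cirrus: Update to FreeBSD 12.3 [24]
- o BearSSL: add CURLOPT_SSL_CIPHER_LIST support [27]
+ o cirrus: Use pip for Python packages on FreeBSD [23]
- o BearSSL: add CURLOPT_SSL_CTX_FUNCTION support [26]
+ o conn: fix typo 'connnection' -> 'connection' in two function names [1]
- o BINDINGS.md: add Hollywood binding [34]
+ o cookies: make bad_domain() not consider a trailing dot fine [26]
- o CI: Do not use buildconf. Instead, just use: autoreconf -fi [42]
+ o curl: free resource in error path [3]
- o CI: install Python package impacket to run SMB test 1451 [5]
+ o curl: guard against size_t wraparound in no-clobber code [4]
- o configure.ac: move -pthread CFLAGS setting back where it used to be [14]
+ o CURLOPT_DOH_URL.3: mention the known bug [19]
- o configure: bump the copyright year range int the generated output
+ o CURLOPT_HSTS*FUNCTION.3: document the involved structs as well [20]
- o conncache: include the zone id in the "bundle" hashkey [112]
+ o CURLOPT_SSH_AUTH_TYPES.3: fix the default [18]
- o connecache: remove duplicate connc->closure_handle check [90]
+ o data/test376: set a proper name
- o connect: make Curl_getconnectinfo work with conn cache from share handle [22]
+ o GHA/mbedtls: enabled nghttp2 in the build [11]
- o connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined [6]
+ o gha: build msh3 [5]
- o cookie.d: clarify when cookies are sent
+ o gskit: fixed bogus setsockopt calls [17]
- o cookies: improve errorhandling for reading cookiefile [123]
+ o gskit: remove unused function set_callback [2]
- o curl/system.h: update ifdef condition for MCST-LCC compiler [4]
+ o hsts: ignore trailing dots when comparing hosts names [28]
- o curl: error out if -T and -d are used for the same URL [99]
+ o HTTP-COOKIES: add missing CURLOPT_COOKIESESSION [40]
- o curl: error out when options need features not present in libcurl [18]
+ o http: move Curl_allow_auth_to_host() [9]
- o curl: escape '?' in generated --libcurl code [117]
+ o http_proxy/hyper: handle closed connections [34]
- o curl: fix segmentation fault for empty output file names. [60]
+ o hyper: fix test 357 [32]
- o curl_easy_header: fix typos in documentation [74]
+ o Makefile: fix "make ca-firefox" [37]
- o CURLINFO_PRIMARY_PORT.3: clarify which port this is [126]
+ o mbedtls: bail out if rng init fails [14]
- o CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS [105]
+ o mbedtls: fix compile when h2-enabled [12]
- o CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL
+ o mbedtls: fix some error messages
- o CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs [79]
+ o misc: use "autoreconf -fi" instead buildconf [22]
- o CURLOPT_PROGRESSFUNCTION.3: fix typo in example [63]
+ o msh3: get msh3 version from MsH3Version [6]
- o CURLOPT_UNRESTRICTED_AUTH.3: extended explanation [127]
+ o msh3: print boolean value as text representation [10]
- o CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype [9]
+ o msh3: psss remote_port to MsH3ConnectionOpen [7]
- o docs/HYPER.md: updated to reflect current hyper build needs
+ o ngtcp2: add ca-fallback support for OpenSSL backend [35]
- o docs/opts: Mention Schannel client cert type is P12 [50]
+ o nss: return error if seemingly stuck in a cert loop [30]
- o docs: Fix missing semicolon in example code [102]
+ o openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl [8]
- o docs: lots of minor language polish [51]
+ o post_per_transfer: remove the updated file name [27]
- o English: use American spelling consistently [95]
+ o sectransp: bail out if SSLSetPeerDomainName fails [33]
- o fail.d: tweak the description [101]
+ o tests/server: declare variable 'reqlogfile' static [39]
- o firefox-db2pem.sh: make the shell script safer [47]
+ o tests: fix markdown formatting in README [38]
- o ftp: fix error message for partial file upload [61]
+ o test{898,974,976}: add 'HTTP proxy' keywords [16]
- o gen.pl: change wording for mutexed options [98]
+ o tls: check more TLS details for connection reuse [25]
- o GHA: add openssl3 jobs moved over from zuul [88]
+ o url: check SSH config match on connection reuse [21]
- o GHA: build hyper with nightly rustc [7]
+ o urlapi: address (harmless) UndefinedBehavior sanitizer warning [15]
- o GHA: move bearssl jobs over from zuul [85]
+ o urlapi: reject percent-decoding host name into separator bytes [29]
- o gha: move the event-based test over from Zuul [59]
+ o x509asn1: make do_pubkey handle EC public keys [13]
- o gtls: fix build for disabled TLS-SRP [48]
- o http2: handle DONE called for the paused stream [69]
- o http2: RST the stream if we stop it on our own will [67]
- o http: avoid auth/cookie on redirects same host diff port [110]
- o http: close the stream (not connection) on time condition abort [68]
- o http: reject header contents with nul bytes [41]
- o http: return error on colon-less HTTP headers [31]
- o http: streamclose "already downloaded" [57]
- o hyper: fix status_line() return code [13]
- o hyper: fix tests 580 and 581 for hyper [107]
- o hyper: no h2c support [33]
- o infof: consistent capitalization of warning messages [103]
- o ipv4/6.d: clarify that they are about using IP addresses [3]
- o json.d: fix typo (overriden -> overridden) [24]
- o keepalive-time.d: It takes many probes to detect brokenness [29]
- o lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 [45]
- o lib670: avoid double check result [71]
- o lib: #ifdef on USE_HTTP2 better [65]
- o lib: fix some misuse of curlx_convert_wchar_to_UTF8 [38]
- o lib: remove exclamation marks [100]
- o libssh2: compare sha256 strings case sensitively [114]
- o libssh2: make the md5 comparison fail if wrong length [111]
- o libssh: fix build with old libssh versions [12]
- o libssh: fix double close [124]
- o libssh: Improve fix for missing SSH_S_ stat macros [10]
- o libssh: unstick SFTP transfers when done event-based [58]
- o macos: set .plist version in autoconf [122]
- o mbedtls: remove 'protocols' array from backend when ALPN is not used [66]
- o mbedtls: remove server_fd from backend [91]
- o mk-ca-bundle.pl: Use stricter logic to process the certificates [39]
- o mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl [8]
- o mlc_config.json: add file to ignore known troublesome URLs [35]
- o mqtt: better handling of TCP disconnect mid-message [55]
- o ngtcp2: add client certificate authentication for OpenSSL [15]
- o ngtcp2: avoid busy loop in low CWND situation [119]
- o ngtcp2: deal with sub-millisecond timeout [116]
- o ngtcp2: disconnect the QUIC connection proper [19]
- o ngtcp2: enlarge H3_SEND_SIZE [82]
- o ngtcp2: fix HTTP/3 upload stall and avoid busy loop [83]
- o ngtcp2: fix memory leak [80]
- o ngtcp2: fix QUIC_IDLE_TIMEOUT [94]
- o ngtcp2: make curl 1ms faster [93]
- o ngtcp2: remove remote_addr which is not used in a meaningful way [81]
- o ngtcp2: update to work after recent ngtcp2 updates [62]
- o ngtcp2: use token when detecting :status header field [92]
- o nonblock: restore setsockopt method to curlx_nonblock [20]
- o openssl: check SSL_get_peer_cert_chain return value [1]
- o openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL [23]
- o openssl: fix CN check error code [21]
- o options: remove mistaken space before paren in prototype
- o perl: removed a double semicolon at end of line [64]
- o pop3/smtp: return *WEIRD_SERVER_REPLY when not understood [43]
- o projects/README: converted to markdown [76]
- o projects: Update VC version names for VS2017, VS2022 [52]
- o rtsp: don't let CSeq error override earlier errors [37]
- o runtests: add 'bearssl' as testable feature [87]
- o runtests: make 'oldlibssh' be before 0.9.4 [2]
- o schannel: remove dead code that will never run [89]
- o scripts/copyright.pl: ignore the new mlc_config.json file
- o scripts: move three scripts from lib/ to scripts/ [44]
- o test1135: sync with recent API updates [54]
- o test1459: disable for oldlibssh [53]
- o test375: fix line endings on Windows [40]
- o test386: Fix an incorrect test markup tag
- o test718: edited slightly to return better HTTP [32]
- o tests/server/util.h: align WIN32 condition with util.c [46]
- o tests: refactor server/socksd.c to support --unix-socket [96]
- o timediff.[ch]: add curlx helper functions for timeval conversions [86]
- o tls: make mbedtls and NSS check for h2, not nghttp2 [70]
- o tool and tests: force flush of all buffers at end of program [17]
- o tool_cb_hdr: Turn the Location: into a terminal hyperlink [30]
- o tool_getparam: error out on missing -K file [115]
- o tool_listhelp.c: uppercase URL
- o tool_operate: fix a scan-build warning [16]
- o tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) [97]
- o transfer: redirects to other protocols or ports clear auth [109]
- o unit1620: call global_init before calling Curl_open [125]
- o url: check sasl additional parameters for connection reuse. [113]
- o vtls: provide a unified APLN-disagree string for all backends [75]
- o vtls: use a backend standard message for "ALPN: offers %s" [73]
- o vtls: use a generic "ALPN, server accepted" message [72]
- o winbuild/README.md: fixup dead link [36]
- o winbuild: Add a Visual Studio example to the README [49]
- o wolfssl: fix compiler error without IPv6 [25]
 
 This release includes the following known bugs:
 
@@ -150,143 +57,51 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Alejandro R. Sedeño, Andreas Falkenhahn, Andrey Alifanov,
+  Adam Rosenfield, Axel Chong, Christian Weisgerber, Daniel Gustafsson,
-  anon00000000 on github, Balakrishnan Balasubramanian, Boris Verkhovskiy,
+  Daniel Stenberg, Fabian Keil, Florian Kohnhäuser, Garrett Squire,
-  Brad Spencer, Christian Schmitz, Christopher Degawa, Colin Leroy,
+  Harry Sintonen, LigH-de on github, Michael Olbrich, Nick Banks,
-  Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Daniel Valenzuela,
+  Patrick Monnerat, Philip H, Prithvi MK, Ray Satiro, Ryan Schmidt,
-  Don J Olmstead, Emanuele Torre, Evangelos Foutras, Francisco Olarte,
+  Sergey Markelov, Tatsuhiro Tsujikawa, Yusuke Nakamura
-  Frank Meier, Gisle Vanem, Harry Sintonen, Ian Blanes, Jan Venekamp,
+  (20 contributors)
-  Jay Dommaschk, Jean-Philippe Menil, Jenny Heino, Joseph Chen,
-  jurisuk on github, Kristoffer Gleditsch, Kushal Das, Leandro Coutinho,
-  Liam Warfield, Marcel Raad, Marc Hörsken, Matteo Baccan,
-  Median Median Stride, mehatzri on github, Michael Kaufmann, Michał Antoniak,
-  Nick Banks, Nick Coghlan, Nick Zitzmann, Patrick Monnerat, Paul Howarth,
-  Paweł Kowalski, Peter Korsgaard, pheiduck on github, r-a-sattarov on github,
-  Ray Satiro, Rianov Viacheslav, Robert Brose, Robert Charles Muir,
-  Robin A. Meade, Samuel Henrique, Sascha Zengler, Taras Kushnir,
-  Tatsuhiro Tsujikawa, Timothe Litt, Viktor Szakats, HexTheDragon
-  (60 contributors)
 
 References to bug reports and discussions on issues:
 
- [1] = https://curl.se/bug/?i=8579
+ [1] = https://curl.se/bug/?i=8759
- [2] = https://curl.se/bug/?i=8548
+ [2] = https://curl.se/bug/?i=8782
- [3] = https://curl.se/bug/?i=8543
+ [3] = https://curl.se/bug/?i=8770
- [4] = https://curl.se/bug/?i=8546
+ [4] = https://curl.se/bug/?i=8771
- [5] = https://curl.se/bug/?i=8544
+ [5] = https://curl.se/bug/?i=8779
- [6] = https://curl.se/bug/?i=8539
+ [6] = https://curl.se/bug/?i=8762
- [7] = https://curl.se/bug/?i=8545
+ [7] = https://curl.se/bug/?i=8762
- [8] = https://curl.se/bug/?i=8412
+ [8] = https://curl.se/mail/lib-2022-04/0059.html
- [9] = https://curl.se/bug/?i=8573
+ [9] = https://curl.se/bug/?i=8772
- [10] = https://curl.se/bug/?i=8588
+ [10] = https://curl.se/bug/?i=8763
- [11] = https://curl.se/bug/?i=8503
+ [11] = https://curl.se/bug/?i=8767
- [12] = https://curl.se/bug/?i=8574
+ [12] = https://curl.se/bug/?i=8766
- [13] = https://curl.se/bug/?i=8572
+ [13] = https://curl.se/bug/?i=8757
- [14] = https://curl.se/bug/?i=8541
+ [14] = https://curl.se/bug/?i=8796
- [15] = https://curl.se/bug/?i=8522
+ [15] = https://curl.se/bug/?i=8797
- [16] = https://curl.se/bug/?i=8565
+ [16] = https://curl.se/bug/?i=8791
- [17] = https://curl.se/bug/?i=8516
+ [17] = https://curl.se/bug/?i=8793
- [18] = https://curl.se/bug/?i=8565
+ [18] = https://curl.se/bug/?i=8792
- [19] = https://curl.se/bug/?i=8534
+ [19] = https://curl.se/bug/?i=8790
- [20] = https://curl.se/bug/?i=8562
+ [20] = https://curl.se/bug/?i=8788
- [21] = https://curl.se/bug/?i=8559
+ [21] = https://curl.se/docs/CVE-2022-27782.html
- [22] = https://curl.se/bug/?i=8524
+ [22] = https://curl.se/bug/?i=8777
- [23] = https://curl.se/bug/?i=8553
+ [23] = https://curl.se/bug/?i=8783
- [24] = https://curl.se/bug/?i=8557
+ [24] = https://curl.se/bug/?i=8783
- [25] = https://curl.se/bug/?i=8550
+ [25] = https://curl.se/docs/CVE-2022-27782.html
- [26] = https://curl.se/bug/?i=8478
+ [26] = https://curl.se/docs/CVE-2022-27779.html
- [27] = https://curl.se/bug/?i=8477
+ [27] = https://curl.se/docs/CVE-2022-27778.html
- [28] = https://curl.se/bug/?i=7708
+ [28] = https://curl.se/docs/CVE-2022-30115.html
- [29] = https://curl.se/bug/?i=8570
+ [29] = https://curl.se/docs/CVE-2022-27780.html
- [30] = https://curl.se/bug/?i=7963
+ [30] = https://curl.se/docs/CVE-2022-27781.html
- [31] = https://curl.se/bug/?i=8610
+ [31] = https://curl.se/bug/?i=8819
- [32] = https://github.com/hyperium/hyper/issues/2783
+ [32] = https://curl.se/bug/?i=8811
- [33] = https://curl.se/bug/?i=8605
+ [33] = https://curl.se/bug/?i=8798
- [34] = https://curl.se/bug/?i=8609
+ [34] = https://curl.se/bug/?i=8700
- [35] = https://curl.se/bug/?i=8597
+ [35] = https://curl.se/bug/?i=8828
- [36] = https://curl.se/bug/?i=8597
+ [37] = https://curl.se/bug/?i=8804
- [37] = https://curl.se/bug/?i=8525
+ [38] = https://curl.se/bug/?i=8802
- [38] = https://curl.se/bug/?i=8521
+ [39] = https://curl.se/bug/?i=8799
- [39] = https://curl.se/bug/?i=8411
+ [40] = https://curl.se/bug/?i=8795
- [40] = https://curl.se/bug/?i=8599
- [41] = https://curl.se/bug/?i=8601
- [42] = https://curl.se/bug/?i=8596
- [43] = https://curl.se/bug/?i=8506
- [44] = https://curl.se/bug/?i=8625
- [45] = https://curl.se/bug/?i=8594
- [46] = https://curl.se/bug/?i=8594
- [47] = https://curl.se/bug/?i=8616
- [48] = https://curl.se/mail/lib-2022-03/0046.html
- [49] = https://curl.se/bug/?i=8592
- [50] = https://curl.se/bug/?i=8587
- [51] = https://curl.se/bug/?i=8646
- [52] = https://curl.se/bug/?i=8447
- [53] = https://curl.se/bug/?i=8622
- [54] = https://curl.se/bug/?i=8620
- [55] = https://hackerone.com/reports/1521610
- [56] = https://curl.se/bug/?i=8593
- [57] = https://curl.se/bug/?i=8665
- [58] = https://curl.se/bug/?i=8490
- [59] = https://curl.se/bug/?i=8490
- [60] = https://curl.se/bug/?i=8606
- [61] = https://curl.se/bug/?i=8637
- [62] = https://curl.se/bug/?i=8638
- [63] = https://curl.se/bug/?i=8636
- [64] = https://curl.se/bug/?i=8709
- [65] = https://curl.se/bug/?i=8661
- [66] = https://curl.se/bug/?i=8663
- [67] = https://curl.se/bug/?i=8664
- [68] = https://curl.se/bug/?i=8664
- [69] = https://curl.se/bug/?i=8626
- [70] = https://curl.se/bug/?i=8656
- [71] = https://curl.se/bug/?i=8660
- [72] = https://curl.se/bug/?i=8657
- [73] = https://curl.se/bug/?i=8657
- [74] = https://curl.se/bug/?i=8694
- [75] = https://curl.se/bug/?i=8643
- [76] = https://curl.se/bug/?i=8652
- [77] = https://curl.se/bug/?i=8693
- [78] = https://curl.se/bug/?i=8693
- [79] = https://curl.se/bug/?i=8602
- [80] = https://curl.se/bug/?i=8691
- [81] = https://curl.se/bug/?i=8689
- [82] = https://curl.se/bug/?i=8690
- [83] = https://curl.se/bug/?i=8688
- [84] = https://curl.se/bug/?i=8517
- [85] = https://curl.se/bug/?i=8684
- [86] = https://curl.se/bug/?i=8595
- [87] = https://curl.se/bug/?i=8684
- [88] = https://curl.se/bug/?i=8683
- [89] = https://curl.se/bug/?i=8677
- [90] = https://curl.se/bug/?i=8676
- [91] = https://curl.se/bug/?i=8682
- [92] = https://curl.se/bug/?i=8679
- [93] = https://curl.se/bug/?i=8678
- [94] = https://curl.se/bug/?i=8678
- [95] = https://curl.se/bug/?i=8673
- [96] = https://curl.se/bug/?i=8687
- [97] = https://curl.se/bug/?i=8701
- [98] = https://curl.se/bug/?i=8716
- [99] = https://curl.se/bug/?i=8704
- [100] = https://curl.se/bug/?i=8713
- [101] = https://curl.se/bug/?i=8714
- [102] = https://curl.se/bug/?i=8697
- [103] = https://curl.se/bug/?i=8711
- [105] = https://curl.se/bug/?i=8753
- [107] = https://curl.se/bug/?i=8707
- [109] = https://curl.se/docs/CVE-2022-27774.html
- [110] = https://curl.se/docs/CVE-2022-27776.html
- [111] = https://hackerone.com/reports/1549461
- [112] = https://curl.se/docs/CVE-2022-27775.html
- [113] = https://curl.se/docs/CVE-2022-22576.html
- [114] = https://hackerone.com/reports/1549435
- [115] = https://hackerone.com/reports/1542881
- [116] = https://curl.se/bug/?i=8738
- [117] = https://hackerone.com/reports/1548535
- [119] = https://curl.se/bug/?i=8739
- [122] = https://curl.se/bug/?i=8692
- [123] = https://curl.se/bug/?i=8699
- [124] = https://curl.se/bug/?i=8708
- [125] = https://curl.se/bug/?i=8719
- [126] = https://curl.se/bug/?i=8725
- [127] = https://curl.se/bug/?i=8724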

+ 4 - 4
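--- a/contrib/libs/curl/include/curl/curlver.h
+++ b/contrib/libs/curl/include/curl/curlver.h
@@ -30,13 +30,13 @@
 
 /* This is the version number of the libcurl package from which this header
    file origins: */
-#define LIBCURL_VERSION "7.83.0"
+#define LIBCURL_VERSION "7.83.1"
 
 /* The numeric version number is also available "in parts" by using these
    defines: */
 #define LIBCURL_VERSION_MAJOR 7
 #define LIBCURL_VERSION_MINOR 83
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1
 
 /* This is the numeric version of the libcurl version number, meant for easier
    parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will
@@ -57,7 +57,7 @@
    CURL_VERSION_BITS() macro since curl's own configure script greps for it
    and needs it to contain the full number.
 */
-#define LIBCURL_VERSION_NUM 0x075300
+#define LIBCURL_VERSION_NUM 0x075301
 
 /*
  * This is the date and time when the full source package was created. The
@@ -68,7 +68,7 @@
  *
  * "2007-11-23"
  */
-#define LIBCURL_TIMESTAMP "2022-04-27"
+#define LIBCURL_TIMESTAMP "2022-05-11"
 
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \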

+ 24 - 3
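--- a/contrib/libs/curl/lib/altsvc.c
+++ b/contrib/libs/curl/lib/altsvc.c
@@ -102,12 +102,17 @@ static struct altsvc *altsvc_createid(const char *srchost,
                                       unsigned int dstport)
 {
   struct altsvc *as = calloc(sizeof(struct altsvc), 1);
+  size_t hlen;
   if(!as)
     return NULL;
-
+  hlen = strlen(srchost);
+  DEBUGASSERT(hlen);
   as->src.host = strdup(srchost);
   if(!as->src.host)
     goto error;
+  if(hlen && (srchost[hlen - 1] == '.'))
+    /* strip off trailing any dot */
+    as->src.host[--hlen] = 0;
   as->dst.host = strdup(dsthost);
   if(!as->dst.host)
     goto error;
@@ -398,6 +403,22 @@ static CURLcode getalnum(const char **ptr, char *alpnbuf, size_t buflen)
   return CURLE_OK;
 }
 
+/* hostcompare() returns true if 'host' matches 'check'. The first host
+ * argument may have a trailing dot present that will be ignored.
+ */
+static bool hostcompare(const char *host, const char *check)
+{
+  size_t hlen = strlen(host);
+  size_t clen = strlen(check);
+
+  if(hlen && (host[hlen - 1] == '.'))
+    hlen--;
+  if(hlen != clen)
+    /* they can't match if they have different lengths */
+    return FALSE;
+  return strncasecompare(host, check, hlen);
+}
+
 /* altsvc_flush() removes all alternatives for this source origin from the
    list */
 static void altsvc_flush(struct altsvcinfo *asi, enum alpnid srcalpnid,
@@ -410,7 +431,7 @@ static void altsvc_flush(struct altsvcinfo *asi, enum alpnid srcalpnid,
     n = e->next;
     if((srcalpnid == as->src.alpnid) &&
        (srcport == as->src.port) &&
-       strcasecompare(srchost, as->src.host)) {
+       hostcompare(srchost, as->src.host)) {
       Curl_llist_remove(&asi->list, e, NULL);
       altsvc_free(as);
     }
@@ -635,7 +656,7 @@ bool Curl_altsvc_lookup(struct altsvcinfo *asi,
       continue;
     }
     if((as->src.alpnid == srcalpnid) &&
-       strcasecompare(as->src.host, srchost) &&
+       hostcompare(srchost, as->src.host) &&
        (as->src.port == srcport) &&
        (versions & as->dst.alpnid)) {
       /* match */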
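Review bot: hostcompare() drops a trailing dot only from its first argument, so the matches in altsvc_flush and Curl_altsvc_lookup are correct only while every stored `as->src.host` has already been stripped by altsvc_createid; nothing in the visible hunks states that invariant. I would extend the function comment with `'check' must already be stored without a trailing dot (see altsvc_createid())`, so that a later call with the arguments in the old order, as in the removed `strcasecompare(as->src.host, srchost)`, is noticed in review. In altsvc_createid the new comment should read `/* strip off any trailing dot */`. The bodies of altsvc_createid, altsvc_flush and Curl_altsvc_lookup continue outside the hunks.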

+ 12 - 0
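--- a/contrib/libs/curl/lib/c-hyper.c
+++ b/contrib/libs/curl/lib/c-hyper.c
@@ -439,6 +439,13 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data,
     reasonp = hyper_response_reason_phrase(resp);
     reason_len = hyper_response_reason_phrase_len(resp);
 
+    if(http_status == 417 && data->state.expect100header) {
+      infof(data, "Got 417 while waiting for a 100");
+      data->state.disableexpect = TRUE;
+      data->req.newurl = strdup(data->state.url);
+      Curl_done_sending(data, k);
+    }
+
     result = status_line(data, conn,
                          http_status, http_version, reasonp, reason_len);
     if(result)
@@ -951,6 +958,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done)
       goto error;
     }
   }
+  else {
+    if(!h2 && !data->state.disableexpect) {
+      data->state.expect100header = TRUE;
+    }
+  }
 
   if(hyper_request_set_method(req, (uint8_t *)method, strlen(method))) {
     failf(data, "error setting method");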
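Review bot: In the 417 branch added to Curl_hyper_stream, the result of `data->req.newurl = strdup(data->state.url);` is never checked, so on allocation failure the function carries on with a NULL `newurl` while `disableexpect` is already set; presumably the retry without Expect: then never happens and no error is reported. I would follow the assignment with `if(!data->req.newurl) result = CURLE_OUT_OF_MEMORY;` and send that through the same exit the following `if(result)` uses; the function body and its cleanup path lie outside the hunk, so the exact form has to be checked there. The return value of `Curl_done_sending(data, k)` is also dropped on this path.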

+ 9 - 1
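--- a/contrib/libs/curl/lib/cookie.c
+++ b/contrib/libs/curl/lib/cookie.c
@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
 /* Make sure domain contains a dot or is localhost. */
 static bool bad_domain(const char *domain)
 {
-  return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
+  if(strcasecompare(domain, "localhost"))
+    return FALSE;
+  else {
+    /* there must be a dot present, but that dot must not be a trailing dot */
+    char *dot = strchr(domain, '.');
+    if(dot)
+      return dot[1] ? FALSE : TRUE;
+  }
+  return TRUE;
 }
 
 /*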
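Review bot: The new comment in bad_domain says the dot "must not be a trailing dot", but `strchr(domain, '.')` returns the first dot, so the function rejects only names whose first dot is also the last character (such as `com.`); a name like `example.com.` is still accepted. If that is the intent, the comment should say so, for example `/* there must be a dot, and the first dot must not be the last character */`; if any trailing dot is meant to be rejected, the test has to look at the string's last character instead. `dot` can be declared `const char *`, since `domain` is const.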

+ 4 - 4
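--- a/contrib/libs/curl/lib/easy.c
+++ b/contrib/libs/curl/lib/easy.c
@@ -1139,7 +1139,7 @@ CURLcode curl_easy_recv(struct Curl_easy *data, void *buffer, size_t buflen,
   if(!data->conn)
     /* on first invoke, the transfer has been detached from the connection and
        needs to be reattached */
-    Curl_attach_connnection(data, c);
+    Curl_attach_connection(data, c);
 
   *n = 0;
   result = Curl_read(data, sfd, buffer, buflen, &n1);
@@ -1175,7 +1175,7 @@ CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer,
   if(!data->conn)
     /* on first invoke, the transfer has been detached from the connection and
        needs to be reattached */
-    Curl_attach_connnection(data, c);
+    Curl_attach_connection(data, c);
 
   *n = 0;
   sigpipe_ignore(data, &pipe_st);
@@ -1209,12 +1209,12 @@ static int conn_upkeep(struct Curl_easy *data,
   if(conn->handler->connection_check) {
     /* briefly attach the connection to this transfer for the purpose of
        checking it */
-    Curl_attach_connnection(data, conn);
+    Curl_attach_connection(data, conn);
 
     /* Do a protocol-specific keepalive check on the connection. */
     conn->handler->connection_check(data, conn, CONNCHECK_KEEPALIVE);
     /* detach the connection again */
-    Curl_detach_connnection(data);
+    Curl_detach_connection(data);
   }
 
   return 0; /* continue iteration */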

+ 1 - 1
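--- a/contrib/libs/curl/lib/hostip.c
+++ b/contrib/libs/curl/lib/hostip.c
@@ -1268,7 +1268,7 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done)
   result = Curl_setup_conn(data, protocol_done);
 
   if(result) {
-    Curl_detach_connnection(data);
+    Curl_detach_connection(data);
     Curl_conncache_remove_conn(data, conn, TRUE);
     Curl_disconnect(data, conn, TRUE);
   }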

+ 25 - 5
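--- a/contrib/libs/curl/lib/hsts.c
+++ b/contrib/libs/curl/lib/hsts.c
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
                             curl_off_t expires)
 {
   struct stsentry *sts = hsts_entry();
+  char *duphost;
+  size_t hlen;
   if(!sts)
     return CURLE_OUT_OF_MEMORY;
 
-  sts->expires = expires;
+  duphost = strdup(hostname);
-  sts->includeSubDomains = subdomains;
+  if(!duphost) {
-  sts->host = strdup(hostname);
-  if(!sts->host) {
     free(sts);
     return CURLE_OUT_OF_MEMORY;
   }
+
+  hlen = strlen(duphost);
+  if(duphost[hlen - 1] == '.')
+    /* strip off trailing any dot */
+    duphost[--hlen] = 0;
+
+  sts->host = duphost;
+  sts->expires = expires;
+  sts->includeSubDomains = subdomains;
   Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
   return CURLE_OK;
 }
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
                            bool subdomain)
 {
   if(h) {
+    char buffer[MAX_HSTS_HOSTLEN + 1];
     time_t now = time(NULL);
     size_t hlen = strlen(hostname);
     struct Curl_llist_element *e;
     struct Curl_llist_element *n;
+
+    if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+      return NULL;
+    memcpy(buffer, hostname, hlen);
+    if(hostname[hlen-1] == '.')
+      /* remove the trailing dot */
+      --hlen;
+    buffer[hlen] = 0;
+    hostname = buffer;
+
     for(e = h->list.head; e; e = n) {
       struct stsentry *sts = e->ptr;
       n = e->next;
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
     CURLSTScode sc;
     DEBUGASSERT(h);
     do {
-      char buffer[257];
+      char buffer[MAX_HSTS_HOSTLEN + 1];
       struct curl_hstsentry e;
       e.name = buffer;
       e.namelen = sizeof(buffer)-1;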
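Review bot: In hsts_create the new `if(duphost[hlen - 1] == '.')` reads one byte before the start of the buffer when `hostname` is empty, because `hlen - 1` wraps for a zero length. The other two sites this commit adds do guard the index (`hlen &&` in altsvc_createid, `!hlen` in Curl_hsts). Whether an empty name can reach hsts_create is not visible on this page, so the check belongs here: `if(hlen && (duphost[hlen - 1] == '.'))`. The comment beside it would read better as `/* strip off any trailing dot */`.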

+ 15 - 15
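--- a/contrib/libs/curl/lib/http.c
+++ b/contrib/libs/curl/lib/http.c
@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data)
   return result;
 }
 
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
+{
+  struct connectdata *conn = data->conn;
+  return (!data->state.this_is_a_follow ||
+          data->set.allow_auth_to_other_hosts ||
+          (data->state.first_host &&
+           strcasecompare(data->state.first_host, conn->host.name) &&
+           (data->state.first_remote_port == conn->remote_port) &&
+           (data->state.first_remote_protocol == conn->handler->protocol)));
+}
+
 #ifndef CURL_DISABLE_HTTP_AUTH
 /*
  * Output the correct authentication header depending on the auth type
@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data,
   return CURLE_OK;
 }
 
-/*
- * Curl_allow_auth_to_host() tells if authentication, cookies or other
- * "sensitive data" can (still) be sent to this host.
- */
-bool Curl_allow_auth_to_host(struct Curl_easy *data)
-{
-  struct connectdata *conn = data->conn;
-  return (!data->state.this_is_a_follow ||
-          data->set.allow_auth_to_other_hosts ||
-          (data->state.first_host &&
-           strcasecompare(data->state.first_host, conn->host.name) &&
-           (data->state.first_remote_port == conn->remote_port) &&
-           (data->state.first_remote_protocol == conn->handler->protocol)));
-}
-
 /**
  * Curl_http_output_auth() setups the authentication headers for the
  * host/proxy and the correct authentication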

Некоторые файлы не были показаны из-за большого количества измененных файлов