summaryrefslogtreecommitdiff
path: root/libfetch/common.h
AgeCommit message (Collapse)AuthorFilesLines
2021-07-26libfetch: fix range checking for http/ftp protocol parsingTimo Teräs1-1/+11
Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash. CVE-2021-36159 fixes #10749 Co-authored-by: Ariadne Conill <ariadne@dereferenced.org> Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-01-19libfetch: fix connection pooling for proxied http/https requestsTimo Teräs1-1/+1
The connection pooling was broken in two ways: 1. The original URL was always used as the connection pool URL, resulting in duplicate connections to the proxy for http URLs (each http URL would get separate proxy connection) 2. The cache_url stored was always the socket level connect URL. In case of HTTPS, the lookup was done done with the real URL, but the proxy URL was stored as the "cache URL". Thus HTTPS CONNECT connections were never re-used. This fixes the code with following logic: 1. The cache key url is the real URL when no-proxy, or when HTTPS with proxy (the socket is connected to proxy, but logically it is connected to the real URL due to HTTP CONNECT request). And for HTTP with proxy, it's the proxy URL so same proxy connection can be reused for all requests going through it. 2. fetch_connect() now gets cache key URL separately, and it always gets the same value as the fetch_cache_get() calls.
2020-05-29libfetch: implement default port for HTTPS.Ariadne Conill1-0/+1
If getservbyname() fails, libfetch will attempt to connect to port 0.
2017-10-06libfetch: improve openssl/libressl compatibilityTimo Teräs1-6/+1
X509_check_host() is introduced in libressl-2.5.0 and openssl-1.0.2 which are not yet universally available. Add support for building against the older versions.
2017-10-05libfetch: improve ssl connectionsTimo Teräs1-0/+1
loosely based on the freebsd implementation, implement https connection settings to override CA, and use client certificate. new files supported in /etc/apk/: ca.pem - if exists, it contains CAs acceptable for https (otherwise system wide CAs are used) crl.pem - if ca.pem is used, this is the (optional) CRL for it cert.pem - used as client authentication certificate (+ key) cert.key - used as client key (can be also inside cert.pem)
2017-10-05libfetch: remove unwanted code conditionalsTimo Teräs1-10/+0
2017-10-05import libfetch-2.38 from NetBSDTimo Teräs1-0/+147
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files libfetch comes (at least) in netbsd and freebsd flavors which differing functionality. Alpine and Arch package netbsd one, but it's not widely packaged across other distributions. We need NetBSD version as it does not use funopen(3) which is not supported in musl, and supports connection pooling. FreeBSD seems to be the orignal and better maintained version with support for SSL CAs, client certificate authentication, proxy authentication, and improved http redirect handling. So this imports NetBSD version, and future commits will pick up the needed improvements from FreeBSD tree. Incidentally, this also fixes #7857 and likes for good.
generated by cgit v1.2.3-60-g2f50 (git 2.42.0) at 2024-07-23 10:31:03 +0000