summaryrefslogtreecommitdiff
path: root/libfetch/http.c
AgeCommit message (Collapse)AuthorFilesLines
2021-07-26libfetch: fix range checking for http/ftp protocol parsingTimo Teräs1-44/+18
Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash. CVE-2021-36159 fixes #10749 Co-authored-by: Ariadne Conill <ariadne@dereferenced.org> Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-07-23libfetch: simplify code by merging protocol error handling branchesTimo Teräs1-14/+9
removes some code duplication
2021-04-11libfetch: send Proxy-Authorization also for https connectTimo Teräs1-8/+20
fixes #10738 (cherry picked from commit 358c3172ef57b7e7616cbaaad582cab908097694)
2021-04-11Use correct port when redirectedMartin Vahlensieck1-1/+1
If server redirects from http to https, libfetch detects this, but wrongly uses the old url scheme to determine the port. This subsequently leads to the following OpenSSL error: 139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331: Using the new scheme fixes this. This error message comes from trying to connect to port 80 with TLS, it can also be observed by issuing $ openssl s_client -connect alpinelinux.org:80 This bug was introduced in commit: 7158474 libfetch: keep http auth only if redirect is for the same host (cherry picked from commit 63d05ee450c1a810cc33f7dfad9d660f993a9d1c)
2021-04-11libfetch: fix connection pooling for proxied http/https requestsTimo Teräs1-10/+9
The connection pooling was broken in two ways: 1. The original URL was always used as the connection pool URL, resulting in duplicate connections to the proxy for http URLs (each http URL would get separate proxy connection) 2. The cache_url stored was always the socket level connect URL. In case of HTTPS, the lookup was done done with the real URL, but the proxy URL was stored as the "cache URL". Thus HTTPS CONNECT connections were never re-used. This fixes the code with following logic: 1. The cache key url is the real URL when no-proxy, or when HTTPS with proxy (the socket is connected to proxy, but logically it is connected to the real URL due to HTTP CONNECT request). And for HTTP with proxy, it's the proxy URL so same proxy connection can be reused for all requests going through it. 2. fetch_connect() now gets cache key URL separately, and it always gets the same value as the fetch_cache_get() calls. (cherry picked from commit aa1f935c05129288f1550782e34d529fc77dda0a)
2021-04-11libfetch: fix parsing of proxy response to CONNECT requestsConny Seifert1-6/+1
Instead of skipping just one line, properly parse the response headers. [TT: reworded commit message] (cherry picked from commit b1935a1e79854b332b04916a2829b0c09d1b26c9)
2021-04-11libfetch: keep http auth only if redirect is for the same hostTimo Teräs1-1/+7
fixes #10688 (cherry picked from commit 7158474f1ba2bd24c6a9b2b1bbd53984414c0343)
2021-04-11libfetch: fixups to packetization socket option settingTimo Teräs1-26/+22
- split the code to a helper function - do not set sockets to corked state when putting back to cache so socket state is always deterministic - cork/uncork also when sending CONNECT to a proxy, this can reduce a little bit the latency how fast the packet gets sent out - also pair corking with uncorking in http_request to make it more obvious pairing (cherry picked from commit eae92bbacf3c005bf12f8f5f5555bff953ebb5d7)
2021-04-11libfetch: minor HTTP handling improvementAlexander Wauck1-5/+2
The recent TCP_CORK change missed this bit of code. This change should improve performance a bit when making HTTP requests by calling http_cmd only once instead of three times. (cherry picked from commit 09dbe46a7608f56f07914137834e7ddda15c4837)
2020-02-18libfetch: support TCP_CORKTimo Teräs1-23/+22
Unfortunately libfetch operates on raw sockets and is sending each HTTP request line using separate syscall which causes the HTTP request to be sent as multiple packets over the wire in most configurations. This is not good for performance, but can also cause subtle breakage if there's DPI firewall that does not get the Host header. Incidentally, it seems that on BSDs libfetch already sets TCP_NOPUSH optimize the packetization. This commit adds same logic for using TCP_CORK if available. When using TCP_CORK there is no requirement to set TCP_NODELAY as uncorking will also cause immediate send. Keep TCP_NODELAY in the fallback codepaths. Long term, it might make sense to replace or rewrite libfetch to use application level buffering. (cherry picked from commit 271047cc930150a2972573625124b0c097ad322a)
2019-02-13fix strncpy bounds errorsTimo Teräs1-2/+2
error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation] Based on patch by Elan Ruusamäe <glen@delfi.ee>
2018-01-03libfetch: add option to set "Cache-Control: no-cache"Timo Teräs1-1/+4
ref #8161
2018-01-03libfetch: honor https_proxy variable for httpsTimo Teräs1-11/+30
fixes #8160
2017-10-05libfetch: remove unwanted code conditionalsTimo Teräs1-16/+0
2017-10-05build and use bundled libfetch nativelyTimo Teräs1-22/+0
2017-10-05import libfetch-2.38 from NetBSDTimo Teräs1-0/+1552
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files libfetch comes (at least) in netbsd and freebsd flavors which differing functionality. Alpine and Arch package netbsd one, but it's not widely packaged across other distributions. We need NetBSD version as it does not use funopen(3) which is not supported in musl, and supports connection pooling. FreeBSD seems to be the orignal and better maintained version with support for SSL CAs, client certificate authentication, proxy authentication, and improved http redirect handling. So this imports NetBSD version, and future commits will pick up the needed improvements from FreeBSD tree. Incidentally, this also fixes #7857 and likes for good.
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-04-20 20:47:53 +0000