summaryrefslogtreecommitdiff
path: root/libfetch/http.c
AgeCommit message (Collapse)AuthorFilesLines
2021-07-26libfetch: fix range checking for http/ftp protocol parsingTimo Teräs1-44/+18
Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash. CVE-2021-36159 fixes #10749 Co-authored-by: Ariadne Conill <ariadne@dereferenced.org> Reported-by: Samanta Navarro <ferivoz@riseup.net>
2021-07-23libfetch: simplify code by merging protocol error handling branchesTimo Teräs1-14/+9
removes some code duplication
2021-03-16libfetch: send Proxy-Authorization also for https connectTimo Teräs1-8/+20
fixes #10738
2021-03-13Use correct port when redirectedMartin Vahlensieck1-1/+1
If server redirects from http to https, libfetch detects this, but wrongly uses the old url scheme to determine the port. This subsequently leads to the following OpenSSL error: 139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331: Using the new scheme fixes this. This error message comes from trying to connect to port 80 with TLS, it can also be observed by issuing $ openssl s_client -connect alpinelinux.org:80 This bug was introduced in commit: 7158474 libfetch: keep http auth only if redirect is for the same host
2021-01-19libfetch: fix connection pooling for proxied http/https requestsTimo Teräs1-10/+9
The connection pooling was broken in two ways: 1. The original URL was always used as the connection pool URL, resulting in duplicate connections to the proxy for http URLs (each http URL would get separate proxy connection) 2. The cache_url stored was always the socket level connect URL. In case of HTTPS, the lookup was done done with the real URL, but the proxy URL was stored as the "cache URL". Thus HTTPS CONNECT connections were never re-used. This fixes the code with following logic: 1. The cache key url is the real URL when no-proxy, or when HTTPS with proxy (the socket is connected to proxy, but logically it is connected to the real URL due to HTTP CONNECT request). And for HTTP with proxy, it's the proxy URL so same proxy connection can be reused for all requests going through it. 2. fetch_connect() now gets cache key URL separately, and it always gets the same value as the fetch_cache_get() calls.
2021-01-19libfetch: fix parsing of proxy response to CONNECT requestsConny Seifert1-6/+1
Instead of skipping just one line, properly parse the response headers. [TT: reworded commit message]
2020-10-06libfetch: keep http auth only if redirect is for the same hostTimo Teräs1-1/+7
fixes #10688
2020-03-25libfetch: fixups to packetization socket option settingTimo Teräs1-26/+22
- split the code to a helper function - do not set sockets to corked state when putting back to cache so socket state is always deterministic - cork/uncork also when sending CONNECT to a proxy, this can reduce a little bit the latency how fast the packet gets sent out - also pair corking with uncorking in http_request to make it more obvious pairing
2020-03-25libfetch: minor HTTP handling improvementAlexander Wauck1-5/+2
The recent TCP_CORK change missed this bit of code. This change should improve performance a bit when making HTTP requests by calling http_cmd only once instead of three times.
2020-02-18libfetch: support TCP_CORKTimo Teräs1-23/+22
Unfortunately libfetch operates on raw sockets and is sending each HTTP request line using separate syscall which causes the HTTP request to be sent as multiple packets over the wire in most configurations. This is not good for performance, but can also cause subtle breakage if there's DPI firewall that does not get the Host header. Incidentally, it seems that on BSDs libfetch already sets TCP_NOPUSH optimize the packetization. This commit adds same logic for using TCP_CORK if available. When using TCP_CORK there is no requirement to set TCP_NODELAY as uncorking will also cause immediate send. Keep TCP_NODELAY in the fallback codepaths. Long term, it might make sense to replace or rewrite libfetch to use application level buffering.
2019-02-13fix strncpy bounds errorsTimo Teräs1-2/+2
error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation] Based on patch by Elan Ruusamäe <glen@delfi.ee>
2018-01-03libfetch: add option to set "Cache-Control: no-cache"Timo Teräs1-1/+4
ref #8161
2018-01-03libfetch: honor https_proxy variable for httpsTimo Teräs1-11/+30
fixes #8160
2017-10-05libfetch: remove unwanted code conditionalsTimo Teräs1-16/+0
2017-10-05build and use bundled libfetch nativelyTimo Teräs1-22/+0
2017-10-05import libfetch-2.38 from NetBSDTimo Teräs1-0/+1552
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files libfetch comes (at least) in netbsd and freebsd flavors which differing functionality. Alpine and Arch package netbsd one, but it's not widely packaged across other distributions. We need NetBSD version as it does not use funopen(3) which is not supported in musl, and supports connection pooling. FreeBSD seems to be the orignal and better maintained version with support for SSL CAs, client certificate authentication, proxy authentication, and improved http redirect handling. So this imports NetBSD version, and future commits will pick up the needed improvements from FreeBSD tree. Incidentally, this also fixes #7857 and likes for good.
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2024-09-07 02:21:18 +0000