| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Unbreak handling of base 16 in fetch_parseuint(). It is used
only in http chunked mode handling.
Fixes: "libfetch: fix range checking for http/ftp protocol parsing"
|
|
Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.
CVE-2021-36159
fixes #10749
Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
|
|
removes some code duplication
|
|
fixes #10738
(cherry picked from commit 358c3172ef57b7e7616cbaaad582cab908097694)
|
|
If server redirects from http to https, libfetch detects this, but
wrongly uses the old url scheme to determine the port. This subsequently
leads to the following OpenSSL error:
139741541575496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
Using the new scheme fixes this. This error message comes from trying
to connect to port 80 with TLS, it can also be observed by issuing
$ openssl s_client -connect alpinelinux.org:80
This bug was introduced in commit:
7158474 libfetch: keep http auth only if redirect is for the same host
(cherry picked from commit 63d05ee450c1a810cc33f7dfad9d660f993a9d1c)
|
|
Treat URLs with too long individual components as malformed instead
of silently truncating that field. There might be unexpected results
if hostname, username or password field gets truncated.
(cherry picked from commit 5edd60a4e5a996590fed591e7d3a9b8167156daa)
|
|
The connection pooling was broken in two ways:
1. The original URL was always used as the connection pool URL,
resulting in duplicate connections to the proxy for http URLs
(each http URL would get separate proxy connection)
2. The cache_url stored was always the socket level connect URL.
In case of HTTPS, the lookup was done done with the real URL,
but the proxy URL was stored as the "cache URL". Thus HTTPS
CONNECT connections were never re-used.
This fixes the code with following logic:
1. The cache key url is the real URL when no-proxy, or when HTTPS
with proxy (the socket is connected to proxy, but logically it
is connected to the real URL due to HTTP CONNECT request).
And for HTTP with proxy, it's the proxy URL so same proxy
connection can be reused for all requests going through it.
2. fetch_connect() now gets cache key URL separately, and it always
gets the same value as the fetch_cache_get() calls.
(cherry picked from commit aa1f935c05129288f1550782e34d529fc77dda0a)
|
|
fixes #10734
(cherry picked from commit c37b385beefd0e8324bf70f011e52a8c65f7fddf)
|
|
Instead of skipping just one line, properly parse the response headers.
[TT: reworded commit message]
(cherry picked from commit b1935a1e79854b332b04916a2829b0c09d1b26c9)
|
|
Signed-off-by: Mike Detwiler <det@shift5.io>
(cherry picked from commit d438cdfbeb13b0f38c0bef321fc767926df0e4e1)
|
|
fixes #10688
(cherry picked from commit 7158474f1ba2bd24c6a9b2b1bbd53984414c0343)
|
|
If getservbyname() fails, libfetch will attempt to connect to port 0.
(cherry picked from commit ffcdd350d02fb51d91e83a153e58ddbb66bfeb31)
|
|
Fix comparing of the hostname portion that matches exactly.
The no_proxy matching is pretty rudimentary though and probably
could go through a bit of additional rework.
Fixes #10681
(cherry picked from commit d6c54f932054c58aee8f7a6d2bd49b115d804da1)
|
|
- split the code to a helper function
- do not set sockets to corked state when putting back to
cache so socket state is always deterministic
- cork/uncork also when sending CONNECT to a proxy, this
can reduce a little bit the latency how fast the packet
gets sent out
- also pair corking with uncorking in http_request to make
it more obvious pairing
(cherry picked from commit eae92bbacf3c005bf12f8f5f5555bff953ebb5d7)
|
|
The recent TCP_CORK change missed this bit of code. This change
should improve performance a bit when making HTTP requests by calling
http_cmd only once instead of three times.
(cherry picked from commit 09dbe46a7608f56f07914137834e7ddda15c4837)
|
|
Unfortunately libfetch operates on raw sockets and is sending
each HTTP request line using separate syscall which causes the
HTTP request to be sent as multiple packets over the wire in most
configurations. This is not good for performance, but can also
cause subtle breakage if there's DPI firewall that does not get
the Host header.
Incidentally, it seems that on BSDs libfetch already sets
TCP_NOPUSH optimize the packetization. This commit adds same
logic for using TCP_CORK if available. When using TCP_CORK
there is no requirement to set TCP_NODELAY as uncorking will
also cause immediate send. Keep TCP_NODELAY in the fallback
codepaths.
Long term, it might make sense to replace or rewrite libfetch
to use application level buffering.
(cherry picked from commit 271047cc930150a2972573625124b0c097ad322a)
|
|
error: 'strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
Based on patch by Elan Ruusamäe <glen@delfi.ee>
|
|
This is unwanted information disclosure.
Reported-by: Max Justicz <max@justi.cz>
|
|
TLS_client_method is a LibreSSL extension.
SSLv23_client_method is generic, and doesn't mean SSL v2/v3 only.
|
|
ref #8161
|
|
fixes #8160
|
|
OpenSSL allows passing zero-length to indicate "use strlen".
LibreSSL requires using the real length always, so pass the length.
|
|
X509_check_host() is introduced in libressl-2.5.0 and openssl-1.0.2
which are not yet universally available. Add support for building
against the older versions.
|
|
loosely based on the freebsd implementation, implement https
connection settings to override CA, and use client certificate.
new files supported in /etc/apk/:
ca.pem - if exists, it contains CAs acceptable for https
(otherwise system wide CAs are used)
crl.pem - if ca.pem is used, this is the (optional) CRL for it
cert.pem - used as client authentication certificate (+ key)
cert.key - used as client key (can be also inside cert.pem)
|
|
|
|
from freebsd
|
|
|
|
ftp://ftp.fu-berlin.de/unix/NetBSD/packages/current-src/pkgsrc/net/libfetch/files
libfetch comes (at least) in netbsd and freebsd flavors which
differing functionality. Alpine and Arch package netbsd one,
but it's not widely packaged across other distributions.
We need NetBSD version as it does not use funopen(3) which is not
supported in musl, and supports connection pooling.
FreeBSD seems to be the orignal and better maintained version
with support for SSL CAs, client certificate authentication,
proxy authentication, and improved http redirect handling.
So this imports NetBSD version, and future commits will pick up
the needed improvements from FreeBSD tree.
Incidentally, this also fixes #7857 and likes for good.
|
