lib/fetch: sync again

Author: Duncaen

lib/fetch/common.c

@@ -233,13 +233,19 @@ conn_t *
 fetch_reopen(int sd)
 {
 	conn_t *conn;
+#ifdef SO_NOSIGPIPE
+	int opt = 1;
+#endif
 
 	/* allocate and fill connection structure */
 	if ((conn = calloc(1, sizeof(*conn))) == NULL)
 		return (NULL);
-	conn->next_buf = NULL;
-	conn->next_len = 0;
+	fcntl(sd, F_SETFD, FD_CLOEXEC);
+#ifdef SO_NOSIGPIPE
+	setsockopt(sd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof opt);
+#endif
 	conn->sd = sd;
+	++conn->ref;
 	return (conn);
 }
 
@@ -932,7 +938,7 @@ fetch_ssl_tolower(char in)
  * conversions.
  */
 static int
-fetch_ssl_isalpha(unsigned char in)
+fetch_ssl_isalpha(char in)
 {
 	return ((in >= 'A' && in <= 'Z') || (in >= 'a' && in <= 'z'));
 }
@@ -970,7 +976,7 @@ fetch_ssl_is_trad_domain_label(const char *l, size_t len, int wcok)
 		return (0);
 	for (i = 0; i < len; ++i) {
 		if (!isdigit((unsigned char)l[i]) &&
-		    !fetch_ssl_isalpha((unsigned char)l[i]) &&
+		    !fetch_ssl_isalpha(l[i]) &&
 		    !(l[i] == '*' && wcok) &&
 		    !(l[i] == '-' && l[i - 1] != '-'))
 			return (0);
@@ -1269,7 +1275,7 @@ fetch_ssl_setup_transport_layer(SSL_CTX *ctx, int verbose)
 {
 	long ssl_ctx_options;
 
-	ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_TICKET;
+	ssl_ctx_options = SSL_OP_ALL | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET;
 	if (getenv("SSL_ALLOW_SSL3") == NULL)
 		ssl_ctx_options |= SSL_OP_NO_SSLv3;
 	if (getenv("SSL_NO_TLS1") != NULL)
@@ -1622,7 +1628,7 @@ fetch_read(conn_t *conn, char *buf, size_t len)
 			}
 			timersub(&timeout, &now, &delta);
 			deltams = delta.tv_sec * 1000 +
-			    delta.tv_usec / 1000;;
+			    delta.tv_usec / 1000;
 		}
 		errno = 0;
 		pfd.revents = 0;
@@ -1657,6 +1663,7 @@ fetch_getln(conn_t *conn)
 		conn->bufsize = MIN_BUF_SIZE;
 	}
 
+	conn->buf[0] = '\0';
 	conn->buflen = 0;
 	next = NULL;
 
@@ -1676,7 +1683,7 @@ fetch_getln(conn_t *conn)
 		conn->buflen += len;
 		if (conn->buflen == conn->bufsize && next == NULL) {
 			tmp = conn->buf;
-			tmpsize = conn->bufsize * 2;
+			tmpsize = conn->bufsize * 2 + 1;
 			if (tmpsize < conn->bufsize) {
 				errno = ENOMEM;
 				return (-1);

lib/fetch/fetch.c

@@ -1,7 +1,9 @@
 /*	$FreeBSD: rev 252375 $ */
 /*	$NetBSD: fetch.c,v 1.19 2009/08/11 20:48:06 joerg Exp $	*/
 /*-
- * Copyright (c) 1998-2004 Dag-Erling Coïdan Smørav
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright (c) 1998-2004 Dag-Erling Smørgrav
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>
  * All rights reserved.
  *
@@ -31,8 +33,8 @@
 
 #include "compat.h"
 
-#include <ctype.h>
 #include <errno.h>
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -294,6 +296,9 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
 		    (d2 = fetch_hexval(s[2])) >= 0 && (d1 > 0 || d2 > 0)) {
 			c = d1 << 4 | d2;
 			s += 2;
+		} else if (s[0] == '%') {
+			/* Invalid escape sequence. */
+			return (NULL);
 		} else {
 			c = *s;
 		}
@@ -366,7 +371,7 @@ fetchParseURL(const char *URL)
 
 	/* hostname */
 	if (*p == '[') {
-		q = p + 1 + strspn(p + 1, ":0123456789ABCDEFabcdef");
+		q = p + 1 + strspn(p + 1, ":0123456789ABCDEFabcdef.");
 		if (*q++ != ']')
 			goto ouch;
 	} else {
@@ -419,7 +424,10 @@ fetchParseURL(const char *URL)
 			goto ouch;
 		}
 		u->doc = doc;
-		while (*p != '\0') {
+		/* fragments are reserved for client-side processing, see
+		 * https://www.rfc-editor.org/rfc/rfc9110.html#section-7.1
+		 */
+		while (*p != '\0' && *p != '#') {
 			if (!isspace((unsigned char)*p)) {
 				*doc++ = *p++;
 			} else {
@@ -458,12 +466,10 @@ fetchParseURL(const char *URL)
 void
 fetchFreeURL(struct url *u)
 {
-	if (!u) {
+	if (!u)
 		return;
-	}
-	if (u->doc) {
+	if (u->doc)
 		free(u->doc);
-	}
 	free(u);
 }
 

lib/fetch/http.c

@@ -70,6 +70,7 @@
 #include <locale.h>
 #include <netdb.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1310,8 +1311,7 @@ http_digest_auth(conn_t *conn, const char *hdr, http_auth_challenge_t *c,
 		 http_auth_params_t *parms, struct url *url)
 {
 	HASHHEX HA1;
-	HASHHEX digest;
-	HASHHEX empty = {0};
+	HASHHEX digest, null;
 	int r;
 	char noncecount[10];
 	char cnonce[40];
@@ -1343,8 +1343,9 @@ http_digest_auth(conn_t *conn, const char *hdr, http_auth_challenge_t *c,
 	DigestCalcHA1(c->algo, parms->user, c->realm,
 		      parms->password, c->nonce, cnonce, HA1);
 	DEBUGF("HA1: [%s]\n", HA1);
+	memset(null, 0, sizeof(null));
 	DigestCalcResponse(HA1, c->nonce, noncecount, cnonce, c->qop,
-			   "GET", url->doc, empty, digest);
+			   "GET", url->doc, null, digest);
 
 	if (c->qop[0]) {
 		r = http_cmd(conn, "%s: Digest username=\"%s\",realm=\"%s\","
@@ -1449,6 +1450,8 @@ http_connect(struct url *URL, struct url *purl, const char *flags)
 	int val;
 #endif
 	int serrno;
+	bool isproxyauth = false;
+	http_auth_challenges_t proxy_challenges;
 
 #ifdef INET6
 	af = AF_UNSPEC;
@@ -1466,21 +1469,63 @@ http_connect(struct url *URL, struct url *purl, const char *flags)
 
 	curl = (purl != NULL) ? purl : URL;
 
+
 	if ((conn = fetch_cache_get(curl, af)) != NULL)
 		return (conn);
 
+retry:
 	if ((conn = fetch_connect(curl, af, verbose)) == NULL)
 		/* fetch_connect() has already set an error code */
 		return (NULL);
 	init_http_headerbuf(&headerbuf);
 	if (strcmp(URL->scheme, SCHEME_HTTPS) == 0 && purl) {
-		http_cmd(conn, "CONNECT %s:%d HTTP/1.1",
-		    URL->host, URL->port);
-		http_cmd(conn, "Host: %s:%d",
-		    URL->host, URL->port);
+		int httpreply;
+		init_http_auth_challenges(&proxy_challenges);
+		http_cmd(conn, "CONNECT %s:%d HTTP/1.1", URL->host, URL->port);
+		http_cmd(conn, "Host: %s:%d", URL->host, URL->port);
+		if (isproxyauth) {
+			http_auth_params_t aparams;
+			init_http_auth_params(&aparams);
+			if (*purl->user || *purl->pwd) {
+				aparams.user = strdup(purl->user);
+				aparams.password = strdup(purl->pwd);
+			} else if ((p = getenv("HTTP_PROXY_AUTH")) != NULL &&
+				    *p != '\0') {
+				if (http_authfromenv(p, &aparams) < 0) {
+					http_seterr(HTTP_NEED_PROXY_AUTH);
+					fetch_syserr();
+					goto ouch;
+				}
+			} else if (fetch_netrc_auth(purl) == 0) {
+				aparams.user = strdup(purl->user);
+				aparams.password = strdup(purl->pwd);
+			} else {
+				/*
+				 * No auth information found in system - exiting
+				 * with warning.
+				 */
+				http_seterr(HTTP_NEED_PROXY_AUTH);
+				fetch_syserr();
+				goto ouch;
+			}
+			http_authorize(conn, "Proxy-Authorization",
+			    &proxy_challenges, &aparams, purl);
+			clean_http_auth_params(&aparams);
+		}
 		http_cmd(conn, "%s", "");
-		if (http_get_reply(conn, NULL) != HTTP_OK) {
-			http_seterr(conn->err);
+		/* Get reply from CONNECT Tunnel attempt */
+		httpreply = http_get_reply(conn, NULL);
+		if (httpreply != HTTP_OK) {
+			http_seterr(httpreply);
+			/* If the error is a 407/HTTP_NEED_PROXY_AUTH */
+			if (httpreply == HTTP_NEED_PROXY_AUTH &&
+			    ! isproxyauth) {
+				/* Try again with authentication. */
+				clean_http_headerbuf(&headerbuf);
+				fetch_close(conn);
+				isproxyauth = true;
+				goto retry;
+			}
 			goto ouch;
 		}
 		/* Read and discard the rest of the proxy response */