Reported-by: Olen Andoni
Fixes #3906
Closes #3907

Closes #3892

Ref: #3905

The longest currently registered URI scheme at IANA is 36 bytes long.

Closes #3905
Closes #3900

Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872

Just initialize word_begin with the correct value.

Closes https://github.com/curl/curl/pull/3873

This way, we need only one call to free.

Closes https://github.com/curl/curl/pull/3873

sock was only used to be assigned to fd_read.

Closes https://github.com/curl/curl/pull/3873

bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436

When running a multi TLS backend build the version string needs more
buffer space. Make the internal ssl_buffer stack buffer match the one
in Curl_multissl_version() to allow for the longer string. For single
TLS backend builds there is no use in extended to buffer. This is a
fallout from #3863 which fixes up the multi_ssl string generation to
avoid a buffer overflow when the buffer is too small.

Closes #3875
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Missed in fe6049f0.

Missed in 50b87c4e.

Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.

Closes #3894

Closes #3844

Approved-by: Daniel Stenberg
Closes #3896

Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135
Approved-by: Daniel Stenberg
Closes #3895

Closes #3887

They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883

... since libcurl has started to be totally unaware of options for
disabled protocols they now return error.

Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937

Reported-by: Marcel Raad
Closes #3886

This brings the code inline with the other HTTP authentication mechanisms.

Closes #3890

Reported-by: Roy Bellingan
Bug: #3885

As we treat a given proxy as a URL we should use the unified URL parser
to extract the parts out of it.

Closes #3878

Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

Closes #3882

Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior
to calling conn_shutdown() and it in turn performs this, there is no
need to perform the same action in conn_shutdown().

Closes #3881

Updated test 1560 to verify.

Closes #3880

If --with-ssl is used and configure still couldn't enable SSL this
creates an error instead of just silently ignoring the fact.

Suggested-by: Isaiah Norton
Fixes #3824
Closes #3830

No need to set variables to zero as calloc() does this for us.

Closes #3879

Clues-provided-by: Jay Satiro
Clues-provided-by: Jeroen Ooms
Fixes #3711
Closes #3874

In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg