Merge remote-tracking branch 'remotes/lwthiker-original/main'

# Conflicts: # .github/workflows/build-and-test-make.yml # Dockerfile.template # Makefile.in # README.md # chrome/Dockerfile # chrome/Dockerfile.alpine # chrome/patches/boringssl-old-ciphers.patch # chrome/patches/curl-impersonate.patch
GerHobbelt · Mar 18, 2024 · d4ba4cb · d4ba4cb
2 parents a93d6af + 822dbef
commit d4ba4cb
Show file tree

Hide file tree

Showing 10 changed files with 95 additions and 23 deletions.
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -142,7 +142,8 @@ RUN mkdir out && \
 RUN ./out/curl-impersonate -V | grep -q zlib && \
     ./out/curl-impersonate -V | grep -q brotli && \
     ./out/curl-impersonate -V | grep -q nghttp2 && \
-    ./out/curl-impersonate -V | grep -q -e BoringSSL
+    ./out/curl-impersonate -V | grep -q -e BoringSSL && \
+    ./out/curl-impersonate -V | grep -q -e wss
 
 # Verify that the resulting 'curl' is really statically compiled
 RUN ! (ldd ./out/curl-impersonate | grep -q -e libcurl -e nghttp2 -e brotli -e ssl -e crypto)
@@ -152,6 +153,7 @@ RUN rm -Rf /build/install
 # Re-compile libcurl dynamically
 RUN cd ${CURL_VERSION} && \
     ./configure --prefix=/build/install \
+                --enable-websockets \
                 --with-nghttp2=/build/${NGHTTP2_VERSION}/installed \
                 --with-brotli=/build/brotli-${BROTLI_VERSION}/build/installed \
                 --without-zstd \
@@ -200,7 +202,8 @@ RUN apt-get update && apt-get install -y ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 {{/debian}}
 # Copy curl-impersonate from the builder image
-COPY --from=builder /build/install /usr/local
+COPY --from=builder /build/out/curl-impersonate* /usr/local/bin
+COPY --from=builder /build/out/libcurl-impersonate* /usr/local/lib
 {{#debian}}
 # Update the loader's cache
 RUN ldconfig

diff --git a/INSTALL.md b/INSTALL.md
@@ -135,6 +135,15 @@ cd ../ && rm -Rf build
 
 To compile curl-impersonate statically with libcurl-impersonate, pass `--enable-static` to the `configure` script.
 
+### Configuring curl's build
+
+You might want to configure the underlying curl build to your needs.
+To do that, use the `CURL_CONFIG_FLAGS` variable. These flags will be passed down to curl's `configure` script:
+
+```sh
+../configure CURL_CONFIG_FLAGS="--disable-rtsp"
+```
+
 ### A note about the Firefox version
 
 The Firefox version compiles a static version of nss, Firefox's TLS library.

diff --git a/Makefile.in b/Makefile.in
@@ -58,6 +58,9 @@ CC = @CC@
 CXX = @CXX@
 STRIP = @STRIP@
 
+# Additional flags to be passed down to curl's configure script during build.
+CURL_CONFIG_FLAGS = @CURL_CONFIG_FLAGS@
+
 # Auto-generate Makefile help.
 # Borrowed from https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
 help: ## Show this help message
@@ -362,7 +365,8 @@ $(CURL_VERSION)/.firefox: $(firefox_libs) $(CURL_VERSION).tar.xz $(CURL_VERSION)
 	# If the user provided the --host flag to our configure script
 	# (for cross compilation), then pass it on to curl.
 	{ \
-	  config_flags="--prefix=@prefix@"; \
+	  config_flags="$(CURL_CONFIG_FLAGS)"; \
+	  config_flags+=" --prefix=@prefix@"; \
 	  config_flags+=" --with-nghttp2=$(nghttp2_install_dir)"; \
 	  config_flags+=" --with-brotli=$(brotli_install_dir)"; \
 	  config_flags+=" --with-nss=$(nss_install_dir) --with-nss-deprecated"; \
@@ -405,7 +409,8 @@ $(CURL_VERSION)/.chrome: $(chrome_libs)	$(CURL_VERSION).tar.xz $(CURL_VERSION)/.
 	# If the user provided the --host flag to our configure script
 	# (for cross compilation), then pass it on to curl.
 	{ \
-	  config_flags="--prefix=@prefix@"; \
+	  config_flags="$(CURL_CONFIG_FLAGS)"; \
+	  config_flags="$$config_flags --prefix=@prefix@"; \
 	  config_flags="$$config_flags --with-nghttp2=$(nghttp2_install_dir)"; \
 	  config_flags="$$config_flags --with-brotli=$(brotli_install_dir)"; \
 	  config_flags="$$config_flags --with-openssl=$(boringssl_install_dir)"; \

diff --git a/README.md b/README.md
@@ -99,6 +99,9 @@ Pre-compiled binaries for Windows, Linux and macOS are available at the [GitHub
 * Archlinux - `pacman -S nss ca-certificates`
 * macOS - `brew install nss ca-certificates`
 
+Also ensure you have zlib installed on your system.
+zlib is almost always present, but on some minimal systems it might be missing.
+
 The pre-compiled binaries contain libcurl-impersonate and a statically compiled curl-impersonate for ease of use.
 
 The pre-compiled Linux binaries are built for Ubuntu systems. On other distributions if you have errors with certificate verification you may have to tell curl where to find the CA certificates. For example:
@@ -122,12 +125,12 @@ Docker images based on Alpine Linux and Debian with `curl-impersonate` compiled
 
 ```bash
 # Firefox version, Alpine Linux
-docker pull lwthiker/curl-impersonate:0.5-ff
-docker run --rm lwthiker/curl-impersonate:0.5-ff curl_ff109 https://www.wikipedia.org
+docker pull lwthiker/curl-impersonate:0.6-ff
+docker run --rm lwthiker/curl-impersonate:0.6-ff curl_ff109 https://www.wikipedia.org
 
 # Chrome version, Alpine Linux
-docker pull lwthiker/curl-impersonate:0.5-chrome
-docker run --rm lwthiker/curl-impersonate:0.5-chrome curl_chrome110 https://www.wikipedia.org
+docker pull lwthiker/curl-impersonate:0.6-chrome
+docker run --rm lwthiker/curl-impersonate:0.6-chrome curl_chrome110 https://www.wikipedia.org
 ```
 
 ### Distro packages
@@ -137,6 +140,12 @@ AUR packages are available to Archlinux users:
 * Pre-compiled package: [curl-impersonate-bin](https://aur.archlinux.org/packages/curl-impersonate-bin), [libcurl-impersonate-bin](https://aur.archlinux.org/packages/libcurl-impersonate-bin).
 * Build from source code: [curl-impersonate-chrome](https://aur.archlinux.org/packages/curl-impersonate-chrome), [curl-impersonate-firefox](https://aur.archlinux.org/packages/curl-impersonate-firefox).
 
+Unofficial Homebrew receipts for Mac (Chrome only) are available [here](https://github.com/shakacode/homebrew-brew/blob/main/Formula/curl-impersonate.rb):
+```
+brew tap shakacode/brew
+brew install curl-impersonate
+```
+
 ## Advanced usage
 
 ### libcurl-impersonate

diff --git a/chrome/patches/curl-CVE-2023-38545.patch b/chrome/patches/curl-CVE-2023-38545.patch
@@ -0,0 +1,17 @@
+diff -u1 -Nar curl-8.1.1/lib/socks.c curl-8.1.1-patched/lib/socks.c
+--- curl-8.1.1/lib/socks.c	2023-05-22 19:15:11.000000000 +0300
++++ curl-8.1.1-patched/lib/socks.c	2024-03-03 13:32:42.814284316 +0200
+@@ -590,5 +590,5 @@
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+@@ -906,3 +906,3 @@
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for curl-impersonate 0.5.0.
+# Generated by GNU Autoconf 2.71 for curl-impersonate 0.6.1.
 #
 # Report bugs to <lwt@lwthiker.com>.
 #
@@ -610,15 +610,16 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='curl-impersonate'
 PACKAGE_TARNAME='curl-impersonate'
-PACKAGE_VERSION='0.5.0'
-PACKAGE_STRING='curl-impersonate 0.5.0'
+PACKAGE_VERSION='0.6.1'
+PACKAGE_STRING='curl-impersonate 0.6.1'
 PACKAGE_BUGREPORT='lwt@lwthiker.com'
 PACKAGE_URL=''
 
 ac_subst_vars='LTLIBOBJS
 LIBOBJS
 ninja
 cmake
+CURL_CONFIG_FLAGS
 with_libnssckbi
 with_ca_path
 with_ca_bundle
@@ -701,7 +702,8 @@ LIBS
 CPPFLAGS
 CXX
 CXXFLAGS
-CCC'
+CCC
+CURL_CONFIG_FLAGS'
 
 
 # Initialize some variables set by options.
@@ -1250,7 +1252,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures curl-impersonate 0.5.0 to adapt to many kinds of systems.
+\`configure' configures curl-impersonate 0.6.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1317,7 +1319,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of curl-impersonate 0.5.0:";;
+     short | recursive ) echo "Configuration of curl-impersonate 0.6.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1354,6 +1356,8 @@ Some influential environment variables:
               you have headers in a nonstandard directory <include dir>
   CXX         C++ compiler command
   CXXFLAGS    C++ compiler flags
+  CURL_CONFIG_FLAGS
+              "configuration flags to be passed down to curls 'configure'"
 
 Use these variables to override the choices made by `configure' or to help
 it to find libraries and programs with nonstandard names/locations.
@@ -1422,7 +1426,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-curl-impersonate configure 0.5.0
+curl-impersonate configure 0.6.1
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -1584,7 +1588,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by curl-impersonate $as_me 0.5.0, which was
+It was created by curl-impersonate $as_me 0.6.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -4859,7 +4863,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by curl-impersonate $as_me 0.5.0, which was
+This file was extended by curl-impersonate $as_me 0.6.1, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -4914,7 +4918,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-curl-impersonate config.status 0.5.0
+curl-impersonate config.status 0.6.1
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([curl-impersonate], [0.5.4], [lwt@lwthiker.com])
+AC_INIT([curl-impersonate], [0.6.1], [lwt@lwthiker.com])
 
 AC_CANONICAL_BUILD
 AC_CANONICAL_HOST
@@ -67,6 +67,8 @@ AC_ARG_WITH([libnssckbi],
     [AC_SUBST([with_libnssckbi], ["$withval"])],
     [AC_SUBST([with_libnssckbi], [""])])
 
+AC_ARG_VAR([CURL_CONFIG_FLAGS], ["configuration flags to be passed down to curls 'configure'"])
+
 # BoringSSL requires cmake 3.5+, which is sometimes available under
 # "cmake3" instead of "cmake"
 AC_CHECK_PROGS([cmake], [cmake3 cmake])

diff --git a/firefox/Dockerfile b/firefox/Dockerfile
@@ -104,7 +104,8 @@ RUN mkdir out && \
 RUN ./out/curl-impersonate -V | grep -q zlib && \
     ./out/curl-impersonate -V | grep -q brotli && \
     ./out/curl-impersonate -V | grep -q nghttp2 && \
-    ./out/curl-impersonate -V | grep -q -e NSS -e BoringSSL
+    ./out/curl-impersonate -V | grep -q -e NSS -e BoringSSL && \
+    ./out/curl-impersonate -V | grep -q -e wss
 
 # Verify that the resulting 'curl' is really statically compiled
 RUN ! (ldd ./out/curl-impersonate | grep -q -e libcurl -e nghttp2 -e brotli -e ssl -e crypto)
@@ -114,6 +115,7 @@ RUN rm -Rf /build/install
 # Re-compile libcurl dynamically
 RUN cd ${CURL_VERSION} && \
     ./configure --prefix=/build/install \
+                --enable-websockets \
                 --with-nghttp2=/build/${NGHTTP2_VERSION}/installed \
                 --with-brotli=/build/brotli-${BROTLI_VERSION}/build/installed \
                 --without-zstd \
@@ -150,7 +152,8 @@ RUN apt-get update && apt-get install -y ca-certificates \
     libnss3 nss-plugin-pem \
     && rm -rf /var/lib/apt/lists/*
 # Copy curl-impersonate from the builder image
-COPY --from=builder /build/install /usr/local
+COPY --from=builder /build/out/curl-impersonate* /usr/local/bin
+COPY --from=builder /build/out/libcurl-impersonate* /usr/local/lib
 # Update the loader's cache
 RUN ldconfig
 # Copy to /build/out as well for backward compatibility with previous versions.

diff --git a/firefox/Dockerfile.alpine b/firefox/Dockerfile.alpine
@@ -93,7 +93,8 @@ RUN mkdir out && \
 RUN ./out/curl-impersonate -V | grep -q zlib && \
     ./out/curl-impersonate -V | grep -q brotli && \
     ./out/curl-impersonate -V | grep -q nghttp2 && \
-    ./out/curl-impersonate -V | grep -q -e NSS -e BoringSSL
+    ./out/curl-impersonate -V | grep -q -e NSS -e BoringSSL && \
+    ./out/curl-impersonate -V | grep -q -e wss
 
 # Verify that the resulting 'curl' is really statically compiled
 RUN ! (ldd ./out/curl-impersonate | grep -q -e libcurl -e nghttp2 -e brotli -e ssl -e crypto)
@@ -103,6 +104,7 @@ RUN rm -Rf /build/install
 # Re-compile libcurl dynamically
 RUN cd ${CURL_VERSION} && \
     ./configure --prefix=/build/install \
+                --enable-websockets \
                 --with-nghttp2=/build/${NGHTTP2_VERSION}/installed \
                 --with-brotli=/build/brotli-${BROTLI_VERSION}/build/installed \
                 --without-zstd \
@@ -139,6 +141,7 @@ FROM alpine:3.18
 # which is supplied by 'nss' on alpine.
 RUN apk add --no-cache nss
 # Copy curl-impersonate from the builder image
-COPY --from=builder /build/install /usr/local
+COPY --from=builder /build/out/curl-impersonate* /usr/local/bin
+COPY --from=builder /build/out/libcurl-impersonate* /usr/local/lib
 # Wrapper scripts
 COPY --from=builder /build/out/curl_* /usr/local/bin/
diff --git a/firefox/patches/curl-CVE-2023-38545.patch b/firefox/patches/curl-CVE-2023-38545.patch
@@ -0,0 +1,17 @@
+diff -u1 -Nar curl-8.1.1/lib/socks.c curl-8.1.1-patched/lib/socks.c
+--- curl-8.1.1/lib/socks.c	2023-05-22 19:15:11.000000000 +0300
++++ curl-8.1.1-patched/lib/socks.c	2024-03-03 13:32:42.814284316 +0200
+@@ -590,5 +590,5 @@
+     if(!socks5_resolve_local && hostname_len > 255) {
+-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-            "length > 255 [actual len=%zu]", hostname_len);
+-      socks5_resolve_local = TRUE;
++      failf(data, "SOCKS5: the destination hostname is too long to be "
++            "resolved remotely by the proxy.");
++      return CURLPX_LONG_HOSTNAME;
+     }
+@@ -906,3 +906,3 @@
+         socksreq[len++] = 3;
+-        socksreq[len++] = (char) hostname_len; /* one byte address length */
++        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */