CVE-2023-38545 is a high-severity heap overflow affecting curl 7.69.0 to
8.3.0, including 8.1.1 which we use for curl-impersonate. Patches were
released for older versions. Apply the patch for our version.
For more details, see https://curl.se/docs/CVE-2023-38545.html
Libraries present on the CI runner system might affect the released
binaries. Specifically, the macOS runner in GitHub has librtsp, libidn2
and zstd installed, which makes curl link against them.
Explicitly disable linking against these, as we want to keep the precompiled
binaries in our releases with minimal requirements. A user wishing to
use these specific features can build from source on a system with these
libraries present.
The Docker image first builds a static curl-impersonate, then builds
libcurl-impersonate separately. However, the second build overrode the
binary created in the first one, and was configured without websocket
support in addition. This commit fixes both:
* The second build does not override the first, static build.
* The second build is configured with websockets.
Update Docker base images to debian bookworm.
Reduce size of Debian image (remove apt cache) by 10MB
And also minor Markdown lint of INSTALL.md
---------
Co-authored-by: lwthiker <lwt@lwthiker.com>
Remove the --false-start flag completely. In the Chrome version it has
no effect, and in the Firefox version it may cause connection errors.
This flag doesn't seem to affect TLS or HTTP signatures so is safe to
remove.
The flag seems to cause connection errors with some
HTTP/2 servers. The server chooses HTTP/2 based on ALPN but curl
initiates an HTTP/1.1 connection instead. This is an upstream bug in curl
that affects us as well.
* Upgrade baseline curl to 8.1.1
New curl version includes bugfixes, new options but mainly websocket
support which was long requested in curl-impersonate. Upstream curl
reworked a lot of their http2 code which necessitated a lot of changes
on our side as well.
* Fix build on macOS due to bad header priorities
On macOS, clang gives priority to /usr/local/include
over locations specified with -isystem for some unknown reason. In turn
this causes clang to use the system's openssl, which conflicts with
curl-impersonate's boringssl headers.
To prevent that, disable curl's automatic conversion of -I flags to
-isystem.
* Upgrade zlib version
* Upgrade GitHub Mac runner to macos-12
* Upgrade nghttp2 version to 1.56.0
curl-8.1.1 uses an nghttp2 function that only exists in newer versions
of nghttp2.
Add support for impersonating Chrome 110. Chrome 110 comes with TLS
extension permutation enabled by default. We mimic this behavior in libcurl with
the new CURLOPT_SSL_PERMUTE_EXTENSIONS option, which enables the
corresponding flag in BoringSSL.
---------
Co-authored-by: Johann Saunier <saunier.johann@gmail.com>
Firefox impersonation was not updated in a long while. Add impersonation
for Firefox 109. The TLS signature is identical to previous versions,
with the usual changes to the HTTP headers.
Update NSS to the latest version as well, even though it is not
strictly necessary for the impersonation.
Python 3.11 breaks the gyp-next pip package which is used in the build
process to compile nss. It seems that gyp-next has no updated version to
fix that. Use Python 3.10 instead as a temporary fix.
Chrome 107 was recently released. The only difference in signature from
previous Chrome versions is that an HTTP2_NO_SERVER_PUSH setting is sent
in the HTTP2 SETTINGS frame.
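
Added example, not part of the commit log or the curl-impersonate code: a parser for the HTTP/2 SETTINGS frame mentioned in the last message, showing how one extra entry changes the ordered setting list a server can observe. It assumes the commit's HTTP2_NO_SERVER_PUSH corresponds to SETTINGS_ENABLE_PUSH = 0 from RFC 9113; the frames and setting values are constructed for illustration, not captured Chrome traffic.

```python
import struct

SETTINGS_FRAME, ACK = 0x4, 0x1
# Setting identifiers from RFC 9113, section 6.5.2.
NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
         4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE",
         6: "MAX_HEADER_LIST_SIZE"}

def build_settings(pairs):
    """Serialize (identifier, value) pairs into one SETTINGS frame on stream 0."""
    payload = b"".join(struct.pack(">HI", i, v) for i, v in pairs)
    header = struct.pack(">I", len(payload))[1:] + bytes([SETTINGS_FRAME, 0])
    return header + struct.pack(">I", 0) + payload

def parse_settings(frame):
    """Return settings in wire order; raise ValueError on a malformed frame."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != SETTINGS_FRAME:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    if len(payload) != length or length % 6:
        raise ValueError("payload truncated or not a multiple of 6 bytes")
    if flags & ACK and length:
        raise ValueError("SETTINGS ACK must have an empty payload")
    out = []
    for off in range(0, length, 6):
        ident, value = struct.unpack_from(">HI", payload, off)
        if ident == 2 and value > 1:
            raise ValueError("ENABLE_PUSH must be 0 or 1")
        out.append((NAMES.get(ident, f"UNKNOWN_{ident}"), value))
    return out

def signature(frame):
    """Order-preserving summary: presence and order both distinguish clients."""
    return ";".join(f"{name}={value}" for name, value in parse_settings(frame))

# Constructed frames: the same settings without and with ENABLE_PUSH=0.
BEFORE = build_settings([(1, 65536), (3, 1000), (4, 6291456), (6, 262144)])
AFTER = build_settings([(1, 65536), (2, 0), (3, 1000), (4, 6291456), (6, 262144)])

if __name__ == "__main__":
    print(signature(BEFORE))
    print(signature(AFTER))
```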