Age | Commit message | Author
2015-04-21 | fix_hostname: zero length host name caused -1 index offset | Daniel Stenberg
If a URL is given with a zero-length host name, like in "http://:80" or just ":80", `fix_hostname()` will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
2015-04-21 | cookie: cookie parser out of boundary memory access | Daniel Stenberg
The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
2015-04-21 | ConnectionExists: for NTLM re-use, require credentials to match | Daniel Stenberg
CVE-2015-3143
Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
2015-04-21 | openssl: add OPENSSL_NO_SSL3_METHOD check | byronhe
2015-04-20 | CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc | Daniel Stenberg
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
2015-04-20 | configure --with-nss: remove unneeded libs from the fallback | Mostyn Bramley-Moore
2015-04-20 | contributors.sh: fix help output, filter out (-prefix from names | Daniel Stenberg
2015-04-20 | RELEASE-NOTES: synced with cc0e7ebc3be0 | Daniel Stenberg
2015-04-19 | CURLMOPT_TIMERFUNCTION.3: Clarify, add an example | Michael Stapelberg
2015-04-19 | vtls/openssl: use https in URLs and a comment typo fixed | Viktor Szakáts
2015-04-18 | curl_version_info.3: fixed the 'protocols' variable type | Daniel Stenberg
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
2015-04-18 | test1423: added missing "file" to server section | Dan Fandrich
2015-04-17 | TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods | Daniel Stenberg
... and some minor edits
2015-04-17 | Revert "HTTP: don't abort connections with pending Negotiate authentication" | Daniel Stenberg
This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6.
Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
2015-04-17 | cyassl: Fix include order | Jay Satiro
Prior to this change CyaSSL's build options could redefine some generic build symbols.
http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-17 | configure --with-nss: drop redundant if statement | Kamil Dudka
2015-04-17 | configure --with-nss=PATH: query pkg-config if available | Kamil Dudka
Bug: https://github.com/bagder/curl/pull/171
2015-04-17 | parsecfg: do not continue past a zero termination | Daniel Stenberg
When a config file line ends without newline, the parsing function could continue reading beyond that point in memory.
Reported-by: Hanno Böck
2015-04-16 | gitignore: Ignore Windows build output directories | Jay Satiro
2015-04-15 | RELEASE-NOTES: synced with 1ba6e4c88e0 | Daniel Stenberg
2015-04-15 | TODO: 17.9 Choose the name of file in braces for complex URLs | Daniel Stenberg
2015-04-15 | TODO: a little caution that maybe not all ideas are still good | Daniel Stenberg
2015-04-15 | TODO: 17.8 offer color-coded HTTP header output | Daniel Stenberg
2015-04-15 | TODO: 17.7 warning when sending binary output to terminal | Daniel Stenberg
2015-04-15 | KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes | Daniel Stenberg
2015-04-14 | cyassl: Add support for TLS extension SNI | Jay Satiro
2015-04-13 | gitignore: ignore test-driver file | Matthew Hall
2015-04-13 | vtls_openssl: improve PKCS#12 load failure error message | Matthew Hall
2015-04-13 | vtls_openssl: fix minor typo in PKCS#12 load routine | Matthew Hall
2015-04-13 | vtls_openssl: improve client certificate load failure error messages | Matthew Hall
2015-04-13 | vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant | Matthew Hall
2015-04-13 | BUGS: refer to the github issue tracker now as primary | Daniel Stenberg
2015-04-13 | firefox-db2pem: fix wildcard to find Firefox default profile | Daniel Stenberg
At some point, Firefox has changed and generates different directory names for the default profile that made this script fail to find them.
Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
2015-04-11 | cyassl: Include the CyaSSL build config | Jay Satiro
CyaSSL >= 2.6.0 may have an options.h that was generated during its build by configure.
2015-04-11 | build: Generate source prerequisites for Visual Studio in generate.bat | Jay Satiro
Prior to this change Visual Studio builds could fail due to missing prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.
http://curl.haxx.se/mail/lib-2015-04/0034.html
2015-04-09 | lib/makefile.m32: add missing libs to build libcurl.dll | Viktor Szakats
Add 'gdi32' and 'crypt32' Windows implibs to avoid failure while building libcurl.dll using the mingw compiler. The same logic is used in 'src/makefile.m32' when building curl.exe.
2015-04-08 | test142[23]: verify that an empty file is stored on success | Kamil Dudka
2015-04-08 | src/tool_operate: create output file on successful download | Kamil Dudka
... of an empty file
Bug: https://github.com/bagder/curl/issues/183
2015-04-08 | src/tool_cb_wrt: separate fnc for output file creation | Kamil Dudka
2015-04-07 | lib/transfer.c: Remove factor of 8 from sleep time calculation | Da-Yoon Chung
The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and rate_bps are both in bytes. When using the rate limiting option, curl waits 8 times too long, and then transfers very quickly until the average rate reaches the limit. The average rate follows the limit over time, but the actual traffic is bursty.
Thanks-to: Benjamin Gilbert
2015-04-06 | x509asn1: Silence x64 loss-of-data warning on RSA key length assignment | Jay Satiro
The key length in bits will always fit in an unsigned long so the loss-of-data warning assigning the result of x64 pointer arithmetic to an unsigned long is unnecessary.
2015-04-06 | cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size | Jay Satiro
Also fix it so that all ERR_error_string calls use an error buffer. CyaSSL's implementation of ERR_error_string only writes the error when an error buffer is passed.
http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-05 | cyassl: Remove 'Connecting to' message from cyassl_connect_step2 | Jay Satiro
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to' messages since cyassl_connect_step2 is called multiple times, typically. The message is superfluous even once since libcurl already informs the user elsewhere in code that it is connecting.
2015-04-05 | checksrc.bat: quotes to support an SRC_DIR with spaces | Viktor Szakats
2015-04-03 | hostip: fix compiler warnings | Daniel Stenberg
introduced in the previous mini-series of 3 commits
2015-04-03 | actually implement CURLOPT_RESOLVE removals | Stefan Bühler
- also log when a CURLOPT_RESOLVE entry couldn't get parsed
2015-04-03 | move Curl_share_lock and ref counting into Curl_fetch_addr | Stefan Bühler
2015-04-03 | fix refreshing of obsolete dns cache entries | Stefan Bühler
- cache entries must be also refreshed when they are in use
- have the cache count as inuse reference too, freeing timestamp == 0 special value
- use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed
- remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh)
- fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special reference anymore, and it would also release non CURLOPT_RESOLVE references
- fix locking in Curl_hostcache_clean
- fix unit1305.c: hash now keeps a reference, need to set inuse = 1
2015-04-03 | RELEASE-NOTES: synced with abf6bddc14a | Daniel Stenberg
2015-04-03 | checksrc.bat: Check lib\vtls source | Jay Satiro