aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-04-26http2: get rid of another strstr()Daniel Stenberg
Follow-up to 1514c44655e12e: replace another strstr() call done on a buffer that might not be zero terminated - with a memchr() call, even if we know the substring will be found. Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 Closes #2534
2018-04-26cyassl: adapt to libraries without TLS 1.0 support built-inDaniel Stenberg
WolfSSL doesn't enable it by default anymore
2018-04-26configure: provide --with-wolfssl as an alias for --with-cyasslDaniel Stenberg
2018-04-25RELEASE-NOTES: syncedDaniel Stenberg
2018-04-25os400.c: fix ASSIGNWITHINCONDITION checksrc warningsDaniel Gustafsson
All occurrences of assignment within conditional expression in os400sys.c rewritten into two steps: first assignment and then the check on the success of the assignment. Also adjust related incorrect brace positions to match project indentation style. This was spurred by seeing "if((inp = input_token))", but while in there all warnings were fixed. There should be no functional change from these changes. Closes #2525
2018-04-25cookies: ensure that we have cookies before writing jarDaniel Gustafsson
The jar should be written iff there are cookies, so ensure that we still have cookies after expiration to avoid creating an empty file. Closes #2529
2018-04-25strcpy_url: only %-encode values >= 0x80Daniel Stenberg
OSS-Fuzz detected https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 Broke in dd7521bcc1b7
2018-04-24mime: avoid NULL pointer dereference riskDaniel Stenberg
Coverity detected, CID 1435120 Closes #2527
2018-04-24ctype: restore character classification for non-ASCII platformsStephan Mühlstrasser
With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic character classification macros and functions were introduced in curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on non-ASCII, e.g. EBCDIC platforms. This change restores the previous set of character classification macros when CURL_DOES_CONVERSIONS is defined. Closes #2494
2018-04-24ftplistparser: keep state between invokesDaniel Stenberg
Fixes FTP wildcard parsing when done over a number of read buffers. Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2526
2018-04-24examples/http2-upload: expand buffer to avoid silly warningDaniel Stenberg
http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated writing between 2 and 11 bytes into a region of size between 8 and 17
2018-04-24examples/sftpuploadresume: typecast fseek argument to longDaniel Stenberg
/docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long int' from 'curl_off_t {aka long long int}' may alter its value
2018-04-24Revert "ftplistparser: keep state between invokes"Daniel Stenberg
This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. Caused fuzzer problems on travis not seen when this was a PR!
2018-04-24Curl_memchr: zero length input can't matchDaniel Stenberg
Avoids undefined behavior. Reported-by: Geeknik Labs
2018-04-23ftplistparser: keep state between invokesDaniel Stenberg
Fixes FTP wildcard parsing when doing over a number of read buffers. Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2519
2018-04-23ftplistparser: renamed some members and variablesDaniel Stenberg
... to make them better spell out what they're for.
2018-04-23RELEASE-NOTES: syncedDaniel Stenberg
2018-04-23curl_global_sslset: always provide available backendsChristian Schmitz
Closes #2499
2018-04-23http2: convert an assert to run-time checkDaniel Stenberg
Fuzzing has proven we can reach code in on_frame_recv with status_code not having been set, so let's detect that in run-time (instead of with assert) and error error accordingly. (This should no longer happen with the latest nghttp2) Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 Closes #2514
2018-04-23curl.1: clarify that options and URLs can be mixedDaniel Stenberg
Fixes #2515 Closes #2517
2018-04-23CURLOPT_SSLCERT.3: improve WinSSL-specific usage infoArchangel_SDY
Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780 Closes https://github.com/curl/curl/pull/2504
2018-04-23schannel: fix build error on targets <= XPArchangel_SDY
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't support the latter. Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 Closes https://github.com/curl/curl/pull/2504
2018-04-23Revert "ftplistparser: keep state between invokes"Daniel Stenberg
This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. Unfortunately this fix introduces memory leaks I've not been able to fix in several days. Reverting this for now to get the leaks fixed.
2018-04-21tool_help: clarify --max-time unit of time is secondsJay Satiro
Before: -m, --max-time <time> Maximum time allowed for the transfer After: -m, --max-time <seconds> Maximum time allowed for the transfer
2018-04-20http2: handle GOAWAY properlyDaniel Stenberg
When receiving REFUSED_STREAM, mark the connection for close and retry streams accordingly on another/fresh connection. Reported-by: Terry Wu Fixes #2416 Fixes #1618 Closes #2510
2018-04-20http2: clear the "drain counter" when a stream is closedDaniel Stenberg
This fixes the notorious "httpc->drain_total >= data->state.drain" assert. Reported-by: Anders Bakken Fixes #1680 Closes #2509
2018-04-20http2: avoid strstr() on data not zero terminatedDaniel Stenberg
It's not strictly clear if the API contract allows us to call strstr() on a string that isn't zero terminated even when we know it will find the substring, and clang's ASAN check dislikes us for it. Also added a check of the return code in case it fails, even if I can't think of a situation how that can trigger. Detected by OSS-Fuzz Closes #2513 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
2018-04-20openssl: fix subjectAltName check on non-ASCII platformsStephan Mühlstrasser
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison. Closes #2493
2018-04-20openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messagesJay Satiro
- Support handling verbose-mode trace messages of type SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, SSL3_MT_MESSAGE_HASH Reported-by: iz8mbw@users.noreply.github.com Fixes https://github.com/curl/curl/issues/2403
2018-04-19ftplistparser: keep state between invokesDaniel Stenberg
Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2508
2018-04-19detect_proxy: only show proxy use if it had contentsDaniel Stenberg
2018-04-19http2: handle on_begin_headers() called more than onceDaniel Stenberg
This triggered an assert if called more than once in debug mode (and a memory leak if not debug build). With the right sequence of HTTP/2 headers incoming it can happen. Detected by OSS-Fuzz Closes #2507 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
2018-04-18schannel: add support for CURLOPT_CAINFODan McNulty
- Move verify_certificate functionality in schannel.c into a new file called schannel_verify.c. Additionally, some structure defintions from schannel.c have been moved to schannel.h to allow them to be used in schannel_verify.c. - Make verify_certificate functionality for Schannel available on all versions of Windows instead of just Windows CE. verify_certificate will be invoked on Windows CE or when the user specifies CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. - In verify_certificate, create a custom certificate chain engine that exclusively trusts the certificate store backed by the CURLOPT_CAINFO file. - doc updates of --cacert/CAINFO support for schannel - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString when available. This implements a TODO in schannel.c to improve handling of multiple SANs in a certificate. In particular, all SANs will now be searched instead of just the first name. - Update tool_operate.c to not search for the curl-ca-bundle.crt file when using Schannel to maintain backward compatibility. Previously, any curl-ca-bundle.crt file found in that search would have been ignored by Schannel. But, with CAINFO support, the file found by that search would have been used as the certificate store and could cause issues for any users that have curl-ca-bundle.crt in the search path. - Update url.c to not set the build time CURL_CA_BUNDLE if the selected SSL backend is Schannel. We allow setting CA location for schannel only when explicitly specified by the user via CURLOPT_CAINFO / --cacert. - Add new test cases 3000 and 3001. These test cases check that the first and last SAN, respectively, matches the connection hostname. New test certificates have been added for these cases. For 3000, the certificate prefix is Server-localhost-firstSAN and for 3001, the certificate prefix is Server-localhost-secondSAN. - Remove TODO 15.2 (Add support for custom server certificate validation), this commit addresses it. Closes https://github.com/curl/curl/pull/1325
2018-04-17schannel: fix warningJay Satiro
- Fix warning 'integer from pointer without a cast' on 3rd arg in CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer type of the same size. Follow-up to e35b025. Caught by Marc's CI builds.
2018-04-17docs: fix typosJakub Wilk
Closes https://github.com/curl/curl/pull/2503
2018-04-17RELEASE-NOTES: syncedDaniel Stenberg
2018-04-17winbuild: Support custom devel paths for each dependencykdekker
- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2, OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH, NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH. - Use lib.exe for making the static library instead of link.exe /lib. The latter is undocumented and could cause problems as noted in the comments. - Remove a dangling URL that no longer worked. (I was not able to find the IDN download at MSDN/microsoft.com, so it seems to be removed.) - Remove custom override for release-ssh2-ssl-dll-zlib configuration. Nobody knows why it was there and as far as we can see is unnecessary. Closes https://github.com/curl/curl/pull/2474
2018-04-17README.md: add backers and sponsorsJess
Closes #2484
2018-04-17schannel: add client certificate authenticationArchangel_SDY
Users can now specify a client certificate in system certificates store explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` Closes #2376
2018-04-16ntlm_sspi: fix authentication using Credential Managertoughengineer
If you pass empty user/pass asking curl to use Windows Credential Storage (as stated in the docs) and it has valid credentials for the domain, e.g. curl -v -u : --ntlm example.com currently authentication fails. This change fixes it by providing proper SPN string to the SSPI API calls. Fixes https://github.com/curl/curl/issues/1622 Closes https://github.com/curl/curl/pull/1660
2018-04-16configure: keep LD_LIBRARY_PATH changes localDaniel Stenberg
... only set it when we actually have to run tests to reduce its impact on for example build commands etc. Fixes #2490 Closes #2492 Reported-by: Dmitry Mikhirev
2018-04-16urldata: make service names unconditionalMarcel Raad
The ifdefs have become quite long. Also, the condition for the definition of CURLOPT_SERVICE_NAME and for setting it from CURLOPT_SERVICE_NAME have diverged. We will soon also need the two options for NTLM, at least when using SSPI, for https://github.com/curl/curl/pull/1660. Just make the definitions unconditional to make that easier. Closes https://github.com/curl/curl/pull/2479
2018-04-16test1148: tolerate progress updates betterDaniel Stenberg
Fixes #2446 Closes #2488
2018-04-16ssh: show libSSH2 error code when closing failsChristian Schmitz
Closes #2500
2018-04-15vauth: Fix typoDaniel Gustafsson
Address various spellings of "credentials". Closes https://github.com/curl/curl/pull/2496
2018-04-15system.h: Add sparcv8plus to oracle/sunpro 32-bit detectionDagobert Michelsen
With specific compiler options selecting the arch like -xarch=sparc on newer compilers like Oracle Studio 12.4 there is no definition of __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the 32ÎíÎñbit subset defined by the V8plus ISA specification, without the Visual Instruction Set (VIS), and without other implementation-specific ISA extensions. So it should be the same as __sparcv8. Closes https://github.com/curl/curl/pull/2491
2018-04-15checksrc: Fix typoDaniel Gustafsson
Fix typo in "semicolon" spelling and remove stray tab character. Closes https://github.com/curl/curl/pull/2498
2018-04-15all: Refactor malloc+memset to use callocDaniel Gustafsson
When a zeroed out allocation is required, use calloc() rather than malloc() followed by an explicit memset(). The result will be the same, but using calloc() everywhere increases consistency in the codebase and avoids the risk of subtle bugs when code is injected between malloc and memset by accident. Closes https://github.com/curl/curl/pull/2497
2018-04-12duphandle: make sure CURLOPT_RESOLVE is duplicated fine tooDaniel Stenberg
Verified in test 1502 now Fixes #2485 Closes #2486 Reported-by: Ernst Sjöstrand
2018-04-12mailmap: add a monnerat fixup [ci skip]Daniel Stenberg