Age | Commit message | Author
2020-05-14 | mailmap: James Fuller | Daniel Stenberg
2020-05-14 | vauth/cleartext: fix theoretical integer overflow | Major_Tom
Fix theoretical integer overflow in Curl_auth_create_plain_message. The security impact of the overflow was discussed on HackerOne. We agreed this is more of a theoretical vulnerability, as the integer overflow would only be triggerable on systems using a 32-bit size_t with over 4GB of available memory space for the process. Closes #5391
2020-05-13 | curl.1: Quote globbed URLs | Jay Satiro
- Quote the globbing example URLs that contain characters [] {} since otherwise they may be interpreted as shell metacharacters. Bug: https://github.com/curl/curl/issues/5388 Reported-by: John Simpson Closes https://github.com/curl/curl/pull/5394
2020-05-14 | checksrc: enhance the ASTERISKSPACE and update code accordingly | Daniel Stenberg
Fine: "struct hello *world"
Not fine: "struct hello* world" (and variations)
Closes #5386
2020-05-13 | docs/options-in-versions: which version added each cmdline option | Daniel Stenberg
Added test 971 to verify that the list is in sync with the files in cmdline-opts. The check also verifies that .d-files that use Added: specify the same version number as the options-in-versions file does. Closes #5381
2020-05-13 | docs: unify protocol lists | Daniel Stenberg
We boast support for 25 transfer protocols. Make sure the lists are consistent. Closes #5384
2020-05-13 | OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN | Daniel Stenberg
... to avoid an OpenSSL bug that otherwise makes the CRL check fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376
2020-05-13 | tls13-ciphers.d: shorten the Arg | Daniel Stenberg
2020-05-13 | sasl-authzid.d: add Arg: and shorten the desc | Daniel Stenberg
2020-05-13 | cert-type.d: mention the available types in the desc | Daniel Stenberg
2020-05-13 | tool: shorten 3 --help descriptions | Daniel Stenberg
--happy-eyeballs-timeout-ms, --resolve and --ssl-revoke-best-effort
gen.pl already warned about these lines but we didn't listen
Closes #5379
2020-05-13 | configure: the wolfssh backend does not provide SCP | Daniel Stenberg
Closes #5387
2020-05-13 | RELEASE-NOTES: synced | Daniel Stenberg
2020-05-13 | url: reject too long input when parsing credentials | Daniel Stenberg
Since input passed to libcurl with CURLOPT_USERPWD and CURLOPT_PROXYUSERPWD circumvents the regular string length check we have in Curl_setstropt(), the input length limit is enforced in Curl_parse_login_details too, separately. Reported-by: Thomas Bouzerar Closes #5383
2020-05-12 | list-only.d: this option existed already in 4.0 | Daniel Stenberg
2020-05-12 | retry-all-errors.d: Shorten the summary line | Jay Satiro
Follow-up to b995bb5 from a few moments ago. Reported-by: Daniel Stenberg Ref: https://github.com/curl/curl/commit/b995bb5#r39108929
2020-05-12 | easy: fix dangling pointer on easy_perform fail | denzor
Closes https://github.com/curl/curl/pull/5363
2020-05-12 | tool: Add option --retry-all-errors to retry on any error | Jay Satiro
The "sledgehammer" of retrying. Closes https://github.com/curl/curl/pull/5185
2020-05-12 | libcurl.pc: Merge Libs.private into Libs for static-only builds | James Le Cuirot
A project being built entirely statically will call pkg-config with --static, which utilises the Libs.private field. Conversely it will not use --static when not being built entirely statically, even if there is only a static build of libcurl available. This will most likely cause the build to fail due to underlinking unless we merge the Libs fields. Consider that this is what the Meson build system does when it generates pkg-config files. I have also reflected this in the --libs argument of curl-config even though REQUIRE_LIB_DEPS always seems to be "yes" anyway. Closes #5373
2020-05-12 | CMake: fix runtests.pl with CMake, add new test targets | Peter Wu
* runtests.pl:
  - Fix out-of-tree build under CMake when srcdir is not set. Default srcdir to the location of runtests.pl.
  - Add a hack to allow CMake to use the TFLAGS option as documented in tests/README and used in scripts/travis/script.sh.
* Bump CMake version to 3.2 for USES_TERMINAL, dropping Debian Jessie support (no one should care, it is already EOL.).
* Remove CTest since it defines its own 'test' target with no tests since all unittests are already broken and not built by default.
* Add new test targets based on the options from Makefile.am. Since new test targets are rarely added, I opted for duplicating the runtests.pl options as opposed to creating a new Makefile.inc file. Use top-level target names (test-x) instead of x-test since that is used by CI and others.
Closes #5358
2020-05-12 | CMake: do not build test programs by default | Peter Wu
The default target should only build libcurl and curl. Add a dedicated 'testdeps' target which will be used later when running tests. Note that unittests are currently broken in CMake and already excluded. Closes #5368
2020-05-12 | FILEFORMAT: moved up the variables section and further polished | Daniel Stenberg
2020-05-12 | runtests: remove ftp2 support, not used | Daniel Stenberg
We once supported two separate ftp instances in the test suite. Has not been used the last decade. Closes #5375
2020-05-12 | url: sort the protocol schemes in rough popularity order | Daniel Stenberg
When looking for a protocol match among supported schemes, check the most "popular" schemes first. It has zero functionality difference and for all practical purposes a speed difference will not be measurable but I still think it makes sense to put the least likely matches last. "Popularity" based on the 2019 user survey. Closes #5377
2020-05-11 | test1238: avoid tftpd being busy for tests shortly following | Marc Hoersken
The tftpd server may still be busy if the total timeout of 25 seconds has not been reached or no sread error was received during or after the execution of the timeout test 1238. Once the next TFTP test comes around (eg. 1242 or 1243), those will fail because the tftpd server is still waiting on data from curl due to the UDP protocol being stateless and having no connection close. On Linux this error may not happen, because ICMP errors generated due to a swrite error can also be returned async on the next sread call instead. Therefore we will now just kill the tftpd server after test 1238 to make sure that the following tests are not affected. This enables us to no longer ignore tests 1242, 1243, 2002 and 2003 on the CI platforms CirrusCI and AppVeyor. Assisted-by: Peter Wu Closes #5364
2020-05-11 | write-out.d: added "response_code" | Daniel Stenberg
2020-05-11 | KNOWN_BUGS: Build with statically built dependency | Daniel Stenberg
I rewrote the item 5.4 to be more generic about static dependencies.
2020-05-11 | ROADMAP: remove old entries | Daniel Stenberg
MQTT - the start has already landed
tiny-curl - also mostly landed and is a continuous work
make menuconfig - basically no interest from users, not pushing there
2020-05-10 | travis: Add ngtcp2 and quiche tests for CMake | Peter Wu
To avoid an explosion of jobs, extend the existing CMake tests with ngtcp2 and quiche support. macOS was previously moved to GitHub actions, so the non-Linux case can be dropped.
2020-05-10 | CMake: add ENABLE_ALT_SVC option | Peter Wu
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting (not tested).
2020-05-10 | CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche) | Peter Wu
Add three new CMake Find modules (using the curl license, but I grant others the right to apply the CMake BSD license instead). This CMake config is simpler than the autotools one because it assumes ngtcp2 and nghttp3 to be used together. Another difference is that this CMake config checks whether QUIC is actually supported by the TLS library (patched OpenSSL or boringssl) since this can be a common configuration mistake that could result in build errors later. Unlike autotools, CMake does not warn you that the features are experimental. The user is supposed to already know that and read the documentation. It requires a very special build environment anyway. Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure out which features (libldap-2.4, libssh2) to disable due to conflicts with boringssl. Closes #5359
2020-05-10 | tests/server/tftpd.c: fix include and enhance debug logging | Marc Hoersken
setjmp.h should only be included if HAVE_SETJMP_H is defined. Add additional log statements to see whether reads and writes are blocking or finishing before an alarm signal is received. Assisted-by: Peter Wu Part of #5364
2020-05-10 | tool_operate: only set CURLOPT_SSL_OPTIONS if SSL support is present | Daniel Stenberg
Reported-by: Marcel Raad Follow-up to 148534db5 Fixes #5367 Closes #5369
2020-05-09 | appveyor: update comments to be clear about toolchain | Marc Hoersken
- CMake-based MSYS builds use mingw-w64 to cross-compile.
- autotools-based builds are compiled using msys2-devel.
The difference is that the latter ones are not cross-compiled to Windows and instead require the msys2 runtime to be present. At the moment only the Azure Pipelines CI builds actually run autotools-based cross-compilation builds for Windows.
2020-05-09 | TODO: update regarding missing Schannel features | Marc Hoersken
Some aspects have already been implemented over the years.
15.1 Client certificates are now supported:
- System stores via e35b0256eb34f1fe562e3e2a2615beb50a391c52
- PKCS#12 files via 0fdf96512613574591f501d63fe49495ba40e1d5
15.2 Ciphers can now be specified through:
- Algorithms via 9aefbff30d280c60fc9d8cc3e0b2f19fc70a2f28
Reviewed-by: Daniel Stenberg and Marcel Raad
Closes #5358
2020-05-08 | checksrc: close the .checksrc file handle when done reading | Daniel Stenberg
2020-05-08 | RELEASE-NOTES: synced | Daniel Stenberg
And bumped next version to 7.71.0
2020-05-08 | CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl) | Gilles Vollant
Closes #4346
2020-05-08 | TODO: native IDN support on macOS | Daniel Stenberg
2020-05-08 | urlapi: accept :: as a valid IPv6 address | Daniel Stenberg
Test 1560 is extended to verify. Reported-by: Pavel Volgarev Fixes #5344 Closes #5351
2020-05-08 | THANKS-filter: Peter Wang | Daniel Stenberg
2020-05-08 | *_sspi: fix bad uses of CURLE_NOT_BUILT_IN | Peter Wang
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other instances of QuerySecurityPackageInfo failing, as in commit 2a81439553286f12cd04a4bdcdf66d8e026d8201. Closes #5355
2020-05-07 | docs/HTTP3: add qlog to the quiche build instruction | Daniel Stenberg
2020-05-07 | ngtcp2: introduce qlog support | Daniel Stenberg
If the QLOGDIR environment variable is set, enable qlogging. ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for QUIC functions that are backend independent. Closes #5353
2020-05-07 | ntlm_sspi: fix bad use of CURLE_NOT_BUILT_IN | Daniel Stenberg
That return code is reserved for build-time conditional code not being present while this was a regular run-time error from a Windows API. Reported-by: wangp on github Fixes #5349 Closes #5350
2020-05-07 | runtests: show elapsed test time with higher precision (ms) | Daniel Stenberg
2020-05-07 | RELEASE-NOTES: synced | Daniel Stenberg
2020-05-07 | http2: simplify and clean up trailer handling | Daniel Stenberg
Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in ed35d6590e72. This should make the trailer handling more straightforward and hopefully less error-prone. Deliver the trailer header to the callback already at receive-time. No longer caches the trailers to get delivered at end of stream. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030 Closes #5348
2020-05-07 | appveyor: disable test 1139 instead of ignoring it | Marc Hoersken
Spending time on manpage checking makes no sense for these builds due to lacking manpage support.
2020-05-07 | appveyor: disable flaky test 1501 and ignore broken 1056 | Marc Hoersken
Test 1501 is flaky on Windows CI due to being time sensitive and the testsuite relying on taskkill.exe to check for the existence of processes which can take too much time itself. Test 1056 is broken in autotools-based Windows builds due to scope ID support missing in these builds at the moment.