aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-02-05CONTRIBUTE.md: Fix grammatical errorsEtienne Simard
Fix grammatical errors making the document read better. Also fixes a typo. Closes #3525 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2019-02-04docs: use $(INSTALL_DATA) to install man pageJulian Z
Fixes #3518 Closes #3522
2019-02-04runtests.pl: Fix perl call to include srcdirLadar Levison
- Use explicit include opt for perl calls. Prior to this change some scripts couldn't find their dependencies. At the top, perl is called using with the "-Isrcdir" option, and it works: https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183 But on line 3868, that option is omitted. This caused problems for me, as the symbol-scan.pl script in particular couldn't find its dependencies properly: https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868 This patch fixes that oversight by making calls to perl sub-shells uniform. Closes https://github.com/curl/curl/pull/3496
2019-02-04smtp: avoid risk of buffer overflow in strtolDaniel Gustafsson
If the incoming len 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until is exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Bug: https://curl.haxx.se/docs/CVE-2019-3823.html Reported-by: Brian Carpenter (Geeknik Labs) CVE-2019-3823
2019-02-04ntlm: fix *_type3_message size check to avoid buffer overflowDaniel Stenberg
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html Reported-by: Wenxiang Qian CVE-2019-3822
2019-02-04NTLM: fix size check condition for type2 received dataDaniel Stenberg
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html Reported-by: Wenxiang Qian CVE-2018-16890
2019-02-01spnego_sspi: add support for channel bindinggeorgeok
Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
2019-02-01RELEASE-NOTES: syncedDaniel Stenberg
2019-02-01schannel: stop calling it "winssl"Daniel Stenberg
Stick to "Schannel" everywhere. The configure option --with-winssl is kept to allow existing builds to work but --with-schannel is added as an alias. Closes #3504
2019-02-01multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE timeDaniel Stenberg
To make sure Curl_timeleft() also thinks the timeout has been reached when one of the EXPIRE_*TIMEOUTs expires. Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html Reported-by: Zhao Yisha Closes #3501
2019-01-31doc: use meaningless port number in CURLOPT_LOCALPORT exampleJohn Marshall
Use an ephemeral port number here; previously the example had 8080 which could be confusing as the common web server port number might be misinterpreted as suggesting this option affects the remote port. URL: https://curl.haxx.se/mail/lib-2019-01/0084.html Closes #3513
2019-01-29Escape the '\'Gisle Vanem
A backslash should be escaped in Roff / Troff.
2019-01-29TODO: WinSSL: 'Add option to disable client cert auto-send'Jay Satiro
By default WinSSL selects and send a client certificate automatically, but for privacy and consistency we should offer an option to disable the default auto-send behavior. Reported-by: Jeroen Ooms Closes https://github.com/curl/curl/issues/2262
2019-01-28sigpipe: if mbedTLS is used, ignore SIGPIPEJeremie Rapin
mbedTLS doesn't have a sigpipe management. If a write/read occurs when the remote closes the socket, the signal is raised and kills the application. Use the curl mecanisms fix this behavior. Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com> Closes #3502
2019-01-28unit1653: make it survive torture testsDaniel Stenberg
2019-01-28timeval: Disable MSVC Analyzer GetTickCount warningMichael Kujawa
Compiling with msvc /analyze and a recent Windows SDK warns against using GetTickCount (Suggests to use GetTickCount64 instead.) Since GetTickCount is only being used when GetTickCount64 isn't available, I am disabling that warning. Fixes https://github.com/curl/curl/issues/3437 Closes https://github.com/curl/curl/pull/3440
2019-01-26configure: rewrite --enable-code-coverageDaniel Stenberg
The previously used ax_code_coverage.m4 is not license compatible and must not be used. Reported-by: William A. Rowe Jr Fixes #3497 Closes #3499
2019-01-24setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libsshFelix Hädicke
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for libssh as well. So accepting these options only when compiling with libssh2 is wrong here. Fixes #3493 Closes #3494
2019-01-24libssh: do not let libssh create socketFelix Hädicke
By default, libssh creates a new socket, instead of using the socket created by curl for SSH connections. Pass the socket created by curl to libssh using ssh_options_set() with SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket instead of creating a new one. This approach is very similar to what is done in the libssh2 code, where the socket created by curl is passed to libssh2 when libssh2_session_startup() is called. Fixes #3491 Closes #3495
2019-01-21RELEASE-NOTES: syncedDaniel Stenberg
2019-01-21schannel: preserve original certificate path parameterArchangel_SDY
Fixes #3480 Closes #3487
2019-01-21KNOWN_BUGS: tests not compatible with python3Daniel Stenberg
Closes #3289 [skip ci]
2019-01-20memcmp: avoid doing single char memcmpDaniel Gustafsson
There is no real gain in performing memcmp() comparisons on single characters, so change these to array subscript inspections which saves a call and makes the code clearer. Closes #3486 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2019-01-19COPYING: it's 2019Daniel Stenberg
[skip ci]
2019-01-19configure: fix recv/send/select detection on Androidhhb
This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. The overloadable attribute is removed again starting from NDK17. Actually they only exist in two NDK versions (15 and 16). With overloadable, the first condition tried will succeed. Results in wrong detection result. Closes #3484
2019-01-19ntlm_sspi: add support for channel bindinggeorgeok
Windows extended potection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses. Fixes #3280 Closes #3321
2019-01-18schannel: on connection close there might not be a transferDaniel Stenberg
Reported-by: Marcel Raad Fixes #3412 Closes #3483
2019-01-17ssh: log the libssh2 error message when ssh session startup failsJDepooter
When a ssh session startup fails, it is useful to know why it has failed. This commit changes the message from: "Failure establishing ssh session" to something like this, for example: "Failure establishing ssh session: -5, Unable to exchange encryption keys" Closes #3481
2019-01-16Fix typo in manpageAlessandro Ghedini
2019-01-16RELEASE-NOTES: syncedDaniel Stenberg
2019-01-16cmake: updated check for HAVE_POLL_FINE to match autotoolsSergei Nikulov
2019-01-16curl-compilers.m4: check for __ibmxl__ to detect xlclangDaniel Stenberg
Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a particular flag is used for legacy macros. Fixes #3474 Closes #3479
2019-01-16openssl: fix the SSL_get_tlsext_status_ocsp_resp callDaniel Stenberg
.... to not pass in a const in the second argument as that's not how it is supposed to be used and might cause compiler warnings. Reported-by: Pavel Pavlov Fixes #3477 Closes #3478
2019-01-15curl-compilers.m4: detect xlclangDaniel Stenberg
Since it isn't totally clang compatible, we detect this IBM clang front-end and if detected, avoids some clang specific magic. Reported-by: Kees Dekker Fixes #3474 Closes #3476
2019-01-15README: add codacy code quality badgeDaniel Stenberg
[skip ci]
2019-01-15extract_if_dead: follow-up to 54b201b48c90aDaniel Stenberg
extract_if_dead() dead is called from two functions, and only one of them should get conn->data updated and now neither call path clears it. scan-build found a case where conn->data would be NULL dereferenced in ConnectionExists() otherwise. Closes #3473
2019-01-15multi: remove "Dead assignment"Daniel Stenberg
Found by scan-build. Follow-up to 4c35574bb785ce. Closes #3471
2019-01-15tests: move objnames-* from lib into testsDaniel Stenberg
Since they're used purely for testing purposes, I think they should rather be stored there. Closes #3470
2019-01-15travis: added cmake build for osxSergei Nikulov
2019-01-14cookie: fix comment typo (url_path_len -> uri_path_len)Frank Gevaerts
Closes #3469
2019-01-14winbuild: conditionally use /DZLIB_WINAPIMarcel Raad
zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have the ZLIB_WINAPI define set by default. Using them requires that define too. Ref: https://zlib.net/DLL_FAQ.txt Fixes https://github.com/curl/curl/issues/3133 Closes https://github.com/curl/curl/pull/3460
2019-01-14src/Makefile: make 'tidy' target work for metalink buildsDaniel Stenberg
2019-01-13extract_if_dead: use a known working transfer when checking connectionsDaniel Stenberg
Make sure that this function sets a proper "live" transfer for the connection before calling the protocol-specific connection check function, and then clear it again afterward as a non-used connection has no current transfer. Reported-by: Jeroen Ooms Reviewed-by: Marcel Raad Reviewed-by: Daniel Gustafsson Fixes #3463 Closes #3464
2019-01-13openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecatedDaniel Stenberg
OpenSSL_version() replaces OpenSSL_version_num() Closes #3462
2019-01-11cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCCSergei Nikulov
2019-01-11urldata: rename easy_conn to just connDaniel Stenberg
We use "conn" everywhere to be a pointer to the connection. Introduces two functions that "attaches" and "detaches" the connection to and from the transfer. Going forward, we should favour using "data->conn" (since a transfer always only has a single connection or none at all) to "conn->data" (since a connection can have none, one or many transfers associated with it and updating conn->data to be correct is error prone and a frequent reason for internal issues). Closes #3442
2019-01-11tool_cb_prg: avoid integer overflowDaniel Stenberg
When calculating the progress bar width. Reported-by: Peng Li Fixes #3456 Closes #3458
2019-01-11travis: turn off copyright year checks in checksrcDaniel Gustafsson
Invoking the maintainer intended COPYRIGHTYEAR check for everyone in the PR pipeline is too invasive, especially at the turn of the year when many files get affected. Remove and leave it as a tool for maintainers to verify patches before commits. This reverts f7bdf4b2e1d81b2652b81b9b3029927589273b41. After discussion with: Daniel Stenberg
2019-01-10KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGWDaniel Stenberg
Closes #3125
2019-01-10KNOWN_BUGS: Improve --data-urlencode space encodingDaniel Stenberg
Closes #3229