Age | Commit message (Collapse) | Author |
|
- Fix potential crashes in schannel shutdown.
Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.
Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531
|
|
The Kerberos subsection was mistakenly a subsubsection under FTP, and
the curlx subsection was missing an anchor for the TOC link.
Closes #3529
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
|
|
|
|
|
|
Commit 7a09b52c98ac8d840a8a9907b1a1d9a9e684bcf5 introduced support
for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while
the entry was removed from the TODO it was mistakenly left here.
Fix by removing and rewording the entry slightly.
Closes #3530
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Fix grammatical errors making the document read better. Also fixes
a typo.
Closes #3525
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
|
|
Fixes #3518
Closes #3522
|
|
- Use explicit include opt for perl calls.
Prior to this change some scripts couldn't find their dependencies.
At the top, perl is called using with the "-Isrcdir" option, and it
works:
https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183
But on line 3868, that option is omitted. This caused problems for me,
as the symbol-scan.pl script in particular couldn't find its
dependencies properly:
https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868
This patch fixes that oversight by making calls to perl sub-shells
uniform.
Closes https://github.com/curl/curl/pull/3496
|
|
If the incoming len 5, but the buffer does not have a termination
after 5 bytes, the strtol() call may keep reading through the line
buffer until is exceeds its boundary. Fix by ensuring that we are
using a bounded read with a temporary buffer on the stack.
Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
Reported-by: Brian Carpenter (Geeknik Labs)
CVE-2019-3823
|
|
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
|
|
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
|
|
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.
Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
|
|
|
|
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.
Closes #3504
|
|
To make sure Curl_timeleft() also thinks the timeout has been reached
when one of the EXPIRE_*TIMEOUTs expires.
Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
Reported-by: Zhao Yisha
Closes #3501
|
|
Use an ephemeral port number here; previously the example had 8080
which could be confusing as the common web server port number might
be misinterpreted as suggesting this option affects the remote port.
URL: https://curl.haxx.se/mail/lib-2019-01/0084.html
Closes #3513
|
|
A backslash should be escaped in Roff / Troff.
|
|
By default WinSSL selects and send a client certificate automatically,
but for privacy and consistency we should offer an option to disable the
default auto-send behavior.
Reported-by: Jeroen Ooms
Closes https://github.com/curl/curl/issues/2262
|
|
mbedTLS doesn't have a sigpipe management. If a write/read occurs when
the remote closes the socket, the signal is raised and kills the
application. Use the curl mecanisms fix this behavior.
Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com>
Closes #3502
|
|
|
|
Compiling with msvc /analyze and a recent Windows SDK warns against
using GetTickCount (Suggests to use GetTickCount64 instead.)
Since GetTickCount is only being used when GetTickCount64 isn't
available, I am disabling that warning.
Fixes https://github.com/curl/curl/issues/3437
Closes https://github.com/curl/curl/pull/3440
|
|
The previously used ax_code_coverage.m4 is not license compatible and
must not be used.
Reported-by: William A. Rowe Jr
Fixes #3497
Closes #3499
|
|
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
libssh as well. So accepting these options only when compiling with
libssh2 is wrong here.
Fixes #3493
Closes #3494
|
|
By default, libssh creates a new socket, instead of using the socket
created by curl for SSH connections.
Pass the socket created by curl to libssh using ssh_options_set() with
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
instead of creating a new one.
This approach is very similar to what is done in the libssh2 code, where
the socket created by curl is passed to libssh2 when
libssh2_session_startup() is called.
Fixes #3491
Closes #3495
|
|
|
|
Fixes #3480
Closes #3487
|
|
Closes #3289
[skip ci]
|
|
There is no real gain in performing memcmp() comparisons on single
characters, so change these to array subscript inspections which
saves a call and makes the code clearer.
Closes #3486
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
|
|
[skip ci]
|
|
This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9.
The overloadable attribute is removed again starting from
NDK17. Actually they only exist in two NDK versions (15 and 16). With
overloadable, the first condition tried will succeed. Results in wrong
detection result.
Closes #3484
|
|
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.
Fixes #3280
Closes #3321
|
|
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
|
|
When a ssh session startup fails, it is useful to know why it has
failed. This commit changes the message from:
"Failure establishing ssh session"
to something like this, for example:
"Failure establishing ssh session: -5, Unable to exchange encryption keys"
Closes #3481
|
|
|
|
|
|
|
|
Follow-up to 2fa0d57e2e3. The __xlc__ symbol is only defined there if a
particular flag is used for legacy macros.
Fixes #3474
Closes #3479
|
|
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.
Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
|
|
Since it isn't totally clang compatible, we detect this IBM clang
front-end and if detected, avoids some clang specific magic.
Reported-by: Kees Dekker
Fixes #3474
Closes #3476
|
|
[skip ci]
|
|
extract_if_dead() dead is called from two functions, and only one of
them should get conn->data updated and now neither call path clears it.
scan-build found a case where conn->data would be NULL dereferenced in
ConnectionExists() otherwise.
Closes #3473
|
|
Found by scan-build. Follow-up to 4c35574bb785ce.
Closes #3471
|
|
Since they're used purely for testing purposes, I think they should
rather be stored there.
Closes #3470
|
|
|
|
Closes #3469
|
|
zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have
the ZLIB_WINAPI define set by default. Using them requires that define
too.
Ref: https://zlib.net/DLL_FAQ.txt
Fixes https://github.com/curl/curl/issues/3133
Closes https://github.com/curl/curl/pull/3460
|
|
|
|
Make sure that this function sets a proper "live" transfer for the
connection before calling the protocol-specific connection check
function, and then clear it again afterward as a non-used connection has
no current transfer.
Reported-by: Jeroen Ooms
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Gustafsson
Fixes #3463
Closes #3464
|
|
OpenSSL_version() replaces OpenSSL_version_num()
Closes #3462
|