aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-10-31RELEASE-NOTES: synced with d14538d2501ef0daDaniel Stenberg
2016-10-31configure: raise the default minimum version for macos to 10.8Daniel Stenberg
follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks otherwise. If you build without darwinssl 10.5 works fine.
2016-10-31unit1301: keep testing curl_strequalDaniel Stenberg
as that is still part of the API, fix from 8fe4bd084412f30
2016-10-31ldap: fix includeDaniel Stenberg
Fix bug from 811a693b80
2016-10-31url: remove unconditional idn2.h includeDaniel Stenberg
Mistake brought by 9c91ec778104a
2016-10-31curl_strequal: part of public API/ABI, needs to be keptDaniel Stenberg
These two public functions have been mentioned as deprecated since a very long time but since they are still part of the API and ABI we need to keep them around.
2016-10-31strcase: s/strequal/strcasecompareDaniel Stenberg
some more follow-ups to 811a693b80
2016-10-31ldap: fix strcase useDaniel Stenberg
follow-up to 811a693b80
2016-10-31test165: adapted to the libidn2 use and IDNA2008 fixDaniel Stenberg
2016-10-31cookie: replace use of fgets() with custom versionDaniel Stenberg
... that will ignore lines that are too long to fit in the buffer. CVE-2016-8615 Bug: https://curl.haxx.se/docs/adv_20161102A.html Reported-by: Cure53
2016-10-31strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-10-31ftp: check for previous patch must be case sensitive!Daniel Stenberg
... otherwise example.com/PATH and example.com/path would be assumed to be the same and they usually aren't!
2016-10-31SSH: check md5 fingerprint case sensitivelyDaniel Stenberg
2016-10-31connectionexists: use case sensitive user/password comparisonsDaniel Stenberg
CVE-2016-8616 Bug: https://curl.haxx.se/docs/adv_20161102B.html Reported-by: Cure53
2016-10-31base64: check for integer overflow on large inputDaniel Stenberg
CVE-2016-8617 Bug: https://curl.haxx.se/docs/adv_20161102C.html Reported-by: Cure53
2016-10-31krb5: avoid realloc(0)Daniel Stenberg
If the requested size is zero, bail out with error instead of doing a realloc() that would cause a double-free: realloc(0) acts as a free() and then there's a second free in the cleanup path. CVE-2016-8619 Bug: https://curl.haxx.se/docs/adv_20161102E.html Reported-by: Cure53
2016-10-31aprintf: detect wrap-around when growing allocationDaniel Stenberg
On 32bit systems we could otherwise wrap around after 2GB and allocate 0 bytes and crash. CVE-2016-8618 Bug: https://curl.haxx.se/docs/adv_20161102D.html Reported-by: Cure53
2016-10-31range: reject char globs with missing end like '[L-]'Daniel Stenberg
... which previously would lead to out of boundary reads. Reported-by: Luật Nguyễn
2016-10-31glob_next_url: make sure to stay within the given output bufferDaniel Stenberg
2016-10-31range: prevent negative end number in a glob rangeDaniel Stenberg
CVE-2016-8620 Bug: https://curl.haxx.se/docs/adv_20161102F.html Reported-by: Luật Nguyễn
2016-10-31parsedate: handle cut off numbers betterDaniel Stenberg
... and don't read outside of the given buffer! CVE-2016-8621 bug: https://curl.haxx.se/docs/adv_20161102G.html Reported-by: Luật Nguyễn
2016-10-31escape: avoid using curl_easy_unescape() internallyDaniel Stenberg
Since the internal Curl_urldecode() function has a better API.
2016-10-31unescape: avoid integer overflowDaniel Stenberg
CVE-2016-8622 Bug: https://curl.haxx.se/docs/adv_20161102H.html Reported-by: Cure53
2016-10-31cookies: getlist() now holds deep copies of all cookiesDaniel Stenberg
Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. CVE-2016-8623 Bug: https://curl.haxx.se/docs/adv_20161102I.html Reported-by: Cure53
2016-10-31TODO: remove IDNA2008Daniel Stenberg
2016-10-31idn: switch to libidn2 use and IDNA2008 supportDaniel Stenberg
CVE-2016-8625 Bug: https://curl.haxx.se/docs/adv_20161102K.html Reported-by: Christian Heimes
2016-10-31test1246: verify URL parsing with host name ending with '#'Daniel Stenberg
2016-10-31urlparse: accept '#' as end of host nameDaniel Stenberg
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com for the '/' document with the rest of the URL being a fragment. CVE-2016-8624 Bug: https://curl.haxx.se/docs/adv_20161102J.html Reported-by: Fernando Muñoz
2016-10-31INTERNALS: better markdown (follow-up)Jay Satiro
- Wrap more words with underscores in backticks. Follow-up to 13f4913.
2016-10-30INTERNALS: better markdownDaniel Stenberg
words with underscore need to be within `these` Bug: https://github.com/curl/curl-www/issues/19 Reported-by : Jay Satiro
2016-10-30mk-ca-bundle.vbs: Fix UTF-8 outputJay Satiro
- Change initial message box to mention delay when downloading/parsing. Since there is no progress meter it was somewhat unexpected that after choosing a filename nothing appears to happen, when actually the cert data is in the process of being downloaded and parsed. - Warn if OpenSSL is not present. - Use a UTF-8 stream to make the ca-bundle data. - Save the UTF-8 ca-bundle stream as binary so that no BOM is added. --- This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to ANSI due to corrupt UTF-8 output, now fixed. This change completes making the default certificate bundle output of mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which should make it easier to review any difference between their output. Ref: https://github.com/curl/curl/pull/1012
2016-10-28BINDINGS: converted to markdownDaniel Stenberg
To make it render better on the web site, at the price of it becoming slightly less readable as text.
2016-10-27CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2Jay Satiro
- Clarify that this option is only for HTTP/1.1 pipelining. Bug: https://github.com/curl/curl/issues/1059 Reported-by: Jeroen Ooms Assisted-by: Daniel Stenberg
2016-10-27KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be acceptedDaniel Stenberg
Closes #927
2016-10-27KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778Daniel Stenberg
Closes #893
2016-10-27configure.in: Fix test syntaxMichael Osipov
Some versions of test allow == for equality, but others (such as the HP-UX version) do not. Use a single = for correctness. Error output: checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
2016-10-27SECURITY: minor updatesDaniel Stenberg
- we allow the security push up to 48 hours before the release - add a mention about possible pre-notifications - lower case the 'curl-security' title
2016-10-27docs: fix req->data in multi-uv exampleAndrei Sedoi
Closes #1088
2016-10-26mbedtls: stop using deprecated include fileDaniel Stenberg
Reported-by: wyattoday Fixes #1087
2016-10-25nss: fix tight loop in non-blocking TLS handhsake over proxyMartin Frodl
... in case the handshake completes before entering CURLM_STATE_PROTOCONNECT Bug: https://bugzilla.redhat.com/1388162
2016-10-25mk-ca-bundle: Update the vbscript versionJay Satiro
Bring the VBScript version more in line with the perl version: - Change timestamp to UTC. - Change URL retrieval to HTTPS-only by default. - Comment out the options that disabled SSL cert checking by default. - Assume OpenSSL is present, get SHA256. And add a flag to toggle it. - Fix cert issuer name output. The cert issuer output is now ansi, converted from UTF-8. Prior to this it was corrupt UTF-8. It turns out though we can work with UTF-8 the FSO object that writes ca-bundle can't write UTF-8, so there will have to be some alternative if UTF-8 is needed (like an ADODB.Stream). - Disable the certificate text info feature. The certificate text info doesn't work properly with any recent OpenSSL.
2016-10-24TODO: indent code to make it render properlyDaniel Stenberg
2016-10-24TODO: Remove the generated include fileDaniel Stenberg
2016-10-24TODO: add "--retry should resume"Daniel Stenberg
See #1084
2016-10-24mk-ca-bundle.1: document -kDaniel Stenberg
Brought in 1ad2bdcf110266c. Now does HTTPS by default and needs -k to fall back to plain HTTP.
2016-10-24mk-ca-bundle: Change URL retrieval to HTTPS-only by defaultJay Satiro
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc). - New option -k to allow URLs other than HTTPS and enable HTTP fallback. Prior to this change the default URL retrieval mode was to fall back to HTTP if HTTPS didn't work. Reported-by: Gregory Szorc Closes #1012
2016-10-24RELEASE-NOTES: synced with 50ee3aaf1a9b22dDaniel Stenberg
2016-10-23INSTALL.md: Updated minimum file sizes for 7.50.3Dan Fandrich
2016-10-22multi: force connections to get closed in close_all_connectionsDaniel Stenberg
Several independent reports on infinite loops hanging in the close_all_connections() function when closing a multi handle, can be fixed by first marking the connection to get closed before calling Curl_disconnect. This is more fixing-the-symptom rather than the underlying problem though. Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović