aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-10-09RTSP: avoid integer overflow on funny RTSP responseDaniel Stenberg
... like a very large non-existing RTSP version number. Added test 577 to verify. Detected by OSS-fuzz. Closes #1969
2017-10-08ftpserver: properly reset $ftptargetdir.Patrick Monnerat
2017-10-08test643: verify curl_mime_subparts() rejects cyclic additions.Patrick Monnerat
2017-10-08mime: refuse to add subparts to one of their own descendants.Patrick Monnerat
Reported-by: Alexey Melnichuk Fixes #1962
2017-10-08mime: avoid resetting a part's encoder when part's contents change.Patrick Monnerat
2017-10-08mime: improve unbinding top multipart from easy handle.Patrick Monnerat
Also avoid dangling pointers in referencing parts.
2017-10-08RELEASE-NOTES: synced with a4c1c75da30af1Daniel Stenberg
2017-10-08curlver.h: next expected release is 7.57.0Daniel Stenberg
2017-10-08mime: be tolerant about setting twice the same header list in a part.Patrick Monnerat
2017-10-08docs: clarify form/mime usage of non-regular data files.Patrick Monnerat
2017-10-08Revert "multi_done: wait for name resolve to finish if still ongoing"Daniel Stenberg
This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe. Caused memory leaks in the fuzzer, needs to be done differently. Disable test 1553 for now too, as it causes memory leaks without this commit!
2017-10-07remove_handle: call multi_done() first, then clear dns cache pointerDaniel Stenberg
Closes #1960
2017-10-07multi_done: wait for name resolve to finish if still ongoingDaniel Stenberg
... as we must clean up memory.
2017-10-07pingpong: return error when trying to send without connectionDaniel Stenberg
When imap_done() got called before a connection is setup, it would try to "finish up" and dereffed a NULL pointer. Test case 1553 managed to reproduce. I had to actually use a host name to try to resolve to slow it down, as using the normal local server IP will make libcurl get a connection in the first curl_multi_perform() loop and then the bug doesn't trigger. Fixes #1953 Assisted-by: Max Dymond
2017-10-06tests: added flaky keyword to tests 587 and 644Dan Fandrich
These are around 5% flaky in my Linux x86 autobuilds.
2017-10-06vtls: fix warnings with --disable-crypto-authMarcel Raad
When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters are not used.
2017-10-06multi_cleanup: call DONE on handles that never got thatDaniel Stenberg
... fixes a memory leak with at least IMAP when remove_handle is never called and the transfer is abruptly just abandoned early. Test 1552 added to verify Detected by OSS-fuzz Assisted-by: Max Dymond Closes #1954
2017-10-06strtoofft: Remove extraneous null checkBenbuck Nason
Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str' argument. Closes #1952
2017-10-06openssl: fix build without HAVE_OPAQUE_EVP_PKEYDaniel Stenberg
Reported-by: Javier Sixto Fixes #1955 Closes #1956
2017-10-06lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSSViktor Szakats
The source code is now prepared to handle the case when both Win32 Crypto and OpenSSL/NSS crypto backends are enabled at the same time, making it now possible to enable `USE_WIN32_CRYPTO` whenever the targeted Windows version supports it. Since this matches the minimum Windows version supported by curl (Windows 2000), enable it unconditionally for the Win32 platform. This in turn enables SMB (and SMBS) protocol support whenever Win32 Crypto is available, regardless of what other crypto backends are enabled. Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052 Closes https://github.com/curl/curl/pull/1943
2017-10-05build: fix --disable-crypto-authDaniel Stenberg
Reported-by: Wyatt O'Day Fixes #1945 Closes #1947
2017-10-05darwinssl: add support for TLSv1.3Nick Zitzmann
Closes https://github.com/curl/curl/pull/1794
2017-10-04docs: fix typo in curl_mime_data_cb man pageFelix Kaiser
Closes #1946
2017-10-04lib/Makefile.m32: allow customizing dll suffixesViktor Szakats
- New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated libcurl dll name. Useful to add `-x64` to 64-bit builds so that it can live in the same directory as the 32-bit one. By default this is empty. - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the generated import library (implib) for libcurl .dll. It defaults to `dll`, and it's useful to modify that to `.dll` to have the standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`. Closes https://github.com/curl/curl/pull/1942
2017-10-04fuzzer: move to using external curl-fuzzerMax Dymond
Use the external curl-fuzzer repository for fuzzing. Closes #1923
2017-10-04failf: skip the sprintf() if there are no consumersDaniel Stenberg
Closes #1936
2017-10-04ftp: UBsan fixup 'pointer index expression overflowed'Daniel Stenberg
Closes #1939
2017-10-04RELEASE-PROCEDURE: update the release scheduleDaniel Stenberg
2017-10-04RELEASE-NOTES: curl 7.56.0Daniel Stenberg
2017-10-04THANKS: added new 7.56.0 contributorsDaniel Stenberg
2017-10-04build-openssl.bat: Warn OpenSSL 1.1.0 not yet supportedJay Satiro
Ref: https://github.com/curl/curl/issues/1002
2017-10-03idn: fix source code commentMichael Kaufmann
2017-10-03vtls: compare and clone ssl configs properlyMichael Kaufmann
Compare these settings in Curl_ssl_config_matches(): - verifystatus (CURLOPT_SSL_VERIFYSTATUS) - random_file (CURLOPT_RANDOM_FILE) - egdsocket (CURLOPT_EGDSOCKET) Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), and copy the setting "sessionid" unconditionally. This means that reusing connections that are secured with a client certificate is now possible, and the statement "TLS session resumption is disabled when a client certificate is used" in the old advisory at https://curl.haxx.se/docs/adv_20170419.html is obsolete. Reviewed-by: Daniel Stenberg Closes #1917
2017-10-03proxy: read the "no_proxy" variable only if necessaryMichael Kaufmann
Reviewed-by: Daniel Stenberg Closes #1919
2017-10-03libcurl-tutorial: add casts in example to avoid compilation warnings.Patrick Monnerat
2017-10-03examples: bring back curl_formadd-using examplesDaniel Stenberg
... now with a -formadd suffix. While the new mime API is introduced in 7.56.0 we must acknowledge that lots of users can't upgrade their curl versions immediately.
2017-10-02test1153: verify quoted double-qoutes in PWD responseDaniel Stenberg
2017-10-02FTP: zero terminate the entry path even on bad inputDaniel Stenberg
... a single double quote could leave the entry path buffer without a zero terminating byte. CVE-2017-1000254 Test 1152 added to verify. Reported-by: Max Dymond Bug: https://curl.haxx.se/docs/adv_20171004.html
2017-10-02cmake: disable tests and man generation if perl/nroff not foundSergei Nikulov
Fixes https://github.com/curl/curl/issues/1500 Reported-by: Jay Satiro Fixes https://github.com/curl/curl/pull/1662 Assisted-by: Tom Seddon Assisted-by: dpull@users.noreply.github.com Assisted-by: elelel@users.noreply.github.com Closes https://github.com/curl/curl/pull/1924
2017-10-02libcurl-tutorial: fix two typos.Patrick Monnerat
2017-10-01TODO: remove deprecated form API items.Patrick Monnerat
2017-10-01libcurl-tutorial: describe MIME API and deprecate form API.Patrick Monnerat
Include a guide to form/mime API conversion.
2017-09-30cookie: fix memory leak if path was set twice in headerDaniel Stenberg
... this will let the second occurance override the first. Added test 1161 to verify. Reported-by: Max Dymond Fixes #1932 Closes #1933
2017-09-30test650: Use variable replacement to set the host address and portDan Fandrich
Otherwise, the test fails when the -b test option is used to set a different test port range.
2017-09-30Set and use more necessary options when some protocols are disabledDan Fandrich
When curl and libcurl are built with some protocols disabled, they stop setting and receiving some options that don't make sense with those protocols. In particular, when HTTP is disabled many options aren't set that are used only by HTTP. However, some options that appear to be HTTP-only are actually used by other protocols as well (some despite having HTTP in the name) and should be set, but weren't. This change now causes some of these options to be set and used for more (or for all) protocols. In particular, this fixes tests 646 through 649 in an HTTP-disabled build, which use the MIME API in the mail protocols.
2017-09-29test1160: verifies cookie leak for large cookiesDaniel Stenberg
The fix done in 20ea22ff735
2017-09-29cookie: fix memory leak on oversized rejectionDaniel Stenberg
Regression brought by 2bc230de63b Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 Assisted-by: Max Dymond Closes #1930
2017-09-29connect: fix race condition with happy eyeballs timeoutAnders Bakken
The timer should be started after conn->connecttime is set. Otherwise the timer could expire without this condition being true: /* should we try another protocol family? */ if(i == 0 && conn->tempaddr[1] == NULL && curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) { Ref: #1928
2017-09-28docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MSMichael Kaufmann
Closes #1922
2017-09-28docs: clarify the use of environment variables for proxyMichael Kaufmann
Closes #1921