aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-07-14url.c: fix parse_url_login() OOM handlingYang Tse
2013-07-12http_digest.c: SIGSEGV and OOM handling fixesYang Tse
2013-07-12url.c: fix parse_login_details() OOM handlingYang Tse
2013-07-12setup-vms.h: sk_pop symbol tweakJohn E. Malmberg
Newer versions of curl are referencing a sk_pop symbol while the HP OpenSSL library has the symbol in uppercase only.
2013-07-11getinfo.c: fix enumerated type mixed with another typeYang Tse
2013-07-11test 1511: fix enumerated type mixed with another typeYang Tse
2013-07-11url.c: fix SIGSEGVYang Tse
2013-07-11dotdot.c: fix global declaration shadowingYang Tse
2013-07-11easy.c: fix global declaration shadowingYang Tse
2013-07-09Revert "curl.1: document the --time-cond option in the man page"Kamil Dudka
This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because the documentation of --time-cond was duplicated by mistake. Reported by: Dave Reisner
2013-07-09curl.1: document the --sasl-ir option in the man pageKamil Dudka
2013-07-09curl.1: document the --post303 option in the man pageKamil Dudka
2013-07-09curl.1: document the --time-cond option in the man pageKamil Dudka
2013-07-09configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE)Yang Tse
2013-07-09xc-am-iface.m4: provide XC_AUTOMAKE macroYang Tse
2013-07-08Added winssl-zlib target to VC builds.Guenter Knauf
2013-07-08Synced Makefile.vc6 with recent changes.Guenter Knauf
Issue posted to the list by malinowsky AT FTW DOT at.
2013-07-04Added libmetalink URL; added Android versions.Guenter Knauf
2013-07-03examples: Moved usercertinmem.c to COMPLICATED_EXAMPLESDan Fandrich
This prevents it from being built during a "make check" since it depends on OpenSSL.
2013-07-02Merge branch 'master' of https://github.com/bagder/curlNick Zitzmann
2013-07-02darwinssl: SSLv2 connections are aborted if unsupported by the OSNick Zitzmann
I just noticed that OS X no longer supports SSLv2. Other TLS engines return an error if the requested protocol isn't supported by the underlying engine, so we do that now for SSLv2 if the framework returns an error when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is only enabled in curl when starting the app with the -2 argument; it's off by default. SSLv2 is really old and insecure.)
2013-07-01lib506.c: Fixed possible use of uninitialized variablesMarc Hoersken
2013-06-30url: restore the functionality of 'curl -u :'Kamil Dudka
This commit fixes a regression introduced in fddb7b44a79d78e05043e1c97e069308b6b85f79. Reported by: Markus Moeller Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
2013-06-25digest: append the timer to the random for the nonceDaniel Stenberg
2013-06-25digest: improve nonce generationDaniel Stenberg
Use the new improved Curl_rand() to generate better random nonce for Digest auth.
2013-06-25curl.1: fix typo in --xattr descriptionDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1252 Reported-by: Jean-Noël Rouvignac
2013-06-25RELEASE-NOTES: synced with 365c5ba39591Daniel Stenberg
The 10 first bug fixes for the pending release...
2013-06-25formpost: better random boundariesDaniel Stenberg
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
2013-06-25printf: make sure %x are treated unsignedDaniel Stenberg
When using %x, the number must be treated as unsigned as otherwise it would get sign-extended on for example 64bit machines and do wrong output. This problem showed when doing printf("%08x", 0xffeeddcc) on a 64bit host.
2013-06-24tests: add test1395 to the tarballDaniel Stenberg
2013-06-24SIGPIPE: don't use 'data' in sigpipe restoreDaniel Stenberg
Follow-up fix from 7d80ed64e43515. The SessionHandle may not be around to use when we restore the sigpipe sighandler so we store the no_signal boolean in the local struct to know if/how to restore.
2013-06-23TODO: 1.8 Modified buffer size approachDaniel Stenberg
Thoughts around buffer sizes and what might be possible to do...
2013-06-23c-ares: improve error message on failed resolveDaniel Stenberg
When the c-ares based resolver backend failed to resolve a name, it tried to show the name that failed from existing structs. This caused the wrong output and shown hostname when for example --interface [hostname] was used and that name resolving failed. Now we use the hostname used in the actual resolve attempt in the error message as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1191 Reported-by: Kim Vandry
2013-06-23ossl_recv: check for an OpenSSL error, don't assumeDaniel Stenberg
When we recently started to treat a zero return code from SSL_read() as an error we also got false positives - which primarily looks to be because the OpenSSL documentation is wrong and a zero return code is not at all an error case in many situations. Now ossl_recv() will check with ERR_get_error() to see if there is a stored error and only then consider it to be a true error if SSL_read() returned zero. Bug: http://curl.haxx.se/bug/view.cgi?id=1249 Reported-by: Nach M. S. Patch-by: Nach M. S.
2013-06-22Merge branch 'master' of https://github.com/bagder/curlNick Zitzmann
2013-06-22darwinssl: fix crash that started happening in LionNick Zitzmann
Something (a recent security update maybe?) changed in Lion, and now it has changed SSLCopyPeerTrust such that it may return noErr but also give us a null trust, which caught us off guard and caused an eventual crash.
2013-06-22SIGPIPE: ignored while inside the libraryDaniel Stenberg
... and restore the ordinary handling again when it returns. This is done for curl_easy_perform() and curl_easy_cleanup() only for now - and only when built to use OpenSSL as backend as this is the known culprit for the spurious SIGPIPEs people have received. Bug: http://curl.haxx.se/bug/view.cgi?id=1180 Reported by: Lluís Batlle i Rossell
2013-06-22KNOWN_BUGS: #83 unable to load non-default openssl enginesDaniel Stenberg
2013-06-22test1396: invoke the correct test tool!Daniel Stenberg
This erroneously run unit test 1310 instead of 1396!
2013-06-22test1230: avoid using hard-wired port numberKamil Dudka
... to prevent failure when a non-default -b option is given
2013-06-22curl-config.in: replace tabs by spacesKamil Dudka
2013-06-22darwinssl: reform OS-specific #definesNick Zitzmann
This doesn't need to be in the release notes. I cleaned up a lot of the #if lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like __MAC_10_6 or whatever were defined, because for some SDKs Apple has released they were defined out of place.
2013-06-22docs: fix typo in curl_easy_getinfo manpageAlessandro Ghedini
2013-06-22dotdot: introducing dot file path cleanupDaniel Stenberg
RFC3986 details how a path part passed in as part of a URI should be "cleaned" from dot sequences before getting used. The described algorithm is now implemented in lib/dotdot.c with the accompanied test case in test 1395. Bug: http://curl.haxx.se/bug/view.cgi?id=1200 Reported-by: Alex Vinnik
2013-06-22bump: start working towards what most likely will become 7.32.0Daniel Stenberg
2013-06-22THANKS: added 24 new contributors from the 7.31.0 releaseDaniel Stenberg
2013-06-22RELEASE-NOTES: synced with 0de7249bb39a2 - 7.31.0Daniel Stenberg
2013-06-22unit1396: unit tests to verify curl_easy_(un)escapeDaniel Stenberg
2013-06-22Curl_urldecode: no peeking beyond end of input bufferDaniel Stenberg
Security problem: CVE-2013-2174 If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer... Bug: http://curl.haxx.se/docs/adv_20130622.html Reported-by: Timo Sirainen
2013-06-20Use opened body.out file and write content to it.Guenter Knauf