aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-02-07RELEASE-NOTES: synced with d6a8869ea34Daniel Stenberg
2016-02-06openssl: Fix signed/unsigned mismatch warning in X509V3_extJay Satiro
sk_X509_EXTENSION_num may return an unsigned integer, however the value will fit in an int. Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896 Reported-by: Gisle Vanem
2016-02-07TODO: 17.11 -w output to stderrDaniel Stenberg
2016-02-06idn_win32: Better error checkingMichael Kaufmann
.. also fix a conversion bug in the unused function curl_win32_ascii_to_idn(). And remove wprintfs on error (Jay). Bug: https://github.com/curl/curl/pull/637
2016-02-06examples/asiohiper: Avoid function name collision on WindowsGisle Vanem
closesocket => close_socket Winsock already has the former. Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
2016-02-06examples/htmltitle: Use _stricmp on WindowsGisle Vanem
Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
2016-02-06COPYING: clarify that Daniel is not the sole authorDaniel Stenberg
... done on request and as it is a fair point.
2016-02-05unit1604: Fix unit setup return codeJay Satiro
2016-02-05tool_doswin: Use type SANITIZEcode in sanitize_file_nameJay Satiro
2016-02-05tool_doswin: Improve sanitization processingJay Satiro
- Add unit test 1604 to test the sanitize_file_name function. - Use -DCURL_STATICLIB when building libcurltool for unit testing. - Better detection of reserved DOS device names. - New flags to modify sanitize behavior: SANITIZE_ALLOW_COLONS: Allow colons SANITIZE_ALLOW_PATH: Allow path separators and colons SANITIZE_ALLOW_RESERVED: Allow reserved device names SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename - Restore sanitization of banned characters from user-specified outfile. Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through. Closes https://github.com/curl/curl/issues/624 Reported-by: Octavio Schroeder
2016-02-04URLs: change more http to httpsViktor Szakats
2016-02-04sasl_sspi: Fix memory leak in domain populateJay Satiro
Free an existing domain before replacing it. Bug: https://github.com/curl/curl/issues/635 Reported-by: silveja1@users.noreply.github.com
2016-02-04URLs: follow GitHub project rename (also Travis CI)Viktor Szakats
Closes #632
2016-02-03CHANGES.o: fix references to curl.haxx.nuDaniel Stenberg
I removed the scheme prefix from the URLs references this host name, as we don't own/run that anymore but the name is kept for historic reasons.
2016-02-03HISTORY: add some info about when we used which host namesDaniel Stenberg
2016-02-02URLs: change more http to httpsViktor Szakats
2016-02-03URLs: Change more haxx.se URLs from http: to https:Dan Fandrich
2016-02-03RELEASE-NOTES: synced with 4af40b364Daniel Stenberg
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-02-02configure: update the copyright year range in outputDaniel Stenberg
2016-02-02dotdot: allow an empty input string tooDaniel Stenberg
It isn't used by the code in current conditions but for safety it seems sensible to at least not crash on such input. Extended unit test 1395 to verify this too as well as a plain "/" input.
2016-02-02HTTPS: update a bunch of URLs from HTTP to HTTPSDaniel Stenberg
2016-02-01AppVeyor: updated to handle OpenSSL/WinSSL buildsSergei Nikulov
Closes #621
2016-02-01tool_operate: Don't sanitize --output path (Windows)Jay Satiro
Due to path separators being incorrectly sanitized in --output pathnames, eg -o c:\foo => c__foo This is a partial revert of 3017d8a until I write a proper fix. The remote-name will continue to be sanitized, but if the user specified an --output with string replacement (#1, #2, etc) that data is unsanitized until I finish a fix. Bug: https://github.com/bagder/curl/issues/624 Reported-by: Octavio Schroeder
2016-01-29curl.1: Explain remote-name behavior if file already existsJay Satiro
.. also warn about letting the server pick the filename.
2016-01-29urldata: Error on missing SSL backend-specific connect infoGisle Vanem
2016-01-28bump: towards the next (7.47.1 ?)Daniel Stenberg
2016-01-28cmake: fixed when OpenSSL enabled on Windows and schannel detectedSergei Nikulov
Closes #617
2016-01-28urldata: moved common variable out of ifdefSergei Nikulov
Closes https://github.com/bagder/curl/pull/618
2016-01-28tool_doswin: silence unused function warningViktor Szakats
tool_doswin.c:185:14: warning: 'msdosify' defined but not used [-Wunused-function] Closes https://github.com/bagder/curl/pull/616
2016-01-27getredirect.c: fix variable nameDaniel Stenberg
Reported-by: Bernard Spil
2016-01-27examples/Makefile.inc: specify programs without .c!Daniel Stenberg
2016-01-26THANKS: 6 new contributors from 7.47.0 release notesDaniel Stenberg
2016-01-26NTLM: Fix ConnectionExists to compare Proxy credentialsIsaac Boukris
Proxy NTLM authentication should compare credentials when re-using a connection similar to host authentication, as it authenticate the connection. Example: curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm] CVE-2016-0755 Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26curl: avoid local drive traversal when saving file (Windows)Ray Satiro
curl does not sanitize colons in a remote file name that is used as the local file name. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows/DOS is the only OS where this vulnerability applies. CVE-2016-0754 Bug: http://curl.haxx.se/docs/adv_20160127B.html
2016-01-26RELEASE-NOTES: 7.47.0Daniel Stenberg
2016-01-25FAQ: language fix in 4.19Daniel Stenberg
2016-01-24FAQ: Update to point to GitHubpaulehoffman
Current FAQ didn't make it clear where the main repo is. Closes #612
2016-01-24maketgz: generate date stamp with LC_TIME=CDaniel Stenberg
bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
2016-01-24curl_multi_socket_action.3: line wrapDaniel Stenberg
2016-01-24RELEASE-NOTES: synced with d58ba66eecebDaniel Stenberg
2016-01-21TODO: "Create remote directories" for SMBSteve Holme
2016-01-18mbedtls: Fix pinned key return value on failJay Satiro
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification. The callback method had three problems: 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned. 2. If peer certificate verification was disabled the pinned key verification did not take place as it should. 3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key. Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2. Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html Ref: https://github.com/bagder/curl/pull/601
2016-01-18tests: Add a test for pinnedpubkey fail even when insecureJay Satiro
Because disabling the peer verification (--insecure) must not disable the public key pinning check (--pinnedpubkey).
2016-01-16CURLINFO_RESPONSE_CODE.3: add exampleDaniel Schauenberg
2016-01-15ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULLKamil Dudka
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE. Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-14RELEASE-NOTES: synced with 35083ca60ed035aDaniel Stenberg
2016-01-14openssl: improved error detection/reportingDaniel Stenberg
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another cerfificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14openssl: for 1.1.0+ they now provide a SSLeay() macro of their ownDaniel Stenberg
2016-01-13CURLOPT_RESOLVE.3: minor language polishDaniel Stenberg