Age | Commit message | Author |
|
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.
The following program reproduces it:
    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL *handle = curl_easy_init();
    struct CookieInfo *info = Curl_cookie_init(handle, NULL, NULL, false);
    curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
    Curl_flush_cookies(handle, true);
    Curl_cookie_cleanup(info);
    curl_easy_cleanup(handle);
    curl_global_cleanup();
This was found through fuzzing.
Closes #4454
|
|
Closes #4446
|
|
|
|
Closes #4011
|
|
|
|
... to make it handle for example (RFC violating) embedded spaces.
Reported-by: momala454 on github
Fixes #4445
Closes #4447
|
|
|
|
|
|
This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting in 7.66.0
when this new handle allocating scheme was introduced.
Reported-by: Peter Sumatra
Fixes #4393
Closes #4438
|
|
Closes #4410
|
|
Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the
response is chunked-encoded.
Reported-by: Ilya Kosarev
Fixes #4310
Closes #4449
|
|
The loop doesn't need to be executed without a file argument.
Closes https://github.com/curl/curl/pull/4444
|
|
`dest` is only used with `ENABLE_IPV6`.
Closes https://github.com/curl/curl/pull/4444
|
|
Closes https://github.com/curl/curl/pull/4444
|
|
With WinSSL and testing enabled so that it would have detected most of
the warnings fixed in [0] and [1].
[0] https://github.com/curl/curl/pull/4398
[1] https://github.com/curl/curl/pull/4415
Closes https://github.com/curl/curl/pull/4433
|
|
It's only used for MSYS2 with MinGW.
Closes
|
|
Closes #4441
|
|
As mandated by the spec. Test 1654 is extended to verify.
Closes #4443
|
|
|
|
|
|
|
|
|
|
Reported-by: Lucas Severo
|
|
Closes #4424
|
|
The 'share object' only sets the storage area for cookies. The "cookie
engine" still needs to be enabled or activated using the normal cookie
options.
This caused the curl command line tool to accidentally use cookies
without having been told to, since curl switched to using shared cookies
in 7.66.0.
Test 1166 verifies
Updated test 506
Fixes #4429
Closes #4434
|
|
|
|
|
|
Closes #4435
|
|
Add libtest 661
Closes #4417
|
|
Closes #4428
|
|
`timediff_t` is 64 bits wide also on 32-bit systems since
commit b1616dad8f0.
Closes https://github.com/curl/curl/pull/4415
|
|
Closes https://github.com/curl/curl/pull/4425
|
|
Closes #4431
|
|
Closes #4430
|
|
|
|
|
|
This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2.
|
|
|
|
|
|
Closes #4423
|
|
Instead of showing the somewhat nonsensical errno number, use strerror()
to provide a more relatable error message.
Closes #4411
|
|
Reported-by: Jeremy Lainé
|
|
Prior to this change non-ssl/non-ssh connections that were reused set
TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH
handshake took place.
[1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in
libcurl and %{time_appconnect} in the curl tool. It is documented as
"the time until the SSL/SSH handshake is completed".
Reported-by: Marcel Hernandez
Ref: https://github.com/curl/curl/issues/3760
Closes https://github.com/curl/curl/pull/3773
|
|
- convert some of them to H3BUF() calls to infof()
- remove some of them completely
- made DEBUG_HTTP3 defined only if CURLDEBUG is set for now
Closes #4421
|
|
Closes #4403
|
|
... to repair the build again
Closes #4403
|
|
|
|
Follow-up to d176a2c7e5
|
|
The parser would check for a query part before fragment, which caused it
to do wrong when the fragment contains a question mark.
Extended test 1560 to verify.
Reported-by: Alex Konev
Fixes #4412
Closes #4413
|
|
- mkdir on OSX/Darwin requires `-p` argument before dir
- portably figuring out number of cores is an exercise for somewhere
else
Closes #4407
|