| Age | Commit message (Collapse) | Author |
|---|
|
Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1)
Reported-by: Jonathan Cardoso Machado
Assisted-by: Jay Satiro
Fixes #4136
Closes #4162
|
|
|
|
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
before push...
|
|
|
|
Closes #4157
|
|
... to avoid integer overflows later when multiplying with 1000 to
convert seconds to milliseconds.
Added test 1269 to verify.
Reported-by: Jason Lee
Closes #4166
|
|
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.
Fixed-by: Ironbars13 on github
Fixes #4084
Closes #4161
|
|
... so that end-of-stream is detected properly.
Reported-by: Tom van der Woerdt
Fixes #4043
Closes #4160
|
|
When curl_multi_wait() returns OK without file descriptors to wait for,
it might already have done a long timeout.
Closes #4159
|
|
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update
test 1514 according to the new behaviour.
Closes #4138
|
|
This fixes the winbuild build method which broke several days ago
when experimental quic support was added in 3af0e76.
Reported-by: Michael Lee
Fixes https://github.com/curl/curl/issues/4158
|
|
- In curl_easy_reset attempt to resize the receive buffer to its default
size. If realloc fails then continue using the previous size.
Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.
Reported-by: Felix Hädicke
Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
|
|
- Trade in __attribute__((unused)) for the classic (void)x to silence
unused symbols.
Because the classic way is not gcc specific. Also because the prior
method mapped to symbol _Unused, which starts with _ and a capital
letter which is reserved.
Assisted-by: The Infinnovation team
Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108
Closes https://github.com/curl/curl/pull/4153
|
|
|
|
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).
Fixes #4147
Closes #4148
|
|
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.
Fixes #4144
Closes #4151
|
|
easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not
defined, and prior to this change would be called regardless.
Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637
Reported-by: Marcel Raad
Closes https://github.com/curl/curl/pull/4142
|
|
From commit b8894085
Pointed out by Coverity CID 1451703
Closes #4134
|
|
USe configure --with-ngtcp2 or --with-quiche
Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>
Closes #3500
|
|
The loop never loops (since b889408500), pointed out by Coverity (CID
1451702)
Closes #4133
|
|
|
|
|
|
This is done by making sure each individual transfer is first added to a
linked list as then they can be performed serially, or at will, in
parallel.
Closes #3804
|
|
... will make it render as a nicer web page.
Closes #4131
|
|
Introducing CURLVERSION_SIXTH with nghttp2 info.
Closes #4121
|
|
|
|
Several reasons:
- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons
Assisted-by: Daniel Gustafsson
Closes #4129
|
|
|
|
|
|
Fix regression caused by 21080e1
Reported-by: Chih-Hsuan Yen
Fixes #4122
Closes #4124
|
|
|
|
|
|
|
|
|
|
- Find package "Brotli" instead of "BROTLI" since the former is the
casing used for CMake/FindBrotli.cmake, and otherwise find_package
may fail on a case-sensitive file system.
Fixes https://github.com/curl/curl/issues/4117
|
|
AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've
cautioned against using it for that purpose and included a workaround.
Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html
Reported-by: Christopher Head
Closes https://github.com/curl/curl/issues/3814
|
|
Closes https://github.com/curl/curl/pull/4118
|
|
If the SSL backend is Schannel and the user specifies an Schannel CALG_
that is not supported by the protocol or the server then curl returns
CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH.
Fixes https://github.com/curl/curl/issues/3389
Closes https://github.com/curl/curl/pull/4106
|
|
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call. Should it
return false, we should however treat it as an error and bail out.
Closes https://github.com/curl/curl/pull/4110
|
|
Since 7.54 --tlsv1. options use the specified version or later, however
older versions of curl documented it as using just the specified version
which may or may not have happened depending on the TLS library.
Document this discrepancy to allay confusion for users familiar with the
old documentation that expect just the specified version.
Fixes https://github.com/curl/curl/issues/4097
Closes https://github.com/curl/curl/pull/4119
|
|
- Allow FTPS on redirect.
- Update default allowed redirect protocols in documentation.
Follow-up to 6080ea0.
Ref: https://github.com/curl/curl/pull/4094
Closes https://github.com/curl/curl/pull/4115
|
|
... and adjust those that cause errors
Closes #4116
|
|
... as larger values would rather indicate something silly (and could
potentially cause buffer problems).
Reported-by: pendrek at hackerone
Closes #4114
|
|
follow-up to 7fb66c403
|
|
Triggered by PR #4111
Closes #4113
|
|
- Escape apostrophes at line start.
Some lines begin with a "'" (apostrophe, single quote), which is then
interpreted as a control character in *roff.
Such lines are interpreted as being a call to a macro, and if
undefined, the lines are removed from the output.
Bug: https://bugs.debian.org/926352
Signed-off-by: Bjarni Ingi Gislason <bjarniig@rhi.hi.is>
Submitted-by: Alessandro Ghedini
Closes https://github.com/curl/curl/pull/4111
|
|
follow-up to 6080ea098
|
|
The testcase ensures that redirects to CURLPROTO_GOPHER won't be
allowed, by default, in the future. Also, curl is being used
for convenience while keeping the testcases DRY.
The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is
redirected to CURLPROTO_GOPHER
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
|
|
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.
For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.
Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.
[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>
Closes #4094
|
|
Closes #4100
|
