aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-07-14libcurl: Restrict redirect schemesLinos Giannopoulos
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS counterpart were allowed for redirect. This vastly broadens the exploitation surface in case of a vulnerability such as SSRF [1], where libcurl-based clients are forced to make requests to arbitrary hosts. For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based protocol by URL-encoding a payload in the URI. Gopher will open a TCP connection and send the payload. Only HTTP/HTTPS and FTP are allowed. All other protocols have to be explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr> Closes #4094
2019-07-14openssl: define HAVE_SSL_GET_SHUTDOWN based on version numberZenju
Closes #4100
2019-07-14http: allow overriding timecond with custom headerPeter Simonyi
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. If-Modified-Since). Allow this to be replaced or suppressed with CURLOPT_HTTPHEADER. Fixes #4103 Closes #4109
2019-07-11smb: Use the correct error code for access denied on file openJuergen Hoetzel
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. Closes https://github.com/curl/curl/pull/4095
2019-07-11DEPRECATE: fixup versions and spellingDaniel Gustafsson
Correctly set the July 17 version to 7.65.2, and update spelling to be consistent. Also fix a typo. Closes https://github.com/curl/curl/pull/4107
2019-07-11system_win32: fix clang warningGisle Vanem
- Declare variable in header as extern. Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
2019-07-10headers: Remove no longer exported functionsDaniel Gustafsson
There were a leftover few prototypes of Curl_ functions that we used to export but no longer do, this removes those prototypes and cleans up any comments still referring to them. Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. For the remainder, I didn't trawl the Git logs hard enough to capture their exact time of deletion, but they were all gone: Curl_splayprint(), Curl_http2_send_request(), Curl_global_host_cache_dtor(), Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), Curl_http_auth_stage() and Curl_close_connections(). Closes #4096 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-07-09CMake: fix typos and spellingDaniel Gustafsson
2019-07-09CMake: Convert errant elseif() to else()Kyle Edwards
CMake interprets an elseif() with no arguments as elseif(FALSE), resulting in the elseif() block not being executed. That is not what was intended here. Change the empty elseif() to an else() as it was intended. Closes #4101 Reported-by: Artalus <artalus-mail@yandex.ru> Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2019-07-09buildconf: fix header filenameDaniel Gustafsson
The header file inclusion had a typo, it should be .h and not .hd. Fix by renaming. Fixes #4102 Reported-by: AceCrow on Github
2019-07-09configure: fix --disable-code-coverageJan Chren
This fixes the case when --disable-code-coverage supplied to ./configure would result in coverage="yes" being set. Closes #4099 Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2019-07-08cleanup: fix typo in commentDaniel Gustafsson
2019-07-08RELEASE-NOTES: syncedDaniel Gustafsson
2019-07-06nss: support using libnss on macOSDaniel Gustafsson
The file suffix for dynamically loadable objects on macOS is .dylib, which need to be added for the module definitions in order to get the NSS TLS backend to work properly on macOS. Closes https://github.com/curl/curl/pull/4046
2019-07-06nss: don't set unused parameterDaniel Gustafsson
The value of the maxPTDs parameter to PR_Init() has since at least NSPR 2.1, which was released sometime in 1998, been marked ignored as is accordingly not used in the initialization code. Setting it to a value when calling PR_Init() is thus benign, but indicates an intent which may be misleading. Reset the value to zero to improve clarity. Closes https://github.com/curl/curl/pull/4054
2019-07-06nss: only cache valid CRL entriesDaniel Gustafsson
Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053
2019-07-06lib: Use UTF-8 encoding in commentsGergely Nagy
Some editors and IDEs assume that source files use UTF-8 file encodings. It also fixes the build with MSVC when /utf-8 command line option is used (this option is mandatory for some other open-source projects, this is useful when using the same options is desired for building all libraries of a project). Closes https://github.com/curl/curl/pull/4087
2019-07-06CURLOPT_HEADEROPT.3: Fix exampleCaleb Raitto
Fix an issue where example builds a curl_slist, but fails to actually use it, or free it. Closes https://github.com/curl/curl/pull/4090
2019-07-06winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIGShankar Jadhavar
- Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. - Also removed some ^M chars from file. Prior to this change while building on Windows platform even if we pass the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. Closes https://github.com/curl/curl/pull/4086
2019-07-04doh-url.d: added in 7.62.0Daniel Stenberg
2019-06-30docs: Fix links to OpenSSL docsJay Satiro
OpenSSL changed their manual locations and does not redirect to the new locations. Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html Reported-by: Daniel Stenberg
2019-06-26curl_multi_wait.3: escape backslash in exampleGaël PORTAY
The backslash in the character Line Feed must be escaped. The current man-page outputs the code as following: fprintf(stderr, "curl_multi failed, code %d.0, mc); The commit fixes it as follow: fprintf(stderr, "curl_multi failed, code %d\n", mc); Closes #4079
2019-06-26openssl: disable engine if OPENSSL_NO_UI_CONSOLE is definedDaniel Stenberg
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP"). Reported-by: Vasily Lobaskin Fixes #4073 Closes #4077
2019-06-25test1521: adapt to SLISTPOINTDaniel Stenberg
The header now has the slist-using options marked as SLISTPOINT so this makes sure test 1521 understands that. Follow-up to ae99b4de1c443ae989 Closes #4074
2019-06-25win32: make DLL loading a no-op for UWPDaniel Stenberg
Reported-by: Michael Brehm Fixes #4060 Closes #4072
2019-06-25configure: fix typo '--disable-http-uath'1ocalhost
Closes #4076
2019-06-25docs: fix string suggesting HTTP/2 is not the defaultNiklas Hambüchen
Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the man page that new default is mentioned, but the section at the top contradicted it until now. Also remove claim that setting the HTTP version is not sensible. Closes #4075
2019-06-25RELEASE-NOTES: syncedDaniel Stenberg
2019-06-25tests: update fixed IP for hostip/clientip splitStephan Szabo
These tests give differences for me on linux when using a hostip pointing to the external ip address for the local machine. Closes #4070
2019-06-24http: clarify header buffer size calculationDaniel Gustafsson
The header buffer size calculation can from static analysis seem to overlow as it performs an addition between two size_t variables and stores the result in a size_t variable. Overflow is however guarded against elsewhere since the input to the addition is regulated by the maximum read buffer size. Clarify this with a comment since the question was asked. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-24KNOWN_BUGS: Don't clear digest for single realmDaniel Stenberg
Closes #3267
2019-06-24KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostnameDaniel Stenberg
Closes #3284
2019-06-24http2: call done_sending on end of uploadDaniel Stenberg
To make sure a HTTP/2 stream registers the end of stream. Bug #4043 made me find this problem but this fix doesn't correct the reported issue. Closes #4068
2019-06-24c-ares: honor port numbers in CURLOPT_DNS_SERVERSJames Brown
By using ares_set_servers_ports_csv on new enough c-ares. Fixes #4066 Closes #4067
2019-06-24CURLMOPT_SOCKETFUNCTION.3: fix typoDaniel Gustafsson
2019-06-24curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy buildsKoen Dergent
Closes #4061
2019-06-24test153: fix content-length to avoid occasional hangDaniel Stenberg
Closes #4065
2019-06-24RELEASE-NOTES: syncedDaniel Stenberg
2019-06-23multi: enable multiplexing by default (again)Daniel Stenberg
It was originally made default in d7c4213bd0c (7.62.0) but mistakenly reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. Closes #4051
2019-06-22typecheck: add 3 missing strings and a callback data pointerDaniel Stenberg
Closes #4050
2019-06-21tests: add disable-scan.pl to distDaniel Stenberg
follow-up from 29177f422a5 Closes #4059
2019-06-21http2: don't call stream-close on already closed streamsDaniel Stenberg
Closes #4055
2019-06-20travis: enable alt-svc for coverage buildMarcel Raad
Closes
2019-06-20travis: enable libssh2 for coverage buildMarcel Raad
It was enabled by default before commit c92d2e14cfb. Disable torture tests 600 and 601 because of https://github.com/curl/curl/issues/1678. Closes
2019-06-20travis: disable threaded resolver for coverage buildMarcel Raad
This enables more tests. Closes
2019-06-20travis: enable brotli for all xenial jobsMarcel Raad
There's no need for a separate job, and no need to build it from source with Xenial. Closes
2019-06-20travis: enable warnings-as-errors for coverage buildMarcel Raad
Closes
2019-06-20system_win32: fix typoGisle Vanem
2019-06-20typecheck: CURLOPT_CONNECT_TO takes an slist tooDaniel Stenberg
Additionally, add an alias in curl.h for slist-using options so that we can grep/parse those out at will. Closes #4042
2019-06-20tests: support non-localhost HOSTIP for dict/smb serversStephan Szabo
smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for binding the server which when we were running the tests with a separate HOSTIP and CLIENTIP had failures verifying the server from the device we were testing. This changes them to take the address from runtests.py and default to localhost/127.0.0.1 if none is given. Closes #4048