aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-09-16smb: check for full size message before reading message detailsDaniel Stenberg
To avoid reading of uninitialized data. Assisted-by: Max Dymond Bug: https://crbug.com/oss-fuzz/16907 Closes #4363
2019-09-16quiche: persist connection detailsDaniel Stenberg
... like we do for other protocols at connect time. This makes "curl -I" and other things work. Reported-by: George Liu Fixes #4358 Closes #4360
2019-09-16openssl: fix warning with boringssl and SSL_CTX_set_min_proto_versionDaniel Stenberg
Follow-up to ffe34b7b59 Closes #4359
2019-09-15doh: fix undefined behaviour and open up for gcc and clang optimizationPaul Dreik
The undefined behaviour is annoying when running fuzzing with sanitizers. The codegen is the same, but the meaning is now not up for dispute. See https://cppinsights.io/s/516a2ff4 By incrementing the pointer first, both gcc and clang recognize this as a bswap and optimizes it to a single instruction. See https://godbolt.org/z/994Zpx Closes #4350
2019-09-15doh: fix (harmless) buffer overrunPaul Dreik
Added unit test case 1655 to verify. Close #4352 the code correctly finds the flaws in the old code, if one temporarily restores doh.c to the old version.
2019-09-15docs: remove trailing ':' from section names in CURLOPT_TRAILER* manAlessandro Ghedini
2019-09-15docs: fix typo in CURLOPT_HTTP_VERSION manAlessandro Ghedini
2019-09-14CI: inintial github action jobDaniel Stenberg
First shot at a CI build on github actions
2019-09-13appveyor: add a winbuildDaniel Stenberg
Assisted-by: Marcel Raad Assisted-by: Jay Satiro Closes #4324
2019-09-13FTP: allow "rubbish" prepended to the SIZE responseDaniel Stenberg
This is a protocol violation but apparently there are legacy proprietary servers doing this. Added test 336 and 337 to verify. Reported-by: Philippe Marguinaud Closes #4339
2019-09-13FTP: skip CWD to entry dir when target is absoluteZenju
Closes #4332
2019-09-13curl: fix memory leaked by parse_metalink()Kamil Dudka
This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind and libmetalink enabled. Closes #4326
2019-09-13parsedate: still provide the name arrays when disabledDaniel Stenberg
If FILE or FTP are enabled, since they also use them! Reported-by: Roland Hieber Fixes #4325 Closes #4343
2019-09-13curl:file2string: load large files much fasterGilles Vollant
... by using a more efficient realloc scheme. Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html Closes #4336
2019-09-13openssl: close_notify on the FTP data connection doesn't mean closureDaniel Stenberg
For FTPS transfers, curl gets close_notify on the data connection without that being a signal to close the control connection! Regression since 3f5da4e59a556fc (7.65.0) Reported-by: Zenju on github Reviewed-by: Jay Satiro Fixes #4329 Closes #4340
2019-09-12docs/HTTP3: fix `--with-ssl` ngtcp2 configure flagJimmy Gaussen
Closes #4338
2019-09-12RELEASE-NOTES: syncedDaniel Stenberg
2019-09-12curlver: bump to 7.66.1Daniel Stenberg
2019-09-12setopt: make it easier to add new enum valuesZenju
... by using the *_LAST define names better. Closes #4321
2019-09-12asyn-thread: s/AF_LOCAL/AF_UNIX for SolarisDaniel Stenberg
Reported-by: Dagobert Michelsen Fixes #4328 Closes #4333
2019-09-11winbuild/MakefileBuild.vc: Add vsshBernhard Walle
Without that modification, the Windows build using the makefiles doesn't work. Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu> Fixes #4322 Closes #4323
2019-09-11winbuild/MakefileBuild.vc: Fix line endingsBernhard Walle
The file had mixed line endings. Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
2019-09-11ldap: Stop using wide char version of ldapp_err2stringJay Satiro
Despite ldapp_err2string being documented by MS as returning a PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and returns PWCHAR (wchar_t *). We have lots of code that expects ldap_err2string to return char *, most of it failf used like this: failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); Closes https://github.com/curl/curl/pull/4272
2019-09-10RELEASE-NOTES: curl 7.66.0Daniel Stenberg
2019-09-10THANKS: from the 7.66.0 releaseDaniel Stenberg
2019-09-10curl: make sure the parallel transfers do them allDaniel Stenberg
The logic could erroneously break the loop too early before all transfers had been transferred. Reported-by: Tom van der Woerdt Fixes #4316 Closes #4317
2019-09-10urlapi: one colon is enough for the strspn() input (typo)Daniel Stenberg
2019-09-10urlapi: verify the IPv6 numerical addressDaniel Stenberg
It needs to parse correctly. Otherwise it could be tricked into letting through a-f using host names that libcurl would then resolve. Like '[ab.be]'. Reported-by: Thomas Vegas Closes #4315
2019-09-10openssl: use SSL_CTX_set_<min|max>_proto_version() when availableClément Notin
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL. Closes #4304
2019-09-10openssl: indent, re-organize and add commentsClément Notin
2019-09-10sspi: fix memory leaksmigueljcrum
Closes #4299
2019-09-10travis: disable ngtcp2 builds (again)Daniel Stenberg
2019-09-09Curl_fillreadbuffer: avoid double-free trailer buf on errorDaniel Stenberg
Reviewed-by: Jay Satiro Reported-by: Thomas Vegas Closes #4307
2019-09-09tool_setopt: handle a libcurl build without netrc supportDaniel Stenberg
Reported-by: codesniffer13 on github Fixes #4302 Closes #4305
2019-09-09security:read_data fix bad realloc()Daniel Stenberg
... that could end up a double-free CVE-2019-5481 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
2019-09-09tftp: Alloc maximum blksize, and use default unless OACK is receivedThomas Vegas
Fixes potential buffer overflow from 'recvfrom()', should the server return an OACK without blksize. Bug: https://curl.haxx.se/docs/CVE-2019-5482.html CVE-2019-5482
2019-09-09tftp: return error when packet is too small for optionsThomas Vegas
2019-09-05KNOWN_BUGS/TODO: cleanup and remove outdated issuesDaniel Stenberg
2019-09-04RELEASE-NOTES: syncedDaniel Stenberg
2019-09-03netrc: free 'home' on errorDaniel Stenberg
Follow-up to f9c7ba9096ec2 Coverity CID 1453474 Closes #4291
2019-09-03urldata: avoid 'generic', use dedicated pointersDaniel Stenberg
For the 'proto' union within the connectdata struct. Closes #4290
2019-09-03cleanup: move functions out of url.c and make them staticDaniel Stenberg
Closes #4289
2019-09-03smtp: check for and bail out on too short EHLO responseDaniel Stenberg
Otherwise, a three byte response would make the smtp_state_ehlo_resp() function misbehave. Credit to OSS-Fuzz Bug: https://crbug.com/oss-fuzz/16918 Assisted-by: Max Dymond Closes #4287
2019-09-02smb: init *msg to NULL in smb_send_and_recv()Daniel Stenberg
... it might otherwise return OK from this function leaving that pointer uninitialized. Bug: https://crbug.com/oss-fuzz/16907 Closes #4286
2019-09-02ROADMAP: updated after recent user pollDaniel Stenberg
In rough prio order
2019-08-31THANKS: remove duplicateDaniel Stenberg
2019-08-31Curl_addr2string: take an addrlen argument tooDaniel Stenberg
This allows the function to figure out if a unix domain socket has a file name or not associated with it! When a socket is created with socketpair(), as done in the fuzzer testing, the path struct member is uninitialized and must not be accessed. Bug: https://crbug.com/oss-fuzz/16699 Closes #4283
2019-08-31CMake: remove needless newlines at end of gss variablesRolf Eike Beer
2019-08-31CI: remove duplicate configure flag for LGTM.comRolf Eike Beer
2019-08-31CMake: use platform dependent name for dlopen() libraryRolf Eike Beer
Closes #4279