aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-10-17tool_cb_hdr: handle failure of rename()Kamil Dudka
Detected by Coverity. Closes #3140 Reviewed-by: Jay Satiro
2018-10-17RELEASE-NOTES: syncedDaniel Stenberg
2018-10-17docs/SECURITY-PROCESS: the hackerone IBB program drops curlDaniel Stenberg
... now there's only BountyGraph.
2018-10-16x509asn1: Fix SAN IP address verificationMatthew Whitehead
For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
2018-10-15INSTALL: mention mesalink in TLS sectionDaniel Gustafsson
Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the MesaLink vtls backend, but missed updating the TLS section containing supported backends in the docs. Closes #3134 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-14nonblock: fix unused parameter warningMarcel Raad
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not used.
2018-10-13Curl_follow: Always free the passed new URLMichael Kaufmann
Closes #3124
2018-10-12replace rawgit links [ci skip]Viktor Szakats
Ref: https://rawgit.com/ "RawGit has reached the end of its useful life" Ref: https://news.ycombinator.com/item?id=18202481 Closes https://github.com/curl/curl/pull/3131
2018-10-12docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018Daniel Stenberg
[ci skip]
2018-10-12travis: make distcheck scan for BOM markersDaniel Stenberg
and remove BOM from projects/wolfssl_override.props Closes #3126
2018-10-11CMake: remove BOMMarcel Raad
Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea. Reported-by: Viktor Szakats Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136
2018-10-10transfer: fix typo in commentDaniel Gustafsson
2018-10-10docs: add "see also" links for SSL optionsMichael Kaufmann
- link TLS 1.2 and TLS 1.3 options - link proxy and non-proxy options Closes #3121
2018-10-10AppVeyor: remove BDIR variable that sneaked in againMarcel Raad
Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added again in 9f3be5672dc4dda30ab43e0152e13d714a84d762.
2018-10-10CMake: disable -Wpedantic-ms-formatMarcel Raad
As done in the autotools build. This is required for MinGW, which supports only %I64 for printing 64-bit values, but warns about it. Closes https://github.com/curl/curl/pull/3120
2018-10-09ldap: show precise LDAP call in error message on WindowsViktor Szakats
Also add a unique but common text ('bind via') to make it easy to grep this specific failure regardless of platform. Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 Closes https://github.com/curl/curl/pull/3118 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09docs/DEPRECATE: minor reformat to render nicer on webDaniel Stenberg
2018-10-09CURLOPT_SSL_VERIFYSTATUS: Fix typoDaniel Gustafsson
Changes s/OSCP/OCSP/ and bumps the copyright year due to the change.
2018-10-09curl_setup: define NOGDI on WindowsMarcel Raad
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> on MinGW. Closes https://github.com/curl/curl/pull/3113
2018-10-09Windows: fixes for MinGW targeting Windows VistaMarcel Raad
Classic MinGW has neither InitializeCriticalSectionEx nor GetTickCount64, independent of the target Windows version. Closes https://github.com/curl/curl/pull/3113
2018-10-08TODO: fixed 'API for URL parsing/splitting'Daniel Stenberg
2018-10-08KNOWN_BUGS: Fix various typosDaniel Gustafsson
Closes #3112 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-08spelling fixes [ci skip]Viktor Szakats
as detected by codespell 1.14.0 Closes https://github.com/curl/curl/pull/3114 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-08RELEASE-NOTES: syncedDaniel Stenberg
2018-10-08curl_ntlm_wb: check aprintf() return codesDaniel Stenberg
... when they return NULL we're out of memory and MUST return failure. closes #3111
2018-10-08docs/BUG-BOUNTY: proposed additional docsDaniel Stenberg
Bug bounty explainer. See https://bountygraph.com/programs/curl Closes #3067
2018-10-08hostip: fix check on Curl_shuffle_addr return valueRick Deist
Closes #3110
2018-10-08FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER outputDaniel Stenberg
Now FILE transfers send headers to the header callback like HTTP and other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) work for FILE in the callbacks. Makes "curl -i file://.." and "curl -I file://.." work like before again. Applied the bold header logic to them too. Regression from c1c2762 (7.61.0) Reported-by: Shaun Jackman Fixes #3083 Closes #3101
2018-10-07gskit: make sure to terminate version stringDaniel Gustafsson
In case a very small buffer was passed to the version function, it could result in the buffer not being NULL-terminated since strncpy() doesn't guarantee a terminator on an overflowed buffer. Rather than adding code to terminate (and handle zero-sized buffers), move to using snprintf() instead like all the other vtls backends. Closes #3105 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-07TODO: add LD_PRELOAD support on macOSDaniel Gustafsson
Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394.
2018-10-07runtests: skip ld_preload tests on macOSDaniel Gustafsson
The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests requiring it. Fixes #2394 Closes #3106 Reported-by: Github user @jakirkham Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-07AppVeyor: use Debug builds to run testsMarcel Raad
This enables more tests. Closes https://github.com/curl/curl/pull/3104
2018-10-07AppVeyor: add HTTP_ONLY buildMarcel Raad
Closes https://github.com/curl/curl/pull/3104
2018-10-07AppVeyor: add WinSSL buildsMarcel Raad
Use the oldest and latest Windows SDKs for them. Also, remove all but one OpenSSL build. Closes https://github.com/curl/curl/pull/3104
2018-10-07AppVeyor: add remaining Visual Studio versionsMarcel Raad
This adds Visual Studio 9 and 10 builds. There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32 build. Also, VC9 cannot be used for running the test suite. Closes https://github.com/curl/curl/pull/3104
2018-10-07AppVeyor: break long lineMarcel Raad
Closes https://github.com/curl/curl/pull/3104
2018-10-07AppVeyor: remove unused BDIR variableMarcel Raad
Closes https://github.com/curl/curl/pull/3104
2018-10-06test2100: test DoH using IPv4-onlyDaniel Stenberg
To make it only send one DoH request and avoid the race condition that could lead to the requests getting sent in reversed order and thus making it hard to compare in the test case. Fixes #3107 Closes #3108
2018-10-06tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> tooDaniel Stenberg
[ci skip]
2018-10-05RELEASE-NOTES: syncedDaniel Stenberg
2018-10-05timeval: fix use of weak symbol clock_gettime() on Apple platformsdmitrykos
Closes #3048
2018-10-05doh: keep the IPv4 address in (original) network byte orderDaniel Stenberg
Ideally this will fix the reversed order shown in SPARC tests: resp 8: Expected 127.0.0.1 got 1.0.0.127 Closes #3091
2018-10-05INTERNALS.md: wrap lines longer than 79Jay Satiro
2018-10-05INTERNALS: escape reference to parameterDaniel Gustafsson
The parameter reference <string> was causing rendering issues in the generated HTML page, as <string> isn't a valid HTML tag. Fix by back- tick escaping it. Closes #3099 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05checksrc: handle zero scoped ignore commandsDaniel Gustafsson
If a !checksrc! disable command specified to ignore zero errors, it was still added to the ignore block even though nothing was ignored. While there were no blocks ignored that shouldn't be ignored, the processing ended with with a warning: <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) /* !checksrc! disable LONGLINE 0 */ ^ Fix by instead treating a zero ignore as a a badcommand and throw a warning for that one. Closes #3096 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05checksrc: enable strict mode and warningsDaniel Gustafsson
Enable strict and warnings mode for checksrc to ensure we aren't missing anything due to bugs in the checking code. This uncovered a few things which are all fixed in this commit: * several variables were used uninitialized * several variables were not defined in the correct scope * the whitelist filehandle was read even if the file didn't exist * the enable_warn() call when a disable counter had expired was passing incorrect variables, but since the checkwarn() call is unlikely to hit (the counter is only decremented to zero on actual ignores) it didn't manifest a problem. Closes #3090 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05CMake: suppress MSVC warning C4127 for libtestMarcel Raad
It's issued by older Windows SDKs (prior to version 8.0).
2018-10-05Merge branch 'dmitrykos-fix_missing_CMake_defines'Sergei Nikulov
2018-10-05cmake: test and set missed defines during configurationdmitrykos
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. Closes #3097
2018-10-05AppVeyor: disable test 500Marcel Raad
It almost always results in "starttransfer vs total: 0.000001 0.000000". I cannot reproduce this locally, so disable it for now. Closes https://github.com/curl/curl/pull/3100