Age | Commit message (Collapse) | Author |
|
|
|
Bug born in changes made several days ago 9a91e80.
Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
|
|
Bug: http://curl.haxx.se/mail/lib-2015-04/0191.html
Reported-by: Michael Osipov
|
|
This fixes using a multi-target mingw distro to build curl .dll for the
non-default target.
(mirroring the same patch present in src/makefile.m32)
|
|
I've not mentioned the bug fixes that were shipped in 7.42.1 from the
7_42 branch.
|
|
|
|
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
|
|
|
|
|
|
|
|
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
|
|
|
|
So that it fits HTTP/2 as well
|
|
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
|
|
It would otherwise cause problems when running tests after 1801 etc.
|
|
... as it was previouly undocumented what the pointer was.
|
|
... and have git ignore that. Allows for a dev to add tests to ignore in
local tests and yet don't obstruct a normal git work flow.
|
|
|
|
Reported-by: Brian Chrisman
|
|
white space changes only
|
|
To have engine modules work, we must tell openssl to load builtin
modules first.
Bug: https://github.com/bagder/curl/pull/206
|
|
commit 5b66860652 was incomplete so here's a follow-up fix
Reported-by: Dagobert Michelsen
Bug: https://github.com/bagder/curl/commit/5b668606527613179d0349f21b4ab0df2971e3d2#commitcomment-10473445
|
|
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
|
|
Without this, SSPI based digest auth was broken.
Bug: https://github.com/bagder/curl/pull/141.patch
|
|
Add new option --data-raw which is almost the same as --data but does
not have a special interpretation of the @ character.
Prior to this change there was no (easy) way to pass the @ character as
the first character in POST data without it being interpreted as a
special character.
Bug: https://github.com/bagder/curl/issues/198
Reported-by: Jens Rantil
|
|
|
|
|
|
The 'default' token has no argument and means to match _any_ domain.
It must be placed last if there are 'machine <name>' tokens in the same file.
See full description here:
https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html
|
|
Elaborated on several of the remaining HTTP/2 parts and made document
use a format that ends up nicer on the web page:
http://curl.haxx.se/dev/roadmap.html
|
|
This commit fixes a regression introduced in curl-7_41_0-186-g261a0fe.
It also introduces a regression test 1424 based on tests 78 and 1423.
Reported-by: Viktor Szakats
Bug: https://github.com/bagder/curl/issues/237
|
|
|
|
|
|
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
|
|
|
|
|
|
|
|
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
|
|
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
|
|
|
|
Bug: https://bugzilla.redhat.com/1195771
|
|
|
|
|
|
|
|
|
|
|
|
When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.
CVE-2015-3148
Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
|
|
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
|
|
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
|
|
CVE-2015-3143
Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
|
|
|