aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-03-12limit-rate: fix compiler warningMichael Kaufmann
follow-up to 72a0f62
2018-03-12checksrc.pl: add -i and -m optionsViktor Szakats
To sync it with changes made for the libssh2 project. Also cleanup some whitespace.
2018-03-12curl-openssl.m4: fix spelling [ci skip]Viktor Szakats
2018-03-12FAQ: fix a broken URL [ci skip]Viktor Szakats
2018-03-12http2: mark the connection for close on GOAWAYDaniel Stenberg
... don't consider it an error! Assisted-by: Jay Satiro Reported-by: Łukasz Domeradzki Fixes #2365 Closes #2375
2018-03-12credits: Viktor prefers without accentDaniel Stenberg
2018-03-12openldap: white space changes, fixed up the copyright yearsDaniel Stenberg
2018-03-12openldap: check ldap_get_attribute_ber() results for NULL before usingDaniel Stenberg
CVE-2018-1000121 Reported-by: Dario Weisser Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
2018-03-12FTP: reject path components with control codesDaniel Stenberg
Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
2018-03-12readwrite: make sure excess reads don't go beyond buffer endDaniel Stenberg
CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz
2018-03-12BUGS: updated link to security processDaniel Stenberg
2018-03-11limit-rate: kick in even before "limit" data has been receivedDaniel Stenberg
... and make sure to avoid integer overflows with really large values. Reported-by: 刘佩东 Fixes #2371 Closes #2373
2018-03-11docs/SECURITY.md -> docs/SECURITY-PROCESS.mdDaniel Stenberg
2018-03-11SECURITY.md: call it the security processDaniel Stenberg
2018-03-11Curl_range: fix FTP-only and FILE-only buildsMichael Kaufmann
follow-up to e04417d
2018-03-11hostip: fix compiler warning: 'variable set but not used'Michael Kaufmann
2018-03-11HTTP: allow "header;" to replace an internal header with a blank oneDaniel Stenberg
Reported-by: Michael Kaufmann Fixes #2357 Closes #2362
2018-03-10http2: verbose output new MAX_CONCURRENT_STREAMS valuesDaniel Stenberg
... as it is interesting for many users.
2018-03-09SECURITY: distros' max embargo time is 14 days nowDaniel Stenberg
2018-03-08curl tool: accept --compressed also if Brotli is enabled and zlib is not.Patrick Monnerat
2018-03-05THANKS + mailmap: remove duplicates, fixup full namesDaniel Stenberg
2018-03-05WolfSSL: adding TLSv1.3sergii.kavunenko
Closes #2349
2018-03-04RELEASE-NOTES/THANKS: synced with cc1d4c505Daniel Stenberg
2018-03-04winbuild: prefer documented zlib library namesrichardthe3rd
Check for existence of import and static libraries with documented names and use them if they do. Fallback to previous names. According to https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on Windows, the names of the import library is "zdll.lib" and static library is "zlib.lib". closes #2354
2018-03-04krb5: use nondeprecated functionsMarcel Raad
gss_seal/gss_unseal have been deprecated in favor of gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and "GSS_Unwrap() (formerly GSS_Unseal())". Use the nondeprecated functions to avoid deprecation warnings. [1] https://tools.ietf.org/html/rfc2078 [2] https://tools.ietf.org/html/rfc1964 Closes https://github.com/curl/curl/pull/2356
2018-03-04curl.1: mention how to add numerical IP addresses in NO_PROXYDaniel Stenberg
2018-03-04CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addressesDaniel Stenberg
2018-03-04NO_PROXY: fix for IPv6 numericals in the URLDaniel Stenberg
Added test 1265 that verifies. Reported-by: steelman on github Fixes #2353 Closes #2355
2018-03-04build: get CFLAGS (including -werror) used for examples and testsDaniel Stenberg
... so that the CI and more detects compiler warnings/errors properly! Closes #2337
2018-03-03curl_ctype: fix macro redefinition warningsMarcel Raad
On MinGW and Cygwin, GCC and clang have been complaining about macro redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this by undefining the macros before redefining them as suggested in https://github.com/curl/curl/pull/2269. Suggested-by: Daniel Stenberg
2018-03-02unit1307: proper cleanup on OOM to fix torture testsDan Fandrich
2018-02-28unit1309: fix warning on Windows x64Marcel Raad
When targeting x64, MinGW-w64 complains about conversions between 32-bit long and 64-bit pointers. Fix this by reusing the GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / CURLX_INTEGER_TO_POINTER_CAST. Closes https://github.com/curl/curl/pull/2341
2018-02-28travis: update compiler versionsMarcel Raad
Update clang to version 3.9 and GCC to version 6. Closes https://github.com/curl/curl/pull/2345
2018-02-26docs/MANUAL: formfind.pl is not accessible on the site anymoreDaniel Stenberg
Fixes #2342
2018-02-24curl-openssl.m4: Fix version check for OpenSSL 1.1.1Jay Satiro
- Add OpenSSL 1.1.1 to the header/library version lists. - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark, which was added in that version. Prior to this change an erroneous header/library mismatch was caused by lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
2018-02-23lib655: silence compiler warningViktor Szakats
Closes https://github.com/curl/curl/pull/2335
2018-02-23spelling fixesViktor Szakats
Detected using the `codespell` tool. Also contains one URL protocol upgrade. Closes https://github.com/curl/curl/pull/2334
2018-02-24projects/README: remove reference to dead IDN link/packageDaniel Stenberg
Reported-by: Stefan Kanthak and Rod Widdowson Fixes #2325
2018-02-23winbuild: Use macros for the names of some build utilitiesRod Widdowson
- Add macros to the top of the makefile for rc and mt utilities so that it is easier to change their locations. Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html Reported-by: Stefan Kanthak Closes https://github.com/curl/curl/issues/2329
2018-02-23TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2Daniel Stenberg
2018-02-23curl_share_setopt.3: connection cache is shared within multi handlesDaniel Stenberg
2018-02-22winbuild: Use CALL to run batch scriptsRod Widdowson
Co-authored-by: Stefan Kanthak Closes https://github.com/curl/curl/issues/2330 Closes https://github.com/curl/curl/pull/2331
2018-02-22os400: add curl_resolver_start_callback type to ILE/RPG bindingPatrick Monnerat
2018-02-22form.d: rephrased somewhat, added two example command linesDaniel Stenberg
2018-02-21url: Add option CURLOPT_RESOLVER_START_FUNCTIONFrancisco Sedano
- Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that will be called every time before a new resolve request is started (ie before a host is resolved) with a pointer to backend-specific resolver data. Currently this is only useful for ares. - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to pass to the resolver start callback. Closes https://github.com/curl/curl/pull/2311
2018-02-21lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MSJay Satiro
- In keeping with the naming of our other connect timeout options rename CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS. This change adds the _MS suffix since the option expects milliseconds. This is more intuitive for our users since other connect timeout options that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS, CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS. The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms. Follow-up to 2427d94 which added the lib and tool option yesterday. Ref: https://github.com/curl/curl/pull/2260
2018-02-21sasl: prefer PLAIN mechanism over LOGINPatrick Monnerat
SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says PLAIN should be used instead if available.
2018-02-21RELEASE-NOTES: synced with 2427d94c6Daniel Stenberg
2018-02-20url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUTAnders Bakken
- Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy eyeball timeout value. - Add new optval macro CURL_HET_DEFAULT to represent the default happy eyeballs timeout value (currently 200 ms). - Add new tool option --happy-eyeballs-timeout-ms to expose CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the other -timeout options in the tool expect seconds not milliseconds. Closes https://github.com/curl/curl/pull/2260
2018-02-20hostip: fix 'potentially uninitialized variable' warningJay Satiro
Follow-up to 50d1b33. Caught by AppVeyor.