Age | Commit message | Author
2016-10-09 | smb: properly check incoming packet boundaries | Tobias Stoeckmann
Not all reply messages were properly checked for their lengths, which made it possible to access uninitialized memory (but this does not lead to out of boundary accesses). Closes #1052
2016-10-08 | test557: verify printf() with 128 and 129 arguments | Daniel Stenberg
2016-10-08 | mprintf: return error on too many arguments | Daniel Stenberg
128 arguments should be enough for everyone
2016-10-08 | ftp: fix Curl_ftpsendf() | Daniel Stenberg
... it no longer takes printf() arguments since it was only really taken advantage of by one user and it was not written and used in a safe way. Thus the 'f' is removed from the function name and the proto is changed. Although the current code wouldn't end up in badness, it was a risk that future changes could end up sprintf()ing too large data or passing in a format string inadvertently.
2016-10-08 | formpost: avoid silent snprintf() truncation | Daniel Stenberg
The previous use of snprintf() could make libcurl silently truncate some input data and not report that back on overly large input, which could make data get sent over the network in a bad format. Example:
  $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
2016-10-08 | TODO: build: Enable PIE and RELRO by default | Daniel Stenberg
2016-10-08 | TODO: Support better than MD5 hostkey hash (for ssh) | Daniel Stenberg
2016-10-08 | tests: Fix a small typo in the tests README (#1060) | Daniel Gustafsson
The subdirectory for logs in tests/ is named log/ without an 's' at the end.
2016-10-06 | TODO: Introduce --fail-fast to exit on first transfer fail | Daniel Stenberg
See #1054
2016-10-06 | TODO: Leave secure cookies alone | Daniel Stenberg
2016-10-06 | CURLOPT_DEBUGFUNCTION.3: unused argument warning (#1056) | Rainer Müller
The 'userp' argument is unused in this example code.
2016-10-05 | TODO: TCP Fast Open for windows | Daniel Stenberg
2016-10-04 | RELEASE-NOTES: synced with 8fd2a754f0de | Daniel Stenberg
2016-10-04 | CURLOPT_KEEP_SENDING_ON_ERROR.3: mention when it is added | Daniel Stenberg
2016-10-04 | memdup: use 'void *' as return and source type | Daniel Stenberg
2016-10-04 | TODO: Add easy argument to formpost functions | Daniel Stenberg
2016-10-04 | formpost: trying to attach a directory no longer crashes | Daniel Stenberg
The error path would previously add a freed entry to the linked list. Reported-by: Toby Peterson Fixes #1053
2016-10-03 | cookies: same domain handling changed to match browser behavior | Sergei Kuzmin
Cookies with the same domain but different tailmatching property are now considered different and do not replace each other. If the header contains the following lines then two cookies will be set:
  Set-Cookie: foo=bar; domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
  Set-Cookie: foo=baz; domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
This matches Chrome, Opera, Safari, and Firefox behavior. When sending stored tokens to foo.com, Chrome, Opera and Firefox send them in the stored order, while Safari pre-sorts the cookies. Closes #1050
2016-10-01 | FAQ: Fix typos in section 5.14 (#1047) | Stephen Brokenshire
Type required for YourClass::func C++ function (using size_t in line with the documentation for CURLOPT_WRITEFUNCTION) and missing second colon when specifying the static function for CURLOPT_WRITEFUNCTION.
2016-09-30 | KNOWN_BUGS: Fix typos in section 5.8. | Sebastian Mundry
Closes #1046
2016-09-30 | CONTRIBUTE.md: Fix typo in 'About pull requests' section. (#1045) | mundry
2016-09-30 | curl.1: --trace supports % for sending to stderr! | Daniel Stenberg
2016-09-26 | KNOWN_BUGS: 5.8 configure finding libs in wrong directory | Daniel Stenberg
2016-09-24 | configure: Fixed builds with libssh2 in a custom location | Dan Fandrich
A libssh2 library in the standard system location was being used in preference to the desired one while linking.
2016-09-23 | SECURITY: remove the top ascii logo | Daniel Stenberg
2016-09-22 | New libcurl option to keep sending on error | Michael Kaufmann
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether sending the request body shall be completed when the server responds early with an error status code. This is suitable for manual NTLM authentication. Reviewed-by: Jay Satiro Closes https://github.com/curl/curl/pull/904
2016-09-22 | nss: add chacha20-poly1305 cipher suites if supported by NSS | Kamil Dudka
2016-09-22 | nss: add cipher suites using SHA384 if supported by NSS | Kamil Dudka
2016-09-22 | nss: fix typo in ecdhe_rsa_null cipher suite string | Kamil Dudka
As it seems to be a rarely used cipher suite (for securely established but _unencrypted_ connections), I believe it is fine not to provide an alias for the misspelled variant.
2016-09-21 | docs: Remove that --proto is just used for initial retrieval | Jay Satiro
.. and add that --proto-redir and CURLOPT_REDIR_PROTOCOLS do not override protocols denied by --proto and CURLOPT_PROTOCOLS.
- Add a test to enforce: --proto deny must override --proto-redir allow
Closes https://github.com/curl/curl/pull/1031
2016-09-21 | dist: add CurlSymbolHiding.cmake to the tarball | Daniel Stenberg
Follow-up to 6140dfcf3e784 Reported-by: Alexander Sinditskiy
2016-09-20 | curl_global_cleanup.3: don't unload the lib with sub threads running | Daniel Stenberg
Discussed in #997 Assisted-by: Jay Satiro
2016-09-20 | MAIL-ETIQUETTE: language | Daniel Stenberg
2016-09-20 | easy: Reset all statistical session info in curl_easy_reset | Jay Satiro
Bug: https://github.com/curl/curl/issues/1017 Reported-by: Jeroen Ooms
2016-09-19 | RELEASE-NOTES: synced with 79607eec51055 | Daniel Stenberg
2016-09-19 | darwinssl: Fix typo in comment | Daniel Gustafsson
Closes https://github.com/curl/curl/pull/1028
2016-09-19 | libressl: fix version output | Bernard Spil
LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all versions returning `LibreSSL/2.0.0` for any LibreSSL version. This change provides a local OpenSSL_version_num function replacement returning LIBRESSL_VERSION_NUMBER instead. Closes #1029
2016-09-19 | TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP | rugk
Closes #1025 Closes #1026 Closes #1027
2016-09-19 | openssl: don't call ERR_remote_thread_state on >= 1.1.0 | Daniel Stenberg
Follow-up fix to d9321562
2016-09-19 | openssl: don’t call CRYTPO_cleanup_all_ex_data | Daniel Stenberg
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called multiple times without crashing - and other libs might call it! We basically cannot call it without risking a crash. The function is a no-op since OpenSSL 1.1.0. Not calling this function only risks a small memory leak with OpenSSL < 1.1.0. Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html Reported-by: Todd Short
2016-09-19 | TODO: Support SSLKEYLOGFILE | Daniel Stenberg
2016-09-18 | CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting | Jay Satiro
2016-09-18 | darwinssl: disable RC4 cipher-suite support | Nick Zitzmann
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-18 | configure: change "iOS/Mac OS X native" to "Apple OS native" | Nick Zitzmann
Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
2016-09-18 | test2048: fix url | Jay Satiro
2016-09-18 | examples/imap-append: Set size of data to be uploaded | Jay Satiro
Prior to this commit this example failed with error 'Cannot APPEND with unknown input file size'. Bug: https://github.com/curl/curl/issues/1008 Reported-by: lukaszgn@users.noreply.github.com Closes https://github.com/curl/curl/pull/1011
2016-09-16 | LICENSE-MIXING.md: update with mbedTLS dual licensing | Tony Kelman
Recent versions of mbedTLS are available under either Apache 2.0 or GPL 2.0, see https://tls.mbed.org/how-to-get Closes #1019
2016-09-16 | KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed | Daniel Stenberg
2016-09-16 | http2: debug output sent HTTP/2 request headers | Daniel Stenberg
2016-09-16 | http: accept "Transfer-Encoding: chunked" for HTTP/2 as well | Daniel Stenberg
... but don't send the actual header over the wire as it isn't accepted. Chunked uploading is still triggered using this method. Fixes #1013 Fixes #662