aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-05-17RELEASE-NOTES: 7.49.0Daniel Stenberg
2016-05-17mbedtls/polarssl: set "hostname" unconditionallyDaniel Stenberg
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
2016-05-17CURLOPT_RESOLVE.3: fix typoFrank Gevaerts
Closes #811
2016-05-17docs: CURLOPT_RESOLVE overrides CURLOPT_IPRESOLVEDaniel Stenberg
2016-05-17KNOWN_BUGS: GnuTLS backend skips really long certificate fieldsDaniel Stenberg
Closes #762
2016-05-17CURLOPT_HTTPPOST.3: the data needs to be around while in useDaniel Stenberg
2016-05-17openssl: get_cert_chain: fix NULL dereferenceDaniel Stenberg
CID 1361815: Explicit null dereferenced (FORWARD_NULL)
2016-05-17openssl: get_cert_chain: avoid NULL dereferenceDaniel Stenberg
CID 1361811: Explicit null dereferenced (FORWARD_NULL)
2016-05-17dprintf_formatf: fix (false?) Coverity warningDaniel Stenberg
CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when we run over 'workend' but the condition says <= workend and for all I can see it should be safe. Compensating for the warning by adding a byte margin in the buffer. Also, removed the extra brace level indentation in the code and made it so that 'workend' is only assigned once within the function.
2016-05-16RELEASE-NOTES: synced with 2dcb5adc72d6Daniel Stenberg
2016-05-16THANKS-filter: fixed Jonathan CardosoDaniel Stenberg
2016-05-15ftp: fix incorrect out-of-memory code in Curl_pretransferJay Satiro
- Return value type must match function type. s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/ Caught by Travis CI
2016-05-15ftp wildcard: segfault due to init only in multi_performDaniel Stenberg
The proper FTP wildcard init is now more properly done in Curl_pretransfer() and the corresponding cleanup in Curl_close(). The previous place of init/cleanup code made the internal pointer to be NULL when this feature was used with the multi_socket() API, as it was made within the curl_multi_perform() function. Reported-by: Jonathan Cardoso Machado Fixes #800
2016-05-13libcurl-tlibcurl-thread: Update OpenSSL linksJay Satiro
Because the old OpenSSL link now redirects to their master documentation (currently 1.1.0), which does not document the required actions for OpenSSL <= 1.0.2.
2016-05-13darwinssl.c: fix OS X codename typo in commentViktor Szakats
2016-05-13RELEASE-NOTES: synced with 68701e51c1f7Daniel Stenberg
Added 8 bug fixes and 5 more contrbutors
2016-05-13mprintf: Fix processing of width and prec argsJay Satiro
Prior to this change a width arg could be erroneously output, and also width and precision args could not be used together without crashing. "%0*d%s", 2, 9, "foo" Before: "092" After: "09foo" "%*.*s", 5, 2, "foo" Before: crash After: " fo" Test 557 is updated to verify this and more
2016-05-13ConnectionExists: follow-up fix for proxy re-useMichael Kaufmann
Follow-up commit to 5823179 Closes #648
2016-05-12darwinssl: fix certificate verification disable on OS X 10.8Per Malmberg
The new way of disabling certificate verification doesn't work on Mountain Lion (OS X 10.8) so we need to use the old way in that version too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 and 10.11. Closes #802
2016-05-12http2: Add space between colon and header valueCory Benfield
curl's representation of HTTP/2 responses involves transforming the response to a format that is similar to HTTP/1.1. Prior to this change, curl would do this by separating header names and values with only a colon, without introducing a space after the colon. While this is technically a valid way to represent a HTTP/1.1 header block, it is much more common to see a space following the colon. This change introduces that space, to ensure that incautious tools are safely able to parse the header block. This also ensures that the difference between the HTTP/1.1 and HTTP/2 response layout is as minimal as possible. Bug: https://github.com/curl/curl/issues/797 Closes #798 Fixes #797
2016-05-12openssl: fix compile-time warning in Curl_ossl_check_cxn()Kamil Dudka
... introduced in curl-7_48_0-293-g2968c83: Error: COMPILER_WARNING: lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’ may alter its value [-Wconversion]
2016-05-11openssl: stricter connection check functionJay Satiro
- In the case of recv error, limit returning 'connection still in place' to EINPROGRESS, EAGAIN and EWOULDBLOCK. This is an improvement on the parent commit which changed the openssl connection check to use recv MSG_PEEK instead of SSL_peek. Ref: https://github.com/curl/curl/commit/856baf5#comments
2016-05-11TLS: SSL_peek is not a const operationAnders Bakken
Calling SSL_peek can cause bytes to be read from the raw socket which in turn can upset the select machinery that determines whether there's data available on the socket. Since Curl_ossl_check_cxn only tries to determine whether the socket is alive and doesn't actually need to see the bytes SSL_peek seems like the wrong function to call. We're able to occasionally reproduce a connect timeout due to this bug. What happens is that Curl doesn't know to call SSL_connect again after the peek happens since data is buffered in the SSL buffer and thus select won't fire for this socket. Closes #795
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-08libcurl-thread.3: openssl 1.1.0 is safe, and so is boringsslDaniel Stenberg
2016-05-08connect: fix invalid "Network is unreachable" errorsAntonio Larrosa
Sometimes, in systems with both ipv4 and ipv6 addresses but where the network doesn't support ipv6, Curl_is_connected returns an error (intermittently) even if the ipv4 socket connects successfully. This happens because there's a for-loop that iterates on the sockets but the error variable is not resetted when the ipv4 is checked and is ok. This patch fixes this problem by setting error to 0 when checking the second socket and not having a result yet. Fixes #794
2016-05-05FAQ: refer to thread safety guidelinesJay Satiro
2016-05-03connections: non-HTTP proxies on different ports aren't reused eitherDaniel Stenberg
Reported-by: Oleg Pudeyev and fuchaoqun Fixes #648
2016-05-02http: make sure a blank header overrides accept_decodingDaniel Stenberg
Reported-by: rcanavan Assisted-by: Isaac Boukris Closes #785
2016-05-02CHECKSRC.md: clarified, explained the whitelist fileDaniel Stenberg
2016-05-02nroff-scan.pl: verify that references are made with \fIDaniel Stenberg
2016-05-02docs: unified man page references to use \fIDaniel Stenberg
2016-05-02TODO: 17.14 --fail without --location should treat 3xx as a failureDaniel Stenberg
Closes #727
2016-05-01RELEASE-NOTES: synced with 7987f5cb14dDaniel Stenberg
2016-05-01CURLOPT_ACCEPT_ENCODING.3: Follow-up clarificationIsaac Boukris
Mention possible content-length mismatch with sum of bytes reported by write callbacks when auto decoding is enabled. See #785
2016-05-01test1140: run nroff-scan to verify man pagesDaniel Stenberg
2016-05-01nroff-scan.pl: verify the .BR references as wellDaniel Stenberg
2016-05-01CURLOPT_CONV_TO_NETWORK_FUNCTION.3: fix bad man page referenceDaniel Stenberg
2016-05-01CURLOPT_BUFFERSIZE.3: fix reference to CURLOPT_MAX_RECV_SPEED_LARGEDaniel Stenberg
2016-05-01curl_easy_pause.3: fix man page referenceDaniel Stenberg
2016-05-01tool_cb_hdr: Fix --remote-header-name with schemeless URLJay Satiro
- Move the existing scheme check from tool_operate. In the case of --remote-header-name we want to parse Content-disposition for a filename, but only if the scheme is http or https. A recent adjustment 0dc4d8e was made to account for schemeless URLs however it's not 100% accurate. To remedy that I've moved the scheme check to the header callback, since at that point the library has already determined the scheme. Bug: https://github.com/curl/curl/issues/760 Reported-by: Kai Noda
2016-05-01tls: make setting pinnedkey option fail if not supportedDaniel Stenberg
to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
2016-05-01nroff-scan.pl: verifies nroff pagesDaniel Stenberg
... not used by any test yet but can be used stand-alone.
2016-05-01opts: fix broken/bad referencesDaniel Stenberg
2016-05-01docs: fix bugs in CURLOPT_HTTP_VERSION.3 and CURLOPT_PIPEWAIT.3Michael Kaufmann
Closes #786
2016-05-01CURLOPT_ACCEPT_ENCODING.3: clarifiedDaniel Stenberg
As discussed in #785
2016-04-30curl.1: --mail-rcpt can be used multiple timesDaniel Stenberg
Reported-by: mgendre Closes #784
2016-04-29tests: Use 'pathhelp' for paths conversions in secureserver.plKarlson2k
Closes #675
2016-04-29tests: Use 'pathhelp' for paths conversions in sshserver.plKarlson2k
2016-04-29tests: Use 'pathhelp' for current path in runtests.plKarlson2k