Age | Commit message (Collapse) | Author |
|
RNG structure must be freed by call to FreeRng after its use in
Curl_cyassl_random. This call fixes Valgrind failures when running the
test suite with wolfSSL.
Closes #2784
|
|
This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with
connection reuse.
I found this with oss-fuzz on GDAL and curl master:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582
I couldn't reproduce with the oss-fuzz original test case, but looking
at curl source code pointed to this well reproducable leak.
Closes #2790
|
|
In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false
when run on windows 10.0. This patch addresses that error.
Closes https://github.com/curl/curl/pull/2792
|
|
So far, the code tries to pick an authentication method only if
user/password credentials are available, which is not the case for
Bearer authentictation...
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
|
|
The Bearer authentication was added to cURL 7.61.0, but there is a
problem: if CURLAUTH_ANY is selected, and the server supports multiple
authentication methods including the Bearer method, we strongly prefer
that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer
authentication fails, we will never even try to attempt any other
method.
This is particularly unfortunate when we already know that we do not
have any Bearer token to work with.
Such a scenario happens e.g. when using Git to push to Visual Studio
Team Services (which supports Basic and Bearer authentication among
other methods) and specifying the Personal Access Token directly in the
URL (this aproach is frequently taken by automated builds).
Let's make sure that we have a Bearer token to work with before we
select the Bearer authentication among the available authentication
methods.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #2754
|
|
Otherwise, LF line endings are converted to CRLF on Windows,
but no conversion is done for the reply, so the test case fails.
Closes https://github.com/curl/curl/pull/2776
|
|
Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS
layer for a connection still needs a Curl_easy handle for the session_id
cache etc.
Fixes #2764
Closes #2771
|
|
Set mode="text" when line endings depend on the system representation.
Closes https://github.com/curl/curl/pull/2772
|
|
By default, the MSYS2 bash converts all backslashes to forward slashes
in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
|
|
- separate easy handle from connections better
- added asserts on a number of places
- added sanity check of pipelines for debug builds
Closes #2751
|
|
... the protocol is doing read/write a lot, so it needs to write often
even when downloading. A more proper fix could check for eactly when it
wants to write and only ask for it then.
Without this fix, an SMB download could easily get stuck when the event-driven
API was used.
Closes #2768
|
|
By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143
as a POSIX file list and converts it to a Windows file list.
Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
Closes https://github.com/curl/curl/pull/2765
|
|
... and work toward 7.61.1
|
|
Closes #2727
Reviewed-by: Sergei Nikulov
|
|
... the "unbold" sequence doesn't work on the mac Terminal.
Reported-by: Zero King
Fixes #2736
Closes #2738
|
|
|
|
curl configured with --enable-debug --disable-file currently complains
on test1422:
Info: Protocol "file" not supported or disabled in libcurl
Make test1422 dependend on enabled FILE protocol to fix this.
Fixes https://github.com/curl/curl/issues/2741
Closes https://github.com/curl/curl/pull/2742
|
|
Some servers issue raw deflate data that may be followed by an undocumented
trailer. This commit makes curl tolerate such a trailer of up to 4 bytes
before considering the data is in error.
Reported-by: clbr on github
Fixes #2719
|
|
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
Closes #2740
|
|
The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5
|
|
+ The hackerone bounty and its process
- We don't and can't handle pre-notification
|
|
It was previously erroneously skipped in some situations.
libtest/libntlmconnect.c wrongly depended on wrong behavior (that it
would get a zero timeout) when no handles are "running" in a multi
handle. That behavior is no longer present with this fix. Now libcurl
will always return a -1 timeout when all handles are completed.
Closes #2733
|
|
On multiplexed connections, transfers can be removed from anywhere not
just at the head as for pipelines.
|
|
|
|
... as the usage needs to be counted.
|
|
Commit 38203f1585da changed engine detection to be version-based,
with a baseline of openssl 1.0.1. This does in fact break builds
with openssl 1.0.0, which has engine support - the configure script
detects that ENGINE_cleanup() is available - but <openssl/engine.h>
doesn't get included to declare it.
According to upstream documentation, engine support was added to
mainstream openssl builds as of version 0.9.7:
https://github.com/openssl/openssl/blob/master/README.ENGINE
This commit drops the version test down to 1.0.0 as version 1.0.0d
is the oldest version I have to test with.
Closes #2732
|
|
Original MinGW's w32api has a sytax error in its definition of
CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
until this bug [1] is fixed.
[0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h
[1] https://osdn.net/projects/mingw/ticket/38391
Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
Closes https://github.com/curl/curl/pull/2728
|
|
Apparently the C => HTML converter on the web site doesn't quite like it
otherwise.
Reported-by: Jeroen Ooms
|
|
|
|
Closes #2724
|
|
... and not the other way around, which this previously said.
Reported-by: Vasiliy Faronov
Fixes #2723
Closes #2726
|
|
Reviewed-by: Jakub Zakrzewski
Closes #2715
|
|
Follow-up to 82ce416.
Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818
|
|
|
|
MinGW warns:
/lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
conditional expression [-Wsign-compare]
Fix this by casting the ptrdiff_t to size_t as we know it's positive.
Closes https://github.com/curl/curl/pull/2721
|
|
Original MinGW's w32api has CryptHashData's second parameter as BYTE *
instead of const BYTE *.
Closes https://github.com/curl/curl/pull/2721
|
|
They are not defined in the original MinGW's <wincrypt.h>.
Closes https://github.com/curl/curl/pull/2721
|
|
Otherwise, only part of it gets pulled in through <windows.h> on
original MinGW.
Fixes https://github.com/curl/curl/issues/2361
Closes https://github.com/curl/curl/pull/2721
|
|
When size_t is not a typedef for unsigned long (as usually the case on
Windows), GCC emits -Wformat warnings when using lu and lx format
specifiers with size_t. Silence them with explicit casts to
unsigned long.
Closes https://github.com/curl/curl/pull/2721
|
|
... not the read buffer size, as that can be set smaller and thus cause
a buffer overflow! CVE-2018-0500
Reported-by: Peter Wu
Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
|
|
Closes #2718
|
|
...but GCC users lose out on TLS 1.3 support, since we can't weak-link
enumeration constants.
Fixes #2656
Closes #2703
|
|
Variable 'output_var' is not used and can be removed.
Function 'collect_true' renamed to 'count_true'.
|
|
Closes #2711
|
|
|
|
... because otherwise not everything get closed down correctly.
Fixes #2708
Closes #2712
|
|
Closes #2713
|
|
|
|
Closes #2706
|
|
|