Age | Commit message | Author |
|
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
|
|
X.509 certificates carry public keys, not private keys. Fields
corresponding to the private half of the key will always be NULL.
Closes #1425
|
|
ERR_error_string with NULL parameter is not thread-safe. The library
writes the string into some static buffer. Two threads doing this at
once may clobber each other and run into problems. Switch to
ERR_error_string_n which avoids this problem and is explicitly
bounds-checked.
Also clean up some remnants of OpenSSL 0.9.5 around here. A number of
comments (fixed buffer size, explaining that ERR_error_string_n was
added in a particular version) date to when ossl_strerror tried to
support pre-ERR_error_string_n OpenSSLs.
Closes #1424
|
|
Rather than making assumptions about the values, use a switch-case.
Closes #1424
|
|
A few random typos, and minor whitespace cleanups, found in comments
while reading code.
Closes #1423
|
|
This makes test 1135 pass with CRLF checkouts.
Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166
Closes https://github.com/curl/curl/pull/1422
|
|
Ignore everything after the version numbers in LIBCURL_VERSION and
LIBCURL_VERSION_NUM to get rid of the extra CR character.
This makes tests 1022 and 1023 pass on Linux with a CRLF checkout.
Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166
Closes https://github.com/curl/curl/pull/1422
|
|
Bash on Linux errors out on CR characters.
This makes tests 1221 and 1222 pass on Linux with a CRLF checkout.
Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166
Closes https://github.com/curl/curl/pull/1422
|
|
MinGW-w64 complains:
warning: conversion to 'long int' from 'time_t {aka long long int}' may
alter its value [-Wconversion]
Fix this by using the correct type.
|
|
Add missing newhandle free call in push_promise().
Closes #1416
|
|
Add missing our_ssl_sessionid free call in mbed_connect_step3().
Closes #1417
|
|
This adds -Werror-implicit-function-declaration for GCC 2.95+ so that
these errors are visible at the point where they occur instead of only
at link time.
Implicit function declarations are illegal in C99 and C++ anyway, and
the same warning has been turned into an error for ICC in commit
3072c5b8a127057aa922b7c51051bbb4a630b091.
Ref: https://gcc.gnu.org/onlinedocs/gcc-2.95.2/gcc_2.html#SEC8
Ref: https://curl.haxx.se/mail/lib-2017-04/0001.html
Closes https://github.com/curl/curl/pull/1419
|
|
Ref: https://github.com/curl/curl/issues/1408
Closes https://github.com/curl/curl/pull/1412
|
|
Follow-up to aa573c3c55cda72ec5ef677d87f6f46a53385f0c
Ref: https://github.com/curl/curl/pull/1406
|
|
If the existing timer is still in there but has expired, the new timer
should be added.
Reported-by: Rainer Canavan
Bug: https://curl.haxx.se/mail/lib-2017-04/0030.html
Closes #1407
|
|
Reported-by: Marcel Raad
Fixes #1408
Closes #1409
|
|
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.
Suggested-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1401
|
|
The POSIX standard location is <poll.h>. Using <sys/poll.h> results in
warning spam when using the musl standard library.
Closes https://github.com/curl/curl/pull/1406
|
|
Closes #1402
|
|
... because they may include an intermediate certificate for a client
certificate and the intermediate certificate needs to be presented to
the server, no matter if we verify the peer or not.
Reported-by: thraidh
Closes #851
|
|
Reported-by: Alex Bligh
Bug: https://curl.haxx.se/mail/lib-2017-04/0044.html
|
|
Issues and PRs with no activity for 180 days will get marked as stale,
and if no further activity happens within 14 more days, the issue gets
closed.
This follows our established policy of not letting stalled bugs "get in
the way": https://curl.haxx.se/docs/bugs.html#Closing_off_stalled_bugs
Closes #1398
|
|
- Change documented param type to char ** from incorrect long *.
|
|
--without-ssl is needed instead of --with-winssl.
|
|
... by moving the variables into the correct #ifdef block.
|
|
Closes #1397
|
|
When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps
directly to its argument. As it is declared as a pointer to const and
InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW
issue a warning about implicitly casting away the const. Fix this by declaring
the variables as pointers to non-const.
Closes https://github.com/curl/curl/pull/1394
|
|
Reported-by: Carsten (talksinmath)
Fixes #1384
Closes #1395
|
|
Curl_timeleft returns time_t instead of long since commit
21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
|
|
Previously, periods of fast speed between periods of slow speed would
not count and could still erroneously trigger a timeout.
Reported-by: Paul Harris
Fixes #1345
Closes #1390
|
|
Triggered a test failure on test 1541 for the build known as
"Linux 4.4 i686 tcc 0.9.26 glibc 2.20"
|
|
Curl_llist_alloc is now Curl_llist_init.
Closes https://github.com/curl/curl/pull/1391
|
|
and mention specific issues where they are discussed
|
|
... the sizes and the formatting strings are what's really important and
avoids problems with int64_t vs "long long".
Bug: https://curl.haxx.se/mail/lib-2017-04/0019.html
|
|
This reverts commit 81284374bf3c670d2050f8562edeb69f060b07cc.
Due to mingw32 breakage.
|
|
MinGW complains:
tool_operate.c:197:15: error: comparison is always true due to limited range
of data type [-Werror=type-limits]
Fix this by only doing the comparison if 'long' is large enough to hold the
constant it is compared with.
Closes https://github.com/curl/curl/pull/1378
|
|
Ref: https://github.com/curl/curl/pull/1378
|
|
Since it is a native type and it makes it less complicated to find a
matching one in system.h
Bug: https://curl.haxx.se/mail/lib-2017-04/0010.html
Reported-by: Dan Fandrich
Closes #1388
|
|
This checks the new behavior of Curl_splaygetbest, so that the smallest
node not larger than the key is removed, and FIFO behavior is kept even
when there are multiple nodes with the same key.
Closes #1358
|
|
Multi handles repeatedly invert the queue of pending easy handles when
used with CURLMOPT_MAX_TOTAL_CONNECTIONS. This is caused by a multistep
process involving Curl_splaygetbest and violates the FIFO property of
the multi handle.
This patch fixes this issue by redefining the "best" node in the
context of timeouts as the "smallest not larger than now", and
implementing the necessary data structure modifications to do this
effectively, namely:
- splay nodes with the same key are now stored in a doubly-linked
  circular list instead of a non-circular one to enable O(1)
  insertion to the tail of the list
- Curl_splayinsert inserts nodes with the same key to the tail of
  the same list
- in case of multiple nodes with the same key, the one on the head of
  the list gets selected
|
|
... by explicitly calling the ANSI versions of Windows API functions where
required.
|
|
struct mechtable is only used locally here. It can be declared static.
|
|
- Don't free postponed data on a connection that will be reused since
doing so can cause data loss when pipelining.
Only Windows builds are affected by this.
Closes https://github.com/curl/curl/issues/1380
|
|
This removes one tiny malloc for each hash struct allocated. In a simple
case like "curl localhost", this saves three mallocs.
Closes #1376
|