aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-09-19openssl: don't call ERR_remote_thread_state on >= 1.1.0Daniel Stenberg
Follow-up fix to d9321562
2016-09-19openssl: don’t call CRYTPO_cleanup_all_ex_dataDaniel Stenberg
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called multiple times without crashing - and other libs might call it! We basically cannot call it without risking a crash. The function is a no-op since OpenSSL 1.1.0. Not calling this function only risks a small memory leak with OpenSSL < 1.1.0. Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html Reported-by: Todd Short
2016-09-19TODO: Support SSLKEYLOGFILEDaniel Stenberg
2016-09-18CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formattingJay Satiro
2016-09-18darwinssl: disable RC4 cipher-suite supportNick Zitzmann
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-18configure: change "iOS/Mac OS X native" to "Apple OS native"Nick Zitzmann
Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
2016-09-18test2048: fix urlJay Satiro
2016-09-18examples/imap-append: Set size of data to be uploadedJay Satiro
Prior to this commit this example failed with error 'Cannot APPEND with unknown input file size'. Bug: https://github.com/curl/curl/issues/1008 Reported-by: lukaszgn@users.noreply.github.com Closes https://github.com/curl/curl/pull/1011
2016-09-16LICENSE-MIXING.md: update with mbedTLS dual licensingTony Kelman
Recent versions of mbedTLS are available under either Apache 2.0 or GPL 2.0, see https://tls.mbed.org/how-to-get Closes #1019
2016-09-16KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixedDaniel Stenberg
2016-09-16http2: debug ouput sent HTTP/2 request headersDaniel Stenberg
2016-09-16http: accept "Transfer-Encoding: chunked" for HTTP/2 as wellDaniel Stenberg
... but don't send the actual header over the wire as it isn't accepted. Chunked uploading is still triggered using this method. Fixes #1013 Fixes #662
2016-09-14openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2Daniel Stenberg
OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread so we need to clean it when easy handles are freed, in case the thread will be killed in which the easy handle was used. All OpenSSL code in libcurl should extract the error in association with the error already so clearing this queue here should be harmless at worst. Fixes #964
2016-09-14RELEASE-NOTES: reset and go toward 7.51.0 (again)Daniel Stenberg
2016-09-14THANKS: updated with curl 7.50.3 contributorsDaniel Stenberg
2016-09-14RELEASE-NOTES: curl 7.50.3Daniel Stenberg
2016-09-14test1605: verify negative input lengths to (un)escape functionsDaniel Stenberg
2016-09-14curl_easy_unescape: deny negative string lengths as inputDaniel Stenberg
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14curl_easy_escape: deny negative string lengths as inputDaniel Stenberg
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14curl: make --create-dirs on windows grok both forward and backward slashesDaniel Stenberg
Reported-by: Ryan Scott Fixes #1007
2016-09-13RELEASE-NOTES: synced with 665694979b6Daniel Stenberg
2016-09-12mbedtls: switch off NTLM in build if md4 isn't availableTony Kelman
NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS is built with the MD4 functions available, which it isn't in default builds. This now adapts if the funtion isn't there and builds libcurl without NTLM support if so. Fixes #1004
2016-09-12CODE_STYLE: fix long-line guidelineJay Satiro
- Change maximum allowed line length from 80 to 79.
2016-09-11CODE_STYLE: add column alignment sectionJay Satiro
Note that since the added examples are for column alignment I had to encapsulate with ~~~c markdown to preserve their alignment.
2016-09-11cmake: fix curl-config --static-libsPeter Wu
The `curl-config --static-libs` command should not output paths like -l/usr/lib/libssl.so, instead print the absolute path without `-l`. This also removes the confusing message "Static linking is broken" which was printed because curl-config --static-libs was disfunctional even though the static libcurl.a library works properly. Fixes https://github.com/curl/curl/issues/841
2016-09-11http: refuse to pass on response body with NO_NODY was setDaniel Stenberg
... like when a HTTP/0.9 response comes back without any headers at all and just a body this now prevents that body from being sent to the callback etc. Adapted test 1144 to verify. Fixes #973 Assisted-by: Ray Satiro
2016-09-11RELEASE-NOTES: synced with 257bf3ac67eb6Daniel Stenberg
2016-09-10CMake: Don't build unit tests if private symbols are hiddenJakub Zakrzewski
This only excludes building unit tests from default build ( 'all' Make target or "Build Solution" in VisualStudio). The projects and Make targets will still be generated and shown in supporting IDEs. Fixes https://github.com/curl/curl/issues/981 Reported-by: Randy Armstrong Closes https://github.com/curl/curl/pull/990
2016-09-10CMake: Try to (un-)hide private library symbolsJakub Zakrzewski
Detect support for compiler symbol visibility flags and apply those according to CURL_HIDDEN_SYMBOLS option. It should work true to the autotools build except it tries to unhide symbols on Windows when requested and prints warning if it fails. Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951 Reported-by: Daniel Stenberg
2016-09-09openssl: fix bad memory free (regression)Daniel Stenberg
... by partially reverting f975f06033b1. The allocation could be made by OpenSSL so the free must be made with OPENSSL_free() to avoid problems. Reported-by: Harold Stuart Fixes #1005
2016-09-09http2: support > 64bit sized uploadsDaniel Stenberg
... by making sure we don't count down the "upload left" counter when the uploaded size is unknown and then it can be allowed to continue forever. Fixes #996
2016-09-07errors: new alias CURLE_WEIRD_SERVER_REPLY (8)Jay Satiro
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as more of a generic "failed to parse" introduce an alias without FTP in the name. Closes https://github.com/curl/curl/pull/975
2016-09-07bump: toward 7.51.0Daniel Stenberg
2016-09-07HISTORY: remove ascii logo to render nicer on webDaniel Stenberg
2016-09-07curl: whitelist use of strtok() in non-threaded contextDaniel Stenberg
2016-09-07checksrc: detect strtok() useDaniel Stenberg
... as that function slipped through once before.
2016-09-07mk-ca-bundle.pl: use SHA256 instead of SHA1Viktor Szakats
This hash is used to verify the original downloaded certificate bundle and also included in the generated bundle's comment header. Also rename related internal symbols to algorithm-agnostic names.
2016-09-07RELEASE-NOTES: curl 7.50.2 releaseDaniel Stenberg
2016-09-07THANKS: updated for 7.50.2Daniel Stenberg
2016-09-06openssl: fix CURLINFO_SSL_VERIFYRESULTGaurav Malhotra
CURLINFO_SSL_VERIFYRESULT does not get the certificate verification result when SSL_connect fails because of a certificate verification error. This fix saves the result of SSL_get_verify_result so that it is returned by CURLINFO_SSL_VERIFYRESULT. Closes https://github.com/curl/curl/pull/995
2016-09-06darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)Daniel Gustafsson
While noErr and errSecSuccess are defined as the same value, the API documentation states that SecPKCS12Import() returns errSecSuccess if there were no errors in importing. Ensure that a future change of the defined value doesn't break (however unlikely) and be consistent with the API docs.
2016-09-06docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994)Daniel Gustafsson
2016-09-05openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000LMarcel Raad
With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is now called OpenSSL_version_num(). [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html Closes #992
2016-09-05RELEASE-NOTES: synced with 3d4c0c8b9bc1dDaniel Stenberg
2016-09-05http2: return EOF when done uploading without known sizeDaniel Stenberg
Fixes #982
2016-09-05http2: skip the content-length parsing, detect unknown sizeDaniel Stenberg
2016-09-05http2: minor white space editDaniel Stenberg
2016-09-05http2: use named define instead of magic constant in read callbackDaniel Stenberg
2016-09-05configure: make the cpp -P detection not clobber CPPFLAGSCraig Davison
CPPPFLAGS is now CPPPFLAG. Fixes CURL_CHECK_DEF. Fixes #958
2016-09-04speed caps: not based on average speeds anymoreOlivier Brunel
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE & CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits with the cumulative average speed of the entire transfer; While this might work at times with good/constant connections, in other cases it can result to the limits simply being "ignored" for more than "short bursts" (as told in man page). Consider a download that goes on much slower than the limit for some time (because bandwidth is used elsewhere, server is slow, whatever the reason), then once things get better, curl would simply ignore the limit up until the average speed (since the beginning of the transfer) reached the limit. This could prove the limit useless to effectively avoid using the entire bandwidth (at least for quite some time). So instead, we now use a "moving starting point" as reference, and every time at least as much as the limit as been transferred, we can reset this starting point to the current position. This gets a good limiting effect that applies to the "current speed" with instant reactivity (in case of sudden speed burst). Closes #971