aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-08-09curl: do bounds check using a double comparisonAdam Sampson
The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't complete: if the parsed number in num is larger than will fit in a long, the conversion is undefined behaviour (causing test1427 to fail for me on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting rid of the cast means the comparison will be done using doubles. It might make more sense for the max argument to also be a double... Fixes #1750 Closes #1749
2017-08-09make install: add 8 missing man pages to the installationDaniel Stenberg
2017-08-09build: fix 'make install' with configure, install docs/libcurl/* tooDaniel Stenberg
Broken since d24838d4da9faa Reported-by: Bernard Spil
2017-08-09RELEASE-NOTES: curl 7.55.0Daniel Stenberg
2017-08-09THANKS: 20 new contributors in 7.55.0Daniel Stenberg
2017-08-08docs/comments: Update to secure URL versionsViktor Szakats
Closes #1741
2017-08-08configure: fix recv/send/select detection on AndroidDaniel Stenberg
... since they now provide several functions as __attribute__((overloadable)), the argument detection logic need updates. Patched-by: destman at github Fixes #1738 Closes #1739
2017-08-08ax_code_coverage.m4: update to latest versionMarcel Raad
This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d from August 01, 2017. Notably, this removes the lconv version whitelist. Closes https://github.com/curl/curl/pull/1716
2017-08-07test1427: verify command line parser integer overflow detectionDaniel Stenberg
2017-08-07curl: detect and bail out early on parameter integer overflowsDaniel Stenberg
Make the number parser aware of the maximum limit curl accepts for a value and return an error immediately if larger, instead of running an integer overflow later. Fixes #1730 Closes #1736
2017-08-07glob: do not continue parsing after a strtoul() overflow rangeDaniel Stenberg
Added test 1289 to verify. CVE-2017-1000101 Bug: https://curl.haxx.se/docs/adv_20170809A.html Reported-by: Brian Carpenter
2017-08-07tftp: reject file name lengths that don't fitDaniel Stenberg
... and thereby avoid telling send() to send off more bytes than the size of the buffer! CVE-2017-1000100 Bug: https://curl.haxx.se/docs/adv_20170809B.html Reported-by: Even Rouault Credit to OSS-Fuzz for the discovery
2017-08-07file: output the correct buffer to the userEven Rouault
Regression brought by 7c312f84ea930d8 (April 2017) CVE-2017-1000099 Bug: https://curl.haxx.se/docs/adv_20170809C.html Credit to OSS-Fuzz for the discovery
2017-08-06easy_events: make event data staticDaniel Stenberg
First: this function is only used in debug-builds and not in release/real builds. It is used to drive tests using the event-based API. A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the CURLMOPT_TIMERFUNCTION calback can in fact be called even after this funtion returns, namely when curl_multi_remove_handle() is called. Reported-by: Brian Carpenter
2017-08-05getparameter: avoid returning uninitialized 'usedarg'Daniel Stenberg
Fixes #1728
2017-08-05gssapi: fix memory leak of output token in multi round contextIsaac Boukris
When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free. Found by proposed gss tests using stub a gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well. Closes https://github.com/curl/curl/pull/1733
2017-08-05darwinssl: fix compiler warningMarcel Raad
clang complains: vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive [-Werror,-Wextra-tokens] This breaks the darwinssl build on Travis. Fix it by making this token a comment. Closes https://github.com/curl/curl/pull/1734
2017-08-04CMake: fix CURL_WERROR for MSVCMarcel Raad
When using CURL_WERROR in MSVC builds, the debug flags were overridden by the release flags and /WX got added twice in debug mode. Closes https://github.com/curl/curl/pull/1715
2017-08-04RELEASE-NOTES: synced with 561e9217cDaniel Stenberg
2017-08-04test1010: verify that #1718 is fixedDaniel Stenberg
... by doing two transfers in nocwd mode and check that there's no superfluous CWD command.
2017-08-04FTP: skip unnecessary CWD when in nocwd modeDaniel Stenberg
... when reusing a connection. If it didn't do any CWD previously. Fixes #1718
2017-08-04travis: explicitly specify distMarcel Raad
This makes the builds more reproducible as travis is currently rolling out trusty as default dist [1]. Specifically, this avoids coverage check failures when trusty is used as seen in [2] until we figure out what's wrong. [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming [2] https://github.com/curl/curl/pull/1692 Closes https://github.com/curl/curl/pull/1725
2017-08-04travis: BUILD_TYPE => TDaniel Stenberg
(to make the full line appear nicer on travis web UI)
2017-08-04travis: add osx build with darwinsslDaniel Stenberg
Closes #1706
2017-08-04darwin: silence compiler warningsDaniel Stenberg
With a clang pragma and three type fixes Fixes #1722
2017-08-03BUILD.WINDOWS: mention buildconf.bat for builds off gitDaniel Stenberg
2017-08-03darwinssl: fix curlssl_sha256sum() compiler warnings on first argumentDaniel Stenberg
2017-08-03test130: verify comments in .netrcDaniel Stenberg
2017-08-03netrc: skip lines starting with '#'Gisle Vanem
Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
2017-08-03CMake: set MSVC warning level to 4Marcel Raad
The MSVC warning level defaults to 3 in CMake. Change it to 4, which is consistent with the Visual Studio and NMake builds. Disable level 4 warning C4127 for the library and additionally C4306 for the test servers to get a clean CURL_WERROR build as that warning is raised in some macros in older Visual Studio versions. Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794 Closes https://github.com/curl/curl/pull/1711
2017-08-02CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2Daniel Stenberg
Reported-by: Viktor Szakats
2017-08-02CURLOPT_NETRC.3: mention the file name on windowsDaniel Stenberg
... and CURLOPT_NETRC_FILE(3).
2017-08-02travis: build osx with libressl tooDaniel Stenberg
2017-08-02travis: build osx with openssl tooDaniel Stenberg
2017-08-02tests/server/util: fix curltime mistake from 4dee50b9c80f9Daniel Stenberg
2017-08-01curl_threads: fix MSVC compiler warningMarcel Raad
Use LongToHandle to convert from long to HANDLE in the Win32 implementation. This should fix the following warning when compiling with MSVC 11 (2012) in 64-bit mode: lib\curl_threads.c(113): warning C4306: 'type cast' : conversion from 'long' to 'HANDLE' of greater size Closes https://github.com/curl/curl/pull/1717
2017-08-01BUGS: improved phrasing about security bugsDaniel Stenberg
Reported-by: Max Dymond
2017-08-01BUGS: clarify how to report security related bugsDaniel Stenberg
2017-08-01multi: fix request timer managementBrad Spencer
There are some bugs in how timers are managed for a single easy handle that causes the wrong "next timeout" value to be reported to the application when a new minimum needs to be recomputed and that new minimum should be an existing timer that isn't currently set for the easy handle. When the application drives a set of easy handles via the `curl_multi_socket_action()` API (for example), it gets told to wait the wrong amount of time before the next call, which causes requests to linger for a long time (or, it is my guess, possibly forever). Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
2017-08-01curl_setup: Define CURL_NO_OLDIES for building libcurlJay Satiro
.. to catch accidental use of deprecated error codes. Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
2017-08-01configure: fix the check for IdnToUnicodeJeremy Tan
Fixes #1669 Closes #1713
2017-07-31http: fix response code parser to avoid integer overflowDaniel Stenberg
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2017-07-31libcurl: Stop using error codes defined under CURL_NO_OLDIESDwarakanath Yadavalli
Fixes https://github.com/curl/curl/issues/1688 Closes https://github.com/curl/curl/pull/1712
2017-07-30include.d: clarify --include is only for response headersJay Satiro
Follow-up to 171f8de and de6de94. Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851 Reported-by: Daniel Stenberg
2017-07-30cmake: support make uninstalljasjuang
Closes #1674
2017-07-30RELEASE-NOTES: synced with 001701c47Daniel Stenberg
2017-07-29AppVeyor: now really use CURL_WERRORMarcel Raad
It was misspelled as CURL_ERROR in commit 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4. Closes https://github.com/curl/curl/pull/1686
2017-07-29tool_help: clarify --include is only for response headersJay Satiro
Follow-up to 171f8de. Ref: https://github.com/curl/curl/issues/1704
2017-07-29splay: fix signed/unsigned mismatch warningJay Satiro
Follow-up to 4dee50b. Ref: https://github.com/curl/curl/pull/1693
2017-07-28include.d: clarify that it concerns the response headersDaniel Stenberg
Reported-by: olesteban at github Fixes #1704