Age | Commit message | Author
2014-10-02 | detect_proxy: fix possible single-byte memory leak | Daniel Stenberg
Coverity CID 1202836. If the proxy environment variable returned an empty string, it would be leaked. While an empty string is not really a proxy, other logic in this function already allows a blank string to be returned so allow that here to avoid the leak.
2014-10-02 | multi_runsingle: fix memory leak | Daniel Stenberg
Coverity CID 1202837. There's a potential risk that 'newurl' gets overwritten when it was already pointing to allocated memory.
2014-10-02 | pop3_perform_authentication: fix memory leak | Daniel Stenberg
Coverity CID 1215287. There's a potential risk for a memory leak in here, and moving the free call to be unconditional seems like a cheap price to remove the risk.
2014-10-02 | imap_perform_authentication: fix memory leak | Daniel Stenberg
Coverity CID 1215296. There's a potential risk for a memory leak in here, and moving the free call to be unconditional seems like a cheap price to remove the risk.
2014-10-02 | wait_or_timeout: return failure when Curl_poll() fails | Daniel Stenberg
Coverity detected this. CID 1241954. When Curl_poll() returns a negative value 'mcode' was uninitialized. Pretty harmless since this is debug code only and would at worst cause an error to _not_ be returned...
2014-10-01 | curl.1: mention quoting in the URL section | Daniel Stenberg
and separate the example URLs with newlines
2014-09-30 | smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error | Bill Nagel
This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL appears to require the same pointer on a write that follows a retry (CURLE_AGAIN) as discussed here: http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
2014-09-30 | RELEASE-NOTES: synced with 53cbea22310f15 | Daniel Stenberg
2014-09-30 | file: reject paths using embedded %00 | Daniel Stenberg
Mostly because we use C strings and they end at a binary zero so we know we can't open a file name using an embedded binary zero.
Reported-by: research@g0blin.co.uk
2014-09-26 | test506: Fixed a couple of memory leaks in test | Dan Fandrich
2014-09-25 | CURLOPT_COOKIELIST: Added "RELOAD" command | Yousuke Kimoto
2014-09-25 | CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303 | Michael Wallner
2014-09-23 | threaded-resolver: revert Curl_expire_latest() switch | Daniel Stenberg
The switch to using Curl_expire_latest() in commit cacdc27f52b was a mistake and was against the advice even mentioned in that commit. The comparison in asyn-thread.c:Curl_resolver_is_resolved() makes Curl_expire() the suitable function to use.
Bug: http://curl.haxx.se/bug/view.cgi?id=1426
Reported-By: graysky
2014-09-19 | libcurl docs: improvements all over | Daniel Stenberg
2014-09-19 | build: Added WinIDN build configuration options | Steve Holme
Added initial support for WinIDN build configurations to the VC10+ project files.
2014-09-19 | tutorial: signals aren't used for the threaded resolver | Daniel Stenberg
2014-09-19 | FAQ: update the pronunciation section | Daniel Stenberg
As we weren't using the correct phonetic description and doing it correctly involves funny letters that I'm sure will cause problems for people in a text document so I instead rephrased it and link to a WAV file with a person actually saying 'curl'.
Reported-By: Dimitar Boevski
2014-09-18 | CURLOPT_COOKIE*: added more cross-references | Daniel Stenberg
2014-09-18 | BINDINGS: add node-libcurl | Daniel Stenberg
Reported-By: Jonathan Cardoso Machado
URL: http://curl.haxx.se/mail/lib-2014-09/0102.html
2014-09-15 | README.http2: updated to reflect current status | Daniel Stenberg
2014-09-13 | formdata: removed unnecessary USE_SSLEAY use | Daniel Stenberg
2014-09-13 | curlssl: make tls backend symbols use curlssl in the name | Daniel Stenberg
2014-09-13 | url: let the backend decide CURLOPT_SSL_CTX_ support | Daniel Stenberg
... to further remove specific TLS backend knowledge from url.c
2014-09-13 | vtls: have the backend tell if it supports CERTINFO | Daniel Stenberg
2014-09-13 | configure: allow --with-ca-path with PolarSSL too | Catalin Patulea
Missed this in af45542c.
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
2014-09-13 | CURLOPT_CAPATH: return failure if set without backend support | Daniel Stenberg
2014-09-13 | http2: Fix busy loop when EOF is encountered | Tatsuhiro Tsujikawa
Previously we did not handle EOF from underlying transport socket and wrongly just returned error code CURL_AGAIN from http2_recv, which caused busy loop since socket has been closed. This patch adds the code to handle EOF situation and tells the upper layer that we got EOF.
2014-09-13 | build: Added batch wrapper to checksrc.pl | Steve Holme
2014-09-13 | RELEASE-NOTES: Synced with bd3df5ec6d | Steve Holme
2014-09-13 | sasl_sspi: Fixed Unicode build | Marcel Raad
Bug: http://curl.haxx.se/bug/view.cgi?id=1422
Verified-by: Steve Holme
2014-09-12 | libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines | Daniel Stenberg
The former link was turned into a 404 at some point.
Reported-By: Askar Safin
2014-09-12 | contributors.sh: split list of names at comma | Daniel Stenberg
... to support a list of names provided in a commit message.
2014-09-12 | ntlm: Fixed HTTP proxy authentication when using Windows SSPI | Ulrich Telle
Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix bug in NTLM handshake for HTTP proxy authentication. NTLM handshake for HTTP proxy authentication failed with error SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy servers on generating the NTLM Type-3 message. The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according to the observations and suggestions made in a bug report for the QT project (https://bugreports.qt-project.org/browse/QTBUG-17322). Removing all the flags solved the problem.
Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
Reported-by: Ulrich Telle
Assisted-by: Steve Holme, Daniel Stenberg
2014-09-12 | newlines: fix mixed newlines to LF-only | Ray Satiro
I use the curl repo mainly on Windows with the typical Windows git checkout which converts the LF line endings in the curl repo to CRLF automatically on checkout. The automatic conversion is not done on files in the repo with mixed line endings. I recently noticed some weird output with projects/build-openssl.bat that I traced back to mixed line endings, so I scanned the repo and there are files (excluding the test data) that have mixed line endings.
I used this command below to do the scan. Unfortunately it's not as easy as git grep, at least not on Windows. This gets the names of all the files in the repo's HEAD, gets each of those files raw from HEAD, checks for mixed line endings of both LF and CRLF, and prints the name if mixed. I excluded path tests/data/test* because those can have mixed line endings if I understand correctly.
    for f in `git ls-tree --name-only --full-tree -r HEAD`; do
      if [ -n "${f##tests/data/test*}" ]; then
        git show "HEAD:$f" | \
          perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
        if [ $? -ne 0 ]; then echo "$f"; fi;
      fi;
    done
2014-09-11 | mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces | Viktor Szakáts
2014-09-11 | ROADMAP: markdown eats underscores | Daniel Stenberg
It interprets them as italic indicators unless we backtick the word.
2014-09-11 | ROADMAP: tiny formatting edit for nicer web output | Daniel Stenberg
2014-09-10 | ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions | Steve Holme
2014-09-10 | INTERNALS: Added email and updated Kerberos details | Steve Holme
2014-09-10 | FEATURES: Updated Kerberos details | Steve Holme
Added support for Kerberos 5 to the email protocols following the recent additions in 7.38.0. Removed Kerberos 4 as this has been gone for a while now.
2014-09-10 | openssl: build fix for versions < 0.9.8e | Paul Howarth
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-10 | mk-ca-bundle.pl: first, try downloading HTTPS with curl | Daniel Stenberg
As a sort of step forward, this script will now first try to get the data from the HTTPS URL using curl, and only if that fails it will switch back to the HTTP transfer using perl's native LWP functionality. To reduce the risk of this script being tricked. Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so we can't really ever completely disable HTTP, but chances are that most users already have a ca cert bundle that trusts the mozilla.org site that this script downloads from. A future version of this script will probably switch to require a dedicated "insecure" command line option to allow downloading over HTTP (or unverified HTTPS).
2014-09-10 | LICENSE-MIXING: removed krb4 info | Daniel Stenberg
krb4 has been dropped since a while now
2014-09-10 | bump: on the 7.38.1-DEV train now! | Daniel Stenberg
2014-09-10 | SSLCERTS: minor updates | Daniel Stenberg
Edited format to look better on the web, added a "it is about trust" section.
2014-09-10 | dist: two cmake files are no more | Daniel Stenberg
CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c117b
2014-09-10 | RELEASE-NOTES: final update for 7.38.0 | Daniel Stenberg
2014-09-10 | cookies: reject incoming cookies set for TLDs | Daniel Stenberg
Test 61 was modified to verify this.
CVE-2014-3620
Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html
2014-09-10 | cookies: only use full host matches for hosts used as IP address | Tim Ruehsen
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both send cookies to wrong sites and to allow arbitrary sites to set cookies for others.
CVE-2014-3613
Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 | HISTORY: fix the 1998 title position | Daniel Stenberg