Age | Commit message | Author |
|
Sessionid cache management is inseparable from managing individual
session lifetimes. E.g. for reference-counted sessions (like those in
SChannel and OpenSSL engines) every session addition and removal
should be accompanied with refcount increment and decrement
respectively. Failing to do so synchronously leads to a race condition
that causes symptoms like use-after-free and memory corruption.
This commit:
- makes existing session cache locking explicit, thus allowing
  individual engines to manage lock's scope.
- fixes OpenSSL and SChannel engines by putting refcount management
  inside this lock's scope in relevant places.
- adds these explicit locking calls to other engines that use
  sessionid cache to accommodate for this change. Note, however,
  that it is unknown whether any of these engines could also have
  this race.
Bug: https://github.com/curl/curl/issues/815
Fixes #815
Closes #847
|
|
Closes #822
|
|
... to make it not look like an OpenSSL function
|
|
Closes #844
|
|
This broke in 7.49.0 with commit e200034425a7625
Fixes #842
|
|
Mostly in order to support broken web sites that redirect to broken URLs
that are accepted by browsers.
Browsers are typically even more lenient than this as the WHATWG URL
spec they should allow an _infinite_ amount. I tested 8000 slashes with
Firefox and it just worked.
Added test case 1141, 1142 and 1143 to verify the new parser.
Closes #791
|
|
Closes #837
|
|
Closes #838
|
|
Adds access to the effectively used http version to both libcurl and
curl.
Closes #799
|
|
With OPENSSL_NO_COMP defined, there is no function
SSL_COMP_free_compression_methods
Closes #836
|
|
Fixes #828
|
|
Closes #834
|
|
Inspiration provided by: Daniel Stenberg and Ray Satiro
Bug: https://curl.haxx.se/docs/adv_20160530.html
Ref: Windows DLL hijacking with curl, CVE-2016-4802
|
|
Bug: https://github.com/curl/curl/issues/826
Reported-by: Michael Wallner
|
|
The statvfs functionality was added to libssh2 in that version, so we
switch off that functionality when built with older libraries.
Fixes #831
|
|
Regression from the previous *printf() rearrangements, this file missed to
include the correct header to make sure snprintf() works universally.
Reported-by: Moti Avrahami
Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
|
|
Added support for checking the tchar, unicode and mbcs variants of
strcat() and strncat() in the banned function list.
|
|
Now giving credit properly to github user names, fixed some UTF-8 issues
and added names discovered when contrithanks was improved.
|
|
from 1577bfa35ba
|
|
Prior to this change if a GitHub contributor's real name was unknown
they would be omitted from the list.
Bug: https://github.com/curl/curl/issues/824
|
|
- Free compression methods if OpenSSL 1.0.2 to avoid a memory leak.
Bug: https://github.com/curl/curl/issues/817
Reported-by: jveazey@users.noreply.github.com
|
|
While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was
getting:
f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '('
to follow 'CURL_EXTERN'
f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085:
'curl_domalloc': not in formal parameter list
|
|
Closes #818
|
|
Closes #821
|
|
The connect-to list isn't copied so as long as the handle may be used
for a transfer the list must be valid.
Bug: https://github.com/curl/curl/pull/819
Reported-by: Michael Kaufmann
|
|
See OpenSSL commit 21e001747d4a
|
|
... when generating them, not "2.0" as the protocol is called just
HTTP/2 and nothing else.
|
|
Closes https://github.com/curl/curl/pull/816
|
|
The preprocessor check that sets up the 32bit defines for non-configure
builds didn't work properly for MIPS systems as __mips__ is defined for
both 32bit and 64bit. Now __LP64__ is also checked and indicates 64bit.
Reported-by: Tomas Jakobsson
Fixes #813
|
|
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
7.1 is used. In this case, _USING_V110_SDK71_ is defined.
Closes #812
|
|
Reported-by: Paul Howarth
Bug: https://curl.haxx.se/mail/lib-2016-05/0116.html
|
|
Reported-by: Ray Satiro
Bug: https://curl.haxx.se/mail/lib-2016-05/0113.html
|
|
...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.
CVE-2016-3739
Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
|