Age | Commit message (Collapse) | Author |
|
|
|
Suggested-by: Dan Jacobson
Issue: https://github.com/curl/curl/issues/1097
|
|
... since the curlx_* code no longer provides one and we don't link
libcurl to these test servers.
|
|
As they are after all part of the public API. Saves space and reduces
complexity. Remove the strcase defines from the curlx_ family.
Suggested-by: Dan Fandrich
Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
|
|
follow-up to 811a693b80
|
|
This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
link error on Windows because of the missing CURL_EXTERN on the
prototype.
|
|
|
|
Follow-up to 811a693b
|
|
This is a followup to commit 811a693b
|
|
Fix compile break from 811a693b80
|
|
The internal version strcasecompare isn't available outside libcurl
|
|
|
|
follow-up to 4f8d0b6f02aa7043. Since the darwinssl code breaks
otherwise. If you build without darwinssl 10.5 works fine.
|
|
as that is still part of the API, fix from 8fe4bd084412f30
|
|
Fix bug from 811a693b80
|
|
Mistake brought by 9c91ec778104a
|
|
These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.
|
|
some more follow-ups to 811a693b80
|
|
follow-up to 811a693b80
|
|
|
|
... that will ignore lines that are too long to fit in the buffer.
CVE-2016-8615
Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
|
|
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
|
|
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
|
|
... otherwise example.com/PATH and example.com/path would be assumed to
be the same and they usually aren't!
|
|
|
|
CVE-2016-8616
Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
|
|
CVE-2016-8617
Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
|
|
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
|
|
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
|
|
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
|
|
|
|
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
|
|
... and don't read outside of the given buffer!
CVE-2016-8621
bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
|
|
Since the internal Curl_urldecode() function has a better API.
|
|
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
|
|
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
|
|
|
|
CVE-2016-8625
Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
|
|
|
|
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
|
|
- Wrap more words with underscores in backticks.
Follow-up to 13f4913.
|
|
words with underscore need to be within `these`
Bug: https://github.com/curl/curl-www/issues/19
Reported-by : Jay Satiro
|
|
- Change initial message box to mention delay when downloading/parsing.
Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.
- Warn if OpenSSL is not present.
- Use a UTF-8 stream to make the ca-bundle data.
- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
---
This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.
This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.
Ref: https://github.com/curl/curl/pull/1012
|
|
To make it render better on the web site, at the price of it becoming
slightly less readable as text.
|
|
- Clarify that this option is only for HTTP/1.1 pipelining.
Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms
Assisted-by: Daniel Stenberg
|
|
Closes #927
|
|
Closes #893
|
|
Some versions of test allow == for equality, but others (such as the HP-UX
version) do not. Use a single = for correctness.
Error output:
checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
|
|
- we allow the security push up to 48 hours before the release
- add a mention about possible pre-notifications
- lower case the 'curl-security' title
|
|
Closes #1088
|