aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2018-09-03Curl_ntlm_core_mk_nt_hash: return error on too long passwordDaniel Stenberg
... since it would cause an integer overflow if longer than (max size_t / 2). This is CVE-2018-14618 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html Closes #2756 Reported-by: Zhaoyang Wu
2018-09-02http2: Use correct format identifier for stream_idRikard Falkeborn
Closes #2928
2018-09-02test1148: fix precheck outputMarcel Raad
"precheck command error" is not very helpful.
2018-09-01all: s/int/size_t cleanupDaniel Stenberg
Assisted-by: Rikard Falkeborn Closes #2922
2018-09-01ssh-libssh: use FALLTHROUGH to silence gcc8Daniel Stenberg
2018-08-31tool_operate: Fix setting proxy TLS 1.3 ciphersJay Satiro
2018-08-31cookies: support creation-time attribute for cookiesDaniel Gustafsson
According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
2018-08-31Don't use Windows path %PWD for SSH testsMarcel Raad
All these tests failed on Windows because something like sftp://%HOSTIP:%SSHPORT%PWD/ expanded to sftp://127.0.0.1:1234c:/msys64/home/bla/curl and then curl complained about the port number ending with a letter. Use the original POSIX path instead of the Windows path created in checksystem to fix this. Closes https://github.com/curl/curl/pull/2920
2018-08-29CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warningJay Satiro
Reported-by: Daniel Stenberg Closes https://github.com/curl/curl/issues/2916
2018-08-28THANKS-filter: dedup Daniel JeliƄskiDaniel Stenberg
2018-08-27RELEASE-NOTES: syncedDaniel Stenberg
2018-08-27CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip]Daniel Stenberg
2018-08-27CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip]Daniel Stenberg
Added a warning! Closes #2915
2018-08-25curl: fix time-of-check, time-of-use race in dir creationDaniel Stenberg
Patch-by: Jay Satiro Detected by Coverity Fixes #2739 Closes #2912
2018-08-25cmdline-opts/page-footer: fix edit mistakeDaniel Stenberg
There was a missing newline. follow-up to a7ba60bb7250
2018-08-24docs: clarify NO_PROXY env variable functionalityDaniel Stenberg
Reported-by: Kirill Marchuk Fixes #2773 Closes #2911
2018-08-24lib1522: fix curl_easy_setopt argument typeMarcel Raad
CURLOPT_POSTFIELDSIZE is a long option.
2018-08-24curl_threads: silence bad-function-cast warningMarcel Raad
As uintptr_t and HANDLE are always the same size, this warning is harmless. Just silence it using an intermediate uintptr_t variable. Closes https://github.com/curl/curl/pull/2908
2018-08-24README: add appveyor build badge [ci skip]Daniel Stenberg
Closes #2913
2018-08-24schannel: client certificate store opening fixIhor Karpenko
1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) while opening certificate store would be sufficient in this scenario and less-demanding in sense of required user credentials ( for example, IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore call without any of flags mentioned above ), 2) as 'cert_store_name' is a DWORD, attempt to format its value like a string ( in "Failed to open cert store" error message ) will throw null pointer exception 3) adding GetLastError(), in my opinion, will make error message more useful. Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html Closes #2909
2018-08-24gopher: Do not translate `?' to `%09'Leonardo Taccari
Since GOPHER support was added in curl `?' character was automatically translated to `%09' (`\t'). However, this behaviour does not seems documented in RFC 4266 and for search selectors it is documented to directly use `%09' in the URL. Apart that several gopher servers in the current gopherspace have CGI support where `?' is used as part of the selector and translating it to `%09' often leads to surprising results. Closes #2910
2018-08-23cookie tests: treat files as textMarcel Raad
Fixes test failures because of wrong line endings on Windows.
2018-08-23libcurl-thread.3: expand somewhat on the NO_SIGNAL motivationDaniel Stenberg
Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to avoid the risk of getting a SIGPIPE. Either way, a multi-threaded application that uses libcurl/openssl needs to have a signhandler for or ignore SIGPIPE on its own. Based on discussions in #2800 Closes #2904
2018-08-22RELEASE-NOTES: syncedDaniel Stenberg
2018-08-22Tests: fixes for WindowsMarcel Raad
- test 1268 requires unix sockets - test 2072 must be disabled also for MSYS/MinGW
2018-08-22http2: abort the send_callback if not setup yetDaniel Stenberg
When Curl_http2_done() gets called before the http2 data is setup all the way, we cannot send anything and this should just return an error. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
2018-08-21http2: remove four unused nghttp2 callbacksDaniel Stenberg
Closes #2903
2018-08-21x509asn1: use FALLTHROUGHDaniel Stenberg
... as no other comments are accepted since 014ed7c22f51463
2018-08-21test1148: disable if decimal separator is not pointMarcel Raad
Modifying the locale with environment variables doesn't work for native Windows applications. Just disable the test in this case if the decimal separator is something different than a point. Use a precheck with a small C program to achieve that. Closes https://github.com/curl/curl/pull/2786
2018-08-21Enable more GCC warningsMarcel Raad
This enables the following additional warnings: -Wold-style-definition -Warray-bounds=2 instead of the default 1 -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not respected for older versions -Wunused-const-variable, which enables level 2 instead of the default 1 -Warray-bounds also in debug mode through -ftree-vrp -Wnull-dereference also in debug mode through -fdelete-null-pointer-checks Closes https://github.com/curl/curl/pull/2747
2018-08-21curl-compilers: enable -Wimplicit-fallthrough=4 for GCCMarcel Raad
This enables level 4 instead of the default level 3, which of the currently used comments only allows /* FALLTHROUGH */ to silence the warning. Closes https://github.com/curl/curl/pull/2747
2018-08-21curl-compilers: enable -Wbad-function-cast on GCCMarcel Raad
This warning used to be enabled only for clang as it's a bit stricter on GCC. Silence the remaining occurrences and enable it on GCC too. Closes https://github.com/curl/curl/pull/2747
2018-08-21configure: conditionally enable pedantic-errorsMarcel Raad
Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5, pedantic-errors was synonymous to -Werror=pedantic [0], which is still the case for clang [1]. With GCC 5, it became complementary [2]. Also fix a resulting error in acinclude.m4 as main's return type was missing, which is illegal in C99. [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html Closes https://github.com/curl/curl/pull/2747
2018-08-21Remove unused definitionsMarcel Raad
Closes https://github.com/curl/curl/pull/2747
2018-08-21x509asn1: make several functions staticDaniel Stenberg
and remove the private SIZE_T_MAX define and use the generic one. Closes #2902
2018-08-21INTERNALS: require GnuTLS >= 2.11.3Daniel Stenberg
Since the public pinning support was brought in e644866caf4. GnuTLS 2.11.3 was released in October 2010. Figured out in #2890
2018-08-21http2: avoid set_stream_user_data() before stream is assignedDaniel Stenberg
... before the stream is started, we have it set to -1. Fixes #2894 Closes #2898
2018-08-20SSLCERTS: improve the openssl command lineDaniel Stenberg
... for extracting certs from a live HTTPS server to make a cacerts.pem from them.
2018-08-20docs/SECURITY-PROCESS: now we name the files after the CVE idDaniel Stenberg
2018-08-19RELEASE-NOTES: syncedDaniel Stenberg
2018-08-18upload: change default UPLOAD_BUFSIZE to 64KBDaniel Stenberg
To make uploads significantly faster in some circumstances. Part 2 of #2888 Closes #2892
2018-08-18upload: allocate upload buffer on-demandDaniel Stenberg
Saves 16KB on the easy handle for operations that don't need that buffer. Part 1 of #2888
2018-08-18vtls: reinstantiate engine on duplicated handlesLaurent Bonnans
Handles created with curl_easy_duphandle do not use the SSL engine set up in the original handle. This fixes the issue by storing the engine name in the internal url state and setting the engine from its name inside curl_easy_duphandle. Reported-by: Anton Gerasimov Signed-of-by: Laurent Bonnans Fixes #2829 Closes #2833
2018-08-17http2: make sure to send after RST_STREAMDaniel Stenberg
If this is the last stream on this connection, the RST_STREAM might not get pushed to the wire otherwise. Fixes #2882 Closes #2887 Researched-by: Michael Kaufmann
2018-08-16test1268: check the stderr output as "text"Daniel Stenberg
Follow-up to 099f37e9c57 Pointed-out-by: Marcel Raad
2018-08-16urldata: remove unused pipe_broke struct fieldDaniel Stenberg
This struct field is never set TRUE in any existing code path. This change removes the field completely. Closes #2871
2018-08-15curl: warn the user if a given file name looks like an optionDaniel Stenberg
... simply because this is usually a sign of the user having omitted the file name and the next option is instead "eaten" by the parser as a file name. Add test1268 to verify Closes #2885
2018-08-15http2: check nghttp2_session_set_stream_user_data return codeDaniel Stenberg
Might help bug #2688 debugging Closes #2880
2018-08-15travis: revert back to gcc-7 for coverage buildsDaniel Stenberg
... since the gcc-8 ones seem to fail frequently. Follow-up from b85207199544ca Closes #2886
2018-08-15RELEASE-NOTES: syncedDaniel Stenberg
... and now listed in alphabetical order!