Age | Commit message (Collapse) | Author |
|
... since it would cause an integer overflow if longer than (max size_t
/ 2).
This is CVE-2018-14618
Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
|
|
Closes #2928
|
|
"precheck command error" is not very helpful.
|
|
Assisted-by: Rikard Falkeborn
Closes #2922
|
|
|
|
|
|
According to RFC6265 section 5.4, cookies with equal path lengths
SHOULD be sorted by creation-time (earlier first). This adds a
creation-time record to the cookie struct in order to make cookie
sorting more deterministic. The creation-time is defined as the
order of the cookies in the jar, the first cookie read fro the
jar being the oldest. The creation-time is thus not serialized
into the jar. Also remove the strcmp() matching in the sorting as
there is no lexicographic ordering in RFC6265. Existing tests are
updated to match.
Closes #2524
|
|
All these tests failed on Windows because something like
sftp://%HOSTIP:%SSHPORT%PWD/
expanded to
sftp://127.0.0.1:1234c:/msys64/home/bla/curl
and then curl complained about the port number ending with a letter.
Use the original POSIX path instead of the Windows path created in
checksystem to fix this.
Closes https://github.com/curl/curl/pull/2920
|
|
Reported-by: Daniel Stenberg
Closes https://github.com/curl/curl/issues/2916
|
|
|
|
|
|
|
|
Added a warning!
Closes #2915
|
|
Patch-by: Jay Satiro
Detected by Coverity
Fixes #2739
Closes #2912
|
|
There was a missing newline.
follow-up to a7ba60bb7250
|
|
Reported-by: Kirill Marchuk
Fixes #2773
Closes #2911
|
|
CURLOPT_POSTFIELDSIZE is a long option.
|
|
As uintptr_t and HANDLE are always the same size, this warning is
harmless. Just silence it using an intermediate uintptr_t variable.
Closes https://github.com/curl/curl/pull/2908
|
|
Closes #2913
|
|
1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG )
while opening certificate store would be sufficient in this scenario and
less-demanding in sense of required user credentials ( for example,
IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore
call without any of flags mentioned above ),
2) as 'cert_store_name' is a DWORD, attempt to format its value like a
string ( in "Failed to open cert store" error message ) will throw null
pointer exception
3) adding GetLastError(), in my opinion, will make error message more
useful.
Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html
Closes #2909
|
|
Since GOPHER support was added in curl `?' character was automatically
translated to `%09' (`\t').
However, this behaviour does not seems documented in RFC 4266 and for
search selectors it is documented to directly use `%09' in the URL.
Apart that several gopher servers in the current gopherspace have CGI
support where `?' is used as part of the selector and translating it to
`%09' often leads to surprising results.
Closes #2910
|
|
Fixes test failures because of wrong line endings on Windows.
|
|
Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to
avoid the risk of getting a SIGPIPE.
Either way, a multi-threaded application that uses libcurl/openssl needs
to have a signhandler for or ignore SIGPIPE on its own.
Based on discussions in #2800
Closes #2904
|
|
|
|
- test 1268 requires unix sockets
- test 2072 must be disabled also for MSYS/MinGW
|
|
When Curl_http2_done() gets called before the http2 data is setup all
the way, we cannot send anything and this should just return an error.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
|
|
Closes #2903
|
|
... as no other comments are accepted since 014ed7c22f51463
|
|
Modifying the locale with environment variables doesn't work for native
Windows applications. Just disable the test in this case if the decimal
separator is something different than a point. Use a precheck with a
small C program to achieve that.
Closes https://github.com/curl/curl/pull/2786
|
|
This enables the following additional warnings:
-Wold-style-definition
-Warray-bounds=2 instead of the default 1
-Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not
respected for older versions
-Wunused-const-variable, which enables level 2 instead of the default 1
-Warray-bounds also in debug mode through -ftree-vrp
-Wnull-dereference also in debug mode through
-fdelete-null-pointer-checks
Closes https://github.com/curl/curl/pull/2747
|
|
This enables level 4 instead of the default level 3, which of the
currently used comments only allows /* FALLTHROUGH */ to silence the
warning.
Closes https://github.com/curl/curl/pull/2747
|
|
This warning used to be enabled only for clang as it's a bit stricter
on GCC. Silence the remaining occurrences and enable it on GCC too.
Closes https://github.com/curl/curl/pull/2747
|
|
Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5,
pedantic-errors was synonymous to -Werror=pedantic [0], which is still
the case for clang [1]. With GCC 5, it became complementary [2].
Also fix a resulting error in acinclude.m4 as main's return type was
missing, which is illegal in C99.
[0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html
[1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages
[2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html
Closes https://github.com/curl/curl/pull/2747
|
|
Closes https://github.com/curl/curl/pull/2747
|
|
and remove the private SIZE_T_MAX define and use the generic one.
Closes #2902
|
|
Since the public pinning support was brought in e644866caf4. GnuTLS
2.11.3 was released in October 2010.
Figured out in #2890
|
|
... before the stream is started, we have it set to -1.
Fixes #2894
Closes #2898
|
|
... for extracting certs from a live HTTPS server to make a cacerts.pem
from them.
|
|
|
|
|
|
To make uploads significantly faster in some circumstances.
Part 2 of #2888
Closes #2892
|
|
Saves 16KB on the easy handle for operations that don't need that
buffer.
Part 1 of #2888
|
|
Handles created with curl_easy_duphandle do not use the SSL engine set
up in the original handle. This fixes the issue by storing the engine
name in the internal url state and setting the engine from its name
inside curl_easy_duphandle.
Reported-by: Anton Gerasimov
Signed-of-by: Laurent Bonnans
Fixes #2829
Closes #2833
|
|
If this is the last stream on this connection, the RST_STREAM might not
get pushed to the wire otherwise.
Fixes #2882
Closes #2887
Researched-by: Michael Kaufmann
|
|
Follow-up to 099f37e9c57
Pointed-out-by: Marcel Raad
|
|
This struct field is never set TRUE in any existing code path. This
change removes the field completely.
Closes #2871
|
|
... simply because this is usually a sign of the user having omitted the
file name and the next option is instead "eaten" by the parser as a file
name.
Add test1268 to verify
Closes #2885
|
|
Might help bug #2688 debugging
Closes #2880
|
|
... since the gcc-8 ones seem to fail frequently.
Follow-up from b85207199544ca
Closes #2886
|
|
... and now listed in alphabetical order!
|