aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-08-07curl: detect and bail out early on parameter integer overflowsDaniel Stenberg
Make the number parser aware of the maximum limit curl accepts for a value and return an error immediately if larger, instead of running an integer overflow later. Fixes #1730 Closes #1736
2017-08-07glob: do not continue parsing after a strtoul() overflow rangeDaniel Stenberg
Added test 1289 to verify. CVE-2017-1000101 Bug: https://curl.haxx.se/docs/adv_20170809A.html Reported-by: Brian Carpenter
2017-08-07tftp: reject file name lengths that don't fitDaniel Stenberg
... and thereby avoid telling send() to send off more bytes than the size of the buffer! CVE-2017-1000100 Bug: https://curl.haxx.se/docs/adv_20170809B.html Reported-by: Even Rouault Credit to OSS-Fuzz for the discovery
2017-08-07file: output the correct buffer to the userEven Rouault
Regression brought by 7c312f84ea930d8 (April 2017) CVE-2017-1000099 Bug: https://curl.haxx.se/docs/adv_20170809C.html Credit to OSS-Fuzz for the discovery
2017-08-06easy_events: make event data staticDaniel Stenberg
First: this function is only used in debug-builds and not in release/real builds. It is used to drive tests using the event-based API. A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the CURLMOPT_TIMERFUNCTION calback can in fact be called even after this funtion returns, namely when curl_multi_remove_handle() is called. Reported-by: Brian Carpenter
2017-08-05getparameter: avoid returning uninitialized 'usedarg'Daniel Stenberg
Fixes #1728
2017-08-05gssapi: fix memory leak of output token in multi round contextIsaac Boukris
When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free. Found by proposed gss tests using stub a gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well. Closes https://github.com/curl/curl/pull/1733
2017-08-05darwinssl: fix compiler warningMarcel Raad
clang complains: vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive [-Werror,-Wextra-tokens] This breaks the darwinssl build on Travis. Fix it by making this token a comment. Closes https://github.com/curl/curl/pull/1734
2017-08-04CMake: fix CURL_WERROR for MSVCMarcel Raad
When using CURL_WERROR in MSVC builds, the debug flags were overridden by the release flags and /WX got added twice in debug mode. Closes https://github.com/curl/curl/pull/1715
2017-08-04RELEASE-NOTES: synced with 561e9217cDaniel Stenberg
2017-08-04test1010: verify that #1718 is fixedDaniel Stenberg
... by doing two transfers in nocwd mode and check that there's no superfluous CWD command.
2017-08-04FTP: skip unnecessary CWD when in nocwd modeDaniel Stenberg
... when reusing a connection. If it didn't do any CWD previously. Fixes #1718
2017-08-04travis: explicitly specify distMarcel Raad
This makes the builds more reproducible as travis is currently rolling out trusty as default dist [1]. Specifically, this avoids coverage check failures when trusty is used as seen in [2] until we figure out what's wrong. [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming [2] https://github.com/curl/curl/pull/1692 Closes https://github.com/curl/curl/pull/1725
2017-08-04travis: BUILD_TYPE => TDaniel Stenberg
(to make the full line appear nicer on travis web UI)
2017-08-04travis: add osx build with darwinsslDaniel Stenberg
Closes #1706
2017-08-04darwin: silence compiler warningsDaniel Stenberg
With a clang pragma and three type fixes Fixes #1722
2017-08-03BUILD.WINDOWS: mention buildconf.bat for builds off gitDaniel Stenberg
2017-08-03darwinssl: fix curlssl_sha256sum() compiler warnings on first argumentDaniel Stenberg
2017-08-03test130: verify comments in .netrcDaniel Stenberg
2017-08-03netrc: skip lines starting with '#'Gisle Vanem
Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
2017-08-03CMake: set MSVC warning level to 4Marcel Raad
The MSVC warning level defaults to 3 in CMake. Change it to 4, which is consistent with the Visual Studio and NMake builds. Disable level 4 warning C4127 for the library and additionally C4306 for the test servers to get a clean CURL_WERROR build as that warning is raised in some macros in older Visual Studio versions. Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794 Closes https://github.com/curl/curl/pull/1711
2017-08-02CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2Daniel Stenberg
Reported-by: Viktor Szakats
2017-08-02CURLOPT_NETRC.3: mention the file name on windowsDaniel Stenberg
... and CURLOPT_NETRC_FILE(3).
2017-08-02travis: build osx with libressl tooDaniel Stenberg
2017-08-02travis: build osx with openssl tooDaniel Stenberg
2017-08-02tests/server/util: fix curltime mistake from 4dee50b9c80f9Daniel Stenberg
2017-08-01curl_threads: fix MSVC compiler warningMarcel Raad
Use LongToHandle to convert from long to HANDLE in the Win32 implementation. This should fix the following warning when compiling with MSVC 11 (2012) in 64-bit mode: lib\curl_threads.c(113): warning C4306: 'type cast' : conversion from 'long' to 'HANDLE' of greater size Closes https://github.com/curl/curl/pull/1717
2017-08-01BUGS: improved phrasing about security bugsDaniel Stenberg
Reported-by: Max Dymond
2017-08-01BUGS: clarify how to report security related bugsDaniel Stenberg
2017-08-01multi: fix request timer managementBrad Spencer
There are some bugs in how timers are managed for a single easy handle that causes the wrong "next timeout" value to be reported to the application when a new minimum needs to be recomputed and that new minimum should be an existing timer that isn't currently set for the easy handle. When the application drives a set of easy handles via the `curl_multi_socket_action()` API (for example), it gets told to wait the wrong amount of time before the next call, which causes requests to linger for a long time (or, it is my guess, possibly forever). Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
2017-08-01curl_setup: Define CURL_NO_OLDIES for building libcurlJay Satiro
.. to catch accidental use of deprecated error codes. Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
2017-08-01configure: fix the check for IdnToUnicodeJeremy Tan
Fixes #1669 Closes #1713
2017-07-31http: fix response code parser to avoid integer overflowDaniel Stenberg
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2017-07-31libcurl: Stop using error codes defined under CURL_NO_OLDIESDwarakanath Yadavalli
Fixes https://github.com/curl/curl/issues/1688 Closes https://github.com/curl/curl/pull/1712
2017-07-30include.d: clarify --include is only for response headersJay Satiro
Follow-up to 171f8de and de6de94. Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851 Reported-by: Daniel Stenberg
2017-07-30cmake: support make uninstalljasjuang
Closes #1674
2017-07-30RELEASE-NOTES: synced with 001701c47Daniel Stenberg
2017-07-29AppVeyor: now really use CURL_WERRORMarcel Raad
It was misspelled as CURL_ERROR in commit 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4. Closes https://github.com/curl/curl/pull/1686
2017-07-29tool_help: clarify --include is only for response headersJay Satiro
Follow-up to 171f8de. Ref: https://github.com/curl/curl/issues/1704
2017-07-29splay: fix signed/unsigned mismatch warningJay Satiro
Follow-up to 4dee50b. Ref: https://github.com/curl/curl/pull/1693
2017-07-28include.d: clarify that it concerns the response headersDaniel Stenberg
Reported-by: olesteban at github Fixes #1704
2017-07-28curl_rtmp: fix a compiler warningJohannes Schindelin
The headers of librtmp declare the socket as `int`, and on Windows, that disagrees with curl_socket_t. Bug: #1652 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-07-28test1323: verify curlx_tvdiffDaniel Stenberg
2017-07-28timeval: struct curltime is a struct timeval replacementDaniel Stenberg
... to make all libcurl internals able to use the same data types for the struct members. The timeval struct differs subtly on several platforms so it makes it cumbersome to use everywhere. Ref: #1652 Closes #1693
2017-07-27darwinssl: fix variable type mistake (regression)Daniel Stenberg
... which made --tlsv1.2 not work because it would blank the max tls version variable. Reported-by: Nick Miyake Bug: #1703
2017-07-27multi: mention integer overflow risk if using > 500 million socketsDaniel Stenberg
Reported-by: ovidiu-benea@users.noreply.github.com Closes #1675 Closes #1683
2017-07-27checksrc: escape open brace in regexDaniel Stenberg
... to silence warning.
2017-07-20nss: fix a possible use-after-free in SelectClientCert()Kamil Dudka
... causing a SIGSEGV in showit() in case the handle used to initiate the connection has already been freed. This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803. Reported-by: Rob Sanders Bug: https://bugzilla.redhat.com/1436158
2017-07-20nss: unify the coding style of nss_send() and nss_recv()Kamil Dudka
No changes in behavior intended by this commit.
2017-07-18tests/server/resolve.c: fix deprecation warningMarcel Raad
MSVC warns that gethostbyname is deprecated. Always use getaddrinfo instead to fix this when IPv6 is enabled, also for IPv4 resolves. This is also consistent with what libcurl does. Closes https://github.com/curl/curl/pull/1682