| Age | Commit message (Collapse) | Author |
|---|
|
Fix theoretical integer overflow in Curl_auth_create_plain_message.
The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.
Closes #5391
|
|
|
|
Follow up to 762a292f.
|
|
Functionally this doesn't change anything as we still use the username
for both the authorisation identity and the authentication identity.
Closes #3757
|
|
CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
|
|
Ensure that the parameters in the comment match the actual names in the
prototype.
Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Make the integer overflow check not rely on the undefined behavior that
a size_t wraps around on overflow.
Detected by lgtm.com
Closes #2408
|
|
See CRL-01-006.
|
|
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
|
|
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
|
|
|
|
Closes #754
|
|
Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.
|
|
As most of this work was performed in 2015 but not pushed until 2016
updated the copyright year to reflect the public facing changes.
|
|
|
