aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2017-08-08docs/comments: Update to secure URL versionsViktor Szakats
Closes #1741
2017-08-07tftp: reject file name lengths that don't fitDaniel Stenberg
... and thereby avoid telling send() to send off more bytes than the size of the buffer! CVE-2017-1000100 Bug: https://curl.haxx.se/docs/adv_20170809B.html Reported-by: Even Rouault Credit to OSS-Fuzz for the discovery
2017-08-07file: output the correct buffer to the userEven Rouault
Regression brought by 7c312f84ea930d8 (April 2017) CVE-2017-1000099 Bug: https://curl.haxx.se/docs/adv_20170809C.html Credit to OSS-Fuzz for the discovery
2017-08-06easy_events: make event data staticDaniel Stenberg
First: this function is only used in debug-builds and not in release/real builds. It is used to drive tests using the event-based API. A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the CURLMOPT_TIMERFUNCTION calback can in fact be called even after this funtion returns, namely when curl_multi_remove_handle() is called. Reported-by: Brian Carpenter
2017-08-05gssapi: fix memory leak of output token in multi round contextIsaac Boukris
When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free. Found by proposed gss tests using stub a gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well. Closes https://github.com/curl/curl/pull/1733
2017-08-05darwinssl: fix compiler warningMarcel Raad
clang complains: vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive [-Werror,-Wextra-tokens] This breaks the darwinssl build on Travis. Fix it by making this token a comment. Closes https://github.com/curl/curl/pull/1734
2017-08-04FTP: skip unnecessary CWD when in nocwd modeDaniel Stenberg
... when reusing a connection. If it didn't do any CWD previously. Fixes #1718
2017-08-04darwin: silence compiler warningsDaniel Stenberg
With a clang pragma and three type fixes Fixes #1722
2017-08-03darwinssl: fix curlssl_sha256sum() compiler warnings on first argumentDaniel Stenberg
2017-08-03netrc: skip lines starting with '#'Gisle Vanem
Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
2017-08-03CMake: set MSVC warning level to 4Marcel Raad
The MSVC warning level defaults to 3 in CMake. Change it to 4, which is consistent with the Visual Studio and NMake builds. Disable level 4 warning C4127 for the library and additionally C4306 for the test servers to get a clean CURL_WERROR build as that warning is raised in some macros in older Visual Studio versions. Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794 Closes https://github.com/curl/curl/pull/1711
2017-08-01curl_threads: fix MSVC compiler warningMarcel Raad
Use LongToHandle to convert from long to HANDLE in the Win32 implementation. This should fix the following warning when compiling with MSVC 11 (2012) in 64-bit mode: lib\curl_threads.c(113): warning C4306: 'type cast' : conversion from 'long' to 'HANDLE' of greater size Closes https://github.com/curl/curl/pull/1717
2017-08-01multi: fix request timer managementBrad Spencer
There are some bugs in how timers are managed for a single easy handle that causes the wrong "next timeout" value to be reported to the application when a new minimum needs to be recomputed and that new minimum should be an existing timer that isn't currently set for the easy handle. When the application drives a set of easy handles via the `curl_multi_socket_action()` API (for example), it gets told to wait the wrong amount of time before the next call, which causes requests to linger for a long time (or, it is my guess, possibly forever). Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
2017-08-01curl_setup: Define CURL_NO_OLDIES for building libcurlJay Satiro
.. to catch accidental use of deprecated error codes. Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
2017-07-31http: fix response code parser to avoid integer overflowDaniel Stenberg
test 1429 and 1433 were updated to work with the stricter HTTP status line parser. Closes #1714 Reported-by: Brian Carpenter
2017-07-31libcurl: Stop using error codes defined under CURL_NO_OLDIESDwarakanath Yadavalli
Fixes https://github.com/curl/curl/issues/1688 Closes https://github.com/curl/curl/pull/1712
2017-07-29splay: fix signed/unsigned mismatch warningJay Satiro
Follow-up to 4dee50b. Ref: https://github.com/curl/curl/pull/1693
2017-07-28curl_rtmp: fix a compiler warningJohannes Schindelin
The headers of librtmp declare the socket as `int`, and on Windows, that disagrees with curl_socket_t. Bug: #1652 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-07-28timeval: struct curltime is a struct timeval replacementDaniel Stenberg
... to make all libcurl internals able to use the same data types for the struct members. The timeval struct differs subtly on several platforms so it makes it cumbersome to use everywhere. Ref: #1652 Closes #1693
2017-07-27darwinssl: fix variable type mistake (regression)Daniel Stenberg
... which made --tlsv1.2 not work because it would blank the max tls version variable. Reported-by: Nick Miyake Bug: #1703
2017-07-27multi: mention integer overflow risk if using > 500 million socketsDaniel Stenberg
Reported-by: ovidiu-benea@users.noreply.github.com Closes #1675 Closes #1683
2017-07-27checksrc: escape open brace in regexDaniel Stenberg
... to silence warning.
2017-07-20nss: fix a possible use-after-free in SelectClientCert()Kamil Dudka
... causing a SIGSEGV in showit() in case the handle used to initiate the connection has already been freed. This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803. Reported-by: Rob Sanders Bug: https://bugzilla.redhat.com/1436158
2017-07-20nss: unify the coding style of nss_send() and nss_recv()Kamil Dudka
No changes in behavior intended by this commit.
2017-07-17darwinssl: fix pinnedpubkey build errorJay Satiro
- s/SessionHandle/Curl_easy/ Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670 Reported-by: Gisle Vanem
2017-07-11build: remove WIN32_LEAN_AND_MEAN from individual build systemsMarcel Raad
It's defined for all build systems in curl_setup.h since commit beb08481d01a07a8b10938b1078a5e298b1c2912. This caused macro redefinition warnings in the configure builds. Closes https://github.com/curl/curl/pull/1677
2017-07-11curl_setup: always define WIN32_LEAN_AND_MEAN on WindowsMarcel Raad
Make sure to always define WIN32_LEAN_AND_MEAN before including any Windows headers to avoid pulling in unnecessary headers. This avoids unnecessary macro clashes and compiler warnings. Ref: https://github.com/curl/curl/issues/1562 Closes https://github.com/curl/curl/pull/1672
2017-07-11strerror: Preserve Windows error code in some functionsJay Satiro
This is a follow-up to af02162 which removed (SET_)ERRNO macros. That commit was an earlier draft that I committed by mistake, which was then remedied by a5834e5 and e909de6, and now this commit. With this commit there is now no difference between the current code and the changes that were approved in the final draft. Thanks-to: Max Dymond, Marcel Raad, Daniel Stenberg, Gisle Vanem Ref: https://github.com/curl/curl/pull/1589
2017-07-10errno: fix non-windows builds after af0216251b94e7Daniel Stenberg
2017-07-10ldap: fix MinGW compiler warningMarcel Raad
ldap_bind_s is marked as deprecated in w32api's winldap.h shipping with the latest original MinGW, resulting in compiler warnings since commit f0fe66f13c93d3d0af45d9fb1231c9164e0f9dc8. Fix this for the non-SSPI case by using ldap_simple_bind_s again instead of ldap_bind_s with LDAP_AUTH_SIMPLE. Closes https://github.com/curl/curl/pull/1664
2017-07-10curl_setup_once: Remove ERRNO/SET_ERRNO macrosJay Satiro
Prior to this change (SET_)ERRNO mapped to GetLastError/SetLastError for Win32 and regular errno otherwise. I reviewed the code and found no justifiable reason for conflating errno on WIN32 with GetLastError/SetLastError. All Win32 CRTs support errno, and any Win32 multithreaded CRT supports thread-local errno. Fixes https://github.com/curl/curl/issues/895 Closes https://github.com/curl/curl/pull/1589
2017-07-09smb: rename variable to fix shadowing warningMarcel Raad
GCC 4.6.3 on travis complains: smb.c: In function ‘get_posix_time’: smb.c:725:13: error: declaration of ‘time’ shadows a global declaration [-Werror=shadow] Fix this by renaming the variable.
2017-07-07cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVCPaul Harris
Removes BUILD_RELEASE_DEBUG_DIRS since it wasn't used anywhere. Closes #1649
2017-07-06memdebug: don't setbuf() if the file open failedGisle Vanem
Bug: https://github.com/curl/curl/issues/828#issuecomment-313475151
2017-07-06asyn-thread.c: fix unused variable warnings on macOSDaniel Stenberg
2017-07-06http: s/TINY_INITIAL_POST_SIZE/EXPECT_100_THRESHOLDDaniel Stenberg
Make the name reflect its use better, and add a short comment describing what it's for.
2017-07-05select.h: avoid macro redefinition harderDaniel Stenberg
... by checking the POLLIN define, as the header file checks don't work on Windows.
2017-07-05inet_pton: fix include on windows to get prototypeDaniel Stenberg
inet_pton() exists on Windows and gets used by our cmake builds. Make sure the correct header file is included to avoid compiler warnings. Closes #1639
2017-07-04smb: add support for CURLOPT_FILETIMEGisle Vanem
Bug: https://curl.haxx.se/mail/lib-2017-07/0005.html Closes #1643
2017-07-04smb: fix build for djgpp/MSDOSGisle Vanem
bug: https://curl.haxx.se/mail/lib-2017-07/0005.html
2017-07-04configure: remove checks for 5 functions never usedDaniel Stenberg
fork, getprotobyname, inet_addr, perror, uname closes #1638
2017-07-04timeval.c: Use long long constant type for timeval assignmentMartin Kepplinger
On a 64 bit host, sparse says: timeval.c:148:15: warning: constant 0x7fffffffffffffff is so big it is long timeval.c:149:12: warning: constant 0x7fffffffffffffff is so big it is long so let's use long long constant types in order to prevent undesired overflow failures. Bug: https://curl.haxx.se/mail/lib-2017-07/0003.html Closes #1636 Signed-off-by: Martin Kepplinger <martink@posteo.de>
2017-07-03url: make the original string get used on subsequent transfersDaniel Stenberg
... since CURLOPT_URL should follow the same rules as other options: they remain set until changed or cleared. Added test 1551 to verify. Fixes #1631 Closes #1632 Reported-by: Pavel Rochnyak
2017-07-03gtls: fix build when sizeof(long) < sizeof(void *)Johannes Schindelin
- Change gnutls pointer/int macros to pointer/curl_socket_t. Prior to this change they used long type as well. The size of the `long` data type can be shorter than that of pointer types. This is the case most notably on Windows. If C99 were acceptable, we could simply use `intptr_t` here. But we want to retain C89 compatibility. Simply use the trick of performing pointer arithmetic with the NULL pointer: to convert an integer `i` to a pointer, simply take the address of the `i`th element of a hypothetical character array starting at address NULL. To convert back, simply cast the pointer difference. Thanks to Jay Satiro for the initial modification to use curl_socket_t instead of int/long. Closes #1617 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-06-30http2: handle PING framesMax Dymond
Add a connection check function to HTTP2 based off RTSP. This causes PINGs to be handled the next time the connection is reused. Closes #1521
2017-06-30handler: refactor connection checkingMax Dymond
Add a new type of callback to Curl_handler which performs checks on the connection. Alter RTSP so that it uses this callback to do its own check on connection health.
2017-06-30openssl: improve fallback seed of PRNG with a time based hashdmitrykos
Fixes #1620
2017-06-30progress: prevent resetting t_starttransferRyan Winograd
Prevent `Curl_pgrsTime` from modifying `t_starttransfer` when invoked with `TIMER_STARTTRANSFER` more than once during a single request. When a redirect occurs, this is considered a new request and `t_starttransfer` can be updated to reflect the `t_starttransfer` time of the redirect request. Closes #1616 Bug: https://github.com/curl/curl/pull/1602#issuecomment-310267370
2017-06-28CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy authKamil Dudka
If libcurl was built with GSS-API support, it unconditionally advertised GSS-API authentication while connecting to a SOCKS5 proxy. This caused problems in environments with improperly configured Kerberos: a stock libcurl failed to connect, despite libcurl built without GSS-API connected fine using username and password. This commit introduces the CURLOPT_SOCKS5_AUTH option to control the allowed methods for SOCKS5 authentication at run time. Note that a new option was preferred over reusing CURLOPT_PROXYAUTH for compatibility reasons because the set of authentication methods allowed by default was different for HTTP and SOCKS5 proxies. Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html Closes https://github.com/curl/curl/pull/1454
2017-06-28socks: deduplicate the code for auth requestKamil Dudka