path: root/lib
Age | Commit message | Author
2017-06-13 | libressl: OCSP and intermediate certs workaround no longer needed | Stuart Henderson
lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed by intermediate certs, this was fixed in LibreSSL in https://github.com/libressl-portable/openbsd/commit/912c64f68f7ac4f225b7d1fdc8fbd43168912ba0
Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
2017-06-13 | url: fix buffer overwrite with file protocol (CVE-2017-9502) | Daniel Stenberg
Bug: https://github.com/curl/curl/issues/1540
Advisory: https://curl.haxx.se/docs/adv_20170614.html
Assisted-by: Ray Satiro
Reported-by: Marcel Raad
2017-06-09 | setopt: check CURLOPT_ADDRESS_SCOPE option range | Daniel Stenberg
... and return error instead of triggering an assert() when being way out of range.
2017-06-08 | asyn-ares: s/Curl_expire_latest/Curl_expire | Daniel Stenberg
2017-06-08 | expire: remove Curl_expire_latest() | Daniel Stenberg
With the introduction of expire IDs and the fact that existing timers can be removed now and thus never expire, the concept with adding a "latest" timer is not working anymore as it risks to not expire at all. So, to be certain the timers actually are in line and will expire, the plain Curl_expire() needs to be used. The _latest() function was added as a sort of shortcut in the past that's quite simply not necessary anymore.
Follow-up to 31b39c40cf90
Reported-by: Paul Harris
Closes #1555
2017-06-07 | file: make speedcheck use current time for checks | Daniel Stenberg
... as it would previously just get the "now" timestamp before the transfer starts and then not update it again.
Closes #1550
2017-06-05 | test1521: test *all* curl_easy_setopt options | Daniel Stenberg
mk-lib1521.pl generates a test program (lib1521.c) that calls curl_easy_setopt() for every known option with a few typical values to make sure they work (ignoring the return codes). Some small changes were necessary to avoid asserts and NULL accesses when doing this. The perl script needs to be manually rerun when we add new options.
Closes #1543
2017-06-05 | curl_ntlm_core: use Curl_raw_toupper instead of toupper | Marcel Raad
This was the only remaining use of toupper in the entire source code.
Suggested-by: Daniel Stenberg
2017-06-04 | curl_ntlm_core: pass unsigned char to toupper | Marcel Raad
Otherwise, clang on Cygwin64 warns:
curl_ntlm_core.c:525:35: error: array subscript is of type 'char' [-Werror,-Wchar-subscripts]
dest[2 * i] = (unsigned char)(toupper(src[i]));
^~~~~~~~~~~~~~~
/usr/include/ctype.h:152:25: note: expanded from macro 'toupper'
(void) __CTYPE_PTR[__x]; (toupper) (__x);})
^~~~
2017-06-03 | x509asn1: fix implicit-fallthrough warning with GCC 7 | Marcel Raad
2017-06-03 | curl_sasl: fix unused-variable warning | Marcel Raad
This fixes the following warning with CURL_DISABLE_CRYPTO_AUTH, as seen in the autobuilds:
curl_sasl.c:417:9: warning: unused variable 'serverdata' [-Wunused-variable]
2017-06-03 | cyassl: define build macros before including ssl.h | Marcel Raad
cyassl/ssl.h needs the macros from cyassl/options.h, so define them before including cyassl/ssl.h the first time, which happens in urldata.h. This broke the build on Ubuntu Xenial, which comes with WolfSSL 3.4.8 and therefore redefines the symbols from cyassl/options.h instead of including the header.
Closes https://github.com/curl/curl/pull/1536
2017-06-03 | dedotdot: fixed output for ".." and "." only input | Daniel Stenberg
Found when updating test 1395, which I did to increase test coverage of this source file...
Closes #1535
2017-06-02 | mbedtls: make TU-local variable static | Marcel Raad
mbedtls_x509_crt_profile_fr is only used locally. This fixes a missing-variable-declarations warning with clang.
2017-06-02 | MD(4|5): silence cast-align clang warning | Marcel Raad
Unaligned access is on purpose here and the warning is harmless on affected architectures. GCC knows that, while clang warns on all architectures.
2017-06-02 | curl_endian: remove unused functions | Daniel Stenberg
Closes #1529
2017-06-02 | build: provide easy code coverage measuring | Daniel Stenberg
Closes #1528
2017-05-30 | transfer: init the infilesize from the postfields... | Daniel Stenberg
... with a strlen() if no size was set, and do this in the pretransfer function so that the info is set early. Otherwise, the default strlen() done on the POSTFIELDS data never sets state.infilesize.
Reported-by: Vincas Razma
Bug: #1294
2017-05-29 | mbedtls: fix variable shadow warning | Jay Satiro
vtls/mbedtls.c:804:69: warning: declaration of 'entropy' shadows a global declaration [-Wshadow]
CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
^~~~~~~
2017-05-25 | ssh: fix 'left' may be used uninitialized | Daniel Stenberg
follow-up to f31760e63b4e
Reported-by: Michael Kaufmann
Bug: https://github.com/curl/curl/pull/1495#issuecomment-303982793
2017-05-24 | time: fix type conversions and compiler warnings | Michael Kaufmann
Fix bugs and compiler warnings on systems with 32-bit long and 64-bit time_t.
Reviewed-by: Daniel Stenberg
Closes #1499
2017-05-23 | redirect: store the "would redirect to" URL when max redirs is reached | Daniel Stenberg
Test 1261 added to verify.
Reported-by: Lloyd Fournier
Fixes #1489
Closes #1497
2017-05-24 | LDAP: fixed checksrc issue | Sergei Nikulov
2017-05-23 | LDAP: using ldap_bind_s on Windows with methods (#878) | Sergei Nikulov
* LDAP: using ldap_bind_s on Windows with methods(BASIC/DIGEST/NTLM/AUTONEG)
* ldap: updated per build options handling
* ldap: fixed logic for auth selection
2017-05-23 | cmake: fix build on Ubuntu 14.04 | Akhil Kedia
Fixed a syntax error with setting cache variables (The type and docstring were missing), resulting in build errors. Quoted the CURL_CA_PATH and CURL_CA_BUNDLE otherwise the path was written without quotes in C code, resulting in build errors.
Closes #1503
Signed-off-by: Akhil <akhil.kedia@samsung.com>
2017-05-23 | url: fix declaration of 'pipe' shadows a global declaration | Daniel Stenberg
follow-up to 4cdb1be8246c
2017-05-22 | memdebug: fix compilation failure | Kamil Dudka
.... caused by a typo in the last commit (fixing issue #1504):
memdebug.c: In function ‘curl_fclose’:
memdebug.c:444:3: error: implicit declaration of function ‘DEBUGDEBUGASSERT’ [-Werror=implicit-function-declaration]
2017-05-22 | assert: avoid, use DEBUGASSERT instead! | Daniel Stenberg
... as it does extra checks to actually work.
Reported-by: jonrumsey at github
Fixes #1504
2017-05-21 | cmake: Add CURL_CA_FALLBACK to curl_config.h.cmake | Simon Warta
This is for symmetry with the autoconf generated curl_config.h.in
2017-05-20 | ssh: ignore timeouts during disconnect | Daniel Stenberg
... as otherwise it risks not cleaning up the libssh2 handle properly which leads to memory leak!
Assisted-by: Joel Depooter
Closes #1495
Closes #1479
Bug: https://curl.haxx.se/mail/lib-2017-04/0024.html
2017-05-16 | darwinssl: Fix exception when processing a client-side certificate file | Nick Zitzmann
if no error was raised by the API but the SecIdentityRef was null
Fixes #1450
2017-05-16 | curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM | Daniel Stenberg
Reported-by: wyattoday at github
Fixes #1487
2017-05-15 | SecureTransport/DarwinSSL: Implement public key pinning | moparisthebest
Closes #1400
2017-05-13 | url.c: add a compile-time check that CURL_MAX_WRITE_SIZE is large enough | Dan Fandrich
Some code (e.g. Curl_fillreadbuffer) assumes that this buffer is not exceedingly tiny and will break if it is. This same check is already done at run time in the CURLOPT_BUFFERSIZE option.
2017-05-12 | multi: remove leftover debug infof() calls from e9fd794a6 | Daniel Stenberg
2017-05-12 | pipeline: fix mistakenly trying to pipeline POSTs | Daniel Stenberg
The function IsPipeliningPossible() would return TRUE if either pipelining OR HTTP/2 were possible on a connection, which would lead to it returning TRUE even for POSTs on HTTP/1 connections. It now returns a bitmask so that the caller can differentiate which kind the connection allows.
Fixes #1481
Closes #1483
Reported-by: stootill at github
2017-05-12 | mbedtls: Support server renegotiation request | Ron Eldor
Tested with servers: IIS 7.5; OpenSSL 1.0.2.
Closes https://github.com/curl/curl/pull/1475
2017-05-11 | formdata: fix -Wcomma warning | Marcel Raad
clang 5.0 complains:
possible misuse of comma operator here [-Wcomma]
Change the comma to a semicolon to fix that.
2017-05-10 | multi: use a fixed array of timers instead of malloc | Daniel Stenberg
... since the total amount is low this is faster, easier and reduces memory overhead. Also, Curl_expire_done() can now mark an expire timeout as done so that it never times out.
Closes #1472
2017-05-10 | multi: assign IDs to all timers and make each timer singleton | Daniel Stenberg
A) reduces the timeout lists drastically
B) prevents a lot of superfluous loops for timers that expire "in vain" when it has actually already been extended to fire later on
2017-05-09 | formboundary: convert assert into run-time check | Daniel Stenberg
... to really make sure the boundary fits in the target buffer. Fixes unused parameter 'buflen' warning.
Reported-by: Michael Kaufmann
Bug: https://github.com/curl/curl/pull/1468#issuecomment-300078754
2017-05-08 | rand: treat fake entropy the same regardless of endianness | Jay Satiro
When the random seed is purposely made predictable for testing purposes by using the CURL_ENTROPY environment variable, process that data in an endian agnostic way so that the initial random seed is the same regardless of endianness.
- Change Curl_rand to write to a char array instead of int array.
- Add Curl_rand_hex to write random hex characters to a buffer.
Fixes #1315
Closes #1468
Co-authored-by: Daniel Stenberg
Reported-by: Michael Kaufmann
2017-05-07 | asyn-thread: fix unused macro warnings | Marcel Raad
Don't do anything in this file if CURLRES_THREADED is not defined.
2017-05-07 | tftp: silence bad-function-cast warning | Marcel Raad
The cases this warns about are handled elsewhere, so just use an intermediate variable to silence the warning.
2017-05-04 | schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOT | Dan Fandrich
2017-05-04 | curl_setup_once: use SEND_QUAL_ARG2 for swrite | Marcel Raad
SEND_QUAL_ARG2 had to be set, but was never used. Use it in swrite to avoid warnings about casting away low-level const.
Closes https://github.com/curl/curl/pull/1464
2017-05-03 | lib: fix compiler warnings | Marcel Raad
Fix the following warnings when building the tests by using the correct types:
cast from 'const char *' to 'void *' drops const qualifier [-Wcast-qual]
implicit conversion changes signedness [-Wsign-conversion]
2017-05-02 | Telnet: Write full buffer instead of byte-by-byte | Richard Hsu
Previous TODO wanting to write in chunks. We should support writing more at once since some TELNET servers may respond immediately upon first byte written such as WHOIS servers.
Closes #1389
2017-05-02 | gtls: fixed a lingering BUFSIZE reference | Dan Fandrich
2017-05-02 | ssh: fix compiler warning from e40e9d7f0de | Daniel Stenberg