aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-10-23Curl_follow: remove remaining free(newurl)Daniel Stenberg
Follow-up to 05564e750e8f0c. This function no longer frees the passed-in URL. Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm ent-30985666
2018-10-23headers: end all headers with guard commentDaniel Gustafsson
Most headerfiles end with a /* <headerguard> */ comment, but it was missing from some. The comment isn't the most important part of our code documentation but consistency has an intrinsic value in itself. This adds header guard comments to the files that were lacking it. Closes #3158 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-19multi: avoid double-freeDaniel Stenberg
Curl_follow() no longer frees the string. Make sure it happens in the caller function, like we normally handle allocations. This bug was introduced with the use of the URL API internally, it has never been in a release version Reported-by: Dario Weißer Closes #3149
2018-10-19multi: make the closure handle "inherit" CURLOPT_NOSIGNALDaniel Stenberg
Otherwise, closing that handle can still cause surprises! Reported-by: Martin Ankerl Fixes #3138 Closes #3147
2018-10-19config_win32: enable LDAPSMarcel Raad
As done in the autotools and CMake builds by default. Closes https://github.com/curl/curl/pull/3137
2018-10-18travis: add build for "configure --disable-verbose"Daniel Stenberg
Closes #3144
2018-10-16x509asn1: Fix SAN IP address verificationMatthew Whitehead
For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
2018-10-14nonblock: fix unused parameter warningMarcel Raad
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not used.
2018-10-13Curl_follow: Always free the passed new URLMichael Kaufmann
Closes #3124
2018-10-10transfer: fix typo in commentDaniel Gustafsson
2018-10-09ldap: show precise LDAP call in error message on WindowsViktor Szakats
Also add a unique but common text ('bind via') to make it easy to grep this specific failure regardless of platform. Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 Closes https://github.com/curl/curl/pull/3118 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09curl_setup: define NOGDI on WindowsMarcel Raad
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> on MinGW. Closes https://github.com/curl/curl/pull/3113
2018-10-09Windows: fixes for MinGW targeting Windows VistaMarcel Raad
Classic MinGW has neither InitializeCriticalSectionEx nor GetTickCount64, independent of the target Windows version. Closes https://github.com/curl/curl/pull/3113
2018-10-08spelling fixes [ci skip]Viktor Szakats
as detected by codespell 1.14.0 Closes https://github.com/curl/curl/pull/3114 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-08curl_ntlm_wb: check aprintf() return codesDaniel Stenberg
... when they return NULL we're out of memory and MUST return failure. closes #3111
2018-10-08hostip: fix check on Curl_shuffle_addr return valueRick Deist
Closes #3110
2018-10-08FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER outputDaniel Stenberg
Now FILE transfers send headers to the header callback like HTTP and other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) work for FILE in the callbacks. Makes "curl -i file://.." and "curl -I file://.." work like before again. Applied the bold header logic to them too. Regression from c1c2762 (7.61.0) Reported-by: Shaun Jackman Fixes #3083 Closes #3101
2018-10-07gskit: make sure to terminate version stringDaniel Gustafsson
In case a very small buffer was passed to the version function, it could result in the buffer not being NULL-terminated since strncpy() doesn't guarantee a terminator on an overflowed buffer. Rather than adding code to terminate (and handle zero-sized buffers), move to using snprintf() instead like all the other vtls backends. Closes #3105 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-05timeval: fix use of weak symbol clock_gettime() on Apple platformsdmitrykos
Closes #3048
2018-10-05doh: keep the IPv4 address in (original) network byte orderDaniel Stenberg
Ideally this will fix the reversed order shown in SPARC tests: resp 8: Expected 127.0.0.1 got 1.0.0.127 Closes #3091
2018-10-05checksrc: handle zero scoped ignore commandsDaniel Gustafsson
If a !checksrc! disable command specified to ignore zero errors, it was still added to the ignore block even though nothing was ignored. While there were no blocks ignored that shouldn't be ignored, the processing ended with with a warning: <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) /* !checksrc! disable LONGLINE 0 */ ^ Fix by instead treating a zero ignore as a a badcommand and throw a warning for that one. Closes #3096 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05checksrc: enable strict mode and warningsDaniel Gustafsson
Enable strict and warnings mode for checksrc to ensure we aren't missing anything due to bugs in the checking code. This uncovered a few things which are all fixed in this commit: * several variables were used uninitialized * several variables were not defined in the correct scope * the whitelist filehandle was read even if the file didn't exist * the enable_warn() call when a disable counter had expired was passing incorrect variables, but since the checkwarn() call is unlikely to hit (the counter is only decremented to zero on actual ignores) it didn't manifest a problem. Closes #3090 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05cmake: test and set missed defines during configurationdmitrykos
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. Closes #3097
2018-10-04doh: make sure TTL isn't re-inited by second (discarded?) responseDaniel Stenberg
Closes #3092
2018-10-03memory: ensure to check allocation resultsDaniel Gustafsson
The result of a memory allocation should always be checked, as we may run under memory pressure where even a small allocation can fail. This adds checking and error handling to a few cases where the allocation wasn't checked for success. In the ftp case, the freeing of the path variable is moved ahead of the allocation since there is little point in keeping it around across the strdup, and the separation makes for more readable code. In nwlib, the lock is aslo freed in the error path. Also bumps the copyright years on affected files. Closes #3084 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03comment: Fix multiple typos in function parametersDaniel Gustafsson
Ensure that the parameters in the comment match the actual names in the prototype. Closes #3079 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03nss: fix nssckbi module loading on WindowsJay Satiro
- Use .DLL extension instead of .so to load modules on Windows. Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html Reported-by: Maxime Legros Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442 Closes https://github.com/curl/curl/pull/3086
2018-10-02urlapi: starting with a drive letter on win32 is not an abs urlDaniel Stenberg
... and libcurl doesn't support any single-letter URL schemes (if there even exist any) so it should be fairly risk-free. Reported-by: Marcel Raad Fixes #3070 Closes #3071
2018-10-02doh: fix curl_easy_setopt argument typeMarcel Raad
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit MinGW.
2018-10-01CMake: Improve config installationRuslan Baratov
Use 'GNUInstallDirs' standard module to set destinations of installed files. Use uppercase "CURL" names instead of lowercase "curl" to match standard 'FindCURL.cmake' CMake module: * https://cmake.org/cmake/help/latest/module/FindCURL.html Meaning: * Install 'CURLConfig.cmake' instead of 'curl-config.cmake' * User should call 'find_package(CURL)' instead of 'find_package(curl)' Use 'configure_package_config_file' function to generate 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template file smaller and handle components better. E.g. current configuration report no error if user specified unknown components (note: new configuration expects no components, report error if user will try to specify any). Closes https://github.com/curl/curl/pull/2849
2018-09-30doh: only build if h2 enabledDaniel Stenberg
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH". Reported-by: Marcel Raad Closes #3066
2018-09-29multi: fix memory leak in content encoding related error pathDaniel Stenberg
... a missing multi_done() call. Credit to OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728 Closes #3063
2018-09-28multi: fix location URL memleak in error pathDaniel Stenberg
Follow-up to #3044 - fix a leak OSS-Fuzz detected Closes #3057
2018-09-28cmake: fixed path used in generation of docs/tests during curl build through ↵Sergei Nikulov
add_subdicectory(...)
2018-09-27curl_threads: fix classic MinGW compile breakMarcel Raad
Classic MinGW still has _beginthreadex's return type as unsigned long instead of uintptr_t [0]. uintptr_t is not even defined because of [1]. [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167 [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90 Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807 Closes https://github.com/curl/curl/pull/3051
2018-09-25Curl_http2_done: fix memleak in error pathDaniel Stenberg
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for early failures. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 Closes #3046
2018-09-25http: fix memleak in rewind error pathDaniel Stenberg
If the rewind would fail, a strdup() would not get freed. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 Closes #3044
2018-09-24Curl_retry_request: fix memory leakDaniel Stenberg
Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 Closes #3042
2018-09-24openssl: load built-in engines tooDaniel Stenberg
Regression since 38203f1 Reported-by: Jean Fabrice Fixes #3023 Closes #3040
2018-09-24OpenSSL: enable TLS 1.3 post-handshake authChristian Heimes
OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication. Fixes: https://github.com/curl/curl/issues/3026 Signed-off-by: Christian Heimes <christian@python.org> Closes https://github.com/curl/curl/pull/3027
2018-09-24Curl_dedotdotify(): always nul terminate returned string.Even Rouault
This fixes potential out-of-buffer access on "file:./" URL $ valgrind curl "file:./" ==24516== Memcheck, a memory error detector ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==24516== Command: /home/even/install-curl-git/bin/curl file:./ ==24516== ==24516== Conditional jump or move depends on uninitialised value(s) ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24516== by 0x4EBB315: seturl (urlapi.c:801) ==24516== by 0x4EBB568: parseurl (urlapi.c:861) ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) ==24516== by 0x4E67AEF: create_conn (url.c:3613) ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) ==24516== by 0x4E7558C: easy_transfer (easy.c:686) ==24516== by 0x4E75801: easy_perform (easy.c:779) ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) Was originally spotted by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 Credit to OSS-Fuzz Closes #3039
2018-09-23whitespace fixesViktor Szakats
- replace tabs with spaces where possible - remove line ending spaces - remove double/triple newlines at EOF - fix a non-UTF-8 character - cleanup a few indentations/line continuations in manual examples Closes https://github.com/curl/curl/pull/3037
2018-09-23http: add missing return code checkDaniel Stenberg
Detected by Coverity. CID 1439610. Follow-up from 46e164069d1a523 Closes #3034
2018-09-23ftp: don't access pointer before NULL checkDaniel Stenberg
Detected by Coverity. CID 1439611. Follow-up from 46e164069d1a523
2018-09-22url: use the URL API internally as wellDaniel Stenberg
... to make it a truly unified URL parser. Closes #3017
2018-09-22URL and mailmap updates, remove an obsolete directory [ci skip]Viktor Szakats
Closes https://github.com/curl/curl/pull/3031
2018-09-21Curl_saferealloc: Fixed typo in docblockErik Minekus
Closes #3029
2018-09-21urlapi: fix support for address scope in IPv6 numerical addressesDaniel Stenberg
Closes #3024
2018-09-21GnutTLS: TLS 1.3 supportLoganaden Velvindron
Closes #2971
2018-09-20vtls: fix ssl version "or later" behavior change for many backendsJay Satiro
- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012