| Age | Commit message (Collapse) | Author |
|---|
|
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!
Regression since 3f5da4e59a556fc (7.65.0)
Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
|
|
... by using the *_LAST define names better.
Closes #4321
|
|
Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333
|
|
Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).
We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:
failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));
Closes https://github.com/curl/curl/pull/4272
|
|
|
|
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.
Reported-by: Thomas Vegas
Closes #4315
|
|
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available. Existing code is preserved for older versions of
OpenSSL.
Closes #4304
|
|
|
|
Closes #4299
|
|
Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas
Closes #4307
|
|
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
|
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
|
|
|
|
Follow-up to f9c7ba9096ec2
Coverity CID 1453474
Closes #4291
|
|
For the 'proto' union within the connectdata struct.
Closes #4290
|
|
Closes #4289
|
|
Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.
Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918
Assisted-by: Max Dymond
Closes #4287
|
|
... it might otherwise return OK from this function leaving that pointer
uninitialized.
Bug: https://crbug.com/oss-fuzz/16907
Closes #4286
|
|
This allows the function to figure out if a unix domain socket has a
file name or not associated with it! When a socket is created with
socketpair(), as done in the fuzzer testing, the path struct member is
uninitialized and must not be accessed.
Bug: https://crbug.com/oss-fuzz/16699
Closes #4283
|
|
... to make sure we continue draining the queue until empty
Closes #4281
|
|
Found-by: Jeremy Lainé
|
|
... to trigger a new read to detect the stream close!
Closes #4275
|
|
Closes #4278
|
|
Closes #4274
|
|
Closes #4270
|
|
It could otherwise return an error even when closed correctly if GOAWAY
had been received previously.
Reported-by: Tom van der Woerdt
Fixes #4267
Closes #4268
|
|
This is a follow-up to https://github.com/curl/curl/pull/3864 .
Closes #4224
|
|
Closes #4265
|
|
Closes #4260
|
|
Closes #4259
|
|
|
|
Assisted-by: Tatsuhiro Tsujikawa
|
|
Fix read off end of array due to bad pointer math in getworkingpath for
SCP home directory case.
Closes #4258
|
|
and remove 'header_recvbuf', not used for anything
Reported-by: Jeremy Lainé
Closes #4257
|
|
Closes #4256
|
|
Follow-up to f9c7ba9096ec
The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
now.
Pointed-out-by: Gisle Vanem
Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638
Closes #4247
|
|
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"
Closes #4245
|
|
Closes #4244
|
|
Closes #4242
|
|
|
|
For a long time (since 7.28.1) we've returned error when setting the
value to 1 to make applications notice that we stopped supported the old
behavior for 1. Starting now, we treat 1 and 2 exactly the same.
Closes #4241
|
|
... but fall back and try "_netrc" too if the dot version didn't work.
Co-Authored-By: Steve Holme
|
|
... which of course doesn't have to be the same used at build-time.
Function just recently merged in ngtcp2.
|
|
To fix a segfault and to better deal with 0-RTT
Assisted-by: Tatsuhiro Tsujikawa
|
|
The quiche debug callback is global and can only be initialized once, so
make sure we don't do it multiple times (e.g. if multiple requests are
executed).
In addition this initializes the callback before the connection is
created, so we get logs for the handshake as well.
Closes #4236
|
|
Closes #4235
|
|
|
|
|
|
|
|
When a username and password are provided in the URL, they were wrongly
removed from the stored URL so that subsequent uses of the same URL
wouldn't find the crendentials. This made doing HTTP auth with multiple
connections (like Digest) mishave.
Regression from 46e164069d1a5230 (7.62.0)
Test case 335 added to verify.
Reported-by: Mike Crowe
Fixes #4228
Closes #4229
|
