aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-03-12FTP: reject path components with control codesDaniel Stenberg
Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
2018-03-12readwrite: make sure excess reads don't go beyond buffer endDaniel Stenberg
CVE-2018-1000122 Bug: https://curl.haxx.se/docs/adv_2018-b047.html Detected by OSS-fuzz
2018-03-11limit-rate: kick in even before "limit" data has been receivedDaniel Stenberg
... and make sure to avoid integer overflows with really large values. Reported-by: 刘佩东 Fixes #2371 Closes #2373
2018-03-11Curl_range: fix FTP-only and FILE-only buildsMichael Kaufmann
follow-up to e04417d
2018-03-11hostip: fix compiler warning: 'variable set but not used'Michael Kaufmann
2018-03-11HTTP: allow "header;" to replace an internal header with a blank oneDaniel Stenberg
Reported-by: Michael Kaufmann Fixes #2357 Closes #2362
2018-03-10http2: verbose output new MAX_CONCURRENT_STREAMS valuesDaniel Stenberg
... as it is interesting for many users.
2018-03-05WolfSSL: adding TLSv1.3sergii.kavunenko
Closes #2349
2018-03-04krb5: use nondeprecated functionsMarcel Raad
gss_seal/gss_unseal have been deprecated in favor of gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and "GSS_Unwrap() (formerly GSS_Unseal())". Use the nondeprecated functions to avoid deprecation warnings. [1] https://tools.ietf.org/html/rfc2078 [2] https://tools.ietf.org/html/rfc1964 Closes https://github.com/curl/curl/pull/2356
2018-03-04NO_PROXY: fix for IPv6 numericals in the URLDaniel Stenberg
Added test 1265 that verifies. Reported-by: steelman on github Fixes #2353 Closes #2355
2018-03-03curl_ctype: fix macro redefinition warningsMarcel Raad
On MinGW and Cygwin, GCC and clang have been complaining about macro redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this by undefining the macros before redefining them as suggested in https://github.com/curl/curl/pull/2269. Suggested-by: Daniel Stenberg
2018-02-28unit1309: fix warning on Windows x64Marcel Raad
When targeting x64, MinGW-w64 complains about conversions between 32-bit long and 64-bit pointers. Fix this by reusing the GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / CURLX_INTEGER_TO_POINTER_CAST. Closes https://github.com/curl/curl/pull/2341
2018-02-23spelling fixesViktor Szakats
Detected using the `codespell` tool. Also contains one URL protocol upgrade. Closes https://github.com/curl/curl/pull/2334
2018-02-21url: Add option CURLOPT_RESOLVER_START_FUNCTIONFrancisco Sedano
- Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that will be called every time before a new resolve request is started (ie before a host is resolved) with a pointer to backend-specific resolver data. Currently this is only useful for ares. - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to pass to the resolver start callback. Closes https://github.com/curl/curl/pull/2311
2018-02-21lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MSJay Satiro
- In keeping with the naming of our other connect timeout options rename CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS. This change adds the _MS suffix since the option expects milliseconds. This is more intuitive for our users since other connect timeout options that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS, CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS. The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms. Follow-up to 2427d94 which added the lib and tool option yesterday. Ref: https://github.com/curl/curl/pull/2260
2018-02-21sasl: prefer PLAIN mechanism over LOGINPatrick Monnerat
SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says PLAIN should be used instead if available.
2018-02-20url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUTAnders Bakken
- Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy eyeball timeout value. - Add new optval macro CURL_HET_DEFAULT to represent the default happy eyeballs timeout value (currently 200 ms). - Add new tool option --happy-eyeballs-timeout-ms to expose CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the other -timeout options in the tool expect seconds not milliseconds. Closes https://github.com/curl/curl/pull/2260
2018-02-20hostip: fix 'potentially uninitialized variable' warningJay Satiro
Follow-up to 50d1b33. Caught by AppVeyor.
2018-02-20CURLOPT_RESOLVE: Add support for multiple IP addresses per entryAnders Bakken
This enables users to preresolve but still take advantage of happy eyeballs and trying multiple addresses if some are not connecting. Ref: https://github.com/curl/curl/pull/2260
2018-02-16header callback: don't chop headers into smaller piecesDaniel Stenberg
Reported-by: Guido Berhoerster Fixes #2314 Closes #2316
2018-02-16http: fix the max header length detection logicDaniel Stenberg
Previously, it would only check for max length if the existing alloc buffer was to small to fit it, which often would make the header still get used. Reported-by: Guido Berhoerster Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html Closes #2315
2018-02-16ssh: add two missing state namesDaniel Stenberg
The list of state names (used in debug builds) was out of sync in relation to the list of states (used in all builds). I now added an assert to make sure the sizes of the two lists match, to aid in detecting this mistake better in the future. Regression since c92d2e14cf, shipped in 7.58.0. Reported-by: Somnath Kundu Fixes #2312 Closes #2313
2018-02-15non-ascii: fix implicit declaration warningJay Satiro
Follow-up to b46cfbc. Caught by Travis CI.
2018-02-15nss: use PK11_CreateManagedGenericObject() if availableKamil Dudka
... so that the memory allocated by applications using libcurl does not grow per each TLS connection. Bug: https://bugzilla.redhat.com/1510247 Closes #2297
2018-02-15TODO fixed: Detect when called from within callbacksBjörn Stenberg
Closes #2302
2018-02-13curl_gssapi: make sure this file too uses our *printf()Daniel Stenberg
2018-02-12smtp: fix processing of initial dot in dataPatrick Monnerat
RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command should be taken into account when chasing the <CRLF>.<CRLF> end marker. Thus a leading dot character in data is also subject to escaping. Tests 911 and test server are adapted to this situation. New tests 951 and 952 check proper handling of initial dot in data. Closes #2304
2018-02-12sha256: avoid redefineDaniel Stenberg
2018-02-12sha256: build with OpenSSL < 0.9.8 tooDouglas Mencken
support for SHA-2 was introduced in OpenSSL 0.9.8 Closes #2305
2018-02-12http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING onPatrick Monnerat
Bug: #2303 Reported-By: Henry Roeland
2018-02-09get_posix_time: only check for overflows if they can happen!Daniel Stenberg
2018-02-09schannel: fix "no previous prototype" compiler warningMichael Kaufmann
2018-02-09content_encoding: Add "none" alias to "identity"Mohammad AlSaleh
Some servers return a "content-encoding" header with a non-standard "none" value. Add "none" as an alias to "identity" as a work-around, to avoid unrecognised content encoding type errors. Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com> Closes https://github.com/curl/curl/pull/2298
2018-02-08schannel: fix compiler warningsMichael Kaufmann
Closes #2296
2018-02-07curl_addrinfo.c: Allow Unix Domain Sockets to compile under WindowsSteve Holme
Windows 10.0.17061 SDK introduces support for Unix Domain Sockets. Added the necessary include file to curl_addrinfo.c. Note: The SDK (which is considered beta) has to be installed, VS 2017 project file has to be re-targeted for Windows 10.0.17061 and #define enabled in config-win32.h.
2018-02-07fnmatch: optimize processing of consecutive *s and ?s pattern charactersPatrick Monnerat
Reported-By: Daniel Stenberg Fixes #2291 Closes #2293
2018-02-06openssl: Don't add verify locations when verifypeer==0Patrick Schlangen
When peer verification is disabled, calling SSL_CTX_load_verify_locations is not necessary. Only call it when verification is enabled to save resources and increase performance. Closes #2290
2018-02-05formdata: use the mime-content type functionDaniel Stenberg
Reduce code duplication by making Curl_mime_contenttype available and used by the formdata function. This also makes the formdata function recognize a set of more file extensions by default. PR #2280 brought this to my attention. Closes #2282
2018-02-02getdate: return -1 for out of rangeDaniel Stenberg
...as that's how the function is documented to work. Reported-by: Michael Kaufmann Bug found in an autobuild with 32 bit time_t Closes #2278
2018-02-01time_t-fixes: remove typecasts to 'long' for info.filetimeDaniel Stenberg
They're now wrong. Reported-by: Michael Kaufmann Closes #2277
2018-01-31curl_setup: move the precautionary define of SIZEOF_TIME_TDaniel Stenberg
... up to before it may be used for the TIME_T_MAX/MIN logic. Reported-by: Michael Kaufmann
2018-01-31parsedate: s/#if/#ifdefDaniel Stenberg
Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
2018-01-31fnmatch: pattern syntax can no longer failPatrick Monnerat
Whenever an expected pattern syntax rule cannot be matched, the character starting the rule loses its special meaning and the parsing is resumed: - backslash at the end of pattern string matches itself. - Error in [:keyword:] results in set containing :\[dekorwy. Unit test 1307 updated for this new situation. Closes #2273
2018-01-31fnmatch: accept an alphanum to be followed by a non-alphanum in char setPatrick Monnerat
Also be more tolerant about set pattern syntax. Update unit test 1307 accordingly. Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
2018-01-31fnmatch: do not match the empty string with a character setPatrick Monnerat
2018-01-30http2: set DEBUG_HTTP2 to enable more HTTP/2 loggingDaniel Stenberg
... instead of doing it unconditionally in debug builds. It cluttered up the output a little too much.
2018-01-30file: Check the return code from Curl_range and bail out on errorMax Dymond
2018-01-30Curl_range: add check to ensure "from <= to"Max Dymond
2018-01-30Curl_range: commonize FTP and FILE range handlingMax Dymond
Closes #2205
2018-01-30time: support > year 2038 time stamps for system with 32bit longDaniel Stenberg
... with the introduction of CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T. Fixes #2238 Closes #2264