path: root/lib
Age | Commit message | Author
2016-11-11 | URL-parser: for file://[host]/ URLs, the [host] must be localhost | Daniel Stenberg
    Previously, the [host] part was just ignored which made libcurl accept strange URLs misleading users, like "file://etc/passwd" which might've looked like it refers to "/etc/passwd" but is just "/passwd" since the "etc" is an ignored host name.
    Reported-by: Mike Crowe
    Assisted-by: Kamil Dudka
2016-11-11 | openssl: make sure to fail in the unlikely event that PRNG seeding fails | Daniel Stenberg
2016-11-11 | openssl: avoid unnecessary seeding if already done | Daniel Stenberg
    1.1.0+ does more of this by itself so we can avoid extra processing this way.
2016-11-11 | openssl: RAND_status always exists in OpenSSL >= 0.9.7 | Daniel Stenberg
    and remove RAND_screen from configure since nothing is using that function
2016-11-11 | Curl_pgrsUpdate: use dedicated function for time passed | Daniel Stenberg
2016-11-11 | realloc: use Curl_saferealloc to avoid common mistakes | Daniel Stenberg
    Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
2016-11-10 | openssl: raise the max_version to 1.3 if asked for | Daniel Stenberg
    Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when using boringssl.
2016-11-09 | vtls: Fail on unrecognized param for CURLOPT_SSLVERSION | Jay Satiro
    - Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the TLS 1.3 support was added in 6ad3add.
    - Homogenize across code for all backends the error message when TLS 1.3 is not available to "<backend>: TLS 1.3 is not yet supported".
    - Return an error when a user-specified ssl version is unrecognized.
    ---
    Prior to this change our code for some of the backends used the 'default' label in the switch statement (ie ver unrecognized) for ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT.
    Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html
    Reported-by: Kamil Dudka
2016-11-09 | SPNEGO: Fix memory leak when authentication fails | Isaac Boukris
    If SPNEGO fails, cleanup the negotiate handle right away.
    Fixes #1115
    Signed-off-by: Isaac Boukris <iboukris@gmail.com>
    Reported-by: ashman-p
2016-11-08 | printf: fix ".*f" handling | Daniel Stenberg
    It would always use precision 1 instead of reading it from the argument list as intended.
    Reported-by: Ray Satiro
    Bug: #1113
2016-11-07 | nss: silence warning 'SSL_NEXT_PROTO_EARLY_VALUE not handled in switch' | Kamil Dudka
    ... with nss-3.26.0 and newer
    Reported-by: Daniel Stenberg
2016-11-07 | openssl: initial TLS 1.3 adaptations | Daniel Stenberg
    BoringSSL supports TLSv1.3 already, but these changes don't seem to be enough to get it working.
2016-11-07 | ssh: check md5 fingerprints case insensitively (regression) | Daniel Stenberg
    Revert the change from ce8d09483eea but use the new function
    Reported-by: Kamil Dudka
    Bug: https://github.com/curl/curl/commit/ce8d09483eea2fcb1b50e323e1a8ed1f3613b2e3#commitcomment-19666146
2016-11-07 | vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3 | Kamil Dudka
    Fully implemented with the NSS backend only for now.
    Reviewed-by: Ray Satiro
2016-11-07 | nss: map CURL_SSLVERSION_DEFAULT to NSS default | Kamil Dudka
    ... but make sure we use at least TLSv1.0 according to libcurl API
    Reported-by: Cure53
    Reviewed-by: Ray Satiro
2016-11-07 | s/cURL/curl | Daniel Stenberg
    We're mostly saying just "curl" in lower case these days so here's a big cleanup to adapt to this reality. A few instances are left as the project could still formally be considered called cURL.
2016-11-07 | http2: Don't send header fields prohibited by HTTP/2 spec | Tatsuhiro Tsujikawa
    Previously, we just ignored "Connection" header field. But HTTP/2 specification actually prohibits a few more header fields. This commit ignores all of them so that we don't send these bad header fields.
    Bug: https://curl.haxx.se/mail/archive-2016-10/0033.html
    Reported-by: Ricki Hirner
    Closes https://github.com/curl/curl/pull/1092
2016-11-05 | easy: Initialize info variables on easy init and duphandle | Jay Satiro
    - Call Curl_initinfo on init and duphandle.
    Prior to this change the statistical and informational variables were simply zeroed by calloc on easy init and duphandle. While zero is the correct default value for almost all info variables, there is one where it isn't (filetime initializes to -1).
    Bug: https://github.com/curl/curl/issues/1103
    Reported-by: Neal Poole
2016-11-04 | mbedtls: fix build with mbedtls versions < 2.4.0 | Daniel Stenberg
    Regression added in 62a8095e714
    Reported-by: Tony Kelman
    Discussed in #1087
2016-11-02 | msvc: removed a straggling reference to strequal.c | Dan Fandrich
    Follow-up to 502acba2
2016-11-02 | ftp_done: don't clobber the passed in error code | Daniel Stenberg
    Coverity CID 1374359 pointed out the unused result value.
2016-11-02 | ftp: remove dead code in ftp_done | Daniel Stenberg
    Coverity CID 1374358
2016-11-01 | file: fix compiler warning | Michael Kaufmann
    follow-up to 46133aa5
2016-11-01 | strcase: fixed Metalink builds by redefining checkprefix() | Dan Fandrich
    ...to use the public function curl_strnequal(). This isn't ideal because it adds extra overhead to any internal calls to checkprefix.
    follow-up to 95bd2b3e
2016-10-31 | strcase: make the tool use curl_str[n]equal instead | Daniel Stenberg
    As they are after all part of the public API. Saves space and reduces complexity. Remove the strcase defines from the curlx_ family.
    Suggested-by: Dan Fandrich
    Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
2016-10-31 | gskit, nss: do not include strequal.h | Kamil Dudka
    follow-up to 811a693b80
2016-10-31 | strcasecompare: include curl.h in strcase.c | Dan Fandrich
    This should fix the "warning: 'curl_strequal' redeclared without dllimport attribute: previous dllimport ignored" message and subsequent link error on Windows because of the missing CURL_EXTERN on the prototype.
2016-10-31 | strcase: fix the remaining rawstr users | Daniel Stenberg
2016-10-31 | strcasecompare: replaced remaining rawstr.h with strcase.h | Dan Fandrich
    This is a followup to commit 811a693b
2016-10-31 | digest_sspi: fix include | Marcel Raad
    Fix compile break from 811a693b80
2016-10-31 | ldap: fix include | Daniel Stenberg
    Fix bug from 811a693b80
2016-10-31 | url: remove unconditional idn2.h include | Daniel Stenberg
    Mistake brought by 9c91ec778104a
2016-10-31 | curl_strequal: part of public API/ABI, needs to be kept | Daniel Stenberg
    These two public functions have been mentioned as deprecated for a very long time but since they are still part of the API and ABI we need to keep them around.
2016-10-31 | strcase: s/strequal/strcasecompare | Daniel Stenberg
    some more follow-ups to 811a693b80
2016-10-31 | ldap: fix strcase use | Daniel Stenberg
    follow-up to 811a693b80
2016-10-31 | cookie: replace use of fgets() with custom version | Daniel Stenberg
    ... that will ignore lines that are too long to fit in the buffer.
    CVE-2016-8615
    Bug: https://curl.haxx.se/docs/adv_20161102A.html
    Reported-by: Cure53
2016-10-31 | strcasecompare: all case insensitive string compares ignore locale now | Daniel Stenberg
    We had some confusion on when each function was used. We should not act differently on different locales anyway.
2016-10-31 | strcasecompare: is the new name for strequal() | Daniel Stenberg
    ... to make it less likely that we forget that the function actually does case insensitive compares. Also replaced several invocations of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-10-31 | ftp: check for previous path must be case sensitive! | Daniel Stenberg
    ... otherwise example.com/PATH and example.com/path would be assumed to be the same and they usually aren't!
2016-10-31 | SSH: check md5 fingerprint case sensitively | Daniel Stenberg
2016-10-31 | connectionexists: use case sensitive user/password comparisons | Daniel Stenberg
    CVE-2016-8616
    Bug: https://curl.haxx.se/docs/adv_20161102B.html
    Reported-by: Cure53
2016-10-31 | base64: check for integer overflow on large input | Daniel Stenberg
    CVE-2016-8617
    Bug: https://curl.haxx.se/docs/adv_20161102C.html
    Reported-by: Cure53
2016-10-31 | krb5: avoid realloc(0) | Daniel Stenberg
    If the requested size is zero, bail out with error instead of doing a realloc() that would cause a double-free: realloc(0) acts as a free() and then there's a second free in the cleanup path.
    CVE-2016-8619
    Bug: https://curl.haxx.se/docs/adv_20161102E.html
    Reported-by: Cure53
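An added example, not curl's own code, of a buffer grow routine that avoids the realloc(0) double-free described in the krb5 commit above and the classic p = realloc(p, n) leak on failure that safer realloc wrappers such as the Curl_saferealloc commit exist to prevent. The names dynbuf, dynbuf_grow and dynbuf_free are illustrative, not curl identifiers.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not curl's own code. A growable buffer whose grow step
 * avoids the mistakes the commits above describe. The names dynbuf,
 * dynbuf_grow and dynbuf_free are illustrative, not curl identifiers. */
struct dynbuf {
  unsigned char *p;  /* NULL when nothing is allocated */
  size_t alloc;      /* bytes allocated */
};

/* Safe in every state, including an already-released buffer. */
void dynbuf_free(struct dynbuf *d)
{
  free(d->p);
  d->p = NULL;
  d->alloc = 0;
}

/* Grow d to at least 'need' bytes. Returns 0 on success, -1 on error.
 * On error the buffer is released and d->p is NULL, so a caller whose
 * cleanup path calls dynbuf_free() never frees the same block twice. */
int dynbuf_grow(struct dynbuf *d, size_t need)
{
  unsigned char *np;
  size_t newalloc;

  /* realloc(ptr, 0) may free ptr and return NULL, which looks like a
   * failure: the double-free from the krb5 commit. Reject zero. */
  if(need == 0) {
    dynbuf_free(d);
    return -1;
  }
  if(need <= d->alloc)
    return 0;
  /* Double the allocation without letting the arithmetic wrap around. */
  newalloc = (d->alloc > SIZE_MAX / 2) ? need : d->alloc * 2;
  if(newalloc < need)
    newalloc = need;
  /* Keep the old pointer: p = realloc(p, n) would leak it on failure. */
  np = realloc(d->p, newalloc);
  if(!np) {
    dynbuf_free(d);
    return -1;
  }
  d->p = np;
  d->alloc = newalloc;
  return 0;
}
```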
2016-10-31 | aprintf: detect wrap-around when growing allocation | Daniel Stenberg
    On 32-bit systems we could otherwise wrap around after 2GB and allocate 0 bytes and crash.
    CVE-2016-8618
    Bug: https://curl.haxx.se/docs/adv_20161102D.html
    Reported-by: Cure53
2016-10-31 | parsedate: handle cut off numbers better | Daniel Stenberg
    ... and don't read outside of the given buffer!
    CVE-2016-8621
    Bug: https://curl.haxx.se/docs/adv_20161102G.html
    Reported-by: Luật Nguyễn
2016-10-31 | escape: avoid using curl_easy_unescape() internally | Daniel Stenberg
    Since the internal Curl_urldecode() function has a better API.
2016-10-31 | unescape: avoid integer overflow | Daniel Stenberg
    CVE-2016-8622
    Bug: https://curl.haxx.se/docs/adv_20161102H.html
    Reported-by: Cure53
2016-10-31 | cookies: getlist() now holds deep copies of all cookies | Daniel Stenberg
    Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface.
    CVE-2016-8623
    Bug: https://curl.haxx.se/docs/adv_20161102I.html
    Reported-by: Cure53
2016-10-31 | idn: switch to libidn2 use and IDNA2008 support | Daniel Stenberg
    CVE-2016-8625
    Bug: https://curl.haxx.se/docs/adv_20161102K.html
    Reported-by: Christian Heimes
2016-10-31 | urlparse: accept '#' as end of host name | Daniel Stenberg
    'http://example.com#@127.0.0.1/x.txt' equals a request to example.com for the '/' document with the rest of the URL being a fragment.
    CVE-2016-8624
    Bug: https://curl.haxx.se/docs/adv_20161102J.html
    Reported-by: Fernando Muñoz