aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-09-03openssl: Fix setting TLS 1.3 cipher suitesJay Satiro
The flag indicating TLS 1.3 cipher support in the OpenSSL backend was missing. Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 Reported-by: Kamil Dudka Closes #2926
2018-09-03Curl_ntlm_core_mk_nt_hash: return error on too long passwordDaniel Stenberg
... since it would cause an integer overflow if longer than (max size_t / 2). This is CVE-2018-14618 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html Closes #2756 Reported-by: Zhaoyang Wu
2018-09-02http2: Use correct format identifier for stream_idRikard Falkeborn
Closes #2928
2018-09-01all: s/int/size_t cleanupDaniel Stenberg
Assisted-by: Rikard Falkeborn Closes #2922
2018-09-01ssh-libssh: use FALLTHROUGH to silence gcc8Daniel Stenberg
2018-08-31cookies: support creation-time attribute for cookiesDaniel Gustafsson
According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read fro the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
2018-08-24curl_threads: silence bad-function-cast warningMarcel Raad
As uintptr_t and HANDLE are always the same size, this warning is harmless. Just silence it using an intermediate uintptr_t variable. Closes https://github.com/curl/curl/pull/2908
2018-08-24schannel: client certificate store opening fixIhor Karpenko
1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) while opening certificate store would be sufficient in this scenario and less-demanding in sense of required user credentials ( for example, IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore call without any of flags mentioned above ), 2) as 'cert_store_name' is a DWORD, attempt to format its value like a string ( in "Failed to open cert store" error message ) will throw null pointer exception 3) adding GetLastError(), in my opinion, will make error message more useful. Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html Closes #2909
2018-08-24gopher: Do not translate `?' to `%09'Leonardo Taccari
Since GOPHER support was added in curl `?' character was automatically translated to `%09' (`\t'). However, this behaviour does not seems documented in RFC 4266 and for search selectors it is documented to directly use `%09' in the URL. Apart that several gopher servers in the current gopherspace have CGI support where `?' is used as part of the selector and translating it to `%09' often leads to surprising results. Closes #2910
2018-08-22http2: abort the send_callback if not setup yetDaniel Stenberg
When Curl_http2_done() gets called before the http2 data is setup all the way, we cannot send anything and this should just return an error. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
2018-08-21http2: remove four unused nghttp2 callbacksDaniel Stenberg
Closes #2903
2018-08-21x509asn1: use FALLTHROUGHDaniel Stenberg
... as no other comments are accepted since 014ed7c22f51463
2018-08-21curl-compilers: enable -Wimplicit-fallthrough=4 for GCCMarcel Raad
This enables level 4 instead of the default level 3, which of the currently used comments only allows /* FALLTHROUGH */ to silence the warning. Closes https://github.com/curl/curl/pull/2747
2018-08-21Remove unused definitionsMarcel Raad
Closes https://github.com/curl/curl/pull/2747
2018-08-21x509asn1: make several functions staticDaniel Stenberg
and remove the private SIZE_T_MAX define and use the generic one. Closes #2902
2018-08-21http2: avoid set_stream_user_data() before stream is assignedDaniel Stenberg
... before the stream is started, we have it set to -1. Fixes #2894 Closes #2898
2018-08-18upload: change default UPLOAD_BUFSIZE to 64KBDaniel Stenberg
To make uploads significantly faster in some circumstances. Part 2 of #2888 Closes #2892
2018-08-18upload: allocate upload buffer on-demandDaniel Stenberg
Saves 16KB on the easy handle for operations that don't need that buffer. Part 1 of #2888
2018-08-18vtls: reinstantiate engine on duplicated handlesLaurent Bonnans
Handles created with curl_easy_duphandle do not use the SSL engine set up in the original handle. This fixes the issue by storing the engine name in the internal url state and setting the engine from its name inside curl_easy_duphandle. Reported-by: Anton Gerasimov Signed-of-by: Laurent Bonnans Fixes #2829 Closes #2833
2018-08-17http2: make sure to send after RST_STREAMDaniel Stenberg
If this is the last stream on this connection, the RST_STREAM might not get pushed to the wire otherwise. Fixes #2882 Closes #2887 Researched-by: Michael Kaufmann
2018-08-16urldata: remove unused pipe_broke struct fieldDaniel Stenberg
This struct field is never set TRUE in any existing code path. This change removes the field completely. Closes #2871
2018-08-15http2: check nghttp2_session_set_stream_user_data return codeDaniel Stenberg
Might help bug #2688 debugging Closes #2880
2018-08-15CMake: CMake config files are defining CURL_STATICLIB for static buildsAdrien
This change allows to use the CMake config files generated by Curl's CMake scripts for static builds of the library. The symbol CURL_STATIC lib must be defined to compile downstream, thus the config package is the perfect place to do so. Fixes #2817 Closes #2823 Reported-by: adnn on github Reviewed-by: Sergei Nikulov
2018-08-14ssh-libssh: fix infinite connect loop on invalid private keyKamil Dudka
Added test 656 (based on test 604) to verify the fix. Bug: https://bugzilla.redhat.com/1595135 Closes #2879
2018-08-14ssh-libssh: reduce excessive verbose output about pubkey authKamil Dudka
The verbose message "Authentication using SSH public key file" was printed each time the ssh_userauth_publickey_auto() was called, which meant each time a packet was transferred over network because the API operates in non-blocking mode. This patch makes sure that the verbose message is printed just once (when the authentication state is entered by the SSH state machine).
2018-08-13http: fix for tiny "HTTP/0.9" responseDaniel Stenberg
Deal with tiny "HTTP/0.9" (header-less) responses by checking the status-line early, even before a full "HTTP/" is received to allow detecting 0.9 properly. Test 1266 and 1267 added to verify. Fixes #2420 Closes #2872
2018-08-11GCC: silence -Wcast-function-type uniformlyMarcel Raad
Pointed-out-by: Rikard Falkeborn Closes https://github.com/curl/curl/pull/2860
2018-08-11Silence GCC 8 cast-function-type warningsMarcel Raad
On Windows, casting between unrelated function types is fine and sometimes even necessary, so just use an intermediate cast to (void (*) (void)) to silence the warning as described in [0]. [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html Closes https://github.com/curl/curl/pull/2860
2018-08-11CURLINFO_SIZE_UPLOAD: fix missing counter updateDaniel Stenberg
Adds test 1522 for verification. Reported-by: cjmsoregan Fixes #2847 Closes #2864
2018-08-10openssl: fix potential NULL pointer deref in is_pkcs11_uriDaniel Stenberg
Follow-up to 298d2565e Coverity CID 1438387
2018-08-09asyn-thread: Remove unused macroRikard Falkeborn
The macro seems to never have been used. Closes #2852
2018-08-09http_proxy: Remove unused macro SELECT_TIMEOUTRikard Falkeborn
Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22. Closes #2852
2018-08-09formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULTRikard Falkeborn
Its usage was removed in 84ad1fd3047815f9c6e78728bb351b828eac10b1. Closes #2852
2018-08-09telnet: Remove unused macros TELOPTS and TELCMDSRikard Falkeborn
Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51. Closes #2852
2018-08-09openssl: fix debug messagesDaniel Jelinski
Fixes #2806 Closes #2843
2018-08-08windows: follow up to the buffer-tuning 1ba1dba7Daniel Stenberg
Somehow I didn't include the amended version of the previous fix. This is the missing piece. Pointed-out-by: Viktor Szakats
2018-08-08windows: implement send buffer tuningDaniel Jelinski
Significantly enhances upload performance on modern Windows versions. Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html Closes #2762 Fixes #2224
2018-08-08ssl: set engine implicitly when a PKCS#11 URI is providedAnderson Toshiyuki Sasaki
This allows the use of PKCS#11 URI for certificates and keys without setting the corresponding type as "ENG" and the engine as "pkcs11" explicitly. If a PKCS#11 URI is provided for certificate, key, proxy_certificate or proxy_key, the corresponding type is set as "ENG" if not provided and the engine is set to "pkcs11" if not provided. Acked-by: Nikos Mavrogiannopoulos Closes #2333
2018-08-08CMake: Respect BUILD_SHARED_LIBSRuslan Baratov
Use standard CMake variable BUILD_SHARED_LIBS instead of introducing custom option CURL_STATICLIB. Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml. Reviewed-by: Sergei Nikulov Closes #2755
2018-08-03lib/Makefile: only do symbol hiding if told toDaniel Stenberg
This restores the ability to build a static lib with --disable-symbol-hiding to keep non-curl_ symbols. Researched-by: Dan Fandrich Reported-by: Ran Mozes Fixes #2830 Closes #2831
2018-08-02hostip: fix unused variable warningMarcel Raad
addresses is only used in an infof call, which is a macro expanding to nothing if CURL_DISABLE_VERBOSE_STRINGS is set.
2018-08-01smb: don't mark it done in smb_doDaniel Stenberg
Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its doing function too, which requires smb_do() to not mark itself as done... Closes #2822
2018-08-01general: fix printf specifiersRikard Falkeborn
Closes #2818
2018-07-31HTTP: Don't attempt to needlessly decompress redirect bodyHarry Sintonen
This change fixes a regression where redirect body would needlessly be decompressed even though it was to be ignored anyway. As it happens this causes secondary issues since there appears to be a bug in apache2 that it in certain conditions generates a corrupt zlib response. The regression was created by commit: dbcced8e32b50c068ac297106f0502ee200a1ebd Discovered-by: Harry Sintonen Closes #2798
2018-07-31retry: return error if rewind was necessary but didn't happenDaniel Jelinski
Fixes #2801 Closes #2812
2018-07-30http2: clear the drain counter in Curl_http2_doneDaniel Stenberg
Reported-by: Andrei Virtosu Fixes #2800 Closes #2809
2018-07-30smb: fix memory leak on early failureDaniel Stenberg
... by making sure connection related data (->share) is stored in the connection and not in the easy handle. Detected by OSS-fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 Fixes #2769 Closes #2810
2018-07-28conn_free: updated comment to clarifyDaniel Stenberg
Let's call it disassociate instead of disconnect since the latter term is used so much for (TCP) connections already.
2018-07-28mime: check Curl_rand_hex's return codeDaniel Stenberg
Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html Reported-by: Jeffrey Walton Closes #2795
2018-07-26wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_randomCarie Pointer
RNG structure must be freed by call to FreeRng after its use in Curl_cyassl_random. This call fixes Valgrind failures when running the test suite with wolfSSL. Closes #2784