Age | Commit message (Collapse) | Author |
|
If the rewind would fail, a strdup() would not get freed.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
|
|
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
Closes #3042
|
|
Regression since 38203f1
Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
|
|
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.
Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>
Closes https://github.com/curl/curl/pull/3027
|
|
This fixes potential out-of-buffer access on "file:./" URL
$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516== by 0x4EBB315: seturl (urlapi.c:801)
==24516== by 0x4EBB568: parseurl (urlapi.c:861)
==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516== by 0x4E67AEF: create_conn (url.c:3613)
==24516== by 0x4E68A4F: Curl_connect (url.c:4119)
==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516== by 0x4E7558C: easy_transfer (easy.c:686)
==24516== by 0x4E75801: easy_perform (easy.c:779)
==24516== by 0x4E75868: curl_easy_perform (easy.c:798)
Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz
Closes #3039
|
|
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
in manual examples
Closes https://github.com/curl/curl/pull/3037
|
|
Detected by Coverity. CID 1439610.
Follow-up from 46e164069d1a523
Closes #3034
|
|
Detected by Coverity. CID 1439611.
Follow-up from 46e164069d1a523
|
|
... to make it a truly unified URL parser.
Closes #3017
|
|
Closes https://github.com/curl/curl/pull/3031
|
|
Closes #3029
|
|
Closes #3024
|
|
Closes #2971
|
|
- Treat CURL_SSLVERSION_MAX_NONE the same as
CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
the minimum version also as the maximum.
This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.
- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.
Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.
Co-authored-by: Daniel Gustafsson
Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
|
|
In order for this API to fully work for libcurl itself, it now offers a
CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
name prefix just like libcurl always did. If there's no known prefix, it
will guess "http://".
Separately, it relaxes the check of the host name so that IDN host names
can be passed in as well.
Both these changes are necessary for libcurl itself to use this API.
Assisted-by: Daniel Gustafsson
Closes #3018
|
|
One can still use CA certificates stored in NSS database.
Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Closes #3016
|
|
In the CURLUPART_URL case, there is no codepath which invokes url
decoding so remove the assignment of the urldecode variable. This
fixes the deadstore bug-report from clang static analysis.
Closes #3015
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
.... since getsock may update the expiry timer.
Fixes #2996
Closes #3000
|
|
The reallocation was using the input pointer for the return value, which
leads to a memory leak on reallication failure. Fix by instead use the
safe internal API call Curl_saferealloc().
Closes #3005
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
|
|
ftp_send_command() was using vsnprintf() without including the libcurl
*rintf() replacement header. Fix by including curl_printf.h and also
add curl_memory.h while at it since memdebug.h depends on it.
Closes #2999
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
... so that they can clear the original pointer on failure, which makes
the error-paths and their cleanups easier.
Closes #2992
|
|
|
|
|
|
Closes #2989
|
|
Fixes #2983
Closes #2988
|
|
The failf() macro is the name used for invoking Curl_failf(). While
there isn't a way to turn off failf like there is for infof, but it's
still a good idea to use the macro.
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Strings broken on multiple rows in the .c file need to have appropriate
whitespace padding on either side of the concatenation point to render
a correct amalgamated string. Fix by adding a space at the occurrences
found.
Closes #2986
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
The FTP command allocated by aprintf() must be freed after usage.
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed
the actual command to be sent from the send buffer in a refactoring.
Add back copying the command into the buffer. Also add more guards
against malformed input while at it.
Closes #2985
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
When erroring out on a request being too large, the existing buffer was
leaked. Fix by explicitly freeing on the way out.
Closes #2966
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Closes #2984
|
|
|
|
Closes https://github.com/curl/curl/pull/2979
|
|
- Use memcpy instead of strncpy to copy a string without termination,
since gcc8 warns about using strncpy to copy as many bytes from a
string as its length.
Suggested-by: Viktor Szakats
Closes https://github.com/curl/curl/issues/2980
|
|
Rather than jumping backwards to where failure cleanup happens
to be performed, move the failure case to end of the function
where it is expected per existing coding convention.
Closes #2965
|
|
Closes #2963
|
|
If the formatting fails, we error out on a fatal error and
clean up on the way out. The array was however freed within
the wrong scope and was thus never freed in case the cookies
were written to a file instead of STDOUT.
Closes #2957
|
|
Expired cookies have already been purged at a later expiration time
before this check, so remove the redundant check.
closes #2962
|
|
Exit the realloc() loop if the response turns out ridiculously large to
avoid worse problems.
Reported-by: Harry Sintonen
Closes #2959
|
|
Closes #2960
|
|
Coverity CID 1439134
|
|
See header file and man pages for API. All documented API details work
and are tested in the 1560 test case.
Closes #2842
|
|
... including the associated option.
Fixes #2951
Closes #2952
|
|
Add functionality so that protocols can do custom keepalive on their
connections, when an external API function is called.
Add docs for the new options in 7.62.0
Closes #1641
|
|
Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.
Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.
Fixes #2724
Closes #2791
|
|
The gcc typecheck macros and coverity combined made it warn on the 2nd
argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it.
Coverity CID 1439115 and CID 1439114.
|
|
SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of
mingw and would require an ifdef otherwise.
Reported-by: Thomas Glanzmann
Approved-by: Marc Hörsken
Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html
Closes #2950
|
|
... and add "MAILINDEX".
As described in #2789, this is a suggested solution. Changing UID=xx to
actually get mail with UID xx and add "MAILINDEX" to get a mail with a
special index in the mail box (old behavior). So MAILINDEX=1 gives the
first non deleted mail in the mail box.
Fixes #2789
Closes #2815
|
|
This is step 3 of #2888.
Fixes #2888
Closes #2896
|
|
|