aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2019-09-10urlapi: verify the IPv6 numerical addressDaniel Stenberg
It needs to parse correctly. Otherwise it could be tricked into letting through a-f using host names that libcurl would then resolve. Like '[ab.be]'. Reported-by: Thomas Vegas Closes #4315
2019-09-10openssl: use SSL_CTX_set_<min|max>_proto_version() when availableClément Notin
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL. Closes #4304
2019-09-10openssl: indent, re-organize and add commentsClément Notin
2019-09-10sspi: fix memory leaksmigueljcrum
Closes #4299
2019-09-09Curl_fillreadbuffer: avoid double-free trailer buf on errorDaniel Stenberg
Reviewed-by: Jay Satiro Reported-by: Thomas Vegas Closes #4307
2019-09-09security:read_data fix bad realloc()Daniel Stenberg
... that could end up a double-free CVE-2019-5481 Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
2019-09-09tftp: Alloc maximum blksize, and use default unless OACK is receivedThomas Vegas
Fixes potential buffer overflow from 'recvfrom()', should the server return an OACK without blksize. Bug: https://curl.haxx.se/docs/CVE-2019-5482.html CVE-2019-5482
2019-09-09tftp: return error when packet is too small for optionsThomas Vegas
2019-09-03netrc: free 'home' on errorDaniel Stenberg
Follow-up to f9c7ba9096ec2 Coverity CID 1453474 Closes #4291
2019-09-03urldata: avoid 'generic', use dedicated pointersDaniel Stenberg
For the 'proto' union within the connectdata struct. Closes #4290
2019-09-03cleanup: move functions out of url.c and make them staticDaniel Stenberg
Closes #4289
2019-09-03smtp: check for and bail out on too short EHLO responseDaniel Stenberg
Otherwise, a three byte response would make the smtp_state_ehlo_resp() function misbehave. Credit to OSS-Fuzz Bug: https://crbug.com/oss-fuzz/16918 Assisted-by: Max Dymond Closes #4287
2019-09-02smb: init *msg to NULL in smb_send_and_recv()Daniel Stenberg
... it might otherwise return OK from this function leaving that pointer uninitialized. Bug: https://crbug.com/oss-fuzz/16907 Closes #4286
2019-08-31Curl_addr2string: take an addrlen argument tooDaniel Stenberg
This allows the function to figure out if a unix domain socket has a file name or not associated with it! When a socket is created with socketpair(), as done in the fuzzer testing, the path struct member is uninitialized and must not be accessed. Bug: https://crbug.com/oss-fuzz/16699 Closes #4283
2019-08-30quiche: expire when poll returned dataDaniel Stenberg
... to make sure we continue draining the queue until empty Closes #4281
2019-08-30quiche: decrease available buffer size, don't assign it!Daniel Stenberg
Found-by: Jeremy Lainé
2019-08-29ngtcp2: on h3 stream close, call expireDaniel Stenberg
... to trigger a new read to detect the stream close! Closes #4275
2019-08-29ngtcp2: build latest ngtcp2 and ngtcp2_crypto_opensslTatsuhiro Tsujikawa
Closes #4278
2019-08-28ngtcp2: set flow control window to stream buffer sizeDaniel Stenberg
Closes #4274
2019-08-27ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_opensslTatsuhiro Tsujikawa
Closes #4270
2019-08-26http2: when marked for closure and wanted to close == OKDaniel Stenberg
It could otherwise return an error even when closed correctly if GOAWAY had been received previously. Reported-by: Tom van der Woerdt Fixes #4267 Closes #4268
2019-08-26vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failureKamil Dudka
This is a follow-up to https://github.com/curl/curl/pull/3864 . Closes #4224
2019-08-26quiche: send the HTTP body correctly on callback uploadsDaniel Stenberg
Closes #4265
2019-08-25ngtcp2: add support for SSLKEYLOGFILEDaniel Stenberg
Closes #4260
2019-08-25ngtcp2: improve h3 response receivingDaniel Stenberg
Closes #4259
2019-08-25ngtcp2: use nghttp3_version()Daniel Stenberg
2019-08-25ngtcp2: sync with upstream API changesDaniel Stenberg
Assisted-by: Tatsuhiro Tsujikawa
2019-08-24scp: fix directory name length used in memcpyKyle Abramowitz
Fix read off end of array due to bad pointer math in getworkingpath for SCP home directory case. Closes #4258
2019-08-24http: the 'closed' struct field is used by both ngh2 and ngh3Daniel Stenberg
and remove 'header_recvbuf', not used for anything Reported-by: Jeremy Lainé Closes #4257
2019-08-23ngtcp2: accept upload via callbackDaniel Stenberg
Closes #4256
2019-08-20cleanup: remove DOT_CHAR completelyDaniel Stenberg
Follow-up to f9c7ba9096ec The use of DOT_CHAR for ".ssh" was probably a mistake and is removed now. Pointed-out-by: Gisle Vanem Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 Closes #4247
2019-08-20spnego_sspi: add typecast to fix build warningDaniel Stenberg
Reported in build "Win32 target on Debian Stretch (64-bit) - i686-w64-mingw32 - gcc-20170516" Closes #4245
2019-08-20openssl: build warning free with boringsslDaniel Stenberg
Closes #4244
2019-08-20ngtcp2: make postfields-set posts workDaniel Stenberg
Closes #4242
2019-08-20http: remove chunked-encoding and expect header use for HTTP/3Daniel Stenberg
2019-08-20CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2Daniel Stenberg
For a long time (since 7.28.1) we've returned error when setting the value to 1 to make applications notice that we stopped supported the old behavior for 1. Starting now, we treat 1 and 2 exactly the same. Closes #4241
2019-08-20netrc: make the code try ".netrc" on Windows as wellDaniel Stenberg
... but fall back and try "_netrc" too if the dot version didn't work. Co-Authored-By: Steve Holme
2019-08-20ngtcp2: use ngtcp2_version() to get the run-time versionDaniel Stenberg
... which of course doesn't have to be the same used at build-time. Function just recently merged in ngtcp2.
2019-08-20ngtcp2: move the h3 initing to immediately after the rx keyDaniel Stenberg
To fix a segfault and to better deal with 0-RTT Assisted-by: Tatsuhiro Tsujikawa
2019-08-17quiche: register debug callback once and earlierAlessandro Ghedini
The quiche debug callback is global and can only be initialized once, so make sure we don't do it multiple times (e.g. if multiple requests are executed). In addition this initializes the callback before the connection is created, so we get logs for the handshake as well. Closes #4236
2019-08-17ssh: add a generic Curl_ssh_version function for SSH backendsDaniel Stenberg
Closes #4235
2019-08-17base64: check for SSH, not specific SSH backendsDaniel Stenberg
2019-08-17vssh: move ssh init/cleanup functions into backend codeDaniel Stenberg
2019-08-17vssh: create directory for SSH backend codeDaniel Stenberg
2019-08-16http: fix use of credentials from URL when using HTTP proxyDaniel Stenberg
When a username and password are provided in the URL, they were wrongly removed from the stored URL so that subsequent uses of the same URL wouldn't find the crendentials. This made doing HTTP auth with multiple connections (like Digest) mishave. Regression from 46e164069d1a5230 (7.62.0) Test case 335 added to verify. Reported-by: Mike Crowe Fixes #4228 Closes #4229
2019-08-15ngtcp2: provide the callbacks as a static structDaniel Stenberg
... instead of having them in quicsocket
2019-08-15ngtcp2: add missing nghttp3_conn_add_write_offset callTatsuhiro Tsujikawa
Closes #4225
2019-08-15ngtcp2: deal with stream closeTatsuhiro Tsujikawa
2019-08-15ngtcp2: Consume QUIC STREAM data properlyTatsuhiro Tsujikawa
2019-08-15ngtcp2: don't reinitialize SSL on RetryTatsuhiro Tsujikawa