aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2016-10-18Curl_polarsslthreadlock_thread_setup: clear array at initDaniel Stenberg
... since if it fails to init the entire array and then tries to clean it up, it would attempt to work on an uninitialized pointer.
2016-10-18gopher: properly return error for poll failuresDaniel Stenberg
2016-10-18select: switch to macros in uppercaseDaniel Stenberg
Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-10-18select: use more proper macro-looking namesDaniel Stenberg
... so that it becomes more obvious in the code what is what. Also added a typecast for one of the calculations.
2016-10-18Curl_socket_check: add extra check to avoid integer overflowDaniel Stenberg
2016-10-17url: skip to-be-closed connections when pipelining (follow-up)Jay Satiro
- Change back behavior so that pipelining is considered possible for connections that have not yet reached the protocol level. This is a follow-up to e5f0b1a which had changed the behavior of checking if pipelining is possible to ignore connections that had 'bits.close' set. Connections that have not yet reached the protocol level also have that bit set, and we need to consider pipelining possible on those connections.
2016-10-16win: fix Universal Windows Platform buildMarcel Raad
This fixes a merge error in commit 7f3df80 caused by commit 332e8d6. Additionally, this changes Curl_verify_windows_version for Windows App builds to assume to always be running on the target Windows version. There seems to be no way to determine the Windows version from a UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the Version Helper functions are supported. Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878 Reported-by: Paul Joyce Closes https://github.com/curl/curl/pull/1048
2016-10-14url: skip to-be-closed connections when pipeliningRider Linden
No longer attempt to use "doomed" to-be-closed connections when pipelining. Prior to this change connections marked for deletion (e.g. timeout) would be erroneously used, resulting in sporadic crashes. As originally reported and fixed by Carlo Wood (origin unknown). Bug: https://github.com/curl/curl/issues/627 Reported-by: Rider Linden Closes https://github.com/curl/curl/pull/1075 Participation-by: nopjmp@users.noreply.github.com
2016-10-13vtls: only re-use session-ids using the same schemeDaniel Stenberg
To make it harder to do cross-protocol mistakes
2016-10-10cmake: add nghttp2 supportRemo E
Closes #922
2016-10-10resolve: add error message when resolving using SIGALRMAndreas Streichardt
Closes #1066
2016-10-09smb: properly check incoming packet boundariesTobias Stoeckmann
Not all reply messages were properly checked for their lengths, which made it possible to access uninitialized memory (but this does not lead to out of boundary accesses). Closes #1052
2016-10-08mprintf: return error on too many argumentsDaniel Stenberg
128 arguments should be enough for everyone
2016-10-08ftp: fix Curl_ftpsendf()Daniel Stenberg
... it no longer takes printf() arguments since it was only really taken advantage by one user and it was not written and used in a safe way. Thus the 'f' is removed from the function name and the proto is changed. Although the current code wouldn't end up in badness, it was a risk that future changes could end up springf()ing too large data or passing in a format string inadvertently.
2016-10-08formpost: avoid silent snprintf() truncationDaniel Stenberg
The previous use of snprintf() could make libcurl silently truncate some input data and not report that back on overly large input, which could make data get sent over the network in a bad format. Example: $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
2016-10-04memdup: use 'void *' as return and source typeDaniel Stenberg
2016-10-04formpost: trying to attach a directory no longer crashesDaniel Stenberg
The error path would previously add a freed entry to the linked list. Reported-by: Toby Peterson Fixes #1053
2016-10-03cookies: same domain handling changed to match browser behaviorSergei Kuzmin
Cokie with the same domain but different tailmatching property are now considered different and do not replace each other. If header contains following lines then two cookies will be set: Set-Cookie: foo=bar; domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz; domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 This matches Chrome, Opera, Safari, and Firefox behavior. When sending stored tokens to foo.com Chrome, Opera, Firefox store send them in the stored order, while Safari pre-sort the cookies. Closes #1050
2016-09-22New libcurl option to keep sending on errorMichael Kaufmann
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether sending the request body shall be completed when the server responds early with an error status code. This is suitable for manual NTLM authentication. Reviewed-by: Jay Satiro Closes https://github.com/curl/curl/pull/904
2016-09-22nss: add chacha20-poly1305 cipher suites if supported by NSSKamil Dudka
2016-09-22nss: add cipher suites using SHA384 if supported by NSSKamil Dudka
2016-09-22nss: fix typo in ecdhe_rsa_null cipher suite stringKamil Dudka
As it seems to be a rarely used cipher suite (for securely established but _unencrypted_ connections), I believe it is fine not to provide an alias for the misspelled variant.
2016-09-20easy: Reset all statistical session info in curl_easy_resetJay Satiro
Bug: https://github.com/curl/curl/issues/1017 Reported-by: Jeroen Ooms
2016-09-19darwinssl: Fix typo in commentDaniel Gustafsson
Closes https://github.com/curl/curl/pull/1028
2016-09-19libressl: fix version outputBernard Spil
LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all versions returning `LibreSSL/2.0.0` for any LibreSSL version. This change provides a local OpenSSL_version_num function replacement returning LIBRESSL_VERSION_NUMBER instead. Closes #1029
2016-09-19openssl: don't call ERR_remote_thread_state on >= 1.1.0Daniel Stenberg
Follow-up fix to d9321562
2016-09-19openssl: don’t call CRYTPO_cleanup_all_ex_dataDaniel Stenberg
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called multiple times without crashing - and other libs might call it! We basically cannot call it without risking a crash. The function is a no-op since OpenSSL 1.1.0. Not calling this function only risks a small memory leak with OpenSSL < 1.1.0. Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html Reported-by: Todd Short
2016-09-18darwinssl: disable RC4 cipher-suite supportNick Zitzmann
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-16http2: debug ouput sent HTTP/2 request headersDaniel Stenberg
2016-09-16http: accept "Transfer-Encoding: chunked" for HTTP/2 as wellDaniel Stenberg
... but don't send the actual header over the wire as it isn't accepted. Chunked uploading is still triggered using this method. Fixes #1013 Fixes #662
2016-09-14openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2Daniel Stenberg
OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread so we need to clean it when easy handles are freed, in case the thread will be killed in which the easy handle was used. All OpenSSL code in libcurl should extract the error in association with the error already so clearing this queue here should be harmless at worst. Fixes #964
2016-09-14curl_easy_unescape: deny negative string lengths as inputDaniel Stenberg
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14curl_easy_escape: deny negative string lengths as inputDaniel Stenberg
CVE-2016-7167 Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-12mbedtls: switch off NTLM in build if md4 isn't availableTony Kelman
NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS is built with the MD4 functions available, which it isn't in default builds. This now adapts if the funtion isn't there and builds libcurl without NTLM support if so. Fixes #1004
2016-09-11http: refuse to pass on response body with NO_NODY was setDaniel Stenberg
... like when a HTTP/0.9 response comes back without any headers at all and just a body this now prevents that body from being sent to the callback etc. Adapted test 1144 to verify. Fixes #973 Assisted-by: Ray Satiro
2016-09-10CMake: Try to (un-)hide private library symbolsJakub Zakrzewski
Detect support for compiler symbol visibility flags and apply those according to CURL_HIDDEN_SYMBOLS option. It should work true to the autotools build except it tries to unhide symbols on Windows when requested and prints warning if it fails. Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951 Reported-by: Daniel Stenberg
2016-09-09openssl: fix bad memory free (regression)Daniel Stenberg
... by partially reverting f975f06033b1. The allocation could be made by OpenSSL so the free must be made with OPENSSL_free() to avoid problems. Reported-by: Harold Stuart Fixes #1005
2016-09-09http2: support > 64bit sized uploadsDaniel Stenberg
... by making sure we don't count down the "upload left" counter when the uploaded size is unknown and then it can be allowed to continue forever. Fixes #996
2016-09-07errors: new alias CURLE_WEIRD_SERVER_REPLY (8)Jay Satiro
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as more of a generic "failed to parse" introduce an alias without FTP in the name. Closes https://github.com/curl/curl/pull/975
2016-09-07checksrc: detect strtok() useDaniel Stenberg
... as that function slipped through once before.
2016-09-07mk-ca-bundle.pl: use SHA256 instead of SHA1Viktor Szakats
This hash is used to verify the original downloaded certificate bundle and also included in the generated bundle's comment header. Also rename related internal symbols to algorithm-agnostic names.
2016-09-06openssl: fix CURLINFO_SSL_VERIFYRESULTGaurav Malhotra
CURLINFO_SSL_VERIFYRESULT does not get the certificate verification result when SSL_connect fails because of a certificate verification error. This fix saves the result of SSL_get_verify_result so that it is returned by CURLINFO_SSL_VERIFYRESULT. Closes https://github.com/curl/curl/pull/995
2016-09-06darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)Daniel Gustafsson
While noErr and errSecSuccess are defined as the same value, the API documentation states that SecPKCS12Import() returns errSecSuccess if there were no errors in importing. Ensure that a future change of the defined value doesn't break (however unlikely) and be consistent with the API docs.
2016-09-05openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000LMarcel Raad
With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is now called OpenSSL_version_num(). [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html Closes #992
2016-09-05http2: return EOF when done uploading without known sizeDaniel Stenberg
Fixes #982
2016-09-05http2: skip the content-length parsing, detect unknown sizeDaniel Stenberg
2016-09-05http2: minor white space editDaniel Stenberg
2016-09-05http2: use named define instead of magic constant in read callbackDaniel Stenberg
2016-09-04speed caps: not based on average speeds anymoreOlivier Brunel
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE & CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits with the cumulative average speed of the entire transfer; While this might work at times with good/constant connections, in other cases it can result to the limits simply being "ignored" for more than "short bursts" (as told in man page). Consider a download that goes on much slower than the limit for some time (because bandwidth is used elsewhere, server is slow, whatever the reason), then once things get better, curl would simply ignore the limit up until the average speed (since the beginning of the transfer) reached the limit. This could prove the limit useless to effectively avoid using the entire bandwidth (at least for quite some time). So instead, we now use a "moving starting point" as reference, and every time at least as much as the limit as been transferred, we can reset this starting point to the current position. This gets a good limiting effect that applies to the "current speed" with instant reactivity (in case of sudden speed burst). Closes #971
2016-08-31curl_sspi.c: Updated function description commentsSteve Holme
* Added description to Curl_sspi_free_identity() * Added parameter and return explanations to Curl_sspi_global_init() * Added parameter explaination to Curl_sspi_global_cleanup()