aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-10-04doh: make sure TTL isn't re-inited by second (discarded?) responseDaniel Stenberg
Closes #3092
2018-10-03memory: ensure to check allocation resultsDaniel Gustafsson
The result of a memory allocation should always be checked, as we may run under memory pressure where even a small allocation can fail. This adds checking and error handling to a few cases where the allocation wasn't checked for success. In the ftp case, the freeing of the path variable is moved ahead of the allocation since there is little point in keeping it around across the strdup, and the separation makes for more readable code. In nwlib, the lock is aslo freed in the error path. Also bumps the copyright years on affected files. Closes #3084 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03comment: Fix multiple typos in function parametersDaniel Gustafsson
Ensure that the parameters in the comment match the actual names in the prototype. Closes #3079 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03nss: fix nssckbi module loading on WindowsJay Satiro
- Use .DLL extension instead of .so to load modules on Windows. Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html Reported-by: Maxime Legros Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442 Closes https://github.com/curl/curl/pull/3086
2018-10-02urlapi: starting with a drive letter on win32 is not an abs urlDaniel Stenberg
... and libcurl doesn't support any single-letter URL schemes (if there even exist any) so it should be fairly risk-free. Reported-by: Marcel Raad Fixes #3070 Closes #3071
2018-10-02doh: fix curl_easy_setopt argument typeMarcel Raad
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit MinGW.
2018-10-01CMake: Improve config installationRuslan Baratov
Use 'GNUInstallDirs' standard module to set destinations of installed files. Use uppercase "CURL" names instead of lowercase "curl" to match standard 'FindCURL.cmake' CMake module: * https://cmake.org/cmake/help/latest/module/FindCURL.html Meaning: * Install 'CURLConfig.cmake' instead of 'curl-config.cmake' * User should call 'find_package(CURL)' instead of 'find_package(curl)' Use 'configure_package_config_file' function to generate 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template file smaller and handle components better. E.g. current configuration report no error if user specified unknown components (note: new configuration expects no components, report error if user will try to specify any). Closes https://github.com/curl/curl/pull/2849
2018-09-30doh: only build if h2 enabledDaniel Stenberg
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH". Reported-by: Marcel Raad Closes #3066
2018-09-29multi: fix memory leak in content encoding related error pathDaniel Stenberg
... a missing multi_done() call. Credit to OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728 Closes #3063
2018-09-28multi: fix location URL memleak in error pathDaniel Stenberg
Follow-up to #3044 - fix a leak OSS-Fuzz detected Closes #3057
2018-09-28cmake: fixed path used in generation of docs/tests during curl build through ↵Sergei Nikulov
add_subdicectory(...)
2018-09-27curl_threads: fix classic MinGW compile breakMarcel Raad
Classic MinGW still has _beginthreadex's return type as unsigned long instead of uintptr_t [0]. uintptr_t is not even defined because of [1]. [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167 [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90 Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807 Closes https://github.com/curl/curl/pull/3051
2018-09-25Curl_http2_done: fix memleak in error pathDaniel Stenberg
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for early failures. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669 Closes #3046
2018-09-25http: fix memleak in rewind error pathDaniel Stenberg
If the rewind would fail, a strdup() would not get freed. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665 Closes #3044
2018-09-24Curl_retry_request: fix memory leakDaniel Stenberg
Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 Closes #3042
2018-09-24openssl: load built-in engines tooDaniel Stenberg
Regression since 38203f1 Reported-by: Jean Fabrice Fixes #3023 Closes #3040
2018-09-24OpenSSL: enable TLS 1.3 post-handshake authChristian Heimes
OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication. Fixes: https://github.com/curl/curl/issues/3026 Signed-off-by: Christian Heimes <christian@python.org> Closes https://github.com/curl/curl/pull/3027
2018-09-24Curl_dedotdotify(): always nul terminate returned string.Even Rouault
This fixes potential out-of-buffer access on "file:./" URL $ valgrind curl "file:./" ==24516== Memcheck, a memory error detector ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==24516== Command: /home/even/install-curl-git/bin/curl file:./ ==24516== ==24516== Conditional jump or move depends on uninitialised value(s) ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24516== by 0x4EBB315: seturl (urlapi.c:801) ==24516== by 0x4EBB568: parseurl (urlapi.c:861) ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) ==24516== by 0x4E67AEF: create_conn (url.c:3613) ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) ==24516== by 0x4E7558C: easy_transfer (easy.c:686) ==24516== by 0x4E75801: easy_perform (easy.c:779) ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) Was originally spotted by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 Credit to OSS-Fuzz Closes #3039
2018-09-23whitespace fixesViktor Szakats
- replace tabs with spaces where possible - remove line ending spaces - remove double/triple newlines at EOF - fix a non-UTF-8 character - cleanup a few indentations/line continuations in manual examples Closes https://github.com/curl/curl/pull/3037
2018-09-23http: add missing return code checkDaniel Stenberg
Detected by Coverity. CID 1439610. Follow-up from 46e164069d1a523 Closes #3034
2018-09-23ftp: don't access pointer before NULL checkDaniel Stenberg
Detected by Coverity. CID 1439611. Follow-up from 46e164069d1a523
2018-09-22url: use the URL API internally as wellDaniel Stenberg
... to make it a truly unified URL parser. Closes #3017
2018-09-22URL and mailmap updates, remove an obsolete directory [ci skip]Viktor Szakats
Closes https://github.com/curl/curl/pull/3031
2018-09-21Curl_saferealloc: Fixed typo in docblockErik Minekus
Closes #3029
2018-09-21urlapi: fix support for address scope in IPv6 numerical addressesDaniel Stenberg
Closes #3024
2018-09-21GnutTLS: TLS 1.3 supportLoganaden Velvindron
Closes #2971
2018-09-20vtls: fix ssl version "or later" behavior change for many backendsJay Satiro
- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
2018-09-19urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptanceDaniel Stenberg
In order for this API to fully work for libcurl itself, it now offers a CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host name prefix just like libcurl always did. If there's no known prefix, it will guess "http://". Separately, it relaxes the check of the host name so that IDN host names can be passed in as well. Both these changes are necessary for libcurl itself to use this API. Assisted-by: Daniel Gustafsson Closes #3018
2018-09-19nss: try to connect even if libnssckbi.so fails to loadKamil Dudka
One can still use CA certificates stored in NSS database. Reported-by: Maxime Legros Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html Closes #3016
2018-09-19urlapi: don't set value which is never readDaniel Gustafsson
In the CURLUPART_URL case, there is no codepath which invokes url decoding so remove the assignment of the urldecode variable. This fixes the deadstore bug-report from clang static analysis. Closes #3015 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-18curl_multi_wait: call getsock before figuring out timeoutDaniel Stenberg
.... since getsock may update the expiry timer. Fixes #2996 Closes #3000
2018-09-18darwinssl: Fix realloc memleakDaniel Gustafsson
The reallocation was using the input pointer for the return value, which leads to a memory leak on reallication failure. Fix by instead use the safe internal API call Curl_saferealloc(). Closes #3005 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
2018-09-17memory: add missing curl_printf headerDaniel Gustafsson
ftp_send_command() was using vsnprintf() without including the libcurl *rintf() replacement header. Fix by including curl_printf.h and also add curl_memory.h while at it since memdebug.h depends on it. Closes #2999 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-16http: made Curl_add_buffer functions take a pointer-pointerDaniel Stenberg
... so that they can clear the original pointer on failure, which makes the error-paths and their cleanups easier. Closes #2992
2018-09-16http2: fix memory leaks on error-pathDaniel Stenberg
2018-09-14secure Openwall URLsViktor Szakats
2018-09-14openssl: show "proper" version number for libressl buildsDaniel Stenberg
Closes #2989
2018-09-14openssl: assume engine support in 0.9.8 or laterRainer Jung
Fixes #2983 Closes #2988
2018-09-13sendf: use failf() rather than Curl_failf()Daniel Gustafsson
The failf() macro is the name used for invoking Curl_failf(). While there isn't a way to turn off failf like there is for infof, but it's still a good idea to use the macro. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13sendf: Fix whitespace in infof/failf concatenationDaniel Gustafsson
Strings broken on multiple rows in the .c file need to have appropriate whitespace padding on either side of the concatenation point to render a correct amalgamated string. Fix by adding a space at the occurrences found. Closes #2986 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13krb5: fix memory leak in krb_authDaniel Gustafsson
The FTP command allocated by aprintf() must be freed after usage. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13ftp: include command in Curl_ftpsend sendbufferDaniel Gustafsson
Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed the actual command to be sent from the send buffer in a refactoring. Add back copying the command into the buffer. Also add more guards against malformed input while at it. Closes #2985 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13ntlm_wb: Fix memory leaks in ntlm_wb_responseDaniel Gustafsson
When erroring out on a request being too large, the existing buffer was leaked. Fix by explicitly freeing on the way out. Closes #2966 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13vtls: add a MesaLink vtls backendYiming Jing
Closes #2984
2018-09-13configure.ac: add a MesaLink vtls backendYiming Jing
2018-09-12lib: fix gcc8 warning on WindowsViktor Szakats
Closes https://github.com/curl/curl/pull/2979
2018-09-12openssl: fix gcc8 warningJay Satiro
- Use memcpy instead of strncpy to copy a string without termination, since gcc8 warns about using strncpy to copy as many bytes from a string as its length. Suggested-by: Viktor Szakats Closes https://github.com/curl/curl/issues/2980
2018-09-10cookies: Move failure case label to end of functionDaniel Gustafsson
Rather than jumping backwards to where failure cleanup happens to be performed, move the failure case to end of the function where it is expected per existing coding convention. Closes #2965
2018-09-10misc: fix typos in commentsDaniel Gustafsson
Closes #2963
2018-09-10cookies: fix leak when writing cookies to fileDaniel Gustafsson
If the formatting fails, we error out on a fatal error and clean up on the way out. The array was however freed within the wrong scope and was thus never freed in case the cookies were written to a file instead of STDOUT. Closes #2957