path: root/lib
Age | Commit message | Author
2013-07-24 | string formatting: fix 25+ printf-style format strings | Yang Tse
2013-07-23 | Makefile.am: use LDFLAGS as well when linking libcurl | Daniel Stenberg
Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded automake for the release builds. Bug: http://curl.haxx.se/bug/view.cgi?id=1217 Reported-by: Dagobert Michelsen
2013-07-23 | url.c: Fix dot file path cleanup when using an HTTP proxy | Fabian Keil
Previously the path was cleaned, but the URL wasn't properly updated.
2013-07-23 | dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify() | Fabian Keil
2013-07-21 | curl_multi_wait: fix revents | Daniel Stenberg
Commit 6d30f8ebed34e7276 didn't work properly. First, it used the wrong array index, but this fix also:
1 - only does the copying if indeed there was any activity
2 - makes sure to properly translate between internal and external bitfields, which are not guaranteed to match
Reported-by: Evgeny Turnaev
2013-07-19 | curl_easy_perform: gradually increase the delay time | Daniel Stenberg
Instead of going 50,100,150 etc millisecond delay time when nothing has been found to do or wait for, we now start lower and double each loop as in 4,8,16,32 etc. This lowers the minimum wait without sacrificing the longer wait too much with unnecessary CPU cycles burnt. Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html Reported-by: Andreas Malzahn
2013-07-19 | ftp_do_more: consider DO_MORE complete when server connects back | Daniel Stenberg
In the case of an active connection when ftp_do_more() detects that the server has connected back, it must make sure to mark it as complete so that the multi_runsingle() function will detect this and move on to the next state. Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html Reported-by: Clemens Gruber
2013-07-19 | Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1 | Yang Tse
2013-07-19 | WIN32 MemoryTracking: require UNICODE for wide strdup code support | Yang Tse
2013-07-18 | CURLOPT_XFERINFOFUNCTION: introducing a new progress callback | Daniel Stenberg
CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function and CURLOPT_PROGRESSFUNCTION is considered deprecated. This new callback uses pure 'curl_off_t' arguments to pass on full resolution sizes. It otherwise retains the same characteristics: the same call rate, the same meanings for the arguments and the return code is used the same way. The progressfunc.c example is updated to show how to use the new callback for newer libcurls while supporting the older one if built with an older libcurl or even built with a newer libcurl while running with an older.
2013-07-18 | Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage". | Yang Tse
This reverts commit 7ed25cc, reinstating commit 8ec2cb5. As of 18-jul-2013 we still do have code in libcurl that makes use of these memory functions. Commit 8ec2cb5 comment still applies and is yet valid. These memory functions are solely used in Windows builds, so all related code is protected with '#ifdef WIN32' preprocessor conditional compilation directives. Specifically, wcsdup() _wcsdup() are used when building a Windows target with UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case when building a Windows UNICODE target with Windows native SSL/TLS support enabled. Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage of these is hidden behind _tcsdup() which is MS way of dealing with code that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS header files and those compatible from other compilers use this preprocessor conditional compilation directive in order to select at compilation time whether 'wide' or 'ansi' MS API functions are used. Without this code, Windows build targets with Windows native SSL/TLS support enabled and MemoryTracking support enabled misbehave in tracking memory usage, regardless of being a UNICODE enabled build or not.
2013-07-18 | curl_multi_wait: set revents for extra fds | Evgeny Turnaev
Pass back the revents that happened for the user-provided file descriptors.
2013-07-17 | asyn-ares: Don't blank ares servers if none configured. | Ben Greear
Best to just let c-ares use its defaults if none are configured in (lib)curl. Signed-off-by: Ben Greear <greearb@candelatech.com>
2013-07-17 | cmake: Fix for MSVC2010 project generation | Sergei Nikulov
Fixed issue with static build for MSVC2010. After some investigation I've discovered known issue http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked to static lib it fails with following linker error
LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
file.obj : fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'X86'
Fix add target property /MACHINE: for MSVC generation. Also removed old workarounds - it caused errors during msvc build.
Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html
2013-07-16 | slist.c: Curl_slist_append_nodup() OOM handling fix | Yang Tse
2013-07-15 | curl_slist_append(): fix error detection | Patrick Monnerat
2013-07-15 | slist.c: fix indentation | Patrick Monnerat
2013-07-15 | OS400: new SSL backend GSKit | Patrick Monnerat
2013-07-15 | config-os400.h: enable system strdup(), strcmpi(), etc. | Patrick Monnerat
2013-07-15 | x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract | Patrick Monnerat
Use from qssl backend
2013-07-15 | ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL | Patrick Monnerat
2013-07-15 | Merge branch 'master' of github.com:bagder/curl | Patrick Monnerat
Merge for resync
2013-07-15 | slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup() | Patrick Monnerat
2013-07-15 | sslgen.c: fix Curl_rand() compiler warning | Yang Tse
Use simple seeding method upon RANDOM_FILE seeding method failure.
2013-07-15 | sslgen.c: fix unreleased Curl_rand() infinite recursion | Yang Tse
2013-07-14 | url.c: fix parse_url_login() OOM handling | Yang Tse
2013-07-12 | http_digest.c: SIGSEGV and OOM handling fixes | Yang Tse
2013-07-12 | url.c: fix parse_login_details() OOM handling | Yang Tse
2013-07-12 | setup-vms.h: sk_pop symbol tweak | John E. Malmberg
Newer versions of curl are referencing a sk_pop symbol while the HP OpenSSL library has the symbol in uppercase only.
2013-07-11 | getinfo.c: fix enumerated type mixed with another type | Yang Tse
2013-07-11 | url.c: fix SIGSEGV | Yang Tse
2013-07-11 | dotdot.c: fix global declaration shadowing | Yang Tse
2013-07-11 | easy.c: fix global declaration shadowing | Yang Tse
2013-07-08 | Added winssl-zlib target to VC builds. | Guenter Knauf
2013-07-08 | Synced Makefile.vc6 with recent changes. | Guenter Knauf
Issue posted to the list by malinowsky AT FTW DOT at.
2013-07-02 | darwinssl: SSLv2 connections are aborted if unsupported by the OS | Nick Zitzmann
I just noticed that OS X no longer supports SSLv2. Other TLS engines return an error if the requested protocol isn't supported by the underlying engine, so we do that now for SSLv2 if the framework returns an error when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is only enabled in curl when starting the app with the -2 argument; it's off by default. SSLv2 is really old and insecure.)
2013-06-30 | url: restore the functionality of 'curl -u :' | Kamil Dudka
This commit fixes a regression introduced in fddb7b44a79d78e05043e1c97e069308b6b85f79. Reported by: Markus Moeller Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
2013-06-25 | digest: append the timer to the random for the nonce | Daniel Stenberg
2013-06-25 | digest: improve nonce generation | Daniel Stenberg
Use the new improved Curl_rand() to generate better random nonce for Digest auth.
2013-06-25 | formpost: better random boundaries | Daniel Stenberg
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver.
My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much!
I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed.
The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same.
Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"
2013-06-25 | printf: make sure %x are treated unsigned | Daniel Stenberg
When using %x, the number must be treated as unsigned as otherwise it would get sign-extended on for example 64bit machines and do wrong output. This problem showed when doing printf("%08x", 0xffeeddcc) on a 64bit host.
2013-06-24 | SIGPIPE: don't use 'data' in sigpipe restore | Daniel Stenberg
Follow-up fix from 7d80ed64e43515. The SessionHandle may not be around to use when we restore the sigpipe sighandler so we store the no_signal boolean in the local struct to know if/how to restore.
2013-06-23 | c-ares: improve error message on failed resolve | Daniel Stenberg
When the c-ares based resolver backend failed to resolve a name, it tried to show the name that failed from existing structs. This caused the wrong output and shown hostname when for example --interface [hostname] was used and that name resolving failed. Now we use the hostname used in the actual resolve attempt in the error message as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1191 Reported-by: Kim Vandry
2013-06-23 | ossl_recv: check for an OpenSSL error, don't assume | Daniel Stenberg
When we recently started to treat a zero return code from SSL_read() as an error we also got false positives - which primarily looks to be because the OpenSSL documentation is wrong and a zero return code is not at all an error case in many situations. Now ossl_recv() will check with ERR_get_error() to see if there is a stored error and only then consider it to be a true error if SSL_read() returned zero. Bug: http://curl.haxx.se/bug/view.cgi?id=1249 Reported-by: Nach M. S. Patch-by: Nach M. S.
2013-06-22 | Merge branch 'master' of https://github.com/bagder/curl | Nick Zitzmann
2013-06-22 | darwinssl: fix crash that started happening in Lion | Nick Zitzmann
Something (a recent security update maybe?) changed in Lion, and now it has changed SSLCopyPeerTrust such that it may return noErr but also give us a null trust, which caught us off guard and caused an eventual crash.
2013-06-22 | SIGPIPE: ignored while inside the library | Daniel Stenberg
... and restore the ordinary handling again when it returns. This is done for curl_easy_perform() and curl_easy_cleanup() only for now - and only when built to use OpenSSL as backend as this is the known culprit for the spurious SIGPIPEs people have received. Bug: http://curl.haxx.se/bug/view.cgi?id=1180 Reported by: Lluís Batlle i Rossell
2013-06-22 | darwinssl: reform OS-specific #defines | Nick Zitzmann
This doesn't need to be in the release notes. I cleaned up a lot of the #if lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like __MAC_10_6 or whatever were defined, because for some SDKs Apple has released they were defined out of place.
2013-06-22 | dotdot: introducing dot file path cleanup | Daniel Stenberg
RFC3986 details how a path part passed in as part of a URI should be "cleaned" from dot sequences before getting used. The described algorithm is now implemented in lib/dotdot.c with the accompanied test case in test 1395. Bug: http://curl.haxx.se/bug/view.cgi?id=1200 Reported-by: Alex Vinnik
2013-06-22 | Curl_urldecode: no peeking beyond end of input buffer | Daniel Stenberg
Security problem: CVE-2013-2174
If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer...
Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
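The bounds problem described in the CVE-2013-2174 entry above, as an added example (not curl's code and not part of the original log): a percent-decoder that consumes a `%XX` escape only when all three bytes lie inside the caller-supplied length, and that indexes forward instead of subtracting from an unsigned remaining-bytes counter. The names `bounded_unescape` and `hexval` are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not a hex digit. */
static int hexval(unsigned char c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  if(c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Hypothetical decoder: decodes at most inlen bytes of 'in' into 'out',
   whose capacity outcap includes the terminating NUL.
   Returns the decoded length, or (size_t)-1 if 'out' is too small. */
size_t bounded_unescape(const char *in, size_t inlen,
                        char *out, size_t outcap)
{
  size_t i = 0, o = 0;
  if(outcap == 0)
    return (size_t)-1;
  while(i < inlen) {
    unsigned char c = (unsigned char)in[i];
    /* The flaw in the commit message: the two bytes after '%' were
       examined without checking they were inside the requested length,
       and an unsigned "bytes left" counter was then reduced by two and
       wrapped. Here i < inlen holds, so inlen - i cannot wrap, and the
       escape is decoded only when '%' plus two digits fit in the input. */
    if(c == '%' && inlen - i >= 3) {
      int hi = hexval((unsigned char)in[i + 1]);
      int lo = hexval((unsigned char)in[i + 2]);
      if(hi >= 0 && lo >= 0) {
        c = (unsigned char)(hi * 16 + lo);
        i += 2;                     /* skip the two hex digits */
      }
    }
    if(o + 1 >= outcap)             /* keep room for the NUL */
      return (size_t)-1;
    out[o++] = (char)c;
    i++;
  }
  out[o] = '\0';
  return o;
}

int main(void)
{
  char out[8];
  /* Constructed case from the commit message: "%FF" with length 1. */
  size_t n = bounded_unescape("%FF", 1, out, sizeof(out));
  printf("len=%zu out=\"%s\"\n", n, out);
  return 0;
}
```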