aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-11-03infof: clearly indicate truncationDaniel Gustafsson
The internal buffer in infof() is limited to 2048 bytes of payload plus an additional byte for NULL termination. Servers with very long error messages can however cause truncation of the string, which currently isn't very clear, and leads to badly formatted output. This appends a "...\n" (or just "..." in case the format didn't with a newline char) marker to the end of the string to clearly show that it has been truncated. Also include a unittest covering infof() to try and catch any bugs introduced in this quite important function. Closes #3216 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-03url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
2018-11-03URL: fix IPv6 numeral address parserDaniel Stenberg
Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
2018-11-02mprintf: avoid unsigned integer overflow warningTim Rühsen
The overflow has no real world impact. Just avoid it for "best practice". Code change suggested by "The Infinnovation Team" and Daniel Stenberg. Closes #3184
2018-11-02Curl_follow: accept non-supported schemes for "fake" redirectsDaniel Stenberg
When not actually following the redirect and the target URL is only stored for later retrieval, curl always accepted "non-supported" schemes. This was a regression from 46e164069d1a5230. Reported-by: Brad King Fixes #3210 Closes #3215
2018-11-01axtls: removedDaniel Stenberg
As has been outlined in the DEPRECATE.md document, the axTLS code has been disabled for 6 months and is hereby removed. Use a better supported TLS library! Assisted-by: Daniel Gustafsson Closes #3194
2018-11-01schannel: make CURLOPT_CERTINFO support using Issuer chainmarcosdiazr
Closes #3197
2018-11-01schannel: use Curl_ prefix for global private symbolsDaniel Stenberg
Curl_verify_certificate() must use the Curl_ prefix since it is globally available in the lib and otherwise steps outside of our namespace! Closes #3201
2018-10-30vtls: add MesaLink to curl_sslbackend enumDaniel Gustafsson
MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the backend was never added to the curl_sslbackend enum in curl/curl.h. This adds the new backend to the enum and updates the relevant docs. Closes #3195 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-29Curl_auth_create_plain_message: fix too-large-input-checkDaniel Stenberg
CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29Curl_close: clear data->multi_easy on free to avoid use-after-freeDaniel Stenberg
Regression from b46cfbc068 (7.59.0) CVE-2018-16840 Reported-by: Brian Carpenter (Geeknik Labs) Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-27rand: add comment to skip a clang-tidy false positiveDaniel Stenberg
2018-10-27x509asn1: always check return code from getASN1Element()Daniel Stenberg
2018-10-27Makefile: add 'tidy' target that runs clang-tidyDaniel Stenberg
Available in the root, src and lib dirs. Closes #3163
2018-10-27x509asn1: suppress left shift on signed valuePatrick Monnerat
Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
2018-10-27multi: Fix error handling in the SENDPROTOCONNECT stateMichael Kaufmann
If Curl_protocol_connect() returns an error code, handle the error instead of switching to the next state. Closes #3170
2018-10-27openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg
When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
2018-10-26ssh: free the session on init failuresDaniel Gustafsson
Ensure to clear the session object in case the libssh2 initialization fails. It could be argued that the libssh2 error function should be called to get a proper error message in this case. But since the only error path in libssh2_knownhost_init() is memory a allocation failure it's safest to avoid since the libssh2 error handling allocates memory. Closes #3179 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26openssl: make 'done' a proper booleanDaniel Gustafsson
Closes #3176
2018-10-26gtls: Values stored to but never readDaniel Stenberg
Detected by clang-tidy Closes #3176
2018-10-26rtmp: fix for compiling with lwIPGisle Vanem
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, ^ curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) ^ Closes #3155
2018-10-25urldata: Fix comment in headerMichael Kaufmann
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25netrc: free temporary strings if memory allocation failsMichael Kaufmann
- Change the inout parameters after all needed memory has been allocated. Do not change them if something goes wrong. - Free the allocated temporary strings if strdup() fails. Closes #3122
2018-10-24config: Remove unused SIZEOF_VOIDPRuslan Baratov
Closes #3162
2018-10-23Fix for compiling with lwIP (3)Gisle Vanem
lwIP on Windows does not have a WSAIoctl() function. But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23Curl_follow: return better errors on URL problemsDaniel Stenberg
... by making the converter function global and accessible. Closes #3153
2018-10-23Curl_follow: remove remaining free(newurl)Daniel Stenberg
Follow-up to 05564e750e8f0c. This function no longer frees the passed-in URL. Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm ent-30985666
2018-10-23headers: end all headers with guard commentDaniel Gustafsson
Most headerfiles end with a /* <headerguard> */ comment, but it was missing from some. The comment isn't the most important part of our code documentation but consistency has an intrinsic value in itself. This adds header guard comments to the files that were lacking it. Closes #3158 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-19multi: avoid double-freeDaniel Stenberg
Curl_follow() no longer frees the string. Make sure it happens in the caller function, like we normally handle allocations. This bug was introduced with the use of the URL API internally, it has never been in a release version Reported-by: Dario Weißer Closes #3149
2018-10-19multi: make the closure handle "inherit" CURLOPT_NOSIGNALDaniel Stenberg
Otherwise, closing that handle can still cause surprises! Reported-by: Martin Ankerl Fixes #3138 Closes #3147
2018-10-19config_win32: enable LDAPSMarcel Raad
As done in the autotools and CMake builds by default. Closes https://github.com/curl/curl/pull/3137
2018-10-18travis: add build for "configure --disable-verbose"Daniel Stenberg
Closes #3144
2018-10-16x509asn1: Fix SAN IP address verificationMatthew Whitehead
For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
2018-10-14nonblock: fix unused parameter warningMarcel Raad
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not used.
2018-10-13Curl_follow: Always free the passed new URLMichael Kaufmann
Closes #3124
2018-10-10transfer: fix typo in commentDaniel Gustafsson
2018-10-09ldap: show precise LDAP call in error message on WindowsViktor Szakats
Also add a unique but common text ('bind via') to make it easy to grep this specific failure regardless of platform. Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468 Closes https://github.com/curl/curl/pull/3118 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09curl_setup: define NOGDI on WindowsMarcel Raad
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h> on MinGW. Closes https://github.com/curl/curl/pull/3113
2018-10-09Windows: fixes for MinGW targeting Windows VistaMarcel Raad
Classic MinGW has neither InitializeCriticalSectionEx nor GetTickCount64, independent of the target Windows version. Closes https://github.com/curl/curl/pull/3113
2018-10-08spelling fixes [ci skip]Viktor Szakats
as detected by codespell 1.14.0 Closes https://github.com/curl/curl/pull/3114 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-08curl_ntlm_wb: check aprintf() return codesDaniel Stenberg
... when they return NULL we're out of memory and MUST return failure. closes #3111
2018-10-08hostip: fix check on Curl_shuffle_addr return valueRick Deist
Closes #3110
2018-10-08FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER outputDaniel Stenberg
Now FILE transfers send headers to the header callback like HTTP and other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...) work for FILE in the callbacks. Makes "curl -i file://.." and "curl -I file://.." work like before again. Applied the bold header logic to them too. Regression from c1c2762 (7.61.0) Reported-by: Shaun Jackman Fixes #3083 Closes #3101
2018-10-07gskit: make sure to terminate version stringDaniel Gustafsson
In case a very small buffer was passed to the version function, it could result in the buffer not being NULL-terminated since strncpy() doesn't guarantee a terminator on an overflowed buffer. Rather than adding code to terminate (and handle zero-sized buffers), move to using snprintf() instead like all the other vtls backends. Closes #3105 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-05timeval: fix use of weak symbol clock_gettime() on Apple platformsdmitrykos
Closes #3048
2018-10-05doh: keep the IPv4 address in (original) network byte orderDaniel Stenberg
Ideally this will fix the reversed order shown in SPARC tests: resp 8: Expected 127.0.0.1 got 1.0.0.127 Closes #3091
2018-10-05checksrc: handle zero scoped ignore commandsDaniel Gustafsson
If a !checksrc! disable command specified to ignore zero errors, it was still added to the ignore block even though nothing was ignored. While there were no blocks ignored that shouldn't be ignored, the processing ended with with a warning: <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE) /* !checksrc! disable LONGLINE 0 */ ^ Fix by instead treating a zero ignore as a a badcommand and throw a warning for that one. Closes #3096 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05checksrc: enable strict mode and warningsDaniel Gustafsson
Enable strict and warnings mode for checksrc to ensure we aren't missing anything due to bugs in the checking code. This uncovered a few things which are all fixed in this commit: * several variables were used uninitialized * several variables were not defined in the correct scope * the whitelist filehandle was read even if the file didn't exist * the enable_warn() call when a disable counter had expired was passing incorrect variables, but since the checkwarn() call is unlikely to hit (the counter is only decremented to zero on actual ignores) it didn't manifest a problem. Closes #3090 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05cmake: test and set missed defines during configurationdmitrykos
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC. Closes #3097
2018-10-04doh: make sure TTL isn't re-inited by second (discarded?) responseDaniel Stenberg
Closes #3092