Age | Commit message (Collapse) | Author |
|
|
|
Bug born in changes made several days ago 9a91e80.
Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
|
|
This fixes using a multi-target mingw distro to build curl .dll for the
non-default target.
(mirroring the same patch present in src/makefile.m32)
|
|
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
|
|
|
|
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
|
|
|
|
So that it fits HTTP/2 as well
|
|
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
|
|
|
|
Reported-by: Brian Chrisman
|
|
white space changes only
|
|
To have engine modules work, we must tell openssl to load builtin
modules first.
Bug: https://github.com/bagder/curl/pull/206
|
|
The code extracting the cert serial number was broken and didn't display
it properly.
Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
|
|
Without this, SSPI based digest auth was broken.
Bug: https://github.com/bagder/curl/pull/141.patch
|
|
The 'default' token has no argument and means to match _any_ domain.
It must be placed last if there are 'machine <name>' tokens in the same file.
See full description here:
https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html
|
|
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
|
|
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
|
|
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
|
|
Bug: https://bugzilla.redhat.com/1195771
|
|
|
|
When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.
CVE-2015-3148
Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
|
|
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
|
|
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
|
|
CVE-2015-3143
Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
|
|
|
|
|
|
This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6.
Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
|
|
Prior to this change CyaSSL's build options could redefine some generic
build symbols.
http://curl.haxx.se/mail/lib-2015-04/0069.html
|
|
|
|
|
|
|
|
|
|
|
|
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.
Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
|
|
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
|
|
Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.
|
|
The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
rate_bps are both in bytes. When using the rate limiting option, curl
waits 8 times too long, and then transfers very quickly until the
average rate reaches the limit. The average rate follows the limit over
time, but the actual traffic is bursty.
Thanks-to: Benjamin Gilbert
|
|
The key length in bits will always fit in an unsigned long so the
loss-of-data warning assigning the result of x64 pointer arithmetic to
an unsigned long is unnecessary.
|
|
Also fix it so that all ERR_error_string calls use an error buffer.
CyaSSL's implementation of ERR_error_string only writes the error when
an error buffer is passed.
http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
|
|
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
messages since cyassl_connect_step2 is called multiple times, typically.
The message is superfluous even once since libcurl already informs the
user elsewhere in code that it is connecting.
|
|
introduced in the previous mini-series of 3 commits
|
|
- also log when a CURLOPT_RESOLVE entry couldn't get parsed
|
|
|
|
- cache entries must be also refreshed when they are in use
- have the cache count as inuse reference too, freeing timestamp == 0 special
value
- use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed
- remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh)
- fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special
reference anymore, and it would also release non CURLOPT_RESOLVE references
- fix locking in Curl_hostcache_clean
- fix unit1305.c: hash now keeps a reference, need to set inuse = 1
|
|
This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
|
|
SSL_CTX_load_verify_locations can return negative values on fail,
therefore to check for failure we check if load is != 1 (success)
instead of if load is == 0 (failure), the latter being incorrect given
that behavior.
|
|
Previously in Curl_http2_switched, we called nghttp2_session_mem_recv to
parse incoming data which were already received while curl was handling
upgrade. But we didn't call nghttp2_session_send, and it led to make
curl not send any response to the received frames. Most likely, we
received SETTINGS from server at this point, so we missed opportunity to
send SETTINGS + ACK. This commit adds missing nghttp2_session_send call
in Curl_http2_switched to fix this issue.
Bug: https://github.com/bagder/curl/issues/192
Reported-by: Stefan Eissing
|
|
"name =value" is fine and the space should just be skipped.
Updated test 31 to also test for this.
Bug: https://github.com/bagder/curl/issues/195
Reported-by: cromestant
Help-by: Frank Gevaerts
|
|
(Curl_cyassl_init)
- Return 1 on success, 0 in failure.
Prior to this change the fail path returned an incorrect value and the
evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
Ironically that combined with the way curl_global_init tests SSL library
initialization (!Curl_ssl_init()) meant that CyaSSL having been
successfully initialized would be seen as that even though the code path
and return value in Curl_cyassl_init were wrong.
|