aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2016-06-06schannel: Disable ALPN on Windows < 8.1Steve Holme
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL fails on Windows < 8.1 so we need to disable ALPN on these OS versions. Inspiration provide by: Daniel Seither Closes #848 Fixes #840
2016-06-05checksrc: Add LoadLibrary to the banned functions listJay Satiro
LoadLibrary was supplanted by Curl_load_library for security reasons in 6df916d.
2016-06-05http: Fix HTTP/2 connection reuseJay Satiro
- Change the parser to not require a minor version for HTTP/2. HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2 in 8243a95 because the parser still expected a minor version. Bug: https://github.com/curl/curl/issues/855 Reported-by: Andrew Robbins, Frank Gevaerts
2016-06-04connect.c: Fixed compilation warning from commit 332e8d6164Steve Holme
connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
2016-06-04win32: Used centralised verify windows version functionSteve Holme
Closes #845
2016-06-04win32: Added verify windows version functionalitySteve Holme
2016-06-04win32: Introduced centralised verify windows version functionSteve Holme
2016-06-01makefile.m32: add crypt32 for winssl buildsViktor Szakats
Dependency added by 6cabd78 Closes #849
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01schannel: add CURLOPT_CERTINFO supportAndrew Kurushin
Closes #822
2016-05-31openssl: rename the private SSL_strerrorDaniel Stenberg
... to make it not look like an OpenSSL function
2016-05-31openssl: Use correct buffer sizes for error messagesMichael Kaufmann
Closes #844
2016-05-30URL parser: allow URLs to use one, two or three slashesDaniel Stenberg
Mostly in order to support broken web sites that redirect to broken URLs that are accepted by browsers. Browsers are typically even more leniant than this as the WHATWG URL spec they should allow an _infinite_ amount. I tested 8000 slashes with Firefox and it just worked. Added test case 1141, 1142 and 1143 to verify the new parser. Closes #791
2016-05-30cmake: Added missing mbedTLS supportRenaud Lehoux
Closes #837
2016-05-30mbedtls: removed unused variablesRenaud Lehoux
Closes #838
2016-05-30http: add CURLINFO_HTTP_VERSION and %{http_version}Frank Gevaerts
Adds access to the effectively used http version to both libcurl and curl. Closes #799
2016-05-30openssl: fix build with OPENSSL_NO_COMPMarcel Raad
With OPENSSL_NO_COMP defined, there is no function SSL_COMP_free_compression_methods Closes #836
2016-05-30memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNCGisle Vanem
Fixes #828
2016-05-30loadlibrary: Only load system DLLs from the system directorySteve Holme
Inspiration provided by: Daniel Stenberg and Ray Satiro Bug: https://curl.haxx.se/docs/adv_20160530.html Ref: Windows DLL hijacking with curl, CVE-2016-4802
2016-05-30ssh: fix version number check typoDaniel Stenberg
2016-05-29ssh: fix build for libssh2 before 1.2.6Daniel Stenberg
The statvfs functionality was added to libssh2 in that version, so we switch off that functionality when built with older libraries. Fixes #831
2016-05-24mbedtls: fix includes so snprintf() worksDaniel Stenberg
Regression from the previous *printf() rearrangements, this file missed to include the correct header to make sure snprintf() works universally. Reported-by: Moti Avrahami Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
2016-05-23checksrc.pl: Added variants of strcat() & strncat() to banned function listSteve Holme
Added support for checking the tchar, unicode and mbcs variants of strcat() and strncat() in the banned function list.
2016-05-23smtp: minor ident (white space) fixesDaniel Stenberg
2016-05-20openssl: cleanup must free compression methodsJay Satiro
- Free compression methods if OpenSSL 1.0.2 to avoid a memory leak. Bug: https://github.com/curl/curl/issues/817 Reported-by: jveazey@users.noreply.github.com
2016-05-20curl_multibyte: fix compiler errorGisle Vanem
While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was getting: f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '(' to follow 'CURL_EXTERN' f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085: 'curl_domalloc': not in formal parameter list
2016-05-19openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0Daniel Stenberg
See OpenSSL commit 21e001747d4a
2016-05-19http2: use HTTP/2 in the HTTP/1.1-alike headerDaniel Stenberg
... when generating them, not "2.0" as the protocol is called just HTTP/2 and nothing else.
2016-05-18schannel: fix compile break with MSVC XP toolsetMarcel Raad
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK 7.1 is used. In this case, _USING_V110_SDK71_ is defined. Closes #812
2016-05-17mbedtls/polarssl: set "hostname" unconditionallyDaniel Stenberg
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
2016-05-17openssl: get_cert_chain: fix NULL dereferenceDaniel Stenberg
CID 1361815: Explicit null dereferenced (FORWARD_NULL)
2016-05-17openssl: get_cert_chain: avoid NULL dereferenceDaniel Stenberg
CID 1361811: Explicit null dereferenced (FORWARD_NULL)
2016-05-17dprintf_formatf: fix (false?) Coverity warningDaniel Stenberg
CID 1024412: Memory - illegal accesses (OVERRUN). Claimed to happen when we run over 'workend' but the condition says <= workend and for all I can see it should be safe. Compensating for the warning by adding a byte margin in the buffer. Also, removed the extra brace level indentation in the code and made it so that 'workend' is only assigned once within the function.
2016-05-15ftp: fix incorrect out-of-memory code in Curl_pretransferJay Satiro
- Return value type must match function type. s/CURLM_OUT_OF_MEMORY/CURLE_OUT_OF_MEMORY/ Caught by Travis CI
2016-05-15ftp wildcard: segfault due to init only in multi_performDaniel Stenberg
The proper FTP wildcard init is now more properly done in Curl_pretransfer() and the corresponding cleanup in Curl_close(). The previous place of init/cleanup code made the internal pointer to be NULL when this feature was used with the multi_socket() API, as it was made within the curl_multi_perform() function. Reported-by: Jonathan Cardoso Machado Fixes #800
2016-05-13darwinssl.c: fix OS X codename typo in commentViktor Szakats
2016-05-13mprintf: Fix processing of width and prec argsJay Satiro
Prior to this change a width arg could be erroneously output, and also width and precision args could not be used together without crashing. "%0*d%s", 2, 9, "foo" Before: "092" After: "09foo" "%*.*s", 5, 2, "foo" Before: crash After: " fo" Test 557 is updated to verify this and more
2016-05-13ConnectionExists: follow-up fix for proxy re-useMichael Kaufmann
Follow-up commit to 5823179 Closes #648
2016-05-12darwinssl: fix certificate verification disable on OS X 10.8Per Malmberg
The new way of disabling certificate verification doesn't work on Mountain Lion (OS X 10.8) so we need to use the old way in that version too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 and 10.11. Closes #802
2016-05-12http2: Add space between colon and header valueCory Benfield
curl's representation of HTTP/2 responses involves transforming the response to a format that is similar to HTTP/1.1. Prior to this change, curl would do this by separating header names and values with only a colon, without introducing a space after the colon. While this is technically a valid way to represent a HTTP/1.1 header block, it is much more common to see a space following the colon. This change introduces that space, to ensure that incautious tools are safely able to parse the header block. This also ensures that the difference between the HTTP/1.1 and HTTP/2 response layout is as minimal as possible. Bug: https://github.com/curl/curl/issues/797 Closes #798 Fixes #797
2016-05-12openssl: fix compile-time warning in Curl_ossl_check_cxn()Kamil Dudka
... introduced in curl-7_48_0-293-g2968c83: Error: COMPILER_WARNING: lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’ may alter its value [-Wconversion]
2016-05-11openssl: stricter connection check functionJay Satiro
- In the case of recv error, limit returning 'connection still in place' to EINPROGRESS, EAGAIN and EWOULDBLOCK. This is an improvement on the parent commit which changed the openssl connection check to use recv MSG_PEEK instead of SSL_peek. Ref: https://github.com/curl/curl/commit/856baf5#comments
2016-05-11TLS: SSL_peek is not a const operationAnders Bakken
Calling SSL_peek can cause bytes to be read from the raw socket which in turn can upset the select machinery that determines whether there's data available on the socket. Since Curl_ossl_check_cxn only tries to determine whether the socket is alive and doesn't actually need to see the bytes SSL_peek seems like the wrong function to call. We're able to occasionally reproduce a connect timeout due to this bug. What happens is that Curl doesn't know to call SSL_connect again after the peek happens since data is buffered in the SSL buffer and thus select won't fire for this socket. Closes #795
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-08connect: fix invalid "Network is unreachable" errorsAntonio Larrosa
Sometimes, in systems with both ipv4 and ipv6 addresses but where the network doesn't support ipv6, Curl_is_connected returns an error (intermittently) even if the ipv4 socket connects successfully. This happens because there's a for-loop that iterates on the sockets but the error variable is not resetted when the ipv4 is checked and is ok. This patch fixes this problem by setting error to 0 when checking the second socket and not having a result yet. Fixes #794
2016-05-03connections: non-HTTP proxies on different ports aren't reused eitherDaniel Stenberg
Reported-by: Oleg Pudeyev and fuchaoqun Fixes #648
2016-05-02http: make sure a blank header overrides accept_decodingDaniel Stenberg
Reported-by: rcanavan Assisted-by: Isaac Boukris Closes #785
2016-05-01tls: make setting pinnedkey option fail if not supportedDaniel Stenberg
to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
2016-04-29lib: include curl_printf.h as one of the last headersDaniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-04-29memdebug.h: remove inclusion of other headersDaniel Stenberg
Mostly because they're not needed, because memdebug.h is always included last of all headers so the others already included the correct ones. But also, starting now we don't want this to accidentally include any system headers, as the header included _before_ this header may add defines and other fun stuff that we won't want used in system includes.