| Age | Commit message (Collapse) | Author |
|---|
|
Curl_follow() no longer frees the string. Make sure it happens in the
caller function, like we normally handle allocations.
This bug was introduced with the use of the URL API internally, it has
never been in a release version
Reported-by: Dario Weißer
Closes #3149
|
|
Otherwise, closing that handle can still cause surprises!
Reported-by: Martin Ankerl
Fixes #3138
Closes #3147
|
|
As done in the autotools and CMake builds by default.
Closes https://github.com/curl/curl/pull/3137
|
|
Closes #3144
|
|
For IP addresses in the subject alternative name field, the length
of the IP address (and hence the number of bytes to perform a
memcmp on) is incorrectly calculated to be zero. The code previously
subtracted q from name.end. where in a successful case q = name.end
and therefore addrlen equalled 0. The change modifies the code to
subtract name.beg from name.end to calculate the length correctly.
The issue only affects libcurl with GSKit SSL, not other SSL backends.
The issue is not a security issue as IP verification would always fail.
Fixes #3102
Closes #3141
|
|
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
used.
|
|
Closes #3124
|
|
|
|
Also add a unique but common text ('bind via') to make it
easy to grep this specific failure regardless of platform.
Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
Closes https://github.com/curl/curl/pull/3118
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
|
|
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
on MinGW.
Closes https://github.com/curl/curl/pull/3113
|
|
Classic MinGW has neither InitializeCriticalSectionEx nor
GetTickCount64, independent of the target Windows version.
Closes https://github.com/curl/curl/pull/3113
|
|
as detected by codespell 1.14.0
Closes https://github.com/curl/curl/pull/3114
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
|
|
... when they return NULL we're out of memory and MUST return failure.
closes #3111
|
|
Closes #3110
|
|
Now FILE transfers send headers to the header callback like HTTP and
other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
work for FILE in the callbacks.
Makes "curl -i file://.." and "curl -I file://.." work like before
again. Applied the bold header logic to them too.
Regression from c1c2762 (7.61.0)
Reported-by: Shaun Jackman
Fixes #3083
Closes #3101
|
|
In case a very small buffer was passed to the version function, it could
result in the buffer not being NULL-terminated since strncpy() doesn't
guarantee a terminator on an overflowed buffer. Rather than adding code
to terminate (and handle zero-sized buffers), move to using snprintf()
instead like all the other vtls backends.
Closes #3105
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
|
|
Closes #3048
|
|
Ideally this will fix the reversed order shown in SPARC tests:
resp 8: Expected 127.0.0.1 got 1.0.0.127
Closes #3091
|
|
If a !checksrc! disable command specified to ignore zero errors, it was
still added to the ignore block even though nothing was ignored. While
there were no blocks ignored that shouldn't be ignored, the processing
ended with with a warning:
<filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
/* !checksrc! disable LONGLINE 0 */
^
Fix by instead treating a zero ignore as a a badcommand and throw a
warning for that one.
Closes #3096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Enable strict and warnings mode for checksrc to ensure we aren't missing
anything due to bugs in the checking code. This uncovered a few things
which are all fixed in this commit:
* several variables were used uninitialized
* several variables were not defined in the correct scope
* the whitelist filehandle was read even if the file didn't exist
* the enable_warn() call when a disable counter had expired was passing
incorrect variables, but since the checkwarn() call is unlikely to hit
(the counter is only decremented to zero on actual ignores) it didn't
manifest a problem.
Closes #3090
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
|
|
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.
Closes #3097
|
|
Closes #3092
|
|
The result of a memory allocation should always be checked, as we may
run under memory pressure where even a small allocation can fail. This
adds checking and error handling to a few cases where the allocation
wasn't checked for success. In the ftp case, the freeing of the path
variable is moved ahead of the allocation since there is little point
in keeping it around across the strdup, and the separation makes for
more readable code. In nwlib, the lock is aslo freed in the error path.
Also bumps the copyright years on affected files.
Closes #3084
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
Ensure that the parameters in the comment match the actual names in the
prototype.
Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
- Use .DLL extension instead of .so to load modules on Windows.
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Reported-by: Maxime Legros
Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442
Closes https://github.com/curl/curl/pull/3086
|
|
... and libcurl doesn't support any single-letter URL schemes (if there
even exist any) so it should be fairly risk-free.
Reported-by: Marcel Raad
Fixes #3070
Closes #3071
|
|
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
MinGW.
|
|
Use 'GNUInstallDirs' standard module to set destinations of installed
files.
Use uppercase "CURL" names instead of lowercase "curl" to match standard
'FindCURL.cmake' CMake module:
* https://cmake.org/cmake/help/latest/module/FindCURL.html
Meaning:
* Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
* User should call 'find_package(CURL)' instead of 'find_package(curl)'
Use 'configure_package_config_file' function to generate
'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
file smaller and handle components better. E.g. current configuration
report no error if user specified unknown components (note: new
configuration expects no components, report error if user will try to
specify any).
Closes https://github.com/curl/curl/pull/2849
|
|
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
of HTTP for use with DoH".
Reported-by: Marcel Raad
Closes #3066
|
|
... a missing multi_done() call.
Credit to OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
Closes #3063
|
|
Follow-up to #3044 - fix a leak OSS-Fuzz detected
Closes #3057
|
|
add_subdicectory(...)
|
|
Classic MinGW still has _beginthreadex's return type as unsigned long
instead of uintptr_t [0]. uintptr_t is not even defined because of [1].
[0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
[1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90
Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
Closes https://github.com/curl/curl/pull/3051
|
|
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
early failures.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
|
|
If the rewind would fail, a strdup() would not get freed.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
|
|
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
Closes #3042
|
|
Regression since 38203f1
Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
|
|
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.
Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>
Closes https://github.com/curl/curl/pull/3027
|
|
This fixes potential out-of-buffer access on "file:./" URL
$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516== by 0x4EBB315: seturl (urlapi.c:801)
==24516== by 0x4EBB568: parseurl (urlapi.c:861)
==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516== by 0x4E67AEF: create_conn (url.c:3613)
==24516== by 0x4E68A4F: Curl_connect (url.c:4119)
==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516== by 0x4E7558C: easy_transfer (easy.c:686)
==24516== by 0x4E75801: easy_perform (easy.c:779)
==24516== by 0x4E75868: curl_easy_perform (easy.c:798)
Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz
Closes #3039
|
|
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
in manual examples
Closes https://github.com/curl/curl/pull/3037
|
|
Detected by Coverity. CID 1439610.
Follow-up from 46e164069d1a523
Closes #3034
|
|
Detected by Coverity. CID 1439611.
Follow-up from 46e164069d1a523
|
|
... to make it a truly unified URL parser.
Closes #3017
|
|
Closes https://github.com/curl/curl/pull/3031
|
|
Closes #3029
|
|
Closes #3024
|
|
Closes #2971
|
|
- Treat CURL_SSLVERSION_MAX_NONE the same as
CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
the minimum version also as the maximum.
This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.
- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.
Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.
Co-authored-by: Daniel Gustafsson
Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
|
|
In order for this API to fully work for libcurl itself, it now offers a
CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
name prefix just like libcurl always did. If there's no known prefix, it
will guess "http://".
Separately, it relaxes the check of the host name so that IDN host names
can be passed in as well.
Both these changes are necessary for libcurl itself to use this API.
Assisted-by: Daniel Gustafsson
Closes #3018
|
|
One can still use CA certificates stored in NSS database.
Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Closes #3016
|
