| Age | Commit message (Collapse) | Author |
|---|
|
- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.
Closes #5338
|
|
It was not intended nor documented!
Added test 1176 to verify.
Reported-by: vshmuk on hackerone
Closes #4812
|
|
This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting in 7.66.0
when this new handle allocating scheme was introduced.
Reported-by: Peter Sumatra
Fixes #4393
Closes #4438
|
|
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.
Ref: #3876
Closes #3883
|
|
Detected by scan-build.
|
|
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.
Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
|
|
to help user understand what the problem is
Reported-by: Daniel Shahaf
Fixes #2763
Closes #2977
|
|
Closes #2963
|
|
This enables level 4 instead of the default level 3, which of the
currently used comments only allows /* FALLTHROUGH */ to silence the
warning.
Closes https://github.com/curl/curl/pull/2747
|
|
Closes https://github.com/curl/curl/pull/2747
|
|
- Get rid of variable that was generating false positive warning
(unitialized)
- Fix issues in tests
- Reduce scope of several variables all over
etc
Closes #2631
|
|
|
|
Assisted-by: Per Lundberg
Fixes #2044
Closes #2046
Closes #2048
|
|
|
|
|
|
Added test 1289 to verify.
CVE-2017-1000101
Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
|
|
The multiply() function that is used to avoid integer overflows, was
itself reason for a possible division by zero error when passed a
specially formatted glob.
Reported-by: GwanYeong Kim
|
|
|
|
For example allow ranges like [1-1] and [a-a] etc.
Regression since 5ca96cb.
Bug: https://github.com/curl/curl/issues/1238
Reported-by: R. Dennis Steed
|
|
In order to make the code style more uniform everywhere
|
|
Prior to this change we depended on errno if strtol could not perform a
conversion. POSIX says EINVAL *may* be set. Some implementations like
Microsoft's will not set it if there's no conversion.
Ref: https://github.com/curl/curl/commit/ee4f7660#commitcomment-19658189
|
|
|
|
|
|
Brought in ee4f76606cf
Added test case 1280 to verify
Reported-by: Dave Reisner
Bug: https://github.com/curl/curl/commit/ee4f76606cfa4ee068bf28edd37c8dae7e8db317#commitcomment-19823146
|
|
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
|
|
|
|
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
|
|
... causing SIGSEGV while parsing URL with too many globs.
Minimal example:
$ curl $(for i in $(seq 101); do printf '{a}'; done)
Reported-by: Romain Coltel
Bug: https://bugzilla.redhat.com/1340757
|
|
cppcheck warned:
[src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n'
is less than zero.
|
|
Allow --output to reserved dos device names without the device prefix
for backwards compatibility.
Example: --output NUL can be used instead of --output \\.\NUL
Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
Reported-by: Gisle Vanem
|
|
- Add unit test 1604 to test the sanitize_file_name function.
- Use -DCURL_STATICLIB when building libcurltool for unit testing.
- Better detection of reserved DOS device names.
- New flags to modify sanitize behavior:
SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- Restore sanitization of banned characters from user-specified outfile.
Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.
Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
|
|
|
|
In function glob_range, the number of urls was multiplied by (max - min
+ 1), regardless of step. The correct formula is (max - min) / step + 1
|
|
The glob_range function used wrong offset (3 instead of 4) for parsing
integer step inside character range specification, which led to 'bad
range' error when using character ranges with explicitly specified step
(such as '[a-z:2]')
|
|
|
|
As the former contruct apparently caused a compiler warning, mentioned
in d8efde07e556c.
|
|
There was a mix of GlobCode, CURLcode and ints and they were mostly
passing around CURLcode errors. This change makes the functions use only
CURLcode and removes the GlobCode type completely.
|
|
The loop in glob_next_url() needs to be done backwards to maintain the
logic. dc19789444 caused test 1235 to fail.
|
|
By counting from 0 and up instead of backwards like before, we remove
the need for the "funny" check of the unsigned variable when decreased
passed zero. Easier to read and less risk for compiler warnings.
|
|
|
|
The >= 0 is actually not required, since i underflows and
the for-loop is stopped using the < condition, but this
makes the VS2012 compiler and code analysis happy.
|
|
|
|
An enumerated type is mixed with another type.
|
|
I was tempted to change those to >= 0 until I saw that this is
actually a for loop that terminates once i underflows.
|
|
This makes it possible to fetch from an IPv6 literal without specifying
the -g option. Globbing remains available elsehwere in the URL.
For example:
curl http://[::1]/file[1-3].txt
This creates no ambiguity, because there is no overlap between the
syntax of valid globs and valid IPv6 literals. Globs contain hyphens
and at most 1 colon, while IPv6 literals have no hyphens, and at least 2
colons.
The peek_ipv6() parser simply whitelists a set of characters and counts
colons, because the real validation happens later on. The character set
includes A-Z, in case someone decides to implement support for scopes
like [fe80::1%25eth0] in the future.
Signed-off-by: Paul Marks <pmarks@google.com>
|
|
The "fixed string" function wrongly bumped the "urlnum" counter which
made curl output the total number of URLs wrong when using
{one,two,three} lists in globs.
Reported-by: Michael-O
Bug: http://curl.haxx.se/bug/view.cgi?id=1305
|
|
Regression since commit 5ca96cb844102 (release in 7.33.0)
Reported-by: Marcin Gryszkalis
|
|
Plain strings after glob ranges/lists weren't treated correctly but
caused broken URLs to get used.
Reported-by: Javier Barroso
|
|
Introduce a convenience macro and keep of the column better so that it
can point out the offending column better.
Updated test 75 accordingly.
|
|
By using the correct values from the start we don't have to translate
them!
|
