aboutsummaryrefslogtreecommitdiff
path: root/src/tool_urlglob.c
AgeCommit message (Collapse)Author
2016-10-31range: reject char globs with missing end like '[L-]'Daniel Stenberg
... which previously would lead to out of boundary reads. Reported-by: Luật Nguyễn
2016-10-31glob_next_url: make sure to stay within the given output bufferDaniel Stenberg
2016-10-31range: prevent negative end number in a glob rangeDaniel Stenberg
CVE-2016-8620 Bug: https://curl.haxx.se/docs/adv_20161102F.html Reported-by: Luật Nguyễn
2016-06-03tool_urlglob: fix off-by-one error in glob_parse()Kamil Dudka
... causing SIGSEGV while parsing URL with too many globs. Minimal example: $ curl $(for i in $(seq 101); do printf '{a}'; done) Reported-by: Romain Coltel Bug: https://bugzilla.redhat.com/1340757
2016-03-14curl: glob_range: no need to check unsigned variable for negativeDaniel Stenberg
cppcheck warned: [src/tool_urlglob.c:283]: (style) Checking if unsigned variable 'step_n' is less than zero.
2016-02-08tool_urlglob: Allow reserved dos device names (Windows)Jay Satiro
Allow --output to reserved dos device names without the device prefix for backwards compatibility. Example: --output NUL can be used instead of --output \\.\NUL Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863 Reported-by: Gisle Vanem
2016-02-05tool_doswin: Improve sanitization processingJay Satiro
- Add unit test 1604 to test the sanitize_file_name function. - Use -DCURL_STATICLIB when building libcurltool for unit testing. - Better detection of reserved DOS device names. - New flags to modify sanitize behavior: SANITIZE_ALLOW_COLONS: Allow colons SANITIZE_ALLOW_PATH: Allow path separators and colons SANITIZE_ALLOW_RESERVED: Allow reserved device names SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename - Restore sanitization of banned characters from user-specified outfile. Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through. Closes https://github.com/curl/curl/issues/624 Reported-by: Octavio Schroeder
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-03-25globbing: fix url number calculation when using range with stepEmil Lerner
In function glob_range, the number of urls was multiplied by (max - min + 1), regardless of step. The correct formula is (max - min) / step + 1
2015-03-25globbing: fix step parsing for character globbing rangesEmil Lerner
The glob_range function used wrong offset (3 instead of 4) for parsing integer step inside character range specification, which led to 'bad range' error when using character ranges with explicitly specified step (such as '[a-z:2]')
2015-03-03tool: use ENABLE_CURLX_PRINTF instead of _MPRINTF_REPLACEDaniel Stenberg
2014-12-16glob_next_url: make the loop count upwardsDaniel Stenberg
As the former contruct apparently caused a compiler warning, mentioned in d8efde07e556c.
2014-12-16tool_urlglob: unify return codes to use CURLcodeDaniel Stenberg
There was a mix of GlobCode, CURLcode and ints and they were mostly passing around CURLcode errors. This change makes the functions use only CURLcode and removes the GlobCode type completely.
2014-12-16tool_urlglob.c: partly reverse dc19789444Daniel Stenberg
The loop in glob_next_url() needs to be done backwards to maintain the logic. dc19789444 caused test 1235 to fail.
2014-12-14tool_urlglob.c: reverse two loopsDaniel Stenberg
By counting from 0 and up instead of backwards like before, we remove the need for the "funny" check of the unsigned variable when decreased passed zero. Easier to read and less risk for compiler warnings.
2014-12-14tool_urlglob.c: Added braces to clarify the conditionsMarc Hoersken
2014-12-14tool_urlglob.c: Silence warning C6293: Ill-defined for-loopMarc Hoersken
The >= 0 is actually not required, since i underflows and the for-loop is stopped using the < condition, but this makes the VS2012 compiler and code analysis happy.
2014-07-12Fixed some "statement not reached" warningsDan Fandrich
2014-05-09tool_urlglob.c: Fixed compilation warningSteve Holme
An enumerated type is mixed with another type.
2014-04-18tool_urlglob.c: added some comments to clarify for loop conditionsMarc Hoersken
I was tempted to change those to >= 0 until I saw that this is actually a for loop that terminates once i underflows.
2014-03-30curl: stop interpreting IPv6 literals as glob patterns.Paul Marks
This makes it possible to fetch from an IPv6 literal without specifying the -g option. Globbing remains available elsehwere in the URL. For example: curl http://[::1]/file[1-3].txt This creates no ambiguity, because there is no overlap between the syntax of valid globs and valid IPv6 literals. Globs contain hyphens and at most 1 colon, while IPv6 literals have no hyphens, and at least 2 colons. The peek_ipv6() parser simply whitelists a set of characters and counts colons, because the real validation happens later on. The character set includes A-Z, in case someone decides to implement support for scopes like [fe80::1%25eth0] in the future. Signed-off-by: Paul Marks <pmarks@google.com>
2013-11-28globbing: curl glob counter mismatch with {} list useDaniel Stenberg
The "fixed string" function wrongly bumped the "urlnum" counter which made curl output the total number of URLs wrong when using {one,two,three} lists in globs. Reported-by: Michael-O Bug: http://curl.haxx.se/bug/view.cgi?id=1305
2013-11-03glob_range: pass the closing bracket for a-z rangesDaniel Stenberg
Regression since commit 5ca96cb844102 (release in 7.33.0) Reported-by: Marcin Gryszkalis
2013-10-22glob: fix regression from commit 5ca96cb844Daniel Stenberg
Plain strings after glob ranges/lists weren't treated correctly but caused broken URLs to get used. Reported-by: Javier Barroso
2013-09-06urlglob: improved error messages and column number on bad useDaniel Stenberg
Introduce a convenience macro and keep of the column better so that it can point out the offending column better. Updated test 75 accordingly.
2013-09-06urlglob: avoid error code translationDaniel Stenberg
By using the correct values from the start we don't have to translate them!
2013-09-06urlglob: avoid NULL pointer dereferenceDaniel Stenberg
Thanks to clang-analyzer
2013-08-26tool_urlglob.c: Fixed compiler warningsSteve Holme
warning: 'variable' may be used uninitialized in this function
2013-08-16glob: error out on range overflowDaniel Stenberg
The new multiply() function detects range value overflows. 32bit machines will overflow on a 32bit boundary while 64bit hosts support ranges up to the full 64 bit range. Added test 1236 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1267 Reported-by: Will Dietz
2013-08-16urlglob: better detect unclosed braces, empty lists and overflowsDaniel Stenberg
A rather big overhaul and cleanup. 1 - curl wouldn't properly detect and reject globbing that ended with an open brace if there were brackets or braces before it. Like "{}{" or "[0-1]{" 2 - curl wouldn't properly reject empty lists so that "{}{}" would result in curl getting (nil) strings in the output. 3 - By using strtoul() instead of sscanf() the code will now detected over and underflows. It now also better parses the step argument to only accept positive numbers and only step counters that is smaller than the delta between the maximum and minimum numbers. 4 - By switching to unsigned longs instead of signed ints for the counters, the max values for []-ranges are now very large (on 64bit machines). 5 - Bumped the maximum number of globs in a single URL to 100 (from 10) 6 - Simplified the code somewhat and now it stores fixed strings as single- entry lists. That's also one of the reasons why I did (5) as now all strings between "globs" will take a slot in the array. Added test 1234 and 1235 to verify. Updated test 87. This commit fixes three separate bug reports. Bug: http://curl.haxx.se/bug/view.cgi?id=1264 Bug: http://curl.haxx.se/bug/view.cgi?id=1265 Bug: http://curl.haxx.se/bug/view.cgi?id=1266 Reported-by: Will Dietz
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-08-07globbing: fix segfault when >9 globs were usedDaniel Stenberg
Stupid lack of range checks caused the code to overwrite local variables after glob number nine. Added checks now. Bug: http://curl.haxx.se/bug/view.cgi?id=3546353
2012-04-08curl tool: make curl.h first header included in tool_setup.hYang Tse
2012-04-06curl tool: use configuration files from lib directoryYang Tse
Configuration files such as curl_config.h and all config-*.h no longer exist nor are generated/copied into 'src' directory, now these only exist in 'lib' directory from where curl tool sources uses them. Additionally old src/setup.h has been refactored into src/tool_setup.h which now pulls lib/setup.h The possibility of a makefile needing an include path adjustment exists.
2011-10-05curl tool: OOM handling fixesYang Tse
2011-10-05curl tool: reviewed code moved to tool_*.[ch] filesYang Tse