path: root/src
Age | Commit message | Author
2016-02-05 | tool_doswin: Use type SANITIZEcode in sanitize_file_name | Jay Satiro
2016-02-05 | tool_doswin: Improve sanitization processing | Jay Satiro
- Add unit test 1604 to test the sanitize_file_name function.
- Use -DCURL_STATICLIB when building libcurltool for unit testing.
- Better detection of reserved DOS device names.
- New flags to modify sanitize behavior:
  SANITIZE_ALLOW_COLONS: Allow colons
  SANITIZE_ALLOW_PATH: Allow path separators and colons
  SANITIZE_ALLOW_RESERVED: Allow reserved device names
  SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through.

Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-03 | URLs: change all http:// URLs to https:// | Daniel Stenberg
2016-02-01 | tool_operate: Don't sanitize --output path (Windows) | Jay Satiro
Due to path separators being incorrectly sanitized in --output pathnames, eg -o c:\foo => c__foo This is a partial revert of 3017d8a until I write a proper fix. The remote-name will continue to be sanitized, but if the user specified an --output with string replacement (#1, #2, etc) that data is unsanitized until I finish a fix. Bug: https://github.com/bagder/curl/issues/624 Reported-by: Octavio Schroeder
2016-01-28 | tool_doswin: silence unused function warning | Viktor Szakats
tool_doswin.c:185:14: warning: 'msdosify' defined but not used [-Wunused-function] Closes https://github.com/bagder/curl/pull/616
2016-01-26 | curl: avoid local drive traversal when saving file (Windows) | Ray Satiro
curl does not sanitize colons in a remote file name that is used as the local file name. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows/DOS is the only OS where this vulnerability applies. CVE-2016-0754 Bug: http://curl.haxx.se/docs/adv_20160127B.html
2015-12-23 | Makefile.inc: s/curl_SOURCES/CURL_FILES | Daniel Stenberg
This allows the root Makefile.am to include the Makefile.inc without causing automake to warn on it (variables named *_SOURCES are magic). curl_SOURCES is then instead assigned properly in src/Makefile.am only. Closes #577
2015-12-15 | curl --expect100-timeout: added | Daniel Stenberg
This is the new command line option to set the value for the existing libcurl option CURLOPT_EXPECT_100_TIMEOUT_MS
2015-12-13 | curl: use 2TLS by default | Daniel Stenberg
Make this the default for the curl tool (if built with HTTP/2 powers enabled) unless a specific HTTP version is requested on the command line. This should allow more users to get HTTP/2 powers without having to change anything.
2015-12-03 | curl: remove keepalive #ifdef checks done on libcurl's behalf | Daniel Stenberg
They didn't match the ifdef logic used within libcurl anyway so they could indeed warn for the wrong case - plus the tool cannot know how the lib actually performs at that level.
2015-11-27 | tool_paramhlp: Fixed display of URL index in password prompt for --next | Steve Holme
Commit f3bae6ed73 added the URL index to the password prompt when using --next. Unfortunately, because the size_t specifier (%zu) is not supported by all sprintf() implementations we use the curl_off_t format specifier instead. The display of an incorrect value arises on platforms where size_t and curl_off_t are of a different size.
2015-11-24 | curl: expanded the -XHEAD warning text | Daniel Stenberg
... to also mention the specific options used.
2015-11-24 | Revert "cleanup: general removal of TODO (and similar) comments" | Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-13 | curl: mark two more options strings for --libcurl output | Daniel Stenberg
2015-11-13 | cleanup: general removal of TODO (and similar) comments | Daniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-11-09 | oauth2: Don't use XOAUTH2 in OAuth 2.0 variables | Steve Holme
2015-11-09 | oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments | Steve Holme
When referring to OAuth 2.0 we should use the official name rather than the SASL mechanism name.
2015-11-08 | tool: Fixed a memory leak on OOM introduced in 19cb0c4a | Dan Fandrich
2015-10-31 | curl.h: s/HTTPPOST_/CURL_HTTPOST_ | Daniel Stenberg
Fixes a name space pollution at the cost of programs using one of these defines will no longer compile. However, the vast majority of libcurl programs that do multipart formposts use curl_formadd() to build this list. Closes #506
2015-10-20 | copyrights: update Gisle Vanem's email | Daniel Stenberg
2015-10-18 | curl: slist_wc: remove curl_memory.h inclusion | Daniel Stenberg
... that's for the library only.
2015-10-18 | tool: Generate easysrc with last cache linked-list | Daniel Hwang
Using a last cache linked-list improves the performance of easysrc generation. Bug: https://github.com/bagder/curl/issues/444 Ref: https://github.com/bagder/curl/issues/429 Closes #452
2015-10-17 | cookies: Add support for Mozilla's Public Suffix List | Tim Rühsen
Use libpsl to check the domain value of Set-Cookie headers (and cookie jar entries) for not being a Public Suffix. The configure script checks for "libpsl" by default. Disable the check with --without-libpsl. Ref: https://publicsuffix.org/ Ref: https://github.com/publicsuffix/list Ref: https://github.com/rockdaboot/libpsl
2015-10-02 | tool_setopt: fix c_escape truncated octal | Maksim Stsepanenka
Closes https://github.com/bagder/curl/pull/469
2015-09-22 | tool: remove redundant libcurl check | Daniel Hwang
The easysrc generation is run only when --libcurl is initialized. Ref: https://github.com/bagder/curl/issues/429 Closes #448
2015-09-21 | tool_operate: Don't call easysrc cleanup unless --libcurl | Jay Satiro
- Review of 4d95491. The author changed it so easysrc only initializes when --libcurl but did not do the same for the call to easysrc cleanup. Ref: https://github.com/bagder/curl/issues/429
2015-09-20 | tool: generate easysrc only on --libcurl | Daniel Lee Hwang
Code should only be generated when --libcurl is used. Bug: https://github.com/bagder/curl/issues/429 Reported-by: @greafhe, Jay Satiro Closes #429 Closes #442
2015-09-11 | curl: customrequest_helper: deal with NULL custom method | Daniel Stenberg
2015-09-11 | curl: point out unnecessary uses of -X in verbose mode | Daniel Stenberg
It uses 'Note:' as a prefix as opposed to the common 'Warning:' to take down the tone a bit. It adds a warning for using -XHEAD on other methods because that may lead to a hanging connection.
2015-09-03 | gitignore: ignore more generated VC Makefiles | Daniel Stenberg
2015-09-02 | tool_sdecls.h: Fixed compilation warning from commit 4a889441d3 | Steve Holme
tool_sdecls.h:139 warning: comma at end of enumerator list
2015-08-30 | makefiles: Added our standard copyright header | Steve Holme
But kept the original author, when they were specified in a comment, as the initial copyright holder.
2015-08-25 | curl: point out the conflicting HTTP methods if used | Daniel Stenberg
It isn't always clear to the user which options cause the HTTP methods to conflict so by spelling them out it should hopefully be easier to understand why curl complains.
2015-08-25 | curl: clarify that users can only specify one _METHOD_ | Daniel Stenberg
2015-08-23 | tool: fix memory leak with --proto-default option | Dan Fandrich
2015-08-22 | CURLOPT_DEFAULT_PROTOCOL: added | Nathaniel Waisbrot
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default protocol for schemeless URLs.
- Add new tool option --proto-default to expose CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way: When the option is used libcurl will use the supplied default. When the option is not used, libcurl will follow its usual plan of guessing from the hostname and falling back to 'http'.
2015-08-18 | gitignore: Sort for readability | Jay Satiro
find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
2015-08-10 | build: refer to fixed libidn versions | Viktor Szakats
closes #371
2015-07-26 | comment: fix comment about adding new option support | Daniel Stenberg
2015-07-25 | tool_operate: Fix CURLOPT_SSL_OPTIONS for builds without HTTPS | Jay Satiro
- Set CURLOPT_SSL_OPTIONS only if the tool enabled an SSL option. Broken by me several days ago in 172b2be. https://github.com/bagder/curl/commit/172b2be#diff-70b44ee478e58d4e1ddcf9c9a73d257b Bug: http://curl.haxx.se/mail/lib-2015-07/0119.html Reported-by: Dan Fandrich
2015-07-17 | SSL: Add an option to disable certificate revocation checks | Jay Satiro
New tool option --ssl-no-revoke. New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point. Bug: https://github.com/bagder/curl/issues/264 Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-01 | SSL: Pinned public key hash support | moparisthebest
2015-06-25 | tool_header_cb: fflush the header stream | Daniel Stenberg
Flush the header stream when -D is used so that they are sent off earlier. Bug: https://github.com/bagder/curl/issues/324 Reported-by: Cédric Connes
2015-06-21 | tool_help: fix --tlsv1 help text to use >= for TLSv1 | Lior Kaplan
2015-06-18 | tool: always provide negotiate/kerberos options | Daniel Stenberg
libcurl can still be built with it, even if the tool is not. Maintain independence!
2015-06-08 | help: Add --proxy-service-name and --service-name to the --help output | Linus Nielsen
2015-06-02 | checksrc: detect fopen() for text without the FOPEN_* macros | Daniel Stenberg
Follow-up to e8423f9ce150 with discussions in https://github.com/bagder/curl/pull/258 This check scans for fopen() with a mode string without 'b' present, as it may indicate that an FOPEN_* define should rather be used.
2015-06-01 | curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT | Jay Satiro
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"

This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects.

Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
Reported-by: Orgad Shaneh
2015-05-22 | curl: fix potential NULL dereference | Daniel Stenberg
Coverity CID 1299428: Dereference after null check (FORWARD_NULL)
2015-05-19 | build: bump version in default nghttp2 paths | Viktor Szakats