Age | Commit message (Collapse) | Author |
|
It fails somewhere between every 3rd to 10th travis-CI run
|
|
Detected by Coverity Analysis:
Error: IDENTIFIER_TYPO:
curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
* Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
* Identifier "SupportedMech" is referenced elsewhere at least 4 times.
curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
Closes #2379
|
|
Refuse to operate when given path components featuring byte values lower
than 32.
Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.
Test case 340 verifies.
CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
|
|
Reported-by: Michael Kaufmann
Fixes #2357
Closes #2362
|
|
Added test 1265 that verifies.
Reported-by: steelman on github
Fixes #2353
Closes #2355
|
|
... so that the CI and more detects compiler warnings/errors properly!
Closes #2337
|
|
|
|
When targeting x64, MinGW-w64 complains about conversions between
32-bit long and 64-bit pointers. Fix this by reusing the
GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
CURLX_INTEGER_TO_POINTER_CAST.
Closes https://github.com/curl/curl/pull/2341
|
|
Closes https://github.com/curl/curl/pull/2335
|
|
Detected using the `codespell` tool.
Also contains one URL protocol upgrade.
Closes https://github.com/curl/curl/pull/2334
|
|
- Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
will be called every time before a new resolve request is started
(ie before a host is resolved) with a pointer to backend-specific
resolver data. Currently this is only useful for ares.
- Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
pass to the resolver start callback.
Closes https://github.com/curl/curl/pull/2311
|
|
This enables users to preresolve but still take advantage of happy
eyeballs and trying multiple addresses if some are not connecting.
Ref: https://github.com/curl/curl/pull/2260
|
|
|
|
|
|
Closes #2302
|
|
Test 319 checks proper raw mode data with non-chunked gzip
transfer-encoded server data.
Test 326 checks raw mode with chunked server data.
Bug: #2303
Closes #2308
|
|
RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
should be taken into account when chasing the <CRLF>.<CRLF> end marker.
Thus a leading dot character in data is also subject to escaping.
Tests 911 and test server are adapted to this situation.
New tests 951 and 952 check proper handling of initial dot in data.
Closes #2304
|
|
Whenever an expected pattern syntax rule cannot be matched, the
character starting the rule loses its special meaning and the parsing
is resumed:
- backslash at the end of pattern string matches itself.
- Error in [:keyword:] results in set containing :\[dekorwy.
Unit test 1307 updated for this new situation.
Closes #2273
|
|
Also be more tolerant about set pattern syntax.
Update unit test 1307 accordingly.
Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
|
|
|
|
... since the libc provided one are locale dependent in a way we don't
want. Also, the "native" isalnum() (for example) works differently on
different platforms which caused test 1307 failures on macos only.
Closes #2269
|
|
If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
giving a result that is different from what is expected.
This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
to upload in ascii.
Bug: https://github.com/curl/curl/pull/1872
|
|
... with clang on macos
|
|
Data mismatch caused test 545 to fail when character encoding
conversion is enabled.
Bug: https://github.com/curl/curl/pull/1872
|
|
Make curl_getdate() handle dates before 1970 as well (returning negative
values).
Make test 517 test dates for 64 bit time_t.
This fixes bug (3) mentioned in #2238
Closes #2250
|
|
Closes #1429
|
|
|
|
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.
Note: this changes behavior slightly, for the sake of reducing mistakes.
Added test 317 and 318 to verify.
Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
|
|
Get screen width from the environment variable COLUMNS first, if set. If
not, use ioctl(). If nether works, assume 79.
Closes #2242
The "refresh" is for the -# output when no total transfer size is
known. It will now only use a single updated line even for this case:
The "-=O=-" ship moves when data is transferred. The four flying
"hashes" move (on a sine wave) on each refresh, independent of data.
|
|
vtls.c:multissl_init() might do a curl_free() call so strip that out to
make this work with more builds. We just want to verify that
memorytracking works so skipping one line is no harm.
|
|
|
|
.... and avoid advancing the pointer to trigger an out of buffer read.
Detected by OSS-fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
Assisted-by: Max Dymond
|
|
A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
strongly bound to the handle: there is a pointer to the easy handle in
each item of the mime tree and following the parent pointer list
of mime items ends in a dummy part stored within the handle.
Because of this binding, a mime tree cannot be shared between different
easy handles, thus it needs to be cloned upon easy handle duplication.
There is no way for the caller to get the duplicated mime tree
handle: it is then set to be automatically destroyed upon freeing the
new easy handle.
New test 654 checks proper mime structure duplication/release.
Add a warning note in curl_mime_data_cb() documentation about sharing
user data between duplicated handles.
Closes #2235
|
|
|
|
|
|
|
|
... and make the max filesize check trigger if the value is too big.
Updates test 178.
Reported-by: Brad Spencer
Fixes #2212
Closes #2223
|
|
- Enable execute permission (chmod +x)
- Change interpreter to /usr/bin/env perl
Closes https://github.com/curl/curl/pull/2222
|
|
.. because limits.h presence isn't optional, it's required by C89.
Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
Closes https://github.com/curl/curl/pull/2215
|
|
|
|
|
|
Decoding loop implementation did not concern the case when all
received data is consumed by Brotli decoder and the size of decoded
data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
can result in the loss of data at the end of content.
Closes #2194
|
|
Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
functions dealing with UserDefined structure contents.
This avoids memory leakages on curl-generated part mime headers.
New test 2073 checks this using the cli tool --next option: it
triggers a valgrind error if bug is present.
Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
Reported-by: Martin Galvan
|
|
- When zlib version is < 1.2.0.4, process gzip trailer before considering
extra data as an error.
- Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
and minimize corrupt data output.
- Do not try to restart deflate decompression in raw mode if output has
started or if the leading data is not available anymore.
- New test 232 checks inflating raw-deflated content.
Closes #2068
|
|
This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
It was actually added rather recently in 8e8afa82cbb629 due to a crash
that would otherwise happen in the RTSP code. As I don't think we've
fixed that behavior yet, we better keep this work-around until we have
fixed it better.
|
|
|
|
|
|
Prune the DNS cache immediately after the dns entry is unlocked in
multi_done. Timed out entries will then get discarded in a more orderly
fashion.
Test506 is updated
Reported-by: Oleg Pudeyev
Fixes #2169
Closes #2170
|
|
That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
and that option isn't set or used by the curl tool!
Updates the 9 tests that verify --libcurl
Closes #2167
|
|
|