| _ _ ____ _ |
| ___| | | | _ \| | |
| / __| | | | |_) | | |
| | (__| |_| | _ <| |___ |
| \___|\___/|_| \_\_____| |
| |
| Changelog |
| |
| Version 7.61.1 (4 Sep 2018) |
| |
| Daniel Stenberg (4 Sep 2018) |
| - THANKS: 7.61.1 status |
| |
| - RELEASE-NOTES: 7.61.1 |
| |
| - Curl_getoff_all_pipelines: ignore unused return values |
| |
| Since scan-build would warn on the dead "Dead store/Dead increment" |
| |
| Viktor Szakats (4 Sep 2018) |
| - sftp: fix indentation |
| |
| Daniel Stenberg (4 Sep 2018) |
| - [Przemysław Tomaszewski brought this change] |
| |
| sftp: don't send post-qoute sequence when retrying a connection |
| |
| Fixes #2939 |
| Closes #2940 |
| |
| Kamil Dudka (3 Sep 2018) |
| - url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work |
| |
| This is a follow-up to PR #2607 and PR #2926. |
| |
| Closes #2936 |
| |
| Daniel Stenberg (3 Sep 2018) |
| - [Jay Satiro brought this change] |
| |
| tool_operate: Add http code 408 to transient list for --retry |
| |
| - Treat 408 request timeout as transient so that curl will retry the |
| request if --retry was used. |
| |
| Closes #2925 |
| |
| - [Jay Satiro brought this change] |
| |
| openssl: Fix setting TLS 1.3 cipher suites |
| |
| The flag indicating TLS 1.3 cipher support in the OpenSSL backend was |
| missing. |
| |
| Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 |
| Reported-by: Kamil Dudka |
| |
| Closes #2926 |
| |
| - Curl_ntlm_core_mk_nt_hash: return error on too long password |
| |
| ... since it would cause an integer overflow if longer than (max size_t |
| / 2). |
| |
| This is CVE-2018-14618 |
| |
| Bug: https://curl.haxx.se/docs/CVE-2018-14618.html |
| Closes #2756 |
| Reported-by: Zhaoyang Wu |
| |
| - [Rikard Falkeborn brought this change] |
| |
| http2: Use correct format identifier for stream_id |
| |
| Closes #2928 |
| |
| Marcel Raad (2 Sep 2018) |
| - test1148: fix precheck output |
| |
| "precheck command error" is not very helpful. |
| |
| Daniel Stenberg (1 Sep 2018) |
| - all: s/int/size_t cleanup |
| |
| Assisted-by: Rikard Falkeborn |
| |
| Closes #2922 |
| |
| - ssh-libssh: use FALLTHROUGH to silence gcc8 |
| |
| Jay Satiro (31 Aug 2018) |
| - tool_operate: Fix setting proxy TLS 1.3 ciphers |
| |
| Daniel Stenberg (31 Aug 2018) |
| - [Daniel Gustafsson brought this change] |
| |
| cookies: support creation-time attribute for cookies |
| |
| According to RFC6265 section 5.4, cookies with equal path lengths |
| SHOULD be sorted by creation-time (earlier first). This adds a |
| creation-time record to the cookie struct in order to make cookie |
| sorting more deterministic. The creation-time is defined as the |
| order of the cookies in the jar, the first cookie read fro the |
| jar being the oldest. The creation-time is thus not serialized |
| into the jar. Also remove the strcmp() matching in the sorting as |
| there is no lexicographic ordering in RFC6265. Existing tests are |
| updated to match. |
| |
| Closes #2524 |
| |
| Marcel Raad (31 Aug 2018) |
| - Don't use Windows path %PWD for SSH tests |
| |
| All these tests failed on Windows because something like |
| sftp://%HOSTIP:%SSHPORT%PWD/ |
| expanded to |
| sftp://127.0.0.1:1234c:/msys64/home/bla/curl |
| and then curl complained about the port number ending with a letter. |
| |
| Use the original POSIX path instead of the Windows path created in |
| checksystem to fix this. |
| |
| Closes https://github.com/curl/curl/pull/2920 |
| |
| Jay Satiro (29 Aug 2018) |
| - CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warning |
| |
| Reported-by: Daniel Stenberg |
| |
| Closes https://github.com/curl/curl/issues/2916 |
| |
| Daniel Stenberg (28 Aug 2018) |
| - THANKS-filter: dedup Daniel Jeliński |
| |
| - RELEASE-NOTES: synced |
| |
| - CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip] |
| |
| - CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip] |
| |
| Added a warning! |
| |
| Closes #2915 |
| |
| - curl: fix time-of-check, time-of-use race in dir creation |
| |
| Patch-by: Jay Satiro |
| Detected by Coverity |
| Fixes #2739 |
| Closes #2912 |
| |
| - cmdline-opts/page-footer: fix edit mistake |
| |
| There was a missing newline. |
| |
| follow-up to a7ba60bb7250 |
| |
| - docs: clarify NO_PROXY env variable functionality |
| |
| Reported-by: Kirill Marchuk |
| Fixes #2773 |
| Closes #2911 |
| |
| Marcel Raad (24 Aug 2018) |
| - lib1522: fix curl_easy_setopt argument type |
| |
| CURLOPT_POSTFIELDSIZE is a long option. |
| |
| - curl_threads: silence bad-function-cast warning |
| |
| As uintptr_t and HANDLE are always the same size, this warning is |
| harmless. Just silence it using an intermediate uintptr_t variable. |
| |
| Closes https://github.com/curl/curl/pull/2908 |
| |
| Daniel Stenberg (24 Aug 2018) |
| - README: add appveyor build badge [ci skip] |
| |
| Closes #2913 |
| |
| - [Ihor Karpenko brought this change] |
| |
| schannel: client certificate store opening fix |
| |
| 1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) |
| while opening certificate store would be sufficient in this scenario and |
| less-demanding in sense of required user credentials ( for example, |
| IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore |
| call without any of flags mentioned above ), |
| |
| 2) as 'cert_store_name' is a DWORD, attempt to format its value like a |
| string ( in "Failed to open cert store" error message ) will throw null |
| pointer exception |
| |
| 3) adding GetLastError(), in my opinion, will make error message more |
| useful. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html |
| |
| Closes #2909 |
| |
| - [Leonardo Taccari brought this change] |
| |
| gopher: Do not translate `?' to `%09' |
| |
| Since GOPHER support was added in curl `?' character was automatically |
| translated to `%09' (`\t'). |
| |
| However, this behaviour does not seems documented in RFC 4266 and for |
| search selectors it is documented to directly use `%09' in the URL. |
| Apart that several gopher servers in the current gopherspace have CGI |
| support where `?' is used as part of the selector and translating it to |
| `%09' often leads to surprising results. |
| |
| Closes #2910 |
| |
| Marcel Raad (23 Aug 2018) |
| - cookie tests: treat files as text |
| |
| Fixes test failures because of wrong line endings on Windows. |
| |
| Daniel Stenberg (23 Aug 2018) |
| - libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation |
| |
| Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to |
| avoid the risk of getting a SIGPIPE. |
| |
| Either way, a multi-threaded application that uses libcurl/openssl needs |
| to have a signhandler for or ignore SIGPIPE on its own. |
| |
| Based on discussions in #2800 |
| Closes #2904 |
| |
| - RELEASE-NOTES: synced |
| |
| Marcel Raad (22 Aug 2018) |
| - Tests: fixes for Windows |
| |
| - test 1268 requires unix sockets |
| - test 2072 must be disabled also for MSYS/MinGW |
| |
| Daniel Stenberg (22 Aug 2018) |
| - http2: abort the send_callback if not setup yet |
| |
| When Curl_http2_done() gets called before the http2 data is setup all |
| the way, we cannot send anything and this should just return an error. |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012 |
| |
| - http2: remove four unused nghttp2 callbacks |
| |
| Closes #2903 |
| |
| - x509asn1: use FALLTHROUGH |
| |
| ... as no other comments are accepted since 014ed7c22f51463 |
| |
| Marcel Raad (21 Aug 2018) |
| - test1148: disable if decimal separator is not point |
| |
| Modifying the locale with environment variables doesn't work for native |
| Windows applications. Just disable the test in this case if the decimal |
| separator is something different than a point. Use a precheck with a |
| small C program to achieve that. |
| |
| Closes https://github.com/curl/curl/pull/2786 |
| |
| - Enable more GCC warnings |
| |
| This enables the following additional warnings: |
| -Wold-style-definition |
| -Warray-bounds=2 instead of the default 1 |
| -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not |
| respected for older versions |
| -Wunused-const-variable, which enables level 2 instead of the default 1 |
| -Warray-bounds also in debug mode through -ftree-vrp |
| -Wnull-dereference also in debug mode through |
| -fdelete-null-pointer-checks |
| |
| Closes https://github.com/curl/curl/pull/2747 |
| |
| - curl-compilers: enable -Wimplicit-fallthrough=4 for GCC |
| |
| This enables level 4 instead of the default level 3, which of the |
| currently used comments only allows /* FALLTHROUGH */ to silence the |
| warning. |
| |
| Closes https://github.com/curl/curl/pull/2747 |
| |
| - curl-compilers: enable -Wbad-function-cast on GCC |
| |
| This warning used to be enabled only for clang as it's a bit stricter |
| on GCC. Silence the remaining occurrences and enable it on GCC too. |
| |
| Closes https://github.com/curl/curl/pull/2747 |
| |
| - configure: conditionally enable pedantic-errors |
| |
| Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5, |
| pedantic-errors was synonymous to -Werror=pedantic [0], which is still |
| the case for clang [1]. With GCC 5, it became complementary [2]. |
| |
| Also fix a resulting error in acinclude.m4 as main's return type was |
| missing, which is illegal in C99. |
| |
| [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html |
| [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages |
| [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html |
| |
| Closes https://github.com/curl/curl/pull/2747 |
| |
| - Remove unused definitions |
| |
| Closes https://github.com/curl/curl/pull/2747 |
| |
| Daniel Stenberg (21 Aug 2018) |
| - x509asn1: make several functions static |
| |
| and remove the private SIZE_T_MAX define and use the generic one. |
| |
| Closes #2902 |
| |
| - INTERNALS: require GnuTLS >= 2.11.3 |
| |
| Since the public pinning support was brought in e644866caf4. GnuTLS |
| 2.11.3 was released in October 2010. |
| |
| Figured out in #2890 |
| |
| - http2: avoid set_stream_user_data() before stream is assigned |
| |
| ... before the stream is started, we have it set to -1. |
| |
| Fixes #2894 |
| Closes #2898 |
| |
| - SSLCERTS: improve the openssl command line |
| |
| ... for extracting certs from a live HTTPS server to make a cacerts.pem |
| from them. |
| |
| - docs/SECURITY-PROCESS: now we name the files after the CVE id |
| |
| - RELEASE-NOTES: synced |
| |
| - upload: change default UPLOAD_BUFSIZE to 64KB |
| |
| To make uploads significantly faster in some circumstances. |
| |
| Part 2 of #2888 |
| Closes #2892 |
| |
| - upload: allocate upload buffer on-demand |
| |
| Saves 16KB on the easy handle for operations that don't need that |
| buffer. |
| |
| Part 1 of #2888 |
| |
| - [Laurent Bonnans brought this change] |
| |
| vtls: reinstantiate engine on duplicated handles |
| |
| Handles created with curl_easy_duphandle do not use the SSL engine set |
| up in the original handle. This fixes the issue by storing the engine |
| name in the internal url state and setting the engine from its name |
| inside curl_easy_duphandle. |
| |
| Reported-by: Anton Gerasimov |
| Signed-of-by: Laurent Bonnans |
| Fixes #2829 |
| Closes #2833 |
| |
| - http2: make sure to send after RST_STREAM |
| |
| If this is the last stream on this connection, the RST_STREAM might not |
| get pushed to the wire otherwise. |
| |
| Fixes #2882 |
| Closes #2887 |
| Researched-by: Michael Kaufmann |
| |
| - test1268: check the stderr output as "text" |
| |
| Follow-up to 099f37e9c57 |
| |
| Pointed-out-by: Marcel Raad |
| |
| - urldata: remove unused pipe_broke struct field |
| |
| This struct field is never set TRUE in any existing code path. This |
| change removes the field completely. |
| |
| Closes #2871 |
| |
| - curl: warn the user if a given file name looks like an option |
| |
| ... simply because this is usually a sign of the user having omitted the |
| file name and the next option is instead "eaten" by the parser as a file |
| name. |
| |
| Add test1268 to verify |
| |
| Closes #2885 |
| |
| - http2: check nghttp2_session_set_stream_user_data return code |
| |
| Might help bug #2688 debugging |
| |
| Closes #2880 |
| |
| - travis: revert back to gcc-7 for coverage builds |
| |
| ... since the gcc-8 ones seem to fail frequently. |
| |
| Follow-up from b85207199544ca |
| |
| Closes #2886 |
| |
| - RELEASE-NOTES: synced |
| |
| ... and now listed in alphabetical order! |
| |
| - [Adrien brought this change] |
| |
| CMake: CMake config files are defining CURL_STATICLIB for static builds |
| |
| This change allows to use the CMake config files generated by Curl's |
| CMake scripts for static builds of the library. |
| The symbol CURL_STATIC lib must be defined to compile downstream, |
| thus the config package is the perfect place to do so. |
| |
| Fixes #2817 |
| Closes #2823 |
| Reported-by: adnn on github |
| Reviewed-by: Sergei Nikulov |
| |
| - TODO: host name sections in config files |
| |
| Kamil Dudka (14 Aug 2018) |
| - ssh-libssh: fix infinite connect loop on invalid private key |
| |
| Added test 656 (based on test 604) to verify the fix. |
| |
| Bug: https://bugzilla.redhat.com/1595135 |
| |
| Closes #2879 |
| |
| - ssh-libssh: reduce excessive verbose output about pubkey auth |
| |
| The verbose message "Authentication using SSH public key file" was |
| printed each time the ssh_userauth_publickey_auto() was called, which |
| meant each time a packet was transferred over network because the API |
| operates in non-blocking mode. |
| |
| This patch makes sure that the verbose message is printed just once |
| (when the authentication state is entered by the SSH state machine). |
| |
| Daniel Stenberg (14 Aug 2018) |
| - travis: disable h2 torture tests for "coverage" |
| |
| Since they started to fail almost 100% since a few days. |
| |
| Closes #2876 |
| |
| Marcel Raad (14 Aug 2018) |
| - travis: update to GCC 8 |
| |
| Closes https://github.com/curl/curl/pull/2869 |
| |
| Daniel Stenberg (13 Aug 2018) |
| - http: fix for tiny "HTTP/0.9" response |
| |
| Deal with tiny "HTTP/0.9" (header-less) responses by checking the |
| status-line early, even before a full "HTTP/" is received to allow |
| detecting 0.9 properly. |
| |
| Test 1266 and 1267 added to verify. |
| |
| Fixes #2420 |
| Closes #2872 |
| |
| Kamil Dudka (13 Aug 2018) |
| - docs: add disallow-username-in-url.d and haproxy-protocol.d on the list |
| |
| ... to make make the files appear in distribution tarballs |
| |
| Closes #2856 |
| |
| - .travis.yml: verify that man pages can be regenerated |
| |
| ... when curl is built from distribution tarball |
| |
| Closes #2856 |
| |
| Marcel Raad (11 Aug 2018) |
| - Split non-portable part off test 1133 |
| |
| Split off testing file names with double quotes into new test 1158. |
| Disable it for MSYS using a precheck as it doesn't support file names |
| with double quotes (but Cygwin does, for example). |
| |
| Fixes https://github.com/curl/curl/issues/2796 |
| Closes https://github.com/curl/curl/pull/2854 |
| |
| Jay Satiro (11 Aug 2018) |
| - projects: Improve Windows perl detection in batch scripts |
| |
| - Determine if perl is in the user's PATH by running perl.exe. |
| |
| Prior to this change detection was done by checking the PATH for perl/ |
| but that did not work in all cases (eg git install includes perl but |
| not in perl/ path). |
| |
| Bug: https://github.com/curl/curl/pull/2865 |
| Reported-by: Daniel Jeliński |
| |
| - [Michael Kaufmann brought this change] |
| |
| docs: Improve the manual pages of some callbacks |
| |
| - CURLOPT_HEADERFUNCTION: add newlines |
| - CURLOPT_INTERLEAVEFUNCTION: fix the description of 'userdata' |
| - CURLOPT_READDATA: mention crashes, same as in CURLOPT_WRITEDATA |
| - CURLOPT_READFUNCTION: rename 'instream' to 'userdata' and explain |
| how to set it |
| |
| Closes https://github.com/curl/curl/pull/2868 |
| |
| Marcel Raad (11 Aug 2018) |
| - GCC: silence -Wcast-function-type uniformly |
| |
| Pointed-out-by: Rikard Falkeborn |
| Closes https://github.com/curl/curl/pull/2860 |
| |
| - Silence GCC 8 cast-function-type warnings |
| |
| On Windows, casting between unrelated function types is fine and |
| sometimes even necessary, so just use an intermediate cast to |
| (void (*) (void)) to silence the warning as described in [0]. |
| |
| [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html |
| |
| Closes https://github.com/curl/curl/pull/2860 |
| |
| Daniel Stenberg (11 Aug 2018) |
| - CURLINFO_SIZE_UPLOAD: fix missing counter update |
| |
| Adds test 1522 for verification. |
| |
| Reported-by: cjmsoregan |
| Fixes #2847 |
| Closes #2864 |
| |
| - [Daniel Jelinski brought this change] |
| |
| Documentation: fix CURLOPT_SSH_COMPRESSION copy/paste bug |
| |
| Closes #2867 |
| |
| - RELEASE-NOTES: synced |
| |
| - openssl: fix potential NULL pointer deref in is_pkcs11_uri |
| |
| Follow-up to 298d2565e |
| Coverity CID 1438387 |
| |
| Marcel Raad (10 Aug 2018) |
| - travis: execute "set -eo pipefail" for coverage build |
| |
| Follow-up to 2de63ab179eb78630ee039ad94fb2a5423df522d and |
| 0b87c963252d3504552ee0c8cf4402bd65a80af5. |
| |
| Closes https://github.com/curl/curl/pull/2862 |
| |
| Daniel Stenberg (10 Aug 2018) |
| - lib1502: fix memory leak in torture test |
| |
| Reported-by: Marcel Raad |
| Fixes #2861 |
| Closes #2863 |
| |
| - docs: mention NULL is fine input to several functions |
| |
| Fixes #2837 |
| Closes #2858 |
| Reported-by: Markus Elfring |
| |
| - [Bas van Schaik brought this change] |
| |
| README.md: add LGTM.com code quality grade for C/C++ |
| |
| Closes #2857 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| test1531: Add timeout |
| |
| Previously, the macro TEST_HANG_TIMEOUT was unused, but since there is |
| looping going on, we might as well add timing instead of removing it. |
| |
| Closes #2853 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| test1540: Remove unused macro TEST_HANG_TIMEOUT |
| |
| The macro has never been used, and it there is not really any place |
| where it would make sense to add timing checks. |
| |
| Closes #2852 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| asyn-thread: Remove unused macro |
| |
| The macro seems to never have been used. |
| |
| Closes #2852 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| http_proxy: Remove unused macro SELECT_TIMEOUT |
| |
| Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22. |
| |
| Closes #2852 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT |
| |
| Its usage was removed in |
| 84ad1fd3047815f9c6e78728bb351b828eac10b1. |
| |
| Closes #2852 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| telnet: Remove unused macros TELOPTS and TELCMDS |
| |
| Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51. |
| |
| Closes #2852 |
| |
| - [Daniel Jelinski brought this change] |
| |
| openssl: fix debug messages |
| |
| Fixes #2806 |
| Closes #2843 |
| |
| - configure: fix for -lpthread detection with OpenSSL and pkg-config |
| |
| ... by making sure it uses the -I provided by pkg-config! |
| |
| Reported-by: pszemus on github |
| Fixes #2848 |
| Closes #2850 |
| |
| - RELEASE-NOTES: synced |
| |
| - windows: follow up to the buffer-tuning 1ba1dba7 |
| |
| Somehow I didn't include the amended version of the previous fix. This |
| is the missing piece. |
| |
| Pointed-out-by: Viktor Szakats |
| |
| - [Daniel Jelinski brought this change] |
| |
| windows: implement send buffer tuning |
| |
| Significantly enhances upload performance on modern Windows versions. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html |
| Closes #2762 |
| Fixes #2224 |
| |
| - [Anderson Toshiyuki Sasaki brought this change] |
| |
| ssl: set engine implicitly when a PKCS#11 URI is provided |
| |
| This allows the use of PKCS#11 URI for certificates and keys without |
| setting the corresponding type as "ENG" and the engine as "pkcs11" |
| explicitly. If a PKCS#11 URI is provided for certificate, key, |
| proxy_certificate or proxy_key, the corresponding type is set as "ENG" |
| if not provided and the engine is set to "pkcs11" if not provided. |
| |
| Acked-by: Nikos Mavrogiannopoulos |
| Closes #2333 |
| |
| - [Ruslan Baratov brought this change] |
| |
| CMake: Respect BUILD_SHARED_LIBS |
| |
| Use standard CMake variable BUILD_SHARED_LIBS instead of introducing |
| custom option CURL_STATICLIB. |
| |
| Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml. |
| |
| Reviewed-by: Sergei Nikulov |
| Closes #2755 |
| |
| - [John Butterfield brought this change] |
| |
| cmake: bumped minimum version to 3.4 |
| |
| Closes #2753 |
| |
| - [John Butterfield brought this change] |
| |
| cmake: link curl to the OpenSSL targets instead of lib absolute paths |
| |
| Reviewed-by: Jakub Zakrzewski |
| Reviewed-by: Sergei Nikulov |
| Closes #2753 |
| |
| - travis: build darwinssl on macos 10.12 |
| |
| ... as building on 10.13.x before 10.13.4 leads to link errors. |
| |
| Assisted-by: Nick Zitzmann |
| Fixes #2835 |
| Closes #2845 |
| |
| - DEPRECATE: remove release date from 7.62.0 |
| |
| Since it will slip and the version is the important part there, not the |
| date. |
| |
| - lib/Makefile: only do symbol hiding if told to |
| |
| This restores the ability to build a static lib with |
| --disable-symbol-hiding to keep non-curl_ symbols. |
| |
| Researched-by: Dan Fandrich |
| Reported-by: Ran Mozes |
| Fixes #2830 |
| Closes #2831 |
| |
| Marcel Raad (2 Aug 2018) |
| - hostip: fix unused variable warning |
| |
| addresses is only used in an infof call, which is a macro expanding to |
| nothing if CURL_DISABLE_VERBOSE_STRINGS is set. |
| |
| Daniel Stenberg (2 Aug 2018) |
| - test1307: disabled |
| |
| Turns out that since we're using the native fnmatch function now when |
| available, and they simply disagree on a huge number of test patterns |
| that make it hard to test this function like this... |
| |
| Fixes #2825 |
| |
| - smb: don't mark it done in smb_do |
| |
| Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its |
| doing function too, which requires smb_do() to not mark itself as |
| done... |
| |
| Closes #2822 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| general: fix printf specifiers |
| |
| Closes #2818 |
| |
| - RELEASE-NOTES: synced |
| |
| - mailmap: Daniel Jelinski |
| |
| - [Harry Sintonen brought this change] |
| |
| HTTP: Don't attempt to needlessly decompress redirect body |
| |
| This change fixes a regression where redirect body would needlessly be |
| decompressed even though it was to be ignored anyway. As it happens this |
| causes secondary issues since there appears to be a bug in apache2 that |
| it in certain conditions generates a corrupt zlib response. The |
| regression was created by commit: |
| dbcced8e32b50c068ac297106f0502ee200a1ebd |
| |
| Discovered-by: Harry Sintonen |
| Closes #2798 |
| |
| - curl: use Content-Disposition before the "URL end" for -OJ |
| |
| Regression introduced in 7.61.0 |
| |
| Reported-by: Thomas Klausner |
| Fixes #2783 |
| Closes #2813 |
| |
| - [Daniel Jelinski brought this change] |
| |
| retry: return error if rewind was necessary but didn't happen |
| |
| Fixes #2801 |
| Closes #2812 |
| |
| - http2: clear the drain counter in Curl_http2_done |
| |
| Reported-by: Andrei Virtosu |
| Fixes #2800 |
| Closes #2809 |
| |
| - smb: fix memory leak on early failure |
| |
| ... by making sure connection related data (->share) is stored in the |
| connection and not in the easy handle. |
| |
| Detected by OSS-fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 |
| Fixes #2769 |
| Closes #2810 |
| |
| - travis: run a 'make checksrc' too |
| |
| ... to make sure the examples are all checked. |
| |
| Closes #2811 |
| |
| Jay Satiro (29 Jul 2018) |
| - examples/ephiperfifo: checksrc compliance |
| |
| - [Michael Kaufmann brought this change] |
| |
| sws: handle EINTR when calling select() |
| |
| Closes https://github.com/curl/curl/pull/2808 |
| |
| Daniel Stenberg (29 Jul 2018) |
| - test1157: follow-up to 35ecffb9 |
| |
| Ignore the user-agent line. |
| Pointed-out-by: Marcel Raad |
| |
| Michael Kaufmann (29 Jul 2018) |
| - tests/http_pipe.py: Use /usr/bin/env to find python |
| |
| Daniel Stenberg (28 Jul 2018) |
| - TODO: Support Authority Information Access certificate extension (AIA) |
| |
| Closes #2793 |
| |
| - conn_free: updated comment to clarify |
| |
| Let's call it disassociate instead of disconnect since the latter term |
| is used so much for (TCP) connections already. |
| |
| - test1157: test -H from empty file |
| |
| Verifies bugfix #2797 |
| |
| - [Tobias Blomberg brought this change] |
| |
| curl: Fix segfault when -H @headerfile is empty |
| |
| The curl binary would crash if the -H command line option was given a |
| filename to read using the @filename syntax but that file was empty. |
| |
| Closes #2797 |
| |
| - mime: check Curl_rand_hex's return code |
| |
| Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html |
| Reported-by: Jeffrey Walton |
| Closes #2795 |
| |
| - [Josh Bialkowski brought this change] |
| |
| docs/examples: add hiperfifo example using linux epoll/timerfd |
| |
| Closes #2804 |
| |
| - [Darío Hereñú brought this change] |
| |
| docs/INSTALL.md: minor formatting fixes |
| |
| Closes #2794 |
| |
| - [Christopher Head brought this change] |
| |
| docs/CURLOPT_URL: fix indentation |
| |
| The statement, “The application does not have to keep the string around |
| after setting this option,” appears to be indented under the RTMP |
| paragraph. It actually applies to all protocols, not just RTMP. |
| Eliminate the extra indentation. |
| |
| Closes #2788 |
| |
| - [Christopher Head brought this change] |
| |
| docs/CURLOPT_WRITEFUNCTION: size is always 1 |
| |
| For compatibility with `fwrite`, the `CURLOPT_WRITEFUNCTION` callback is |
| passed two `size_t` parameters which, when multiplied, designate the |
| number of bytes of data passed in. In practice, CURL always sets the |
| first parameter (`size`) to 1. |
| |
| This practice is also enshrined in documentation and cannot be changed |
| in future. The documentation states that the default callback is |
| `fwrite`, which means `fwrite` must be a suitable function for this |
| purpose. However, the documentation also states that the callback must |
| return the number of *bytes* it successfully handled, whereas ISO C |
| `fwrite` returns the number of items (each of size `size`) which it |
| wrote. The only way these numbers can be equal is if `size` is 1. |
| |
| Since `size` is 1 and can never be changed in future anyway, document |
| that fact explicitly and let users rely on it. |
| |
| Closes #2787 |
| |
| - [Carie Pointer brought this change] |
| |
| wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random |
| |
| RNG structure must be freed by call to FreeRng after its use in |
| Curl_cyassl_random. This call fixes Valgrind failures when running the |
| test suite with wolfSSL. |
| |
| Closes #2784 |
| |
| - [Even Rouault brought this change] |
| |
| reuse_conn(): free old_conn->options |
| |
| This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with |
| connection reuse. |
| |
| I found this with oss-fuzz on GDAL and curl master: |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582 |
| I couldn't reproduce with the oss-fuzz original test case, but looking |
| at curl source code pointed to this well reproducable leak. |
| |
| Closes #2790 |
| |
| Marcel Raad (25 Jul 2018) |
| - [Daniel Jelinski brought this change] |
| |
| system_win32: fix version checking |
| |
| In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false |
| when run on windows 10.0. This patch addresses that error. |
| |
| Closes https://github.com/curl/curl/pull/2792 |
| |
| Daniel Stenberg (24 Jul 2018) |
| - [Johannes Schindelin brought this change] |
| |
| auth: pick Bearer authentication whenever a token is available |
| |
| So far, the code tries to pick an authentication method only if |
| user/password credentials are available, which is not the case for |
| Bearer authentictation... |
| |
| Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> |
| Closes #2754 |
| |
| - [Johannes Schindelin brought this change] |
| |
| auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token |
| |
| The Bearer authentication was added to cURL 7.61.0, but there is a |
| problem: if CURLAUTH_ANY is selected, and the server supports multiple |
| authentication methods including the Bearer method, we strongly prefer |
| that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer |
| authentication fails, we will never even try to attempt any other |
| method. |
| |
| This is particularly unfortunate when we already know that we do not |
| have any Bearer token to work with. |
| |
| Such a scenario happens e.g. when using Git to push to Visual Studio |
| Team Services (which supports Basic and Bearer authentication among |
| other methods) and specifying the Personal Access Token directly in the |
| URL (this aproach is frequently taken by automated builds). |
| |
| Let's make sure that we have a Bearer token to work with before we |
| select the Bearer authentication among the available authentication |
| methods. |
| |
| Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> |
| Closes #2754 |
| |
| Marcel Raad (22 Jul 2018) |
| - test320: treat curl320.out file as binary |
| |
| Otherwise, LF line endings are converted to CRLF on Windows, |
| but no conversion is done for the reply, so the test case fails. |
| |
| Closes https://github.com/curl/curl/pull/2776 |
| |
| Daniel Stenberg (22 Jul 2018) |
| - vtls: set conn->data when closing TLS |
| |
| Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS |
| layer for a connection still needs a Curl_easy handle for the session_id |
| cache etc. |
| |
| Fixes #2764 |
| Closes #2771 |
| |
| Marcel Raad (21 Jul 2018) |
| - tests: fixes for Windows line endlings |
| |
| Set mode="text" when line endings depend on the system representation. |
| |
| Closes https://github.com/curl/curl/pull/2772 |
| |
| - test214: disable MSYS2's POSIX path conversion for URL |
| |
| By default, the MSYS2 bash converts all backslashes to forward slashes |
| in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. |
| |
| Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces |
| |
| Daniel Stenberg (20 Jul 2018) |
| - http2: several cleanups |
| |
| - separate easy handle from connections better |
| - added asserts on a number of places |
| - added sanity check of pipelines for debug builds |
| |
| Closes #2751 |
| |
| - smb_getsock: always wait for write socket too |
| |
| ... the protocol is doing read/write a lot, so it needs to write often |
| even when downloading. A more proper fix could check for eactly when it |
| wants to write and only ask for it then. |
| |
| Without this fix, an SMB download could easily get stuck when the event-driven |
| API was used. |
| |
| Closes #2768 |
| |
| Marcel Raad (20 Jul 2018) |
| - test1143: disable MSYS2's POSIX path conversion |
| |
| By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143 |
| as a POSIX file list and converts it to a Windows file list. |
| Disable this with MSYS2_ARG_CONV_EXCL for the test to pass. |
| |
| Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces |
| Closes https://github.com/curl/curl/pull/2765 |
| |
| Daniel Stenberg (18 Jul 2018) |
| - RELEASE-NOTES: sync |
| |
| ... and work toward 7.61.1 |
| |
| - [Ruslan Baratov brought this change] |
| |
| CMake: Update scripts to use consistent style |
| |
| Closes #2727 |
| Reviewed-by: Sergei Nikulov |
| |
| - header output: switch off all styles, not just unbold |
| |
| ... the "unbold" sequence doesn't work on the mac Terminal. |
| |
| Reported-by: Zero King |
| Fixes #2736 |
| Closes #2738 |
| |
| Nick Zitzmann (14 Jul 2018) |
| - [Rodger Combs brought this change] |
| |
| darwinssl: add support for ALPN negotiation |
| |
| Marcel Raad (14 Jul 2018) |
| - test1422: add required file feature |
| |
| curl configured with --enable-debug --disable-file currently complains |
| on test1422: |
| Info: Protocol "file" not supported or disabled in libcurl |
| |
| Make test1422 dependend on enabled FILE protocol to fix this. |
| |
| Fixes https://github.com/curl/curl/issues/2741 |
| Closes https://github.com/curl/curl/pull/2742 |
| |
| Patrick Monnerat (12 Jul 2018) |
| - content_encoding: accept up to 4 unknown trailer bytes after raw deflate data |
| |
| Some servers issue raw deflate data that may be followed by an undocumented |
| trailer. This commit makes curl tolerate such a trailer of up to 4 bytes |
| before considering the data is in error. |
| |
| Reported-by: clbr on github |
| Fixes #2719 |
| |
| Daniel Stenberg (12 Jul 2018) |
| - smb: fix memory-leak in URL parse error path |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369 |
| Closes #2740 |
| |
| Marcel Raad (12 Jul 2018) |
| - schannel: enable CALG_TLS1PRF for w32api >= 5.1 |
| |
| The definition of CALG_TLS1PRF has been fixed in the 5.1 branch: |
| https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5 |
| |
| Daniel Stenberg (12 Jul 2018) |
| - docs/SECURITY-PROCESS: mention bounty, drop pre-notify |
| |
| + The hackerone bounty and its process |
| |
| - We don't and can't handle pre-notification |
| |
| - multi: always do the COMPLETED procedure/state |
| |
| It was previously erroneously skipped in some situations. |
| |
| libtest/libntlmconnect.c wrongly depended on wrong behavior (that it |
| would get a zero timeout) when no handles are "running" in a multi |
| handle. That behavior is no longer present with this fix. Now libcurl |
| will always return a -1 timeout when all handles are completed. |
| |
| Closes #2733 |
| |
| - Curl_getoff_all_pipelines: improved for multiplexed |
| |
| On multiplexed connections, transfers can be removed from anywhere not |
| just at the head as for pipelines. |
| |
| - ares: check for NULL in completed-callback |
| |
| - conn: remove the boolean 'inuse' field |
| |
| ... as the usage needs to be counted. |
| |
| - [Paul Howarth brought this change] |
| |
| openssl: assume engine support in 1.0.0 or later |
| |
| Commit 38203f1585da changed engine detection to be version-based, |
| with a baseline of openssl 1.0.1. This does in fact break builds |
| with openssl 1.0.0, which has engine support - the configure script |
| detects that ENGINE_cleanup() is available - but <openssl/engine.h> |
| doesn't get included to declare it. |
| |
| According to upstream documentation, engine support was added to |
| mainstream openssl builds as of version 0.9.7: |
| https://github.com/openssl/openssl/blob/master/README.ENGINE |
| |
| This commit drops the version test down to 1.0.0 as version 1.0.0d |
| is the oldest version I have to test with. |
| |
| Closes #2732 |
| |
| Marcel Raad (11 Jul 2018) |
| - schannel: fix MinGW compile break |
| |
| Original MinGW's w32api has a sytax error in its definition of |
| CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF |
| until this bug [1] is fixed. |
| |
| [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h |
| [1] https://osdn.net/projects/mingw/ticket/38391 |
| |
| Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043 |
| Closes https://github.com/curl/curl/pull/2728 |
| |
| Daniel Stenberg (11 Jul 2018) |
| - examples/crawler.c: move #ifdef to column 0 |
| |
| Apparently the C => HTML converter on the web site doesn't quite like it |
| otherwise. |
| |
| Reported-by: Jeroen Ooms |
| |
| Version 7.61.0 (11 Jul 2018) |
| |
| Daniel Stenberg (11 Jul 2018) |
| - release: 7.61.0 |
| |
| - TODO: Configurable loading of OpenSSL configuration file |
| |
| Closes #2724 |
| |
| - post303.d: clarify that this is an RFC violation |
| |
| ... and not the other way around, which this previously said. |
| |
| Reported-by: Vasiliy Faronov |
| Fixes #2723 |
| Closes #2726 |
| |
| - [Ruslan Baratov brought this change] |
| |
| CMake: remove redundant and old end-of-block syntax |
| |
| Reviewed-by: Jakub Zakrzewski |
| Closes #2715 |
| |
| Jay Satiro (9 Jul 2018) |
| - lib/curl_setup.h: remove unicode character |
| |
| Follow-up to 82ce416. |
| |
| Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818 |
| |
| Daniel Stenberg (9 Jul 2018) |
| - lib/curl_setup.h: remove unicode bom from 8272ec50f02 |
| |
| Marcel Raad (9 Jul 2018) |
| - schannel: fix -Wsign-compare warning |
| |
| MinGW warns: |
| /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in |
| conditional expression [-Wsign-compare] |
| |
| Fix this by casting the ptrdiff_t to size_t as we know it's positive. |
| |
| Closes https://github.com/curl/curl/pull/2721 |
| |
| - schannel: workaround for wrong function signature in w32api |
| |
| Original MinGW's w32api has CryptHashData's second parameter as BYTE * |
| instead of const BYTE *. |
| |
| Closes https://github.com/curl/curl/pull/2721 |
| |
| - schannel: make more cipher options conditional |
| |
| They are not defined in the original MinGW's <wincrypt.h>. |
| |
| Closes https://github.com/curl/curl/pull/2721 |
| |
| - curl_setup: include <winerror.h> before <windows.h> |
| |
| Otherwise, only part of it gets pulled in through <windows.h> on |
| original MinGW. |
| |
| Fixes https://github.com/curl/curl/issues/2361 |
| Closes https://github.com/curl/curl/pull/2721 |
| |
| - examples: fix -Wformat warnings |
| |
| When size_t is not a typedef for unsigned long (as usually the case on |
| Windows), GCC emits -Wformat warnings when using lu and lx format |
| specifiers with size_t. Silence them with explicit casts to |
| unsigned long. |
| |
| Closes https://github.com/curl/curl/pull/2721 |
| |
| Daniel Stenberg (9 Jul 2018) |
| - smtp: use the upload buffer size for scratch buffer malloc |
| |
| ... not the read buffer size, as that can be set smaller and thus cause |
| a buffer overflow! CVE-2018-0500 |
| |
| Reported-by: Peter Wu |
| Bug: https://curl.haxx.se/docs/adv_2018-70a2.html |
| |
| - [Dave Reisner brought this change] |
| |
| scripts: include _curl as part of CLEANFILES |
| |
| Closes #2718 |
| |
| - [Nick Zitzmann brought this change] |
| |
| darwinssl: allow High Sierra users to build the code using GCC |
| |
| ...but GCC users lose out on TLS 1.3 support, since we can't weak-link |
| enumeration constants. |
| |
| Fixes #2656 |
| Closes #2703 |
| |
| - [Ruslan Baratov brought this change] |
| |
| CMake: Remove unused 'output_var' from 'collect_true' |
| |
| Variable 'output_var' is not used and can be removed. |
| Function 'collect_true' renamed to 'count_true'. |
| |
| - [Ruslan Baratov brought this change] |
| |
| CMake: Remove unused functions |
| |
| Closes #2711 |
| |
| - KNOWN_BUGS: Stick to same family over SOCKS proxy |
| |
| - libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE |
| |
| ... because otherwise not everything get closed down correctly. |
| |
| Fixes #2708 |
| Closes #2712 |
| |
| - libssh: include line number in state change debug messages |
| |
| Closes #2713 |
| |
| - KNOWN_BUGS: Borland support is dropped, AIX problem is too old |
| |
| - [Jeroen Ooms brought this change] |
| |
| example/crawler.c: simple crawler based on libxml2 |
| |
| Closes #2706 |
| |
| - RELEASE-NOTES: synced |
| |
| - DEPRECATE: include year when specifying date |
| |
| - DEPRECATE: linkified |
| |
| - DEPRECATE: mention the PR that disabled axTLS |
| |
| - docs/DEPRECATE.md: spelling and minor formatting |
| |
| - DEPRECATE: new doc describing planned item removals |
| |
| Closes #2704 |
| |
| - [Gisle Vanem brought this change] |
| |
| telnet: fix clang warnings |
| |
| telnet.c(1401,28): warning: cast from function call of type 'int' to |
| non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast] |
| |
| Fixes #2696 |
| Closes #2700 |
| |
| - docs: fix missed option name markups |
| |
| - [Gaurav Malhotra brought this change] |
| |
| openssl: Remove some dead code |
| |
| Closes #2698 |
| |
| - openssl: make the requested TLS version the *minimum* wanted |
| |
| The code treated the set version as the *exact* version to require in |
| the TLS handshake, which is not what other TLS backends do and probably |
| not what most people expect either. |
| |
| Reported-by: Andreas Olsson |
| Assisted-by: Gaurav Malhotra |
| Fixes #2691 |
| Closes #2694 |
| |
| - RELEASE-NOTES: synced |
| |
| - openssl: allow TLS 1.3 by default |
| |
| Reported-by: Andreas Olsson |
| Fixes #2692 |
| Closes #2693 |
| |
| - [Adrian Peniak brought this change] |
| |
| CURLINFO_TLS_SSL_PTR.3: improve the example |
| |
| The previous example was a little bit confusing, because SSL* structure |
| (or other "in use" SSL connection pointer) is not accessible after the |
| transfer is completed, therefore working with the raw TLS library |
| specific pointer needs to be done during transfer. |
| |
| Closes #2690 |
| |
| - travis: add a build using the synchronous name resolver |
| |
| ... since default uses the threaded one and we test the c-ares build |
| already. |
| |
| Closes #2689 |
| |
| - configure: remove CURL_CHECK_NI_WITHSCOPEID too |
| |
| Since it isn't used either and requires the getnameinfo check |
| |
| Follow-up to 0aeca41702d2 |
| |
| - getnameinfo: not used |
| |
| Closes #2687 |
| |
| - easy_perform: use *multi_timeout() to get wait times |
| |
| ... and trim the threaded Curl_resolver_getsock() to return zero |
| millisecond wait times during the first three milliseconds so that |
| localhost or names in the OS resolver cache gets detected and used |
| faster. |
| |
| Closes #2685 |
| |
| Max Dymond (27 Jun 2018) |
| - configure: Add dependent libraries after crypto |
| |
| The linker is pretty dumb and processes things left to right, keeping a |
| tally of symbols it hasn't resolved yet. So, we need -ldl to appear |
| after -lcrypto otherwise the linker won't find the dl functions. |
| |
| Closes #2684 |
| |
| Daniel Stenberg (27 Jun 2018) |
| - GOVERNANCE: linkify, changed some titles |
| |
| - GOVERNANCE: add maintainer details/duties |
| |
| - url: check Curl_conncache_add_conn return code |
| |
| ... it was previously unchecked in two places and thus errors could |
| remain undetected and cause trouble. |
| |
| Closes #2681 |
| |
| - include/README: remove "hacking" advice, not the right place |
| |
| - RELEASE-NOTES: synced |
| |
| - CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake |
| |
| Follow-up to b6a16afa0aa5 |
| |
| - netrc: use a larger buffer |
| |
| ... to work with longer passwords etc. Grow it from a 256 to a 4096 |
| bytes buffer. |
| |
| Reported-by: Dario Nieuwenhuis |
| Fixes #2676 |
| Closes #2680 |
| |
| - [Patrick Schlangen brought this change] |
| |
| CURLOPT_SSL_VERIFYPEER.3: Add performance note |
| |
| Closes #2673 |
| |
| - [Javier Blazquez brought this change] |
| |
| multi: fix crash due to dangling entry in connect-pending list |
| |
| Fixes #2677 |
| Closes #2679 |
| |
| - ConnectionExists: make sure conn->data is set when "taking" a connection |
| |
| Follow-up to 2c15693. |
| |
| Bug #2674 |
| Closes #2675 |
| |
| - [Kevin R. Bulgrien brought this change] |
| |
| system.h: fix for gcc on 32 bit OpenServer |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html |
| |
| - [Raphael Gozzo brought this change] |
| |
| cmake: allow multiple SSL backends |
| |
| This will make possible to select the SSL backend (using |
| curl_global_sslset()) even when the libcurl is built using CMake |
| |
| Closes #2665 |
| |
| - url: fix dangling conn->data pointer |
| |
| By masking sure to use the *current* easy handle with extracted |
| connections from the cache, and make sure to NULLify the ->data pointer |
| when the connection is put into the cache to make this mistake easier to |
| detect in the future. |
| |
| Reported-by: Will Dietz |
| Fixes #2669 |
| Closes #2672 |
| |
| - CURLOPT_INTERFACE.3: interface names not supported on Windows |
| |
| - travis: run more tests for coverage check |
| |
| ... run a few more tortured based and run all tests event-based. |
| |
| Closes #2664 |
| |
| - multi: fix memory leak when stopped during name resolve |
| |
| When the application just started the transfer and then stops it while |
| the name resolve in the background thread hasn't completed, we need to |
| wait for the resolve to complete and then cleanup data accordingly. |
| |
| Enabled test 1553 again and added test 1590 to also check when the host |
| name resolves successfully. |
| |
| Detected by OSS-fuzz. |
| Closes #1968 |
| |
| Viktor Szakats (15 Jun 2018) |
| - maketgz: delete .bak files, fix indentation |
| |
| Ref: https://github.com/curl/curl/pull/2660 |
| |
| Closes https://github.com/curl/curl/pull/2662 |
| |
| Daniel Stenberg (15 Jun 2018) |
| - runtests.pl: remove debug leftover from bb9a340c73f3 |
| |
| - curl-confopts.m4: fix typo from ed224f23d5beb |
| |
| Fixes my local configure to detect a custom installed c-ares without |
| pkgconfig. |
| |
| - docs/RELEASE-PROCEDURE.md: renamed to use .md extension |
| |
| Closes #2663 |
| |
| - RELEASE-PROCEDURE: gpg sign the tags |
| |
| - RELEASE-NOTES: synced |
| |
| - CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0 |
| |
| - [Mamta Upadhyay brought this change] |
| |
| maketgz: fix sed issues on OSX |
| |
| maketgz creates release tarballs and removes the -DEV string in curl |
| version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl |
| is run. maketgz works fine on linux but fails on OSX. Problem is with |
| the sed commands that use option -i without an extension. Maketgz |
| expects GNU sed instead of BSD and this simply won't work on OSX. Adding |
| a backup extension .bak after -i fixes this issue |
| |
| Running the script as if on OSX gives this error: |
| |
| sed: -e: No such file or directory |
| |
| Adding a .bak extension resolves it |
| |
| Closes #2660 |
| |
| - configure: enhance ability to detect/build with static openssl |
| |
| Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for |
| building with static libs without pkg-config. |
| |
| Reported-by: Marcel Raad |
| Fixes #2199 |
| Closes #2659 |
| |
| - configure: use pkg-config for c-ares detection |
| |
| First check if there's c-ares information given as pkg-config info and use |
| that as first preference. |
| |
| Reported-by: pszemus on github |
| Fixes #2203 |
| Closes #2658 |
| |
| - GOVERNANCE.md: explains how this project is run |
| |
| Closes #2657 |
| |
| - KNOWN_BUGS: NTLM doen't support password with § character |
| |
| Closes #2120 |
| |
| - KNOWN_BUGS: slow connect to localhost on Windows |
| |
| Closes #2281 |
| |
| - [Matteo Bignotti brought this change] |
| |
| mk-ca-bundle.pl: make -u delete certdata.txt if found not changed |
| |
| certdata.txt should be deleted also when the process is interrupted by |
| "same certificate downloaded, exiting" |
| |
| The certdata.txt is currently kept on disk even if you give the -u |
| option |
| |
| Closes #2655 |
| |
| - progress: remove a set of unused defines |
| |
| Reported-by: Peter Wu |
| Closes #2654 |
| |
| - TODO: "Option to refuse usernames in URLs" done |
| |
| Implemented by Björn in 946ce5b61f |
| |
| - [Lyman Epp brought this change] |
| |
| Curl_init_do: handle NULL connection pointer passed in |
| |
| Closes #2653 |
| |
| - runtests: support variables in <strippart> |
| |
| ... and make use of that to make 1455 work better without using a fixed |
| local port number. |
| |
| Fixes #2649 |
| Closes #2650 |
| |
| - Curl_debug: remove dead printhost code |
| |
| The struct field is never set (since 5e0d9aea3) so remove the use of it |
| and remove the connectdata pointer from the prototype. |
| |
| Reported-by: Tejas |
| Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html |
| Closes #2647 |
| |
| Viktor Szakats (12 Jun 2018) |
| - schannel: avoid incompatible pointer warning |
| |
| with clang-6.0: |
| ``` |
| vtls/schannel_verify.c: In function 'add_certs_to_store': |
| vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types] |
| &cert_context)) { |
| ^ |
| In file included from /usr/share/mingw-w64/include/schannel.h:10:0, |
| from /usr/share/mingw-w64/include/schnlsp.h:9, |
| from vtls/schannel.h:29, |
| from vtls/schannel_verify.c:40: |
| /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}' |
| WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags, |
| ^~~~~~~~~~~~~~~~ |
| ``` |
| Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264 |
| |
| Closes https://github.com/curl/curl/pull/2648 |
| |
| Daniel Stenberg (12 Jun 2018) |
| - [Robert Prag brought this change] |
| |
| schannel: support selecting ciphers |
| |
| Given the contstraints of SChannel, I'm exposing these as the algorithms |
| themselves instead; while replicating the ciphersuite as specified by |
| OpenSSL would have been preferable, I found no way in the SChannel API |
| to do so. |
| |
| To use this from the commandline, you need to pass the names of contants |
| defining the desired algorithms. For example, curl --ciphers |
| "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" |
| https://github.com The specific names come from wincrypt.h |
| |
| Closes #2630 |
| |
| - [Bernhard M. Wiedemann brought this change] |
| |
| test 46: make test pass after 2025 |
| |
| shifting the expiry date to 2037 for now |
| to be before the possibly problematic year 2038 |
| |
| similar in spirit to commit e6293cf8764e9eecb |
| |
| Closes #2646 |
| |
| - [Marian Klymov brought this change] |
| |
| cppcheck: fix warnings |
| |
| - Get rid of variable that was generating false positive warning |
| (unitialized) |
| |
| - Fix issues in tests |
| |
| - Reduce scope of several variables all over |
| |
| etc |
| |
| Closes #2631 |
| |
| - openssl: assume engine support in 1.0.1 or later |
| |
| Previously it was checked for in configure/cmake, but that would then |
| leave other build systems built without engine support. |
| |
| While engine support probably existed prior to 1.0.1, I decided to play |
| safe. If someone experience a problem with this, we can widen the |
| version check. |
| |
| Fixes #2641 |
| Closes #2644 |
| |
| - RELEASE-NOTES: synced |
| |
| - RELEASE-PROCEDURE: update the release calendar for 2019 |
| |
| - [Gisle Vanem brought this change] |
| |
| boringssl + schannel: undef X509_NAME in lib/schannel.h |
| |
| Fixes the build problem when both boringssl and schannel are enabled. |
| |
| Fixes #2634 |
| Closes #2643 |
| |
| - [Vladimir Kotal brought this change] |
| |
| mk-ca-bundle.pl: leave certificate name untouched in decode() |
| |
| Closes #2640 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES |
| |
| This removes the generated lib1521.c when running make clean. |
| |
| Closes #2633 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| tests/libtest: Add lib1521 to nodist_SOURCES |
| |
| Since 467da3af0, lib1521.c is generated instead of checked in. According |
| to the commit message, the intention was to remove it from the tarball |
| as well. However, it is still present when running make dist. To remove |
| it, add it to nodist_lib1521_SOURCES. This also means there is no need |
| for the manually added dist-rule in the Makefile. |
| |
| Also update CMakelists.txt to handle the fact that we now may have |
| nodist_SOURCES. |
| |
| - [Stephan Mühlstrasser brought this change] |
| |
| system.h: add support for IBM xlc C compiler |
| |
| Added a section to system.h guarded with __xlc__ for the IBM xml C |
| compiler. Before this change the section titled 'generic "safe guess" on |
| old 32 bit style' was used, which resulted in a wrong definition of |
| CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T |
| was wrong. |
| |
| Compilation warnings fixed with this change: |
| |
| CC libcurl_la-ftp.lo |
| "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| CC libcurl_la-connect.lo |
| "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| CC libcurl_la-tftp.lo |
| "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed. |
| |
| Closes #2637 |
| |
| - cmdline-opts/cert-type.d: mention "p12" as a recognized type as well |
| |
| Viktor Szakats (3 Jun 2018) |
| - spelling fixes |
| |
| Detected using the `codespell` tool (version 1.13.0). |
| |
| Also secure and fix an URL. |
| |
| Daniel Stenberg (2 Jun 2018) |
| - axtls: follow-up spell fix of comment |
| |
| - axTLS: not considered fit for use |
| |
| URL: https://curl.haxx.se/mail/lib-2018-06/0000.html |
| |
| This is step one. It adds #error statements that require source edits to |
| make curl build again if asked to use axTLS. At a later stage we might |
| remove the axTLS specific code completely. |
| |
| Closes #2628 |
| |
| - build: remove the Borland specific makefiles |
| |
| According to the user survey 2018, not even one out of 670 users use |
| them. Nobody on the mailing list spoke up for them either. |
| |
| Closes #2629 |
| |
| - curl_addrinfo: use same #ifdef conditions in source as header |
| |
| ... for curl_dofreeaddrinfo |
| |
| - multi: remove a DEBUGF() |
| |
| ... it might call infof() with a NULL first argument that isn't harmful |
| but makes it not do anything. The infof() line is not very useful |
| anymore, it has served it purpose. Good riddance! |
| |
| Fixes #2627 |
| |
| - [Alibek.Jorajev brought this change] |
| |
| CURLOPT_RESOLVE: always purge old entry first |
| |
| If there's an existing entry using the selected name. |
| |
| Closes #2622 |
| |
| - fnmatch: use the system one if available |
| |
| If configure detects fnmatch to be available, use that instead of our |
| custom one for FTP wildcard pattern matching. For standard compliance, |
| to reduce our footprint and to use already well tested and well |
| exercised code. |
| |
| A POSIX fnmatch behaves slightly different than the internal function |
| for a few test patterns currently and the macOS one yet slightly |
| different. Test case 1307 is adjusted for these differences. |
| |
| Closes #2626 |
| |
| Patrick Monnerat (31 May 2018) |
| - os400: add new option in ILE/RPG binding |
| |
| Follow-up to commit 946ce5b |
| |
| Daniel Stenberg (31 May 2018) |
| - tests/libtest/.gitignore: follow-up fix to ignore lib5* too |
| |
| - KNOWN_BUGS: CURL_GLOBAL_SSL |
| |
| Closes #2276 |
| |
| - [Bernhard Walle brought this change] |
| |
| configure: check for declaration of getpwuid_r |
| |
| On our x86 Android toolchain, getpwuid_r is implemented but the header |
| is missing: |
| |
| netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration] |
| |
| Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved |
| the prototype to curl_setup.h. |
| |
| Signed-off-by: Bernhard Walle <bernhard@bwalle.de> |
| Closes #2609 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| tests: update .gitignore for libtests |
| |
| Closes #2624 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| strictness: correct {infof, failf} format specifiers |
| |
| Closes #2623 |
| |
| - [Björn Stenberg brought this change] |
| |
| option: disallow username in URL |
| |
| Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes |
| libcurl reject URLs with a username in them. |
| |
| Closes #2340 |
| |
| - libcurl-security.3: improved layout for two rememdy lists |
| |
| - libcurl-security.3: refer to URL instead of in-source markdown file |
| |
| Viktor Szakats (30 May 2018) |
| - curl.rc: embed manifest for correct Windows version detection |
| |
| * enable it in `src/Makefile.m32` |
| * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is |
| _not_ enabled via the existing `EMBED_MANIFEST` option |
| * enable it for all Windows CMake builds (also disable the built-in |
| minimal manifest, added by CMake by default.) |
| |
| For other build systems, add the `-DCURL_EMBED_MANIFEST` option to |
| the list of RC (Resource Compiler) flags to enable the manifest |
| included in `src/curl.rc`. This may require to disable whatever |
| automatic or other means in which way another manifest is added to |
| `curl.exe`. |
| |
| Notice that Borland C doesn't support this method due to a |
| long-pending resource compiler bug. Watcom C may also not handle |
| it correctly when the `-zm` `wrc` option is used (this option may |
| be unnecessary though) and regardless of options in certain earlier |
| revisions of the 2.0 beta version. |
| |
| Closes https://github.com/curl/curl/pull/1221 |
| Fixes https://github.com/curl/curl/issues/2591 |
| |
| Patrick Monnerat (30 May 2018) |
| - os400: sync EBCDIC wrappers and ILE/RPG binding with latest options |
| |
| - os400: implement mime api EBCDIC wrappers |
| |
| Also sync ILE/RPG binding to define the new functions. |
| |
| Daniel Stenberg (29 May 2018) |
| - setopt: add TLS 1.3 ciphersuites |
| |
| Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. |
| |
| curl: added --tls13-ciphers and --proxy-tls13-ciphers |
| |
| Fixes #2435 |
| Reported-by: zzq1015 on github |
| Closes #2607 |
| |
| - configure: override AR_FLAGS to silence warning |
| |
| The automake default ar flags are 'cru', but the 'u' flag in there |
| causes warnings on many modern Linux distros. Removing 'u' may have a |
| minor performance impact on older distros but should not cause harm. |
| |
| Explained on the automake mailing list already back in April 2015: |
| |
| https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html |
| |
| Reported-by: elephoenix on github |
| Fixes #2617 |
| Closes #2619 |
| |
| Sergei Nikulov (29 May 2018) |
| - cmake: fixed comments in compile checks code |
| |
| Daniel Stenberg (29 May 2018) |
| - INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib |
| |
| ... the older description doesn't work |
| |
| Reported-by: Peter Varga |
| Fixes #2615 |
| Closes #2616 |
| |
| - [Will Dietz brought this change] |
| |
| KNOWN_BUGS: restore text regarding #2101. |
| |
| This was added earlier but appears to have been removed accidentally. |
| |
| AFAICT this is very much still an issue. |
| |
| ----- |
| |
| I say "accidentally" because the text seems to have harmlessly snuck |
| into [1] (which makes no mention of it). [1] was later reverted for |
| unspecified reasons in [2], presumably because the mentioned issue was |
| fixed or invalid. |
| |
| [1] de9fac00c40db321d44fa6fbab6eb62ec4c83998 |
| [2] 16d1f369403cbb04bd7b085eabbeebf159473fc2 |
| |
| Closes #2618 |
| |
| - fnmatch: insist on escaped bracket to match |
| |
| A non-escaped bracket ([) is for a character group - as documented. It |
| will *not* match an individual bracket anymore. Test case 1307 updated |
| accordingly to match. |
| |
| Problem detected by OSS-Fuzz, although this fix is probably not a final |
| fix for the notorious timeout issues. |
| |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525 |
| Closes #2614 |
| |
| Patrick Monnerat (28 May 2018) |
| - psl: use latest psl and refresh it periodically |
| |
| The latest psl is cached in the multi or share handle. It is refreshed |
| before use after 72 hours. |
| New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. |
| If the latest psl is not available, the builtin psl is used. |
| |
| Reported-by: Yaakov Selkowitz |
| Fixes #2553 |
| Closes #2601 |
| |
| Daniel Stenberg (28 May 2018) |
| - [Fabrice Fontaine brought this change] |
| |
| configure: fix ssh2 linking when built with a static mbedtls |
| |
| The ssh2 pkg-config file could contain the following lines when build |
| with a static version of mbedtls: |
| Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a |
| Libs.private: /xxx/libmbedcrypto.a |
| |
| This static mbedtls library must be used to correctly detect ssh2 |
| support and this library must be copied in libcurl.pc otherwise |
| compilation of any application (such as upmpdcli) with libcurl will fail |
| when trying to found mbedtls functions included in libssh2. So, replace |
| pkg-config --libs-only-l by pkg-config --libs. |
| |
| Fixes: |
| - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a |
| |
| Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> |
| Closes #2613 |
| |
| - RELEASE-NOTES: synced |
| |
| - [Bernhard Walle brought this change] |
| |
| cmake: check for getpwuid_r |
| |
| The autotools-based build system does it, so we do it also in CMake. |
| |
| Bug: #2609 |
| Signed-off-by: Bernhard Walle <bernhard@bwalle.de> |
| |
| - cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options |
| |
| - [Frank Gevaerts brought this change] |
| |
| curl.1: Fix cmdline-opts reference errors. |
| |
| --data, --form, and --ntlm were declared to be mutually exclusive with |
| non-existing options. --data and --form referred to --upload (which is |
| short for --upload-file and therefore did work, so this one was merely |
| a bit confusing), --ntlm referred to --negotiated instead of --negotiate. |
| |
| Closes #2612 |
| |
| - [Frank Gevaerts brought this change] |
| |
| docs: fix cmdline-opts metadata headers case consistency. |
| |
| Almost all headers start with an uppercase letter, but some didn't. |
| |
| - mailmap: Max Savenkov |
| |
| Sergei Nikulov (28 May 2018) |
| - [Max Savenkov brought this change] |
| |
| Fix the test for fsetxattr and strerror_r tests in CMake to work without compiling |
| |
| Daniel Stenberg (27 May 2018) |
| - mailmap: a Richard Alcock fixup |
| |
| - [Richard Alcock brought this change] |
| |
| schannel: add failf calls for client certificate failures |
| |
| Closes #2604 |
| |
| - [Richard Alcock brought this change] |
| |
| winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST |
| |
| Change requirement from $(DISTDIR) to $(DIRDIST) |
| |
| closes #2603 |
| |
| - [Richard Alcock brought this change] |
| |
| winbuild: only delete OUTFILE if it exists |
| |
| This removes the slightly annoying "Could not file LIBCURL_OBJS.inc" and |
| "Could not find CURL_OBJS.inc.inc" message when building into a clean |
| folder. |
| |
| closes #2602 |
| |
| - [Alejandro R. Sedeño brought this change] |
| |
| content_encoding: handle zlib versions too old for Z_BLOCK |
| |
| Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available. |
| |
| Fixes #2606 |
| Closes #2608 |
| |
| - multi: provide a socket to wait for in Curl_protocol_getsock |
| |
| ... even when there's no protocol specific handler setup. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html |
| Reported-by: Sean Miller |
| Closes #2600 |
| |
| - [Linus Lewandowski brought this change] |
| |
| httpauth: add support for Bearer tokens |
| |
| Closes #2102 |
| |
| - TODO: CURLINFO_PAUSE_STATE |
| |
| Closes #2588 |
| |
| Sergei Nikulov (24 May 2018) |
| - cmake: set -d postfix for debug builds if not specified |
| using -DCMAKE_DEBUG_POSTFIX explicitly |
| |
| fixes #2121, obsoletes #2384 |
| |
| Daniel Stenberg (23 May 2018) |
| - configure: add basic test of --with-ssl prefix |
| |
| When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or |
| $PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an |
| error. Helps users detect when giving configure the wrong path. |
| |
| Reported-by: Oleg Pudeyev |
| Assisted-by: Per Malmberg |
| Fixes #2580 |
| |
| Patrick Monnerat (22 May 2018) |
| - http resume: skip body if http code 416 (range error) is ignored. |
| |
| This avoids appending error data to already existing good data. |
| |
| Test 92 is updated to match this change. |
| New test 1156 checks all combinations of --range/--resume, --fail, |
| Content-Range header and http status code 200/416. |
| |
| Fixes #1163 |
| Reported-By: Ithubg on github |
| Closes #2578 |
| |
| Daniel Stenberg (22 May 2018) |
| - tftp: make sure error is zero terminated before printfing it |
| |
| - configure: add missing m4/ax_compile_check_sizeof.m4 |
| |
| follow-up to mistake in 6876ccf90b4 |
| |
| Jay Satiro (22 May 2018) |
| - [Johannes Schindelin brought this change] |
| |
| schannel: make CAinfo parsing resilient to CR/LF |
| |
| OpenSSL has supported --cacert for ages, always accepting LF-only line |
| endings ("Unix line endings") as well as CR/LF line endings ("Windows |
| line endings"). |
| |
| When we introduced support for --cacert also with Secure Channel (or in |
| cURL speak: "WinSSL"), we did not take care to support CR/LF line |
| endings, too, even if we are much more likely to receive input in that |
| form when using Windows. |
| |
| Let's fix that. |
| |
| Happily, CryptQueryObject(), the function we use to parse the ca-bundle, |
| accepts CR/LF input already, and the trailing LF before the END |
| CERTIFICATE marker catches naturally any CR/LF line ending, too. So all |
| we need to care about is the BEGIN CERTIFICATE marker. We do not |
| actually need to verify here that the line ending is CR/LF. Just |
| checking for a CR or an LF is really plenty enough. |
| |
| Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> |
| |
| Closes https://github.com/curl/curl/pull/2592 |
| |
| Daniel Stenberg (22 May 2018) |
| - CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit |
| |
| - RELEASE-NOTES: synced |
| |
| - KNOWN_BUGS: mention the -O with %-encoded file names |
| |
| Closes #2573 |
| |
| - checksrc: make sure sizeof() is used *with* parentheses |
| |
| ... and unify the source code to adhere. |
| |
| Closes #2563 |
| |
| - curl: added --styled-output |
| |
| It is enabled by default, so --no-styled-output will switch off the |
| detection/use of bold headers. |
| |
| Closes #2538 |
| |
| - curl: show headers in bold |
| |
| The feature is only enabled if the output is believed to be a tty. |
| |
| -J: There's some minor differences and improvements in -J handling, as |
| now J should work with -i and it actually creates a file first using the |
| initial name and then *renames* that to the one found in |
| Content-Disposition (if any). |
| |
| -i: only shows headers for HTTP transfers now (as documented). |
| Previously it would also show for pieces of the transfer that were HTTP |
| (for example when doing FTP over a HTTP proxy). |
| |
| -i: now shows trailers as well. Previously they were not shown at all. |
| |
| --libcurl: the CURLOPT_HEADER is no longer set, as the header output is |
| now done in the header callback. |
| |
| - configure: compile-time SIZEOF checks |
| |
| ... instead of exeucting code to get the size. Removes the use of |
| LD_LIBRARY_PATH for this. |
| |
| Fixes #2586 |
| Closes #2589 |
| Reported-by: Bernhard Walle |
| |
| - configure: replace AC_TRY_RUN with CURL_RUN_IFELSE |
| |
| ... and export LD_LIBRARY_PATH properly. This is a follow-up from |
| 2d4c215. |
| |
| Fixes #2586 |
| Reported-by: Bernhard Walle |
| |
| - docs: clarify CURLOPT_HTTPGET somewhat |
| |
| Reported-by: bsammon on github |
| Fixes #2590 |
| |
| - curl_fnmatch: only allow two asterisks for matching |
| |
| The previous limit of 5 can still end up in situation that takes a very |
| long time and consumes a lot of CPU. |
| |
| If there is still a rare use case for this, a user can provide their own |
| fnmatch callback for a version that allows a larger set of wildcards. |
| |
| This commit was triggered by yet another OSS-Fuzz timeout due to this. |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369 |
| |
| Closes #2587 |
| |
| - checksrc: fix too long line |
| |
| follow-up to e05ad5d |
| |
| - [Aleks brought this change] |
| |
| docs: mention HAproxy protocol "version 1" |
| |
| ...as there's also a version 2. |
| |
| Closes #2579 |
| |
| - examples/progressfunc: make it build on older libcurls |
| |
| This example was changed in ce2140a8c1 to use the new microsecond based |
| getinfo option. This change makes it conditionally keep using the older |
| option so that the example still builds with older libcurl versions. |
| |
| Closes #2584 |
| |
| - stub_gssapi: fix numerous 'unused parameter' warnings |
| |
| follow-up to d9e92fd9fd1d |
| |
| - [Philip Prindeville brought this change] |
| |
| getinfo: add microsecond precise timers for various intervals |
| |
| Provide a set of new timers that return the time intervals using integer |
| number of microseconds instead of floats. |
| |
| The new info names are as following: |
| |
| CURLINFO_APPCONNECT_TIME_T |
| CURLINFO_CONNECT_TIME_T |
| CURLINFO_NAMELOOKUP_TIME_T |
| CURLINFO_PRETRANSFER_TIME_T |
| CURLINFO_REDIRECT_TIME_T |
| CURLINFO_STARTTRANSFER_TIME_T |
| CURLINFO_TOTAL_TIME_T |
| |
| Closes #2495 |
| |
| - openssl: acknowledge --tls-max for default version too |
| |
| ... previously it only used the max setting if a TLS version was also |
| explicitly asked for. |
| |
| Reported-by: byte_bucket |
| Fixes #2571 |
| Closes #2572 |
| |
| - bump: start working on the pending 7.61.0 |
| |
| - [Dagobert Michelsen brought this change] |
| |
| tests/libtest/Makefile: Do not unconditionally add gcc-specific flags |
| |
| The warning flag leads e.g. Sun Studio compiler to bail out. |
| |
| Closes #2576 |
| |
| - schannel_verify: fix build for non-schannel |
| |
| Jay Satiro (16 May 2018) |
| - rand: fix typo |
| |
| - schannel: disable manual verify if APIs not available |
| |
| .. because original MinGW and old compilers do not have the Windows API |
| definitions needed to support manual verification. |
| |
| - [Archangel_SDY brought this change] |
| |
| schannel: disable client cert option if APIs not available |
| |
| Original MinGW targets Windows 2000 by default, which lacks some APIs and |
| definitions for this feature. Disable it if these APIs are not available. |
| |
| Closes https://github.com/curl/curl/pull/2522 |
| |
| Version 7.60.0 (15 May 2018) |
| |
| Daniel Stenberg (15 May 2018) |
| - RELEASE-NOTES: 7.60.0 release |
| |
| - THANKS: added people from the curl 7.60.0 release |
| |
| - docs/libcurl/index.html: removed |
| |
| The HTML files are long gone from the dist, now remove the last HTML |
| file pointing to those missing files. |
| |
| d |
| |
| - [steini2000 brought this change] |
| |
| http2: remove unused variable |
| |
| Closes #2570 |
| |
| - [steini2000 brought this change] |
| |
| http2: use easy handle of stream for logging |
| |
| - gcc: disable picky gcc-8 function pointer warnings in two places |
| |
| Reported-by: Rikard Falkeborn |
| Bug: #2560 |
| Closes #2569 |
| |
| - http2: use the correct function pointer typedef |
| |
| Fixes gcc-8 picky compiler warnings |
| Reported-by: Rikard Falkeborn |
| Bug: #2560 |
| Closes #2568 |
| |
| - CODE_STYLE: mention return w/o parens, but sizeof with |
| |
| ... and remove the github markdown syntax so that it renders better on |
| the web site. Also, don't use back-ticks inlined to allow the CSS to |
| highlight source code better. |
| |
| - [Rikard Falkeborn brought this change] |
| |
| examples: Fix format specifiers |
| |
| Closes #2561 |
| |
| - [Rikard Falkeborn brought this change] |
| |
| tool: Fix format specifiers |
| |
| - [Rikard Falkeborn brought this change] |
| |
| ntlm: Fix format specifiers |
| |
| - [Rikard Falkeborn brought this change] |
| |
| tests: Fix format specifiers |
| |
| - [Rikard Falkeborn brought this change] |
| |
| lib: Fix format specifiers |
| |
| - contributors.sh: use "on github", not at |
| |
| - http2: getsock fix for uploads |
| |
| When there's an upload in progress, make sure to wait for the socket to |
| become writable. |
| |
| Detected-by: steini2000 on github |
| Bug: #2520 |
| Closes #2567 |
| |
| - pingpong: fix response cache memcpy overflow |
| |
| Response data for a handle with a large buffer might be cached and then |
| used with the "closure" handle when it has a smaller buffer and then the |
| larger cache will be copied and overflow the new smaller heap based |
| buffer. |
| |
| Reported-by: Dario Weisser |
| CVE: CVE-2018-1000300 |
| Bug: https://curl.haxx.se/docs/adv_2018-82c2.html |
| |
| - http: restore buffer pointer when bad response-line is parsed |
| |
| ... leaving the k->str could lead to buffer over-reads later on. |
| |
| CVE: CVE-2018-1000301 |
| Assisted-by: Max Dymond |
| |
| Detected by OSS-Fuzz. |
| Bug: https://curl.haxx.se/docs/adv_2018-b138.html |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105 |
| |
| Patrick Monnerat (13 May 2018) |
| - cookies: do not take cookie name as a parameter |
| |
| RFC 6265 section 4.2.1 does not set restrictions on cookie names. |
| This is a follow-up to commit 7f7fcd0. |
| Also explicitly check proper syntax of cookie name/value pair. |
| |
| New test 1155 checks that cookie names are not reserved words. |
| |
| Reported-By: anshnd at github |
| Fixes #2564 |
| Closes #2566 |
| |
| Daniel Stenberg (12 May 2018) |
| - smb: reject negative file sizes |
| |
| Assisted-by: Max Dymond |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245 |
| |
| - setup_transfer: deal with both sockets being -1 |
| |
| Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would |
| index the array with -1 if neither index was a socket. |
| |
| - travis: add build using NSS |
| |
| Closes #2558 |
| |
| - [Sunny Purushe brought this change] |
| |
| openssl: change FILE ops to BIO ops |
| |
| To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES |
| handling is causing problems. This fix changes the OpenSSL backend code |
| to use BIO functions instead of FILE I/O functions to circumvent those |
| problems. |
| |
| Closes #2512 |
| |
| - travis: add a build using WolfSSL |
| |
| Assisted-by: Dan Fandrich |
| |
| Closes #2528 |
| |
| - RELEASE-NOTES: typo |
| |
| - RELEASE-NOTES: synced |
| |
| - [Daniel Gustafsson brought this change] |
| |
| URLs: fix one more http url |
| |
| This file wasn't included in commit 4af40b3646d3b09 which updated all |
| haxx.se http urls to https. The file was committed prior to that update, |
| but may have been merged after it and hence didn't get updated. |
| |
| Closes #2550 |
| |
| - github/lock: auto-lock closed issues after 90 days of inactivity |
| |
| - vtls: fix missing commas |
| |
| follow-up to e66cca046cef |
| |
| - vtls: use unified "supports" bitfield member in backends |
| |
| ... instead of previous separate struct fields, to make it easier to |
| extend and change individual backends without having to modify them all. |
| |
| closes #2547 |
| |
| - transfer: don't unset writesockfd on setup of multiplexed conns |
| |
| Curl_setup_transfer() can be called to setup a new individual transfer |
| over a multiplexed connection so it shouldn't unset writesockfd. |
| |
| Bug: #2520 |
| Closes #2549 |
| |
| - [Frank Gevaerts brought this change] |
| |
| configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h |
| |
| They are removed from the compiler flags. |
| |
| This ensures that make dependency tracking will force a rebuild whenever |
| configure --enable-debug or --enable-curldebug changes. |
| |
| Closes #2548 |
| |
| - http: don't set the "rewind" flag when not uploading anything |
| |
| It triggers an assert. |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144 |
| Closes #2546 |
| |
| - travis: add an mbedtls build |
| |
| Closes #2531 |
| |
| - configure: only check for CA bundle for file-using SSL backends |
| |
| When only building with SSL backends that don't use the CA bundle file |
| (by default), skip the check. |
| |
| Fixes #2543 |
| Fixes #2180 |
| Closes #2545 |
| |
| - ssh-libssh.c: fix left shift compiler warning |
| |
| ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to |
| represent, but 'int' only has 32 bits [-Wshift-overflow=] |
| |
| 'len' will never be that big anyway so I converted the run-time check to |
| a regular assert. |
| |
| - [Stephan Mühlstrasser brought this change] |
| |
| URL: fix ASCII dependency in strcpy_url and strlen_url |
| |
| Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the |
| changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of |
| the problem that strcpy_url() was modified unilaterally without also |
| modifying strlen_url(). As a consequence strcpy_url() was again |
| depending on ASCII encoding. |
| |
| This change fixes strlen_url() and strcpy_url() in parallel to use a |
| common host-encoding independent criterion for deciding whether an URL |
| character must be %-escaped. |
| |
| Closes #2535 |
| |
| - [Denis Ollier brought this change] |
| |
| docs: remove extraneous commas in man pages |
| |
| Closes #2544 |
| |
| - RELEASE-NOTES: synced |
| |
| - Revert "TODO: remove configure --disable-pthreads" |
| |
| This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3. |
| |
| --disable-pthreads can be used to disable pthreads and get the threaded |
| resolver to use the windows threading when building with mingw. |
| |
| - vtls: don't define MD5_DIGEST_LENGTH for wolfssl |
| |
| ... as it defines it (too) |
| |
| - TODO: remove configure --disable-pthreads |
| |
| Jay Satiro (2 May 2018) |
| - [David Garske brought this change] |
| |
| wolfssl: Fix non-blocking connect |
| |
| Closes https://github.com/curl/curl/pull/2542 |
| |
| Daniel Stenberg (30 Apr 2018) |
| - CURLOPT_URL.3: add ENCODING section [ci skip] |
| |
| Feedback-by: Michael Kilburn |
| |
| - KNOWN_BUGS: Client cert with Issuer DN differs between backends |
| |
| Closes #1411 |
| |
| - KNOWN_BUGS: Passive transfer tries only one IP address |
| |
| Closes #1508 |
| |
| - KNOWN_BUGS: --upload-file . hang if delay in STDIN |
| |
| Closes #2051 |
| |
| - KNOWN_BUGS: Connection information when using TCP Fast Open |
| |
| Closes #1332 |
| |
| - travis: enable libssh2 on both macos and Linux |
| |
| It seems to not be detected by default anymore (which is a bug I |
| believe) |
| |
| Closes #2541 |
| |
| - TODO: Support the clienthello extension |
| |
| Closes #2299 |
| |
| - TODO: CLOEXEC |
| |
| Closes #2252 |
| |
| - tests: provide 'manual' as a feature to optionally require |
| |
| ... and make test 1026 rely on that feature so that --disable-manual |
| builds don't cause test failures. |
| |
| Reported-by: Max Dymond and Anders Roxell |
| Fixes #2533 |
| Closes #2540 |
| |
| - CURLINFO_PROTOCOL.3: mention the existing defined names |
| |
| Jay Satiro (27 Apr 2018) |
| - [Daniel Gustafsson brought this change] |
| |
| cookies: remove unused macro |
| |
| Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused, |
| so remove as it's not part of the published API. |
| |
| Closes https://github.com/curl/curl/pull/2537 |
| |
| Daniel Stenberg (27 Apr 2018) |
| - [Daniel Gustafsson brought this change] |
| |
| checksrc: force indentation of lines after an else |
| |
| This extends the INDENTATION case to also handle 'else' statements |
| and require proper indentation on the following line. Also fixes the |
| offending cases found in the codebase. |
| |
| Closes #2532 |
| |
| - http2: fix null pointer dereference in http2_connisdead |
| |
| This function can get called on a connection that isn't setup enough to |
| have the 'recv_underlying' function pointer initialized so it would try |
| to call the NULL pointer. |
| |
| Reported-by: Dario Weisser |
| |
| Follow-up to db1b2c7fe9b093f8 (never shipped in a release) |
| Closes #2536 |
| |
| - http2: get rid of another strstr() |
| |
| Follow-up to 1514c44655e12e: replace another strstr() call done on a |
| buffer that might not be zero terminated - with a memchr() call, even if |
| we know the substring will be found. |
| |
| Assisted-by: Max Dymond |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021 |
| |
| Closes #2534 |
| |
| - cyassl: adapt to libraries without TLS 1.0 support built-in |
| |
| WolfSSL doesn't enable it by default anymore |
| |
| - configure: provide --with-wolfssl as an alias for --with-cyassl |
| |
| - RELEASE-NOTES: synced |
| |
| - [Daniel Gustafsson brought this change] |
| |
| os400.c: fix ASSIGNWITHINCONDITION checksrc warnings |
| |
| All occurrences of assignment within conditional expression in |
| os400sys.c rewritten into two steps: first assignment and then the check |
| on the success of the assignment. Also adjust related incorrect brace |
| positions to match project indentation style. |
| |
| This was spurred by seeing "if((inp = input_token))", but while in there |
| all warnings were fixed. |
| |
| There should be no functional change from these changes. |
| |
| Closes #2525 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| cookies: ensure that we have cookies before writing jar |
| |
| The jar should be written iff there are cookies, so ensure that we still |
| have cookies after expiration to avoid creating an empty file. |
| |
| Closes #2529 |
| |
| - strcpy_url: only %-encode values >= 0x80 |
| |
| OSS-Fuzz detected |
| |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000 |
| |
| Broke in dd7521bcc1b7 |
| |
| - mime: avoid NULL pointer dereference risk |
| |
| Coverity detected, CID 1435120 |
| |
| Closes #2527 |
| |
| - [Stephan Mühlstrasser brought this change] |
| |
| ctype: restore character classification for non-ASCII platforms |
| |
| With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic |
| character classification macros and functions were introduced in |
| curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on |
| non-ASCII, e.g. EBCDIC platforms. This change restores the previous set |
| of character classification macros when CURL_DOES_CONVERSIONS is |
| defined. |
| |
| Closes #2494 |
| |
| - ftplistparser: keep state between invokes |
| |
| Fixes FTP wildcard parsing when done over a number of read buffers. |
| |
| Regression from f786d1f14 |
| |
| Reported-by: wncboy on github |
| Fixes #2445 |
| Closes #2526 |
| |
| - examples/http2-upload: expand buffer to avoid silly warning |
| |
| http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated |
| writing between 2 and 11 bytes into a region of size between 8 and 17 |
| |
| - examples/sftpuploadresume: typecast fseek argument to long |
| |
| /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long |
| int' from 'curl_off_t {aka long long int}' may alter its value |
| |
| - Revert "ftplistparser: keep state between invokes" |
| |
| This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934. |
| |
| Caused fuzzer problems on travis not seen when this was a PR! |
| |
| - Curl_memchr: zero length input can't match |
| |
| Avoids undefined behavior. |
| |
| Reported-by: Geeknik Labs |
| |
| - ftplistparser: keep state between invokes |
| |
| Fixes FTP wildcard parsing when doing over a number of read buffers. |
| |
| Regression from f786d1f14 |
| |
| Reported-by: wncboy on github |
| Fixes #2445 |
| Closes #2519 |
| |
| - ftplistparser: renamed some members and variables |
| |
| ... to make them better spell out what they're for. |
| |
| - RELEASE-NOTES: synced |
| |
| - [Christian Schmitz brought this change] |
| |
| curl_global_sslset: always provide available backends |
| |
| Closes #2499 |
| |
| - http2: convert an assert to run-time check |
| |
| Fuzzing has proven we can reach code in on_frame_recv with status_code |
| not having been set, so let's detect that in run-time (instead of with |
| assert) and error error accordingly. |
| |
| (This should no longer happen with the latest nghttp2) |
| |
| Detected by OSS-Fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903 |
| Closes #2514 |
| |
| - curl.1: clarify that options and URLs can be mixed |
| |
| Fixes #2515 |
| Closes #2517 |
| |
| Jay Satiro (23 Apr 2018) |
| - [Archangel_SDY brought this change] |
| |
| CURLOPT_SSLCERT.3: improve WinSSL-specific usage info |
| |
| Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780 |
| |
| Closes https://github.com/curl/curl/pull/2504 |
| |
| - [Archangel_SDY brought this change] |
| |
| schannel: fix build error on targets <= XP |
| |
| - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't |
| support the latter. |
| |
| Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 |
| |
| Closes https://github.com/curl/curl/pull/2504 |
| |
| Daniel Stenberg (23 Apr 2018) |
| - Revert "ftplistparser: keep state between invokes" |
| |
| This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9. |
| |
| Unfortunately this fix introduces memory leaks I've not been able to fix |
| in several days. Reverting this for now to get the leaks fixed. |
| |
| Jay Satiro (21 Apr 2018) |
| - tool_help: clarify --max-time unit of time is seconds |
| |
| Before: |
| -m, --max-time <time> Maximum time allowed for the transfer |
| |
| After: |
| -m, --max-time <seconds> Maximum time allowed for the transfer |
| |
| Daniel Stenberg (20 Apr 2018) |
| - http2: handle GOAWAY properly |
| |
| When receiving REFUSED_STREAM, mark the connection for close and retry |
| streams accordingly on another/fresh connection. |
| |
| Reported-by: Terry Wu |
| Fixes #2416 |
| Fixes #1618 |
| Closes #2510 |
| |
| - http2: clear the "drain counter" when a stream is closed |
| |
| This fixes the notorious "httpc->drain_total >= data->state.drain" |
| assert. |
| |
| Reported-by: Anders Bakken |
| |
| Fixes #1680 |
| Closes #2509 |
| |
| - http2: avoid strstr() on data not zero terminated |
| |
| It's not strictly clear if the API contract allows us to call strstr() |
| on a string that isn't zero terminated even when we know it will find |
| the substring, and clang's ASAN check dislikes us for it. |
| |
| Also added a check of the return code in case it fails, even if I can't |
| think of a situation how that can trigger. |
| |
| Detected by OSS-Fuzz |
| Closes #2513 |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760 |
| |
| - [Stephan Mühlstrasser brought this change] |
| |
| openssl: fix subjectAltName check on non-ASCII platforms |
| |
| Curl_cert_hostcheck operates with the host character set, therefore the |
| ASCII subjectAltName string retrieved with OpenSSL must be converted to |
| the host encoding before comparison. |
| |
| Closes #2493 |
| |
| Jay Satiro (20 Apr 2018) |
| - openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages |
| |
| - Support handling verbose-mode trace messages of type |
| SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, |
| SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, |
| SSL3_MT_MESSAGE_HASH |
| |
| Reported-by: iz8mbw@users.noreply.github.com |
| |
| Fixes https://github.com/curl/curl/issues/2403 |
| |
| Daniel Stenberg (19 Apr 2018) |
| - ftplistparser: keep state between invokes |
| |
| Regression from f786d1f14 |
| |
| Reported-by: wncboy on github |
| Fixes #2445 |
| Closes #2508 |
| |
| - detect_proxy: only show proxy use if it had contents |
| |
| - http2: handle on_begin_headers() called more than once |
| |
| This triggered an assert if called more than once in debug mode (and a |
| memory leak if not debug build). With the right sequence of HTTP/2 |
| headers incoming it can happen. |
| |
| Detected by OSS-Fuzz |
| |
| Closes #2507 |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764 |
| |
| Jay Satiro (18 Apr 2018) |
| - [Dan McNulty brought this change] |
| |
| schannel: add support for CURLOPT_CAINFO |
| |
| - Move verify_certificate functionality in schannel.c into a new |
| file called schannel_verify.c. Additionally, some structure defintions |
| from schannel.c have been moved to schannel.h to allow them to be |
| used in schannel_verify.c. |
| |
| - Make verify_certificate functionality for Schannel available on |
| all versions of Windows instead of just Windows CE. verify_certificate |
| will be invoked on Windows CE or when the user specifies |
| CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. |
| |
| - In verify_certificate, create a custom certificate chain engine that |
| exclusively trusts the certificate store backed by the CURLOPT_CAINFO |
| file. |
| |
| - doc updates of --cacert/CAINFO support for schannel |
| |
| - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString |
| when available. This implements a TODO in schannel.c to improve |
| handling of multiple SANs in a certificate. In particular, all SANs |
| will now be searched instead of just the first name. |
| |
| - Update tool_operate.c to not search for the curl-ca-bundle.crt file |
| when using Schannel to maintain backward compatibility. Previously, |
| any curl-ca-bundle.crt file found in that search would have been |
| ignored by Schannel. But, with CAINFO support, the file found by |
| that search would have been used as the certificate store and |
| could cause issues for any users that have curl-ca-bundle.crt in |
| the search path. |
| |
| - Update url.c to not set the build time CURL_CA_BUNDLE if the selected |
| SSL backend is Schannel. We allow setting CA location for schannel |
| only when explicitly specified by the user via CURLOPT_CAINFO / |
| --cacert. |
| |
| - Add new test cases 3000 and 3001. These test cases check that the first |
| and last SAN, respectively, matches the connection hostname. New test |
| certificates have been added for these cases. For 3000, the certificate |
| prefix is Server-localhost-firstSAN and for 3001, the certificate |
| prefix is Server-localhost-secondSAN. |
| |
| - Remove TODO 15.2 (Add support for custom server certificate |
| validation), this commit addresses it. |
| |
| Closes https://github.com/curl/curl/pull/1325 |
| |
| - schannel: fix warning |
| |
| - Fix warning 'integer from pointer without a cast' on 3rd arg in |
| CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer |
| type of the same size. |
| |
| Follow-up to e35b025. |
| |
| Caught by Marc's CI builds. |
| |
| - [Jakub Wilk brought this change] |
| |
| docs: fix typos |
| |
| Closes https://github.com/curl/curl/pull/2503 |
| |
| Daniel Stenberg (17 Apr 2018) |
| - RELEASE-NOTES: synced |
| |
| Jay Satiro (17 Apr 2018) |
| - [Kees Dekker brought this change] |
| |
| winbuild: Support custom devel paths for each dependency |
| |
| - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2, |
| OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH, |
| NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH. |
| |
| - Use lib.exe for making the static library instead of link.exe /lib. |
| The latter is undocumented and could cause problems as noted in the |
| comments. |
| |
| - Remove a dangling URL that no longer worked. (I was not able to find |
| the IDN download at MSDN/microsoft.com, so it seems to be removed.) |
| |
| - Remove custom override for release-ssh2-ssl-dll-zlib configuration. |
| Nobody knows why it was there and as far as we can see is unnecessary. |
| |
| Closes https://github.com/curl/curl/pull/2474 |
| |
| Daniel Stenberg (17 Apr 2018) |
| - [Jess brought this change] |
| |
| README.md: add backers and sponsors |
| |
| Closes #2484 |
| |
| - [Archangel_SDY brought this change] |
| |
| schannel: add client certificate authentication |
| |
| Users can now specify a client certificate in system certificates store |
| explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` |
| |
| Closes #2376 |
| |
| Marcel Raad (16 Apr 2018) |
| - [toughengineer brought this change] |
| |
| ntlm_sspi: fix authentication using Credential Manager |
| |
| If you pass empty user/pass asking curl to use Windows Credential |
| Storage (as stated in the docs) and it has valid credentials for the |
| domain, e.g. |
| curl -v -u : --ntlm example.com |
| currently authentication fails. |
| This change fixes it by providing proper SPN string to the SSPI API |
| calls. |
| |
| Fixes https://github.com/curl/curl/issues/1622 |
| Closes https://github.com/curl/curl/pull/1660 |
| |
| Daniel Stenberg (16 Apr 2018) |
| - configure: keep LD_LIBRARY_PATH changes local |
| |
| ... only set it when we actually have to run tests to reduce its impact |
| on for example build commands etc. |
| |
| Fixes #2490 |
| Closes #2492 |
| |
| Reported-by: Dmitry Mikhirev |
| |
| Marcel Raad (16 Apr 2018) |
| - urldata: make service names unconditional |
| |
| The ifdefs have become quite long. Also, the condition for the |
| definition of CURLOPT_SERVICE_NAME and for setting it from |
| CURLOPT_SERVICE_NAME have diverged. We will soon also need the two |
| options for NTLM, at least when using SSPI, for |
| https://github.com/curl/curl/pull/1660. |
| Just make the definitions unconditional to make that easier. |
| |
| Closes https://github.com/curl/curl/pull/2479 |
| |
| Daniel Stenberg (16 Apr 2018) |
| - test1148: tolerate progress updates better |
| |
| Fixes #2446 |
| Closes #2488 |
| |
| - [Christian Schmitz brought this change] |
| |
| ssh: show libSSH2 error code when closing fails |
| |
| Closes #2500 |
| |
| Jay Satiro (15 Apr 2018) |
| - [Daniel Gustafsson brought this change] |
| |
| vauth: Fix typo |
| |
| Address various spellings of "credentials". |
| |
| Closes https://github.com/curl/curl/pull/2496 |
| |
| - [Dagobert Michelsen brought this change] |
| |
| system.h: Add sparcv8plus to oracle/sunpro 32-bit detection |
| |
| With specific compiler options selecting the arch like -xarch=sparc on |
| newer compilers like Oracle Studio 12.4 there is no definition of |
| __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the |
| 32ÎíÎñbit subset defined by the V8plus ISA specification, without the |
| Visual Instruction Set (VIS), and without other implementation-specific |
| ISA extensions. So it should be the same as __sparcv8. |
| |
| Closes https://github.com/curl/curl/pull/2491 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| checksrc: Fix typo |
| |
| Fix typo in "semicolon" spelling and remove stray tab character. |
| |
| Closes https://github.com/curl/curl/pull/2498 |
| |
| - [Daniel Gustafsson brought this change] |
| |
| all: Refactor malloc+memset to use calloc |
| |
| When a zeroed out allocation is required, use calloc() rather than |
| malloc() followed by an explicit memset(). The result will be the |
| same, but using calloc() everywhere increases consistency in the |
| codebase and avoids the risk of subtle bugs when code is injected |
| between malloc and memset by accident. |
| |
| Closes https://github.com/curl/curl/pull/2497 |
| |
| Daniel Stenberg (12 Apr 2018) |
| - duphandle: make sure CURLOPT_RESOLVE is duplicated fine too |
| |
| Verified in test 1502 now |
| |
| Fixes #2485 |
| Closes #2486 |
| Reported-by: Ernst Sjöstrand |
| |
| - mailmap: add a monnerat fixup [ci skip] |
| |
| - proxy: show getenv proxy use in verbose output |
| |
| ... to aid debugging etc as it sometimes isn't immediately obvious why |
| curl uses or doesn't use a proxy. |
| |
| Inspired by #2477 |
| |
| Closes #2480 |
| |
| - travis: build libpsl and make builds use it |
| |
| closes #2471 |
| |
| - travis: bump to clang 6 and gcc 7 |
| |
| Extra-eye-on-this-by: Marcel Raad |
| |
| Closes #2478 |
| |
| Marcel Raad (10 Apr 2018) |
| - travis: use trusty for coverage build |
| |
| This works now and precise is in the process of being decommissioned. |
| |
| Closes https://github.com/curl/curl/pull/2476 |
| |
| - lib: silence null-dereference warnings |
| |
| In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings |
| when dereferencing pointers after DEBUGASSERT-ing that they are not |
| NULL. |
| Fix this by removing the DEBUGASSERTs. |
| |
| Suggested-by: Daniel Stenberg |
| Ref: https://github.com/curl/curl/pull/2463 |
| |
| - [Kees Dekker brought this change] |
| |
| winbuild: fix URL |
| |
| Follow up on https://github.com/curl/curl/pull/2472. |
| Now using en-us instead of nl-nl as language code in the URL. |
| |
| Closes https://github.com/curl/curl/pull/2475 |
| |
| Daniel Stenberg (9 Apr 2018) |
| - [Kees Dekker brought this change] |
| |
| winbuild: updated the documentation |
| |
| The setenv command no longer exists and visual studio build prompts got |
| changed. Used Visual Studio 2015/2017 as reference. |
| |
| Closes #2472 |
| |
| - test1136: fix cookie order after commit c990eadd1277 |
| |
| - build: cleanup to fix clang warnings/errors |
| |
| unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a |
| cast from integer to pointer is a GNU extension |
| |
| Reported-by: Rikard Falkeborn |
| |
| Fixes #2466 |
| Closes #2468 |
| |
| Jay Satiro (7 Apr 2018) |
| - examples/sftpuploadresmue: Fix Windows large file seek |
| |
| - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows. |
| |
| - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print |
| curl_off_t. |
| |
| Caught by Marc's CI builds. |
| |
| Daniel Stenberg (7 Apr 2018) |
| - curl_setup: provide a CURL_SA_FAMILY_T type if none exists |
| |
| ... and use this type instead of 'sa_family_t' in the code since several |
| platforms don't have it. |
| |
| Closes #2463 |
| |
| - [Eric Gallager brought this change] |
| |
| build: add picky compiler warning flags for gcc 6 and 7 |
| |
| - configure: detect sa_family_t |
| |
| Jay Satiro (7 Apr 2018) |
| - [Stefan Agner brought this change] |
| |
| tool_operate: Fix retry on FTP 4xx to ignore other protocols |
| |
| Only treat response code as FTP response codes in case the |
| protocol type is FTP. |
| |
| This fixes an issue where an HTTP download was treated as FTP |
| in case libcurl returned with 33. This happens when the |
| download has already finished and the server responses 416: |
| HTTP/1.1 416 Requested Range Not Satisfiable |
| |
| This should not be treated as an FTP error. |
| |
| Fixes #2464 |
| Closes #2465 |
| |
| Daniel Stenberg (6 Apr 2018) |
| - hash: calculate sizes with size_t instead of longs |
| |
| ... since they return size_t anyway! |
| |
| closes #2462 |
| |
| - RELEASE-NOTES: synced |
| |
| - [Jay Satiro brought this change] |
| |
| build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 |
| |
| .. and do the same for build-wolfssl.bat. |
| |
| Because MS calls it VC14.1. |
| |
| Closes https://github.com/curl/curl/pull/2189 |
| |
| - [Kees Dekker brought this change] |
| |
| winbuild: make the clean target work without build-type |
| |
| Due to the check in Makefile.vc and MakefileBuild.vc, no make call can |
| be invoked unless a build-type was specified. However, a clean target |
| only existed when a build type was specified. As a result, the clean |
| target was unreachable. Made clean target unconditional. |
| |
| Closes #2455 |
| |
| - [patelvivekv1993 brought this change] |
| |
| build-openssl.bat: allow custom paths for VS and perl |
| |
| Fixes #2430 |
| Closes #2457 |
| |
| - [Laurie Clark-Michalek brought this change] |
| |
| FTP: allow PASV on IPv6 connections when a proxy is being used |
| |
| In the situation of a client connecting to an FTP server using an IPv6 |
| tunnel proxy, the connection info will indicate that the connection is |
| IPv6. However, because the server behing the proxy is IPv4, it is |
| permissable to attempt PSV mode. In the case of the FTP server being |
| IPv4 only, EPSV will always fail, and with the current logic curl will |
| be unable to connect to the server, as the IPv6 fwdproxy causes curl to |
| think that EPSV is impossible. |
| |
| Closes #2432 |
| |
| - [Jon DeVree brought this change] |
| |
| file: restore old behavior for file:////foo/bar URLs |
| |
| curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC |
| 8089 but then returns an error saying this is unimplemented. This is |
| actually a regression in behavior on both Windows and Unix. |
| |
| Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and |
| then passed to the relevant OS API. This means that the behavior of this |
| case is actually OS dependent. |
| |
| The Unix path resolution rules say that the OS must handle swallowing |
| the extra "/" and so this path is the same as "/foo/bar" |
| |
| The Windows path resolution rules say that this is a UNC path and |
| automatically handles the SMB access for the program. So curl on Windows |
| was already doing Appendix E.3.2 without any special code in curl. |
| |
| Regression |
| |
| Closes #2438 |
| |
| - [Gaurav Malhotra brought this change] |
| |
| Revert "openssl: Don't add verify locations when verifypeer==0" |
| |
| This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. |
| |
| libcurl (with the OpenSSL backend) performs server certificate verification |
| even if verifypeer == 0 and the verification result is available using |
| CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the |
| CURLINFO_SSL_VERIFYRESULT to not have useful information for the |
| verifypeer == 0 use case (it would always have |
| X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). |
| |
| Closes #2451 |
| |
| - [Wyatt O'Day brought this change] |
| |
| tls: fix mbedTLS 2.7.0 build + handle sha256 failures |
| |
| (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) |
| |
| Closes #2453 |
| |
| - [Lauri Kasanen brought this change] |
| |
| cookie: case-insensitive hashing for the domains |
| |
| closes #2458 |
| |
| Patrick Monnerat (4 Apr 2018) |
| - cookie: fix and optimize 2nd top level domain name extraction |
| |
| This fixes a segfault occurring when a name of the (invalid) form "domain..tld" |
| is processed. |
| |
| test46 updated to cover this case. |
| |
| Follow-up to commit c990ead. |
| |
| Ref: https://github.com/curl/curl/pull/2440 |
| |
| Daniel Stenberg (4 Apr 2018) |
| - openssl: provide defines for argument typecasts to build warning-free |
| |
| ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types. |
| |
| - [Bernard Spil brought this change] |
| |
| openssl: fix build with LibreSSL 2.7 |
| |
| - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API |
| |
| Fixes #2319 |
| Closes #2447 |
| Closes #2448 |
| |
| Signed-off-by: Bernard Spil <brnrd@FreeBSD.org> |
| |
| - [Lauri Kasanen brought this change] |
| |
| cookie: store cookies per top-level-domain-specific hash table |
| |
| This makes libcurl handle thousands of cookies much better and speedier. |
| |
| Closes #2440 |
| |
| - [Lauri Kasanen brought this change] |
| |
| cookies: when reading from a file, only remove_expired once |
| |
| This drops the cookie load time for 8k cookies from 178ms to 15ms. |
| |
| Closes #2441 |
| |
| - test1148: set a fixed locale for the test |
| |
| ...as otherwise it might use a different decimal sign. |
| |
| Bug: #2436 |
| Reported-by: Oumph on github |
| |
| Jay Satiro (31 Mar 2018) |
| - docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T |
| |
| - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf. |
| |
| For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html |
| Reported-by: David L. |
| |
| Sergei Nikulov (27 Mar 2018) |
| - [Michał Janiszewski brought this change] |
| |
| cmake: Add advapi32 as explicit link library for win32 |
| |
| ARM targets need advapi32 explicitly. |
| |
| Closes #2363 |
| |
| Daniel Stenberg (27 Mar 2018) |
| - TODO: connection cache sharing is now supporte |
| |
| Jay Satiro (26 Mar 2018) |
| - travis: enable apt retry on fail |
| |
| This is a workaround for an unsolved travis issue that is causing CI |
| instances to sporadically fail due to 'unable to connect' issues during |
| apt stage. |
| |
| Ref: https://github.com/travis-ci/travis-ci/issues/8507 |
| Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909 |
| |
| Michael Kaufmann (26 Mar 2018) |
| - runtests.pl: fix warning 'use of uninitialized value' |
| |
| follow-up to a9a7b60 |
| |
| Closes #2428 |
| |
| Daniel Stenberg (24 Mar 2018) |
| - gitignore: ignore more generated files |
| |
| - threaded resolver: track resolver time and set suitable timeout values |
| |
| In order to make curl_multi_timeout() return suitable "sleep" times even |
| when there's no socket to wait for while the name is being resolved in a |
| helper thread. |
| |
| It will increases the timeouts as time passes. |
| |
| Closes #2419 |
| |
| - [Howard Chu brought this change] |
| |
| openldap: fix for NULL return from ldap_get_attribute_ber() |
| |
| Closes #2399 |
| |
| GitHub (22 Mar 2018) |
| - [Sergei Nikulov brought this change] |
| |
| travis-ci: enable -Werror for CMake builds (#2418) |
| |
| - [Sergei Nikulov brought this change] |
| |
| cmake: avoid warn-as-error during config checks (#2411) |
| |
| - Move the CURL_WERROR option processing after the configuration checks |
| to avoid failures in case of warnings during the configuration checks. |
| |
| This is a partial fix for #2358 |
| |
| - [Sergei Nikulov brought this change] |
| |
| timeval: remove compilation warning by casting (#2417) |
| |
| This is fixes #2358 |
| |
| Daniel Stenberg (22 Mar 2018) |
| - http2: read pending frames (including GOAWAY) in connection-check |
| |
| If a connection has received a GOAWAY frame while not being used, the |
| function now reads frames off the connection before trying to reuse it |
| to avoid reusing connections the server has told us not to use. |
| |
| Reported-by: Alex Baines |
| Fixes #1967 |
| Closes #2402 |
| |
| - [Bas van Schaik brought this change] |
| |
| CI: add lgtm.yml for tweaking lgtm.com analysis |
| |
| Closes #2414 |
| |
| - CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text |
| |
| Reported-by: Michal Trybus |
| |
| Fixes #2400 |
| |
| - TODO: expand ~/ in config files |
| |
| Closes #2317 |
| |
| - cookie.d: mention that "-" as filename means stdin |
| |
| Reported-by: Dongliang Mu |
| Fixes #2410 |
| |
| - CURLINFO_COOKIELIST.3: made the example not leak memory |
| |
| Reported-by: Muz Dima |
| |
| - vauth/cleartext: fix integer overflow check |
| |
| Make the integer overflow check not rely on the undefined behavior that |
| a size_t wraps around on overflow. |
| |
| Detected by lgtm.com |
| Closes #2408 |
| |
| - lib/curl_path.h: add #ifdef header guard |
| |
| Detected by lgtm.com |
| |
| - vauth/ntlm.h: fix the #ifdef header guard |
| |
| Detected by lgtm.com |
| |
| Jay Satiro (20 Mar 2018) |
| - examples/hiperfifo: checksrc compliance |
| |
| Daniel Stenberg (19 Mar 2018) |
| - [Nikos Tsipinakis brought this change] |
| |
| parsedate: support UT timezone |
| |
| RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with |
| GMT. |
| |
| Closes #2401 |
| |
| - RELEASE-NOTES: synced |
| |
| - [Don brought this change] |
| |
| cmake: add support for brotli |
| |
| Currently CMake cannot detect Brotli support. This adds detection of the |
| libraries and associated header files. It also adds this to the |
| generated config. |
| |
| Closes #2392 |
| |
| - [Chris Araman brought this change] |
| |
| darwinssl: fix iOS build |
| |
| Patrick Monnerat (18 Mar 2018) |
| - ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES |
| |
| Daniel Stenberg (17 Mar 2018) |
| - [Rick Deist brought this change] |
| |
| resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES |
| |
| This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request |
| shuffling of IP addresses returned for a hostname when there is more |
| than one. This is useful when the application knows that a round robin |
| approach is appropriate and is willing to accept the consequences of |
| potentially discarding some preference order returned by the system's |
| implementation. |
| |
| Closes #1694 |
| |
| - add_handle/easy_perform: clear errorbuffer on start if set |
| |
| To offer applications a more defined behavior, we clear the buffer as |
| early as possible. |
| |
| Assisted-by: Jay Satiro |
| |
| Fixes #2190 |
| Closes #2377 |
| |
| - [Lawrence Matthews brought this change] |
| |
| CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol |
| |
| Add --haproxy-protocol for the command line tool |
| |
| Closes #2162 |
| |
| - curl_version_info.3: fix ssl_version description |
| |
| Reported-by: Vincas Razma |
| Fixes #2364 |
| |
| - multi: improved pending transfers handling => improved performance |
| |
| When a transfer is requested to get done and it is put in the pending |
| queue when limited by number of connections, total or per-host, libcurl |
| would previously very aggressively retry *ALL* pending transfers to get |
| them transferring. That was very time consuming. |
| |
| By reducing the aggressiveness in how pending are being retried, we |
| waste MUCH less time on putting transfers back into pending again. |
| |
| Some test cases got a factor 30(!) speed improvement with this change. |
| |
| Reported-by: Cyril B |
| Fixes #2369 |
| Closes #2383 |
| |
| - pause: when changing pause state, update socket state |
| |
| Especially unpausing a transfer might have to move the socket back to the |
| "currently used sockets" hash to get monitored. Otherwise it would never get |
| any more data and get stuck. Easily triggered with pausing using the |
| multi_socket API. |
| |
| Reported-by: Philip Prindeville |
| Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html |
| Fixes #2393 |
| Closes #2391 |
| |
| - [Philip Prindeville brought this change] |
| |
| examples/hiperfifo.c: improved |
| |
| * use member struct event’s instead of pointers to alloc’d struct |
| events |
| |
| * simplify the cases for the mcode_or_die() function via macros; |
| |
| * make multi_timer_cb() actually do what the block comment says it |
| should; |
| |
| * accept a “stop” command on the FIFO to shut down the service; |
| |
| * use cleaner notation for unused variables than the (void) hack; |
| |
| * allow following redirections (304’s); |
| |
| - rate-limit: use three second window to better handle high speeds |
| |
| Due to very frequent updates of the rate limit "window", it could |
| attempt to rate limit within the same milliseconds and that then made |
| the calculations wrong, leading to it not behaving correctly on very |
| fast transfers. |
| |
| This new logic updates the rate limit "window" to be no shorter than the |
| last three seconds and only updating the timestamps for this when |
| switching between the states TOOFAST/PERFORM. |
| |
| Reported-by: 刘佩东 |
| Fixes #2386 |
| Closes #2388 |
| |
| - [luz.paz brought this change] |
| |
| cleanup: misc typos in strings and comments |
| |
| Found via `codespell` |
| |
| Closes #2389 |
| |
| - RELEASE-NOTES: toward 7.60.0 |
| |
| - [Kobi Gurkan brought this change] |
| |
| http2: fixes typo |
| |
| Closes #2387 |
| |
| - user-agent.d:: mention --proxy-header as well |
| |
| Bug: https://github.com/curl/curl/issues/2381 |
| |
| - transfer: make HTTP without headers count correct body size |
| |
| This is what "HTTP/0.9" basically looks like. |
| |
| Reported on IRC |
| |
| Closes #2382 |
| |
| - test1208: marked flaky |
| |
| It fails somewhere between every 3rd to 10th travis-CI run |
| |
| - SECURITY-PROCESS: mention how we write/add advisories |
| |
| - [dasimx brought this change] |
| |
| FTP: fix typo in recursive callback detection for seeking |
| |
| Fixes #2380 |
| |
| Version 7.59.0 (13 Mar 2018) |
| |
| Daniel Stenberg (13 Mar 2018) |
| - release: 7.59.0 |
| |
| Kamil Dudka (13 Mar 2018) |
| - tests/.../spnego.py: fix identifier typo |
| |
| Detected by Coverity Analysis: |
| |
| Error: IDENTIFIER_TYPO: |
| curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo: |
| * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code. |
| * Identifier "SupportedMech" is referenced elsewhere at least 4 times. |
| curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech". |
| curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech". |
| curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function). |
| curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"? |
| |
| Closes #2379 |
| |
| Daniel Stenberg (13 Mar 2018) |
| - CURLOPT_COOKIEFILE.3: "-" as file name means stdin |
| |
| Reported-by: Aron Bergman |
| Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html |
| |
| [ci skip] |
| |
| - Revert "hostip: fix compiler warning: 'variable set but not used'" |
| |
| This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248. |
| |
| The assignment really needs to be there or we risk working with an |
| uninitialized pointer. |
| |
| Michael Kaufmann (12 Mar 2018) |
| - limit-rate: fix compiler warning |
| |
| follow-up to 72a0f62 |
| |
| Viktor Szakats (12 Mar 2018) |
| - checksrc.pl: add -i and -m options |
| |
| To sync it with changes made for the libssh2 project. |
| Also cleanup some whitespace. |
| |
| - curl-openssl.m4: fix spelling [ci skip] |
| |
| - FAQ: fix a broken URL [ci skip] |
| |
| Daniel Stenberg (12 Mar 2018) |
| - http2: mark the connection for close on GOAWAY |
| |
| ... don't consider it an error! |
| |
| Assisted-by: Jay Satiro |
| Reported-by: Łukasz Domeradzki |
| Fixes #2365 |
| Closes #2375 |
| |
| - credits: Viktor prefers without accent |
| |
| - openldap: white space changes, fixed up the copyright years |
| |
| - openldap: check ldap_get_attribute_ber() results for NULL before using |
| |
| CVE-2018-1000121 |
| Reported-by: Dario Weisser |
| Bug: https://curl.haxx.se/docs/adv_2018-97a2.html |
| |
| - FTP: reject path components with control codes |
| |
| Refuse to operate when given path components featuring byte values lower |
| than 32. |
| |
| Previously, inserting a %00 sequence early in the directory part when |
| using the 'singlecwd' ftp method could make curl write a zero byte |
| outside of the allocated buffer. |
| |
| Test case 340 verifies. |
| |
| CVE-2018-1000120 |
| Reported-by: Duy Phan Thanh |
| Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html |
| |
| - readwrite: make sure excess reads don't go beyond buffer end |
| |
| CVE-2018-1000122 |
| Bug: https://curl.haxx.se/docs/adv_2018-b047.html |
| |
| Detected by OSS-fuzz |
| |
| - BUGS: updated link to security process |
| |
| - limit-rate: kick in even before "limit" data has been received |
| |
| ... and make sure to avoid integer overflows with really large values. |
| |
| Reported-by: 刘佩东 |
| Fixes #2371 |
| Closes #2373 |
| |
| - docs/SECURITY.md -> docs/SECURITY-PROCESS.md |
| |
| - SECURITY.md: call it the security process |
| |
| Michael Kaufmann (11 Mar 2018) |
| - Curl_range: fix FTP-only and FILE-only builds |
| |
| follow-up to e04417d |
| |
| - hostip: fix compiler warning: 'variable set but not used' |
| |
| Daniel Stenberg (11 Mar 2018) |
| - HTTP: allow "header;" to replace an internal header with a blank one |
| |
| Reported-by: Michael Kaufmann |
| Fixes #2357 |
| Closes #2362 |
| |
| - http2: verbose output new MAX_CONCURRENT_STREAMS values |
| |
| ... as it is interesting for many users. |
| |
| - SECURITY: distros' max embargo time is 14 days now |
| |
| Patrick Monnerat (8 Mar 2018) |
| - curl tool: accept --compressed also if Brotli is enabled and zlib is not. |
| |
| Daniel Stenberg (5 Mar 2018) |
| - THANKS + mailmap: remove duplicates, fixup full names |
| |
| - [sergii.kavunenko brought this change] |
| |
| WolfSSL: adding TLSv1.3 |
| |
| Closes #2349 |
| |
| - RELEASE-NOTES/THANKS: synced with cc1d4c505 |
| |
| - [Richard Alcock brought this change] |
| |
| winbuild: prefer documented zlib library names |
| |
| Check for existence of import and static libraries with documented names |
| and use them if they do. Fallback to previous names. |
| |
| According to |
| https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on |
| Windows, the names of the import library is "zdll.lib" and static |
| library is "zlib.lib". |
| |
| closes #2354 |
| |
| Marcel Raad (4 Mar 2018) |
| - krb5: use nondeprecated functions |
| |
| gss_seal/gss_unseal have been deprecated in favor of |
| gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first |
| version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June |
| 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and |
| "GSS_Unwrap() (formerly GSS_Unseal())". |
| |
| Use the nondeprecated functions to avoid deprecation warnings. |
| |
| [1] https://tools.ietf.org/html/rfc2078 |
| [2] https://tools.ietf.org/html/rfc1964 |
| |
| Closes https://github.com/curl/curl/pull/2356 |
| |
| Daniel Stenberg (4 Mar 2018) |
| - curl.1: mention how to add numerical IP addresses in NO_PROXY |
| |
| - CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses |
| |
| - NO_PROXY: fix for IPv6 numericals in the URL |
| |
| Added test 1265 that verifies. |
| |
| Reported-by: steelman on github |
| Fixes #2353 |
| Closes #2355 |
| |
| - build: get CFLAGS (including -werror) used for examples and tests |
| |
| ... so that the CI and more detects compiler warnings/errors properly! |
| |
| Closes #2337 |
| |
| Marcel Raad (3 Mar 2018) |
| - curl_ctype: fix macro redefinition warnings |
| |
| On MinGW and Cygwin, GCC and clang have been complaining about macro |
| redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this |
| by undefining the macros before redefining them as suggested in |
| https://github.com/curl/curl/pull/2269. |
| |
| Suggested-by: Daniel Stenberg |
| |
| Dan Fandrich (2 Mar 2018) |
| - unit1307: proper cleanup on OOM to fix torture tests |
| |
| Marcel Raad (28 Feb 2018) |
| - unit1309: fix warning on Windows x64 |
| |
| When targeting x64, MinGW-w64 complains about conversions between |
| 32-bit long and 64-bit pointers. Fix this by reusing the |
| GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic |
| from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / |
| CURLX_INTEGER_TO_POINTER_CAST. |
| |
| Closes https://github.com/curl/curl/pull/2341 |
| |
| - travis: update compiler versions |
| |
| Update clang to version 3.9 and GCC to version 6. |
| |
| Closes https://github.com/curl/curl/pull/2345 |
| |
| Daniel Stenberg (26 Feb 2018) |
| - docs/MANUAL: formfind.pl is not accessible on the site anymore |
| |
| Fixes #2342 |
| |
| Jay Satiro (24 Feb 2018) |
| - curl-openssl.m4: Fix version check for OpenSSL 1.1.1 |
| |
| - Add OpenSSL 1.1.1 to the header/library version lists. |
| |
| - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark, |
| which was added in that version. |
| |
| Prior to this change an erroneous header/library mismatch was caused by |
| lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1. |
| |
| Viktor Szakats (23 Feb 2018) |
| - lib655: silence compiler warning |
| |
| Closes https://github.com/curl/curl/pull/2335 |
| |
| - spelling fixes |
| |
| Detected using the `codespell` tool. |
| |
| Also contains one URL protocol upgrade. |
| |
| Closes https://github.com/curl/curl/pull/2334 |
| |
| Daniel Stenberg (24 Feb 2018) |
| - projects/README: remove reference to dead IDN link/package |
| |
| Reported-by: Stefan Kanthak and Rod Widdowson |
| |
| Fixes #2325 |
| |
| Jay Satiro (23 Feb 2018) |
| - [Rod Widdowson brought this change] |
| |
| winbuild: Use macros for the names of some build utilities |
| |
| - Add macros to the top of the makefile for rc and mt utilities so that |
| it is easier to change their locations. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html |
| Reported-by: Stefan Kanthak |
| |
| Closes https://github.com/curl/curl/issues/2329 |
| |
| Daniel Stenberg (23 Feb 2018) |
| - TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2 |
| |
| - curl_share_setopt.3: connection cache is shared within multi handles |
| |
| Jay Satiro (22 Feb 2018) |
| - [Rod Widdowson brought this change] |
| |
| winbuild: Use CALL to run batch scripts |
| |
| Co-authored-by: Stefan Kanthak |
| |
| Closes https://github.com/curl/curl/issues/2330 |
| Closes https://github.com/curl/curl/pull/2331 |
| |
| Patrick Monnerat (22 Feb 2018) |
| - os400: add curl_resolver_start_callback type to ILE/RPG binding |
| |
| Daniel Stenberg (22 Feb 2018) |
| - form.d: rephrased somewhat, added two example command lines |
| |
| Jay Satiro (21 Feb 2018) |
| - [Francisco Sedano brought this change] |
| |
| url: Add option CURLOPT_RESOLVER_START_FUNCTION |
| |
| - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that |
| will be called every time before a new resolve request is started |
| (ie before a host is resolved) with a pointer to backend-specific |
| resolver data. Currently this is only useful for ares. |
| |
| - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to |
| pass to the resolver start callback. |
| |
| Closes https://github.com/curl/curl/pull/2311 |
| |
| - lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS |
| |
| - In keeping with the naming of our other connect timeout options rename |
| CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS. |
| |
| This change adds the _MS suffix since the option expects milliseconds. |
| This is more intuitive for our users since other connect timeout options |
| that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS, |
| CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS. |
| |
| The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms. |
| |
| Follow-up to 2427d94 which added the lib and tool option yesterday. |
| |
| Ref: https://github.com/curl/curl/pull/2260 |
| |
| Patrick Monnerat (21 Feb 2018) |
| - sasl: prefer PLAIN mechanism over LOGIN |
| |
| SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says |
| PLAIN should be used instead if available. |
| |
| Daniel Stenberg (21 Feb 2018) |
| - RELEASE-NOTES: synced with 2427d94c6 |
| |
| Jay Satiro (20 Feb 2018) |
| - [Anders Bakken brought this change] |
| |
| url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT |
| |
| - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy |
| eyeball timeout value. |
| |
| - Add new optval macro CURL_HET_DEFAULT to represent the default happy |
| eyeballs timeout value (currently 200 ms). |
| |
| - Add new tool option --happy-eyeballs-timeout-ms to expose |
| CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the |
| other -timeout options in the tool expect seconds not milliseconds. |
| |
| Closes https://github.com/curl/curl/pull/2260 |
| |
| - hostip: fix 'potentially uninitialized variable' warning |
| |
| Follow-up to 50d1b33. |
| |
| Caught by AppVeyor. |
| |
| Daniel Stenberg (20 Feb 2018) |
| - TODO: warning if curl version is not in sync with libcurl version |
| |
| Jay Satiro (20 Feb 2018) |
| - [Anders Bakken brought this change] |
| |
| CURLOPT_RESOLVE: Add support for multiple IP addresses per entry |
| |
| This enables users to preresolve but still take advantage of happy |
| eyeballs and trying multiple addresses if some are not connecting. |
| |
| Ref: https://github.com/curl/curl/pull/2260 |
| |
| Daniel Stenberg (20 Feb 2018) |
| - [Sergio Borghese brought this change] |
| |
| examples/sftpuploadresume: resume upload via CURLOPT_APPEND |
| |
| URL: https://curl.haxx.se/mail/lib-2018-02/0072.html |
| |
| - curl --version: show PSL if the run-time lib has it enabled |
| |
| ... not of the #define was set at build-time! |
| |
| - TODO: "Support in-memory certs/ca certs/keys" |
| |
| removed SSLKEYLOGFILE support (fixed) |
| |
| removed "consider SSL patches" (outdated) |
| |
| Closes #2310 |
| |
| - CURLOPT_HEADER.3: clarify problems with different data sizes |
| |
| - test1556: verify >16KB headers to the header callback |
| |
| - header callback: don't chop headers into smaller pieces |
| |
| Reported-by: Guido Berhoerster |
| Fixes #2314 |
| Closes #2316 |
| |
| - test1154: verify that long HTTP headers get rejected |
| |
| - http: fix the max header length detection logic |
| |
| Previously, it would only check for max length if the existing alloc |
| buffer was to small to fit it, which often would make the header still |
| get used. |
| |
| Reported-by: Guido Berhoerster |
| Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html |
| |
| Closes #2315 |
| |
| - CURLOPT_HEADERFUNCTION.3: fix typo from d939226813 |
| |
| Reported-by: Erik Johansson |
| Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495 |
| |
| - CURLOPT_HEADERFUNCTION.3: mention folded headers |
| |
| - TODO: 1.1 Option to refuse usernames in URLs |
| |
| Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas. |
| |
| - TODO: 1.7 Support HTTP/2 for HTTP(S) proxies |
| |
| - ssh: add two missing state names |
| |
| The list of state names (used in debug builds) was out of sync in |
| relation to the list of states (used in all builds). |
| |
| I now added an assert to make sure the sizes of the two lists match, to |
| aid in detecting this mistake better in the future. |
| |
| Regression since c92d2e14cf, shipped in 7.58.0. |
| |
| Reported-by: Somnath Kundu |
| |
| Fixes #2312 |
| Closes #2313 |
| |
| - Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy" |
| |
| This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998. |
| |
| Reported-by: Jay Satiro |
| |
| Jay Satiro (15 Feb 2018) |
| - non-ascii: fix implicit declaration warning |
| |
| Follow-up to b46cfbc. |
| |
| Caught by Travis CI. |
| |
| Daniel Stenberg (15 Feb 2018) |
| - travis: add build with iconv enabled |
| |
| ... to verify it builds and works fine. |
| |
| Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html |
| |
| Closes #1872 |
| |
| - TODO: 18.18 retry on network is unreachable |
| |
| Closes #1603 |
| |
| - KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy |
| |
| Closes #1254 |
| |
| Kamil Dudka (15 Feb 2018) |
| - nss: use PK11_CreateManagedGenericObject() if available |
| |
| ... so that the memory allocated by applications using libcurl does not |
| grow per each TLS connection. |
| |
| Bug: https://bugzilla.redhat.com/1510247 |
| |
| Closes #2297 |
| |
| Daniel Stenberg (15 Feb 2018) |
| - [Björn Stenberg brought this change] |
| |
| TODO fixed: Detect when called from within callbacks |
| |
| Closes #2302 |
| |
| - BINDINGS: fix curb link (and remove ruby-curl-multi) |
| |
| Reported-by: Klaus Stein |
| |
| - curl_gssapi: make sure this file too uses our *printf() |
| |
| - libcurl-security.3: separate file:// section |
| |
| ... just to make it more apparent. Even if it repeats |
| some pieces of information. |
| |
| - libcurl-security.3: the http://192.168.0.1/my_router_config case |
| |
| Mentioned-By: Rich Moore |
| |
| - libcurl-security.3: mention the URL standards problems too |
| |
| - libcurl-security.3: split out from libcurl-tutorial.3 |
| |
| To make more accessible. |
| |
| Merged in some new language from "URLs are dangerous things" as discussed on |
| the mailing list a few days ago: |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html |
| |
| - RELEASE-NOTES: synced with e551910f8 |
| |
| Patrick Monnerat (13 Feb 2018) |
| - tests: new tests for http raw mode |
| |
| Test 319 checks proper raw mode data with non-chunked gzip |
| transfer-encoded server data. |
| Test 326 checks raw mode with chunked server data. |
| |
| Bug: #2303 |
| Closes #2308 |
| |
| Kamil Dudka (12 Feb 2018) |
| - tlsauthtype.d: works only if libcurl is built with TLS-SRP support |
| |
| Bug: https://bugzilla.redhat.com/1542256 |
| |
| Closes #2306 |
| |
| Patrick Monnerat (12 Feb 2018) |
| - smtp: fix processing of initial dot in data |
| |
| RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command |
| should be taken into account when chasing the <CRLF>.<CRLF> end marker. |
| Thus a leading dot character in data is also subject to escaping. |
| |
| Tests 911 and test server are adapted to this situation. |
| New tests 951 and 952 check proper handling of initial dot in data. |
| |
| Closes #2304 |
| |
| Daniel Stenberg (12 Feb 2018) |
| - sha256: avoid redefine |
| |
| - [Douglas Mencken brought this change] |
| |
| sha256: build with OpenSSL < 0.9.8 too |
| |
| support for SHA-2 was introduced in OpenSSL 0.9.8 |
| |
| Closes #2305 |
| |
| - [Bruno Grasselli brought this change] |
| |
| README: language fix |
| |
| s/off/from |
| |
| Closes #2300 |
| |
| Patrick Monnerat (12 Feb 2018) |
| - http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on |
| |
| Bug: #2303 |
| Reported-By: Henry Roeland |
| |
| Daniel Stenberg (9 Feb 2018) |
| - get_posix_time: only check for overflows if they can happen! |
| |
| Michael Kaufmann (9 Feb 2018) |
| - schannel: fix "no previous prototype" compiler warning |
| |
| Jay Satiro (9 Feb 2018) |
| - [Mohammad AlSaleh brought this change] |
| |
| content_encoding: Add "none" alias to "identity" |
| |
| Some servers return a "content-encoding" header with a non-standard |
| "none" value. |
| |
| Add "none" as an alias to "identity" as a work-around, to avoid |
| unrecognised content encoding type errors. |
| |
| Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com> |
| |
| Closes https://github.com/curl/curl/pull/2298 |
| |
| Steve Holme (8 Feb 2018) |
| - build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output |
| |
| - build-openssl.bat: Fixed incorrect move if destination build folder exists |
| |
| Michael Kaufmann (8 Feb 2018) |
| - schannel: fix compiler warnings |
| |
| Closes #2296 |
| |
| Steve Holme (7 Feb 2018) |
| - curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows |
| |
| Windows 10.0.17061 SDK introduces support for Unix Domain Sockets. |
| Added the necessary include file to curl_addrinfo.c. |
| |
| Note: The SDK (which is considered beta) has to be installed, VS 2017 |
| project file has to be re-targeted for Windows 10.0.17061 and #define |
| enabled in config-win32.h. |
| |
| Patrick Monnerat (7 Feb 2018) |
| - fnmatch: optimize processing of consecutive *s and ?s pattern characters |
| |
| Reported-By: Daniel Stenberg |
| Fixes #2291 |
| Closes #2293 |
| |
| Steve Holme (6 Feb 2018) |
| - build-openssl.bat/build-wolfssl.bat: Build platform is optional |
| |
| Whilst the compiler parameter is mandatory, platform is optional as it |
| is automatically calculated by the :configure section. |
| |
| This partially reverts commit 6d62d2c55d. |
| |
| Daniel Stenberg (6 Feb 2018) |
| - [Patrick Schlangen brought this change] |
| |
| openssl: Don't add verify locations when verifypeer==0 |
| |
| When peer verification is disabled, calling |
| SSL_CTX_load_verify_locations is not necessary. Only call it when |
| verification is enabled to save resources and increase performance. |
| |
| Closes #2290 |
| |
| Steve Holme (5 Feb 2018) |
| - build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional |
| |
| ...and not just the Community Edition. |
| |
| - build-openssl.bat: Extend VC15 support to include Enterprise and Professional |
| |
| ...and not just the Community Edition. |
| |
| Michael Kaufmann (5 Feb 2018) |
| - time-cond: fix reading the file modification time on Windows |
| |
| On Windows, stat() may adjust the unix file time by a daylight saving time |
| offset. Avoid this by calling GetFileTime() instead. |
| |
| Fixes #2164 |
| Closes #2204 |
| |
| Daniel Stenberg (5 Feb 2018) |
| - formdata: use the mime-content type function |
| |
| Reduce code duplication by making Curl_mime_contenttype available and |
| used by the formdata function. This also makes the formdata function |
| recognize a set of more file extensions by default. |
| |
| PR #2280 brought this to my attention. |
| |
| Closes #2282 |
| |
| - getdate: return -1 for out of range |
| |
| ...as that's how the function is documented to work. |
| |
| Reported-by: Michael Kaufmann |
| Bug found in an autobuild with 32 bit time_t |
| |
| Closes #2278 |
| |
| - [Ben Greear brought this change] |
| |
| build: fix termios issue on android cross-compile |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html |
| Signed-off-by: Ben Greear <greearb@candelatech.com> |
| |
| - time_t-fixes: remove typecasts to 'long' for info.filetime |
| |
| They're now wrong. |
| |
| Reported-by: Michael Kaufmann |
| |
| Closes #2277 |
| |
| - curl_setup: move the precautionary define of SIZEOF_TIME_T |
| |
| ... up to before it may be used for the TIME_T_MAX/MIN logic. |
| |
| Reported-by: Michael Kaufmann |
| |
| - parsedate: s/#if/#ifdef |
| |
| Reported-by: Michael Kaufmann |
| Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479 |
| |
| Patrick Monnerat (31 Jan 2018) |
| - fnmatch: pattern syntax can no longer fail |
| |
| Whenever an expected pattern syntax rule cannot be matched, the |
| character starting the rule loses its special meaning and the parsing |
| is resumed: |
| - backslash at the end of pattern string matches itself. |
| - Error in [:keyword:] results in set containing :\[dekorwy. |
| |
| Unit test 1307 updated for this new situation. |
| |
| Closes #2273 |
| |
| - fnmatch: accept an alphanum to be followed by a non-alphanum in char set |
| |
| Also be more tolerant about set pattern syntax. |
| Update unit test 1307 accordingly. |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html |
| |
| - fnmatch: do not match the empty string with a character set |
| |
| Jay Satiro (30 Jan 2018) |
| - build: fix windows build methods for curl_ctype.c |
| |
| - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as |
| curlx files since they are required by both src and lib. |
| |
| Follow-up to 4272a0b which added curl_ctype. |
| |
| Daniel Stenberg (30 Jan 2018) |
| - progress-bar.d: update to match implementation |
| |
| ... since commit 993dd5651a6 |
| |
| Reported-by: Martin Dreher |
| Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228 |
| |
| Closes #2271 |
| |
| - http2: set DEBUG_HTTP2 to enable more HTTP/2 logging |
| |
| ... instead of doing it unconditionally in debug builds. It cluttered up |
| the output a little too much. |
| |
| - [Max Dymond brought this change] |
| |
| file: Check the return code from Curl_range and bail out on error |
| |
| - [Max Dymond brought this change] |
| |
| Curl_range: add check to ensure "from <= to" |
| |
| - [Max Dymond brought this change] |
| |
| Curl_range: commonize FTP and FILE range handling |
| |
| Closes #2205 |
| |
| - RELEASE-NOTES: synced with 811beab9f |
| |
| - curlver: next release will be 7.59.0 |
| |
| - [Michał Janiszewski brought this change] |
| |
| curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6 |
| |
| Closes #2275 |
| |
| - time: support > year 2038 time stamps for system with 32bit long |
| |
| ... with the introduction of CURLOPT_TIMEVALUE_LARGE and |
| CURLINFO_FILETIME_T. |
| |
| Fixes #2238 |
| Closes #2264 |
| |
| - curl_easy_reset: clear digest auth state |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html |
| Reported-by: Ruurd Beerstra |
| Fixes #2255 |
| Closes #2272 |
| |
| - [Adam Marcionek brought this change] |
| |
| winbuild: make linker generate proper PDB |
| |
| Link.exe requires /DEBUG to properly generate a full pdb file on release |
| builds. |
| |
| Closes #2274 |
| |
| - curl: add --proxy-pinnedpubkey |
| |
| To verify a proxy's public key. For when using HTTPS proxies. |
| |
| Fixes #2192 |
| Closes #2268 |
| |
| - configure: set PATH_SEPARATOR to colon for PATH w/o separator |
| |
| The logic tries to figure out what the path separator in the $PATH |
| variable is, but if there's only one directory in the $PATH it |
| fails. This change make configure *guess* on colon instead of erroring |
| out, simply because that is probably the more common character. |
| |
| PATH_SEPARATOR can always be set by the user to override the guessing. |
| |
| (tricky bug to reproduce, as in my case for example the configure script |
| requires binaries in more than one directory so passing in a PATH with a |
| single dir fails.) |
| |
| Reported-by: Earnestly on github |
| Fixes #2202 |
| Closes #2265 |
| |
| - curl_ctype: private is*() type macros and functions |
| |
| ... since the libc provided one are locale dependent in a way we don't |
| want. Also, the "native" isalnum() (for example) works differently on |
| different platforms which caused test 1307 failures on macos only. |
| |
| Closes #2269 |
| |
| Marcel Raad (29 Jan 2018) |
| - build: open VC15 projects with VS 2017 |
| |
| Previously, they were opened with Visual Studio 2015 by default, which |
| cannot build them. |
| |
| Daniel Stenberg (29 Jan 2018) |
| - RELEASE-NOTES: synced with 094647fca |
| |
| - TODO: UTF-8 filenames in Content-Disposition |
| |
| Closes #1888 |
| |
| - KNOWN_BUGS: DICT responses show the underlying protocol |
| |
| Closes #1809 |
| |
| Jay Satiro (27 Jan 2018) |
| - [Alessandro Ghedini brought this change] |
| |
| docs: fix typos in man pages |
| |
| Closes https://github.com/curl/curl/pull/2266 |
| |
| Patrick Monnerat (26 Jan 2018) |
| - lib555: drop text conversion and encode data as ascii codes |
| |
| If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs, |
| giving a result that is different from what is expected. |
| This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data |
| to upload in ascii. |
| |
| Bug: https://github.com/curl/curl/pull/1872 |
| |
| Daniel Stenberg (26 Jan 2018) |
| - lib517: make variable static to avoid compiler warning |
| |
| ... with clang on macos |
| |
| Patrick Monnerat (26 Jan 2018) |
| - lib544: sync ascii code data with textual data |
| |
| Data mismatch caused test 545 to fail when character encoding |
| conversion is enabled. |
| |
| Bug: https://github.com/curl/curl/pull/1872 |
| |
| Daniel Stenberg (25 Jan 2018) |
| - [Travis Burtrum brought this change] |
| |
| GSKit: restore pinnedpubkey functionality |
| |
| inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37 |
| |
| Closes #2263 |
| |
| - [Dair Grant brought this change] |
| |
| darwinssl: Don't import client certificates into Keychain on macOS |
| |
| Closes #2085 |
| |
| - configure: fix the check for unsigned time_t |
| |
| Assign the time_t variable negative value and then check if it is |
| greater than zero, which will evaluate true for unsigned time_t but |
| false for signed time_t. |
| |
| - parsedate: fix date parsing for systems with 32 bit long |
| |
| Make curl_getdate() handle dates before 1970 as well (returning negative |
| values). |
| |
| Make test 517 test dates for 64 bit time_t. |
| |
| This fixes bug (3) mentioned in #2238 |
| |
| Closes #2250 |
| |
| - [McDonough, Tim brought this change] |
| |
| openssl: fix pinned public key build error in FIPS mode |
| |
| Here is a version that should work with all versions of openssl 0.9.7 |
| through 1.1.0. |
| |
| Links to the docs: |
| https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html |
| https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html |
| |
| At the very bottom of the 1.1.0 documentation there is a history section |
| that states, " stack allocated EVP_MD_CTXs are no longer supported." |
| |
| If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a |
| simple mapping can be used as described here: |
| https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes |
| |
| Closes #2258 |
| |
| - [Travis Burtrum brought this change] |
| |
| SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum |
| |
| - [Travis Burtrum brought this change] |
| |
| SChannel/WinSSL: Implement public key pinning |
| |
| Closes #1429 |
| |
| - bump: towards 7.58.1 |
| |
| - cookies: remove verbose "cookie size:" output |
| |
| It was once used for some debugging/verifying logic but should never have |
| ended up in git! |
| |
| - TODO: hardcode the "localhost" addresses |
| |
| - TODO: CURL_REFUSE_CLEARTEXT |
| |
| An idea that popped up in discussions on twitter. |
| |
| - progress-bar: don't use stderr explicitly, use bar->out |
| |
| Reported-By: Gisle Vanem |
| Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080 |
| |
| GitHub (24 Jan 2018) |
| - [Gisle Vanem brought this change] |
| |
| Fixes for MSDOS etc. |
| |
| djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not |
| But djgpp seems the only choice for MSDOS anyway. |
| |
| PellesC do have a 'F_OK' defined in it's <unistd.h>. |
| |
| Update year in Copyright. |
| |
| - [Gisle Vanem brought this change] |
| |
| Fix small typo. |
| |
| Version 7.58.0 (23 Jan 2018) |
| |
| Daniel Stenberg (23 Jan 2018) |
| - RELEASE: 7.58.0 |
| |
| - [Gisle Vanem brought this change] |
| |
| progress-bar: get screen width on windows |
| |
| - test1454: --connect-to with IPv6 address w/o IPv6 support! |
| |
| - CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support |
| |
| Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html |
| Reported-by: John Hascall |
| |
| Closes #2257 |
| |
| - docs: fix man page syntax to make test 1140 OK again |
| |
| - http: prevent custom Authorization headers in redirects |
| |
| ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how |
| curl already handles Authorization headers created internally. |
| |
| Note: this changes behavior slightly, for the sake of reducing mistakes. |
| |
| Added test 317 and 318 to verify. |
| |
| Reported-by: Craig de Stigter |
| Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html |
| |
| - curl: progress bar refresh, get width using ioctl() |
| |
| Get screen width from the environment variable COLUMNS first, if set. If |
| not, use ioctl(). If nether works, assume 79. |
| |
| Closes #2242 |
| |
| The "refresh" is for the -# output when no total transfer size is |
| known. It will now only use a single updated line even for this case: |
| |
| The "-=O=-" ship moves when data is transferred. The four flying |
| "hashes" move (on a sine wave) on each refresh, independent of data. |
| |
| - RELEASE-NOTES: synced with bb0ffcc36 |
| |
| - libcurl-env.3: first take |
| |
| - TODO: two possible name resolver improvements |
| |
| - [Kartik Mahajan brought this change] |
| |
| http2: don't close connection when single transfer is stopped |
| |
| Fixes #2237 |
| Closes #2249 |
| |
| - test558: fix for multissl builds |
| |
| vtls.c:multissl_init() might do a curl_free() call so strip that out to |
| make this work with more builds. We just want to verify that |
| memorytracking works so skipping one line is no harm. |
| |
| - examples/url2file.c: add missing curl_global_cleanup() call |
| |
| Reported-by: XhstormR on github |
| Fixes #2245 |
| |
| - [Michael Gmelin brought this change] |
| |
| SSH: Fix state machine for ssh-agent authentication |
| |
| In case an identity didn't match[0], the state machine would fail in |
| state SSH_AUTH_AGENT instead of progressing to the next identity in |
| ssh-agent. As a result, ssh-agent authentication only worked if the |
| identity required happened to be the first added to ssh-agent. |
| |
| This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which |
| stated that the "else" statement was required to prevent getting stuck |
| in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's |
| interface I couldn't see how this could happen or reproduce it and I |
| also couldn't find a more detailed description of the problem which |
| would explain a test case to reproduce the problem this was supposed to |
| fix. |
| |
| [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED |
| |
| Closes #2248 |
| |
| - openssl: fix potential memory leak in SSLKEYLOGFILE logic |
| |
| Coverity CID 1427646. |
| |
| - openssl: fix the libressl build again |
| |
| Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is |
| late OpenSSL version... |
| |
| Fixes #2246 |
| Closes #2247 |
| |
| Reported-by: jungle-boogie on github |
| |
| - unit1307: test many wildcards too |
| |
| - curl_fnmatch: only allow 5 '*' sections in a single pattern |
| |
| ... to avoid excessive recursive calls. The number 5 is totally |
| arbitrary and could be modified if someone has a good motivation. |
| |
| - ftp-wildcard: fix matching an empty string with "*[^a]" |
| |
| .... and avoid advancing the pointer to trigger an out of buffer read. |
| |
| Detected by OSS-fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251 |
| Assisted-by: Max Dymond |
| |
| - SMB: fix numeric constant suffix and variable types |
| |
| 1. don't use "ULL" suffix since unsupported in older MSVC |
| 2. use curl_off_t instead of custom long long ifdefs |
| 3. make get_posix_time() not do unaligned data access |
| |
| Fixes #2211 |
| Closes #2240 |
| Reported-by: Chester Liu |
| |
| - [rouzier brought this change] |
| |
| CURLOPT_TCP_NODELAY.3: fix typo |
| |
| Closes #2239 |
| |
| - smtp/pop3/imap_get_message: decrease the data length too... |
| |
| Follow-up commit to 615edc1f73 which was incomplete. |
| |
| Assisted-by: Max Dymond |
| Detected by OSS-fuzz |
| Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206 |
| |
| - openssl: enable SSLKEYLOGFILE support by default |
| |
| Fixes #2210 |
| Closes #2236 |
| |
| Patrick Monnerat (14 Jan 2018) |
| - mime: clone mime tree upon easy handle duplication. |
| |
| A mime tree attached to an easy handle using CURLOPT_MIMEPOST is |
| strongly bound to the handle: there is a pointer to the easy handle in |
| each item of the mime tree and following the parent pointer list |
| of mime items ends in a dummy part stored within the handle. |
| |
| Because of this binding, a mime tree cannot be shared between different |
| easy handles, thus it needs to be cloned upon easy handle duplication. |
| |
| There is no way for the caller to get the duplicated mime tree |
| handle: it is then set to be automatically destroyed upon freeing the |
| new easy handle. |
| |
| New test 654 checks proper mime structure duplication/release. |
| |
| Add a warning note in curl_mime_data_cb() documentation about sharing |
| user data between duplicated handles. |
| |
| Closes #2235 |
| |
| - docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata |
| |
| Daniel Stenberg (13 Jan 2018) |
| - test395: HTTP with overflow Content-Length value |
| |
| - test394: verify abort of rubbish in Content-Length: value |
| |
| - test393: verify --max-filesize with excessive Content-Length |
| |
| - HTTP: bail out on negative Content-Length: values |
| |
| ... and make the max filesize check trigger if the value is too big. |
| |
| Updates test 178. |
| |
| Reported-by: Brad Spencer |
| Fixes #2212 |
| Closes #2223 |
| |
| Marcel Raad (13 Jan 2018) |
| - [Dan Johnson brought this change] |
| |
| configure.ac: append extra linker flags instead of prepending them. |
| |
| Link order should list libraries after the libraries that use them, |
| so when we're guessing that we might also need to add -ldl in order |
| to use -lssl, we should add -ldl after -lssl. |
| |
| Closes https://github.com/curl/curl/pull/2234 |
| |
| Daniel Stenberg (13 Jan 2018) |
| - RELEASE-NOTES: synced with 6fa10c8fa |
| |
| Jay Satiro (13 Jan 2018) |
| - setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values |
| |
| Broken since f121575 (precedes 7.56.1). |
| |
| Bug: https://github.com/curl/curl/issues/2225 |
| Reported-by: cmfrolick@users.noreply.github.com |
| |
| Closes https://github.com/curl/curl/pull/2227 |
| |
| Patrick Monnerat (13 Jan 2018) |
| - setopt: reintroduce non-static Curl_vsetopt() for OS400 support |
| |
| This also upgrades ILE/RPG bindings with latest setopt options. |
| |
| Reported-By: jonrumsey on github |
| Fixes #2230 |
| Closes #2233 |
| |
| Jay Satiro (11 Jan 2018) |
| - [Zhouyihai Ding brought this change] |
| |
| http2: fix incorrect trailer buffer size |
| |
| Prior to this change the stored byte count of each trailer was |
| miscalculated and 1 less than required. It appears any trailer |
| after the first that was passed to Curl_client_write would be truncated |
| or corrupted as well as the size. Potentially the size of some |
| subsequent trailer could be erroneously extracted from the contents of |
| that trailer, and since that size is used by client write an |
| out-of-bounds read could occur and cause a crash or be otherwise |
| processed by client write. |
| |
| The bug appears to have been born in 0761a51 (precedes 7.49.0). |
| |
| Closes https://github.com/curl/curl/pull/2231 |
| |
| - [Basuke Suzuki brought this change] |
| |
| easy: fix connection ownership in curl_easy_pause |
| |
| Before calling Curl_client_chop_write(), change the owner of connection |
| to the current Curl_easy handle. This will fix the issue #2217. |
| |
| Fixes https://github.com/curl/curl/issues/2217 |
| Closes https://github.com/curl/curl/pull/2221 |
| |
| Daniel Stenberg (9 Jan 2018) |
| - [Dimitrios Apostolou brought this change] |
| |
| system.h: Additionally check __LONG_MAX__ for defining curl_off_t |
| |
| __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced |
| in GCC 3.3. |
| |
| Closes #2216 |
| |
| - COPYING: it's 2018! |
| |
| - progress: calculate transfer speed on milliseconds if possible |
| |
| to increase accuracy for quick transfers |
| |
| Fixes #2200 |
| Closes #2206 |
| |
| Jay Satiro (7 Jan 2018) |
| - scripts: allow all perl scripts to be run directly |
| |
| - Enable execute permission (chmod +x) |
| |
| - Change interpreter to /usr/bin/env perl |
| |
| Closes https://github.com/curl/curl/pull/2222 |
| |
| - mail-rcpt.d: fix short-text description |
| |
| - build: remove HAVE_LIMITS_H check |
| |
| .. because limits.h presence isn't optional, it's required by C89. |
| |
| Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2 |
| |
| Closes https://github.com/curl/curl/pull/2215 |
| |
| - openssl: fix memory leak of SSLKEYLOGFILE filename |
| |
| - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl |
| initialization. |
| |
| Caught by ASAN. |
| |
| - Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX" |
| |
| This reverts commit c97648b55080343bb371522bf4233e94a2a13a99. |
| |
| SIZEOF_LONG should not be checked in system.h since that macro is only |
| defined when building libcurl. |
| |
| Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080 |
| Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html |
| |
| Michael Kaufmann (30 Dec 2017) |
| - test1554: improve the error handling |
| |
| - test1554: add global initialization and cleanup |
| |
| Daniel Stenberg (29 Dec 2017) |
| - curl_version_info.3: call the argument 'age' |
| |
| Reported-by: Pete Lomax |
| Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html |
| |
| Patrick Monnerat (27 Dec 2017) |
| - [Mikalai Ananenka brought this change] |
| |
| brotli: data at the end of content can be lost |
| |
| Decoding loop implementation did not concern the case when all |
| received data is consumed by Brotli decoder and the size of decoded |
| data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE. |
| For content with unencoded length greater than CURL_MAX_WRITE_SIZE this |
| can result in the loss of data at the end of content. |
| |
| Closes #2194 |
| |
| Jay Satiro (26 Dec 2017) |
| - examples/cacertinmem: ignore cert-already-exists error |
| |
| - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback |
| since it's possible the cert may have already been loaded by libcurl. |
| |
| - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc. |
| Instead have it direct the reader to this cacertinmem.c example. |
| |
| - Fix the CA certificate to use the right CA for example.com, Digicert. |
| |
| Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html |
| Reported-by: Thomas van Hesteren |
| |
| Closes https://github.com/curl/curl/pull/2182 |
| |
| - [Gisle Vanem brought this change] |
| |
| tool_getparam: Support size modifiers for --max-filesize |
| |
| - Move the size modifier detection code from limit-rate to its own |
| function so that it can also be used with max-filesize. |
| |
| Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc. |
| |
| For example --max-filesize 1G |
| |
| Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html |
| |
| Closes https://github.com/curl/curl/pull/2179 |
| |
| Steve Holme (22 Dec 2017) |
| - build: Fixed incorrect script termination from commit ad1dc10e61 |
| |
| - Makefile.vc: Added our standard copyright header |
| |
| - winbuild: Added support for VC15 |
| |
| - build: Added Visual Studio 2017 project files |
| |
| - build-wolfssl.bat: Added support for VC15 |
| |
| - build-openssl.bat: Added support for VC15 |
| |
| Jay Satiro (22 Dec 2017) |
| - [Dimitrios Apostolou brought this change] |
| |
| curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX |
| |
| Closes https://github.com/curl/curl/pull/2186 |
| |
| - [Mattias Fornander brought this change] |
| |
| examples/rtsp: fix error handling macros |
| |
| Closes https://github.com/curl/curl/pull/2185 |
| |
| Patrick Monnerat (20 Dec 2017) |
| - curl_easy_reset: release mime-related data. |
| |
| Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level |
| functions dealing with UserDefined structure contents. |
| This avoids memory leakages on curl-generated part mime headers. |
| New test 2073 checks this using the cli tool --next option: it |
| triggers a valgrind error if bug is present. |
| |
| Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html |
| Reported-by: Martin Galvan |
| |
| - content_encoding: rework zlib_inflate |
| |
| - When zlib version is < 1.2.0.4, process gzip trailer before considering |
| extra data as an error. |
| - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data |
| and minimize corrupt data output. |
| - Do not try to restart deflate decompression in raw mode if output has |
| started or if the leading data is not available anymore. |
| - New test 232 checks inflating raw-deflated content. |
| |
| Closes #2068 |
| |
| - brotli: allow compiling with version 0.6.0. |
| |
| Some error codes were not yet defined in brotli 0.6.0: do not issue code |
| for them in this case. |
| |
| Daniel Stenberg (13 Dec 2017) |
| - CURLOPT_READFUNCTION.3: refer to argument with correct name |
| |
| Bug: #2175 |
| |
| [ci skip] |
| |
| - rand: add a clang-analyzer work-around |
| |
| scan-build would warn on a potential access of an uninitialized |
| buffer. I deem it a false positive and had to add this somewhat ugly |
| work-around to silence it. |
| |
| - krb5: fix a potential access of uninitialized memory |
| |
| A scan-build warning. |
| |
| - conncache: fix a return code [regression] |
| |
| This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed |
| out by scan-build! |
| |
| - curl: support >256 bytes warning messsages |
| |
| Bug: #2174 |
| |
| Michael Kaufmann (12 Dec 2017) |
| - libssh: fix a syntax error in configure.ac |
| |
| Follow-up to c92d2e1 |
| |
| Closes #2172 |
| |
| Daniel Stenberg (12 Dec 2017) |
| - examples/smtp-mail.c: use separate defines for options and mail |
| |
| ... to make it clearer that the options want address-only, while the |
| headers in an email can also have the real name. |
| |
| Assisted-by: Sean MacLennan |
| |
| - THANKS: added missing names |
| |
| ... as I reran the contrithanks script after the mailmap name fixups. |
| |
| - mailmap: added/clarified several names |
| |
| - setopt: less *or equal* than INT_MAX/1000 should be fine |
| |
| ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and |
| CURLOPT_SERVER_RESPONSE_TIMEOUT range checks. |
| |
| Reported-by: Dominik Hölzl |
| Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html |
| |
| Closes #2173 |
| |
| - [Dmitry Kostjuchenko brought this change] |
| |
| vtls: replaced getenv() with curl_getenv() |
| |
| Fixed undefined symbol of getenv() which does not exist when compiling |
| for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with |
| curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP |
| is defined. |
| |
| Closes #2171 |
| |
| - RELEASE-NOTES: synced with 3b9ea70ee |
| |
| - TODO: Expose tried IP addresses that failed |
| |
| Suggested-by: Rainer Canavan |
| |
| Closes #2126 |
| |
| - curl.1: mention http:// and https:// as valid proxy prefixes |
| |
| - curl.1: documented two missing valid exit codes |
| |
| - CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference |
| |
| - Revert "curl: don't set CURLOPT_INTERLEAVEDATA" |
| |
| This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955. |
| |
| It was actually added rather recently in 8e8afa82cbb629 due to a crash |
| that would otherwise happen in the RTSP code. As I don't think we've |
| fixed that behavior yet, we better keep this work-around until we have |
| fixed it better. |
| |
| Michael Kaufmann (10 Dec 2017) |
| - tests: mark data files as non-executable in git |
| |
| - tests: update .gitignore for libtests |
| |
| Daniel Stenberg (10 Dec 2017) |
| - multi_done: prune DNS cache |
| |
| Prune the DNS cache immediately after the dns entry is unlocked in |
| multi_done. Timed out entries will then get discarded in a more orderly |
| fashion. |
| |
| Test506 is updated |
| |
| Reported-by: Oleg Pudeyev |
| |
| Fixes #2169 |
| Closes #2170 |
| |
| - mailmap: fixup two old git Author "aliases" |
| |
| Jay Satiro (10 Dec 2017) |
| - openssl: Disable file buffering for Win32 SSLKEYLOGFILE |
| |
| Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just |
| like it does for other platforms. However, the Windows CRT does not |
| actually support line buffering (_IOLBF) and will use full buffering |
| (_IOFBF) instead. We can't use full buffering because multiple processes |
| may be writing to the file and that could lead to corruption, and since |
| full buffering is the only buffering available this commit disables |
| buffering for Windows SSLKEYLOGFILE entirely (_IONBF). |
| |
| Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901 |
| |
| Daniel Stenberg (10 Dec 2017) |
| - RESOLVE: output verbose text when trying to set a duplicate name |
| |
| ... to help users understand what is or isn't done! |
| |
| - CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE |
| |
| - [John DeHelian brought this change] |
| |
| sftp: allow quoted commands to use relative paths |
| |
| Closes #1900 |
| |
| Jay Satiro (8 Dec 2017) |
| - [Richard Alcock brought this change] |
| |
| CURLOPT_PRIVATE.3: fix grammar |
| |
| - Change "never does nothing" double-negative to "never does anything". |
| |
| Closes https://github.com/curl/curl/pull/2168 |
| |
| Daniel Stenberg (8 Dec 2017) |
| - curl: remove __EMX__ #ifdefs |
| |
| These are OS/2-specific things added to the code in the year 2000. They |
| were always ugly. If there's any user left, they still don't need it |
| done this way. |
| |
| Closes #2166 |
| |
| Jay Satiro (8 Dec 2017) |
| - openssl: improve data-pending check for https proxy |
| |
| - Allow proxy_ssl to be checked for pending data even when connssl does |
| not yet have an SSL handle. |
| |
| This change is for posterity. Currently there doesn't seem to be a code |
| path that will cause a pending data check when proxyssl could have |
| pending data and the connssl handle doesn't yet exist [1]. |
| |
| [1]: Recall that an https proxy connection starts out in connssl but if |
| the destination is also https then the proxy SSL backend data is moved |
| from connssl to proxyssl, which means connssl handle is temporarily |
| empty until an SSL handle for the destination can be created. |
| |
| Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542 |
| |
| Closes https://github.com/curl/curl/pull/1916 |
| |
| Daniel Stenberg (8 Dec 2017) |
| - curl: don't set CURLOPT_INTERLEAVEDATA |
| |
| That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback |
| and that option isn't set or used by the curl tool! |
| |
| Updates the 9 tests that verify --libcurl |
| |
| Closes #2167 |
| |
| - curl.h: remove incorrect comment about ERRORBUFFER |
| |
| ... error messages are _not_ sent to stderr if this is not set. |
| |
| - [Michael Felt brought this change] |
| |
| configure: add AX_CODE_COVERAGE only if using gcc |
| |
| Fixes #2076 |
| Closes #2125 |
| |
| - curl: limit -# update frequency for unknown total size |
| |
| Make it use a max 10Hz update frequency for this case as well. Return |
| early if the "point" hasn't moved since last invoke. |
| |
| Reported-by: Elliot Saba |
| |
| Fixes #2158 |
| Closes #2163 |
| |
| - BINDINGS: another PostgreSQL client |
| |
| ...the former link is dead. |
| |
| Reported-by: Frank Gevaerts |
| |
| - [Zachary Seguin brought this change] |
| |
| CONNECT: keep close connection flag in http_connect_state struct |
| |
| Fixes #2088 |
| Closes #2157 |
| |
| - [Per Malmberg brought this change] |
| |
| include: get netinet/in.h before linux/tcp.h |
| |
| ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc |
| 4.8.5) |
| |
| Closes #2160 |
| |
| - openldap: fix checksrc nits |
| |
| - [Stepan Broz brought this change] |
| |
| openldap: add commented out debug possibilities |
| |
| ... to aid debugging openldap library using its built-in debug messages. |
| |
| Closes #2159 |
| |
| - examples: move threaded-shared-conn.c to the "complicated" ones |
| |
| ... due it relying on pthreads to link. |
| |
| - RELEASE-NOTES: synced with b261c44e8 |
| |
| ... and bump next release version to 7.58.0 |
| |
| - [Jan Ehrhardt brought this change] |
| |
| URL: tolerate backslash after drive letter for FILE: |
| |
| ... as in "file://c:\some\path\curl.out" |
| |
| Reviewed-by: Matthew Kerwin |
| Closes #2154 |
| |
| - [Randall S. Becker brought this change] |
| |
| tests: added netinet/in6.h includes in test servers |
| |
| - [Randall S. Becker brought this change] |
| |
| configure: check for netinet/in6.h |
| |
| Needed by HPE NonStop NSE and NSX systems |
| |
| Fixes #2146 |
| Closes #2155 |
| |
| - curl-config: add --ssl-backends |
| |
| Lists all SSL backends that were enabled at build-time. |
| |
| Suggested-by: Oleg Pudeyev |
| Fixes #2128 |
| |
| - conncache: only allow multiplexing within same multi handle |
| |
| Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing |
| only get additional transfers added to them if the existing connection |
| is held by the same multi or easy handle. libcurl does not support doing |
| HTTP/2 streams in different threads using a shared connection. |
| |
| Closes #2152 |
| |
| - threaded-shared-conn.c: fixed typo in commenta |
| |
| - threaded-shared-conn.c: new example |
| |
| - conncache: fix several lock issues |
| |
| If the lock is released before the dealings with the bundle is over, it may |
| have changed by another thread in the mean time. |
| |
| Fixes #2132 |
| Fixes #2151 |
| Closes #2139 |
| |
| - libssh: remove dead code in sftp_qoute |
| |
| ... by removing a superfluous NULL pointer check that also confuses |
| Coverity. |
| |
| Fixes #2143 |
| Closes #2153 |
| |
| - sasl_getmesssage: make sure we have a long enough string to pass |
| |
| For pop3/imap/smtp, added test 891 to somewhat verify the pop3 |
| case. |
| |
| For this, I enhanced the pingpong test server to be able to send back |
| responses with LF-only instead of always using CRLF. |
| |
| Closes #2150 |
| |
| - libssh2: remove dead code from SSH_SFTP_QUOTE |
| |
| Figured out while reviewing code in the libssh backend. The pointer was |
| checked for NULL after having been dereferenced, so we know it would |
| always equal true or it would've crashed. |
| |
| Pointed-out-by: Nikos Mavrogiannopoulos |
| |
| Bug #2143 |
| Closes #2148 |
| |
| - ssh-libssh.c: please checksrc |
| |
| Nikos Mavrogiannopoulos (4 Dec 2017) |
| - libssh: fixed dereference in statvfs access |
| |
| The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS |
| handling fails. |
| |
| Fixes #2142 |
| |
| Daniel Stenberg (4 Dec 2017) |
| - [Guitared brought this change] |
| |
| RESOURCES: update spec names |
| |
| Closes #2145 |
| |
| Nikos Mavrogiannopoulos (3 Dec 2017) |
| - libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS |
| |
| The previous code was incorrectly following the libssh2 error detection |
| for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs. |
| |
| Fixes #2142 |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| - libssh: no need to call sftp_get_error as ssh_get_error is sufficient |
| |
| Fixes #2141 |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| Daniel Stenberg (2 Dec 2017) |
| - libssh: fix minor static code analyzer nits |
| |
| - remove superfluous NULL check which otherwise tricks the static code |
| analyzers to assume NULL pointer dereferences. |
| |
| - fix fallthrough in switch() |
| |
| - indent mistake |
| |
| - openssl: pkcs12 is supported by boringssl |
| |
| Removes another #ifdef for BoringSSL |
| |
| Pointed-out-by: David Benjamin |
| |
| Closes #2134 |
| |
| - [Jay Satiro brought this change] |
| |
| travis: use pip2 instead of pip |
| |
| .. since now mac osx image expects pip2 or pip3, and doesn't know pip: |
| |
| 0.01s$ pip install --user cpp-coveralls |
| /Users/travis/.travis/job_stages: line 57: pip: command not found |
| |
| Ref: https://github.com/travis-ci/travis-ci/issues/8829 |
| |
| Closes https://github.com/curl/curl/pull/2133 |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| lib582: do not verify host for SFTP |
| |
| This SFTP test fails with libssh back-end due to failure to verify |
| the peer. Disable peer verification in the test as there seems to |
| be the intention of the test. |
| |
| Note that the libssh back-end automatically verifies the peer's |
| host using the default known_hosts file. |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| libssh: added SFTP support |
| |
| The SFTP back-end supports asynchronous reading only, limited |
| to 32-bit file length. Writing is synchronous with no other |
| limitations. |
| |
| This also brings keyboard-interactive authentication. |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| symbols-in-versions: added new symbols with 7.56.3 version |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| .travis.yml: added build --with-libssh |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| libssh2: return CURLE_UPLOAD_FAILED on failure to upload |
| |
| This brings its in sync with the error code returned by the |
| libssh backend. |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| libssh2: send the correct CURLE error code on scp file not found |
| |
| That also updates tests to expect the right error code |
| |
| libssh2 back-end returns CURLE_SSH error if the remote file |
| is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND |
| which is sent by the libssh backend. |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
| |
| - [Nikos Mavrogiannopoulos brought this change] |
| |
| Added support for libssh SSH SCP back-end |
| |
| libssh is an alternative library to libssh2. |
| https://www.libssh.org/ |
| |
| That patch set also introduces support for ECDSA |
| ed25519 keys, as well as gssapi authentication. |
| |
| Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> |
| |
| - RELEASE-NOTES: synced with af8cc7a69 |
| |
| - curlver: towards 7.57.1 |
| |
| - [W. Mark Kubacki brought this change] |
| |
| lib: don't export all symbols, just everything curl_* |
| |
| Absent any 'symbol map' or script to limit what gets exported, static |
| linking of libraries previously resulted in a libcurl with curl's and |
| those other symbols being (re-)exported. |
| |
| This did not happen if 'versioned symbols' were enabled (which is not |
| the default) because then a version script is employed. |
| |
| This limits exports to everything starting in 'curl_*'., which is |
| what "libcurl.vers" exports. |
| |
| This avoids strange side-effects such as with mixing methods |
| from system libraries and those erroneously offered by libcurl. |
| |
| Closes #2127 |
| |
| - [Johannes Schindelin brought this change] |
| |
| SSL: Avoid magic allocation of SSL backend specific data |
| |
| Originally, my idea was to allocate the two structures (or more |
| precisely, the connectdata structure and the four SSL backend-specific |
| strucutres required for ssl[0..1] and proxy_ssl[0..1]) in one go, so |
| that they all could be free()d together. |
| |
| However, getting the alignment right is tricky. Too tricky. |
| |
| So let's just bite the bullet and allocate the SSL backend-specific |
| data separately. |
| |
| As a consequence, we now have to be very careful to release the memory |
| allocated for the SSL backend-specific data whenever we release any |
| connectdata. |
| |
| Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> |
| |
| Closes #2119 |
| |
| - examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL |
| |
| Reported-by: Dima Tisnek |
| |
| - travis: add boringssl build |
| |
| Uses a separate build without --enable-debug and no valgrind. |
| |
| The debug option causes far too many warnings in boringssl's headers |
| (C++ comments, trailing commas etc). Valgrind triggers some false |
| positive errors in thread-local data used by boringssl. |
| |
| Closes #2118 |
| |
| Version 7.57.0 (29 Nov 2017) |
| |
| Daniel Stenberg (29 Nov 2017) |
| - RELEASE-NOTES: curl 7.57.0 |
| |
| - THANKS: added contributors from 7.57.0 release |
| |
| - openssl: fix boringssl build again |
| |
| commit d3ab7c5a21e broke the boringssl build since it doesn't have |
| RSA_flags(), so we disable that code block for boringssl builds. |
| |
| Reported-by: W. Mark Kubacki |
| Fixes #2117 |
| |
| - curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided |
| |
| - libcurl-share.3: the connection cache is shareable now |
| |
| - global_init: ignore CURL_GLOBAL_SSL's absense |
| |
| This bit is no longer used. It is not clear what it meant for users to |
| "init the TLS" in a world with different TLS backends and since the |
| introduction of multissl, libcurl didn't properly work if inited without |
| this bit set. |
| |
| Not a single user responded to the call for users of it: |
| https://curl.haxx.se/mail/lib-2017-11/0072.html |
| |
| Reported-by: Evgeny Grin |
| Assisted-by: Jay Satiro |
| |
| Fixes #2089 |
| Fixes #2083 |
| Closes #2107 |
| |
| - ntlm: avoid integer overflow for malloc size |
| |
| Reported-by: Alex Nichols |
| Assisted-by: Kamil Dudka and Max Dymond |
| |
| CVE-2017-8816 |
| |
| Bug: https://curl.haxx.se/docs/adv_2017-11e7.html |
| |
| - wildcardmatch: fix heap buffer overflow in setcharset |
| |
| The code would previous read beyond the end of the pattern string if the |
| match pattern ends with an open bracket when the default pattern |
| matching function is used. |
| |
| Detected by OSS-Fuzz: |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 |
| |
| CVE-2017-8817 |
| |
| Bug: https://curl.haxx.se/docs/adv_2017-ae72.html |
| |
| - [Jay Satiro brought this change] |
| |
| url: fix alignment of ssl_backend_data struct |
| |
| - Align the array of ssl_backend_data on a max 32 byte boundary. |
| |
| 8 is likely to be ok but I went with 32 for posterity should one of |
| the ssl_backend_data structs change to contain a larger sized variable |
| in the future. |
| |
| Prior to this change (since dev 70f1db3, release 7.56) the connectdata |
| structure was undersized by 4 bytes in 32-bit builds with ssl enabled |
| because long long * was mistakenly used for alignment instead of |
| long long, with the intention being an 8 byte boundary. Also long long |
| may not be an available type. |
| |
| The undersized connectdata could lead to oob read/write past the end in |
| what was expected to be the last 4 bytes of the connection's secondary |
| socket https proxy ssl_backend_data struct (the secondary socket in a |
| connection is used by ftp, others?). |
| |
| Closes https://github.com/curl/curl/issues/2093 |
| |
| CVE-2017-8818 |
| |
| Bug: https://curl.haxx.se/docs/adv_2017-af0a.html |
| |
| - ssh: remove check for a NULL pointer (!) |
| |
| With this check present, scan-build warns that we might dereference this |
| point in other places where it isn't first checked for NULL. Thus, if it |
| *can* be NULL we have a problem on a few places. However, this pointer |
| should not be possible to be NULL here so I remove the check and thus |
| also three different scan-build warnings. |
| |
| Closes #2111 |
| |
| - [Matthew Kerwin brought this change] |
| |
| test: add test for bad UNC/SMB path in file: URL |
| |
| - [Matthew Kerwin brought this change] |
| |
| test: add tests to ensure basic file: URLs |
| |
| - [Matthew Kerwin brought this change] |
| |
| URL: update "file:" URL handling |
| |
| * LOTS of comment updates |
| * explicit error for SMB shares (e.g. "file:////share/path/file") |
| * more strict handling of authority (i.e. "//localhost/") |
| * now accepts dodgy old "C:|" drive letters |
| * more precise handling of drive letters in and out of Windows |
| (especially recognising both "file:c:/" and "file:/c:/") |
| |
| Closes #2110 |
| |
| - metalink: fix memory-leak and NULL pointer dereference |
| |
| Reported by scan-build |
| |
| Closes #2109 |
| |
| - [Alessandro Ghedini brought this change] |
| |
| connect: add support for new TCP Fast Open API on Linux |
| |
| The new API added in Linux 4.11 only requires setting a socket option |
| before connecting, without the whole sento() machinery. |
| |
| Notably, this makes it possible to use TFO with SSL connections on Linux |
| as well, without the need to mess around with OpenSSL (or whatever other |
| SSL library) internals. |
| |
| Closes #2056 |
| |
| - make: fix "make distclean" |
| |
| Fixes #2097 |
| Closes #2108 |
| |
| - RELEASE-NOTES: synced with 31f18d272 |
| |
| Jay Satiro (23 Nov 2017) |
| - connect: improve the bind error message |
| |
| eg consider a non-existent interface eth8, curl --interface eth8 |
| |
| Before: curl: (45) Could not resolve host: eth8 |
| After: curl: (45) Couldn't bind to 'eth8' |
| |
| Bug: https://github.com/curl/curl/issues/2104 |
| Reported-by: Alfonso Martone |
| |
| Daniel Stenberg (23 Nov 2017) |
| - examples/rtsp: clear RANGE again after use |
| |
| Fixes #2106 |
| Reported-by: youngchopin on github |
| |
| - [Michael Kaufmann brought this change] |
| |
| test1264: verify URL with space in host name being rejected |
| |
| - url: reject ASCII control characters and space in host names |
| |
| Host names like "127.0.0.1 moo" would otherwise be accepted by some |
| getaddrinfo() implementations. |
| |
| Updated test 1034 and 1035 accordingly. |
| |
| Fixes #2073 |
| Closes #2092 |
| |
| - Curl_open: fix OOM return error correctly |
| |
| Closes #2098 |
| |
| - http2: fix "Value stored to 'end' is never read" scan-build error |
| |
| - http2: fix "Value stored to 'hdbuf' is never read" scan-build error |
| |
| - openssl: fix "Value stored to 'rc' is never read" scan-build error |
| |
| - mime: fix "Value stored to 'sz' is never read" scan-build error |
| |
| - Curl_llist_remove: fix potential NULL pointer deref |
| |
| Fixes a scan-build warning. |
| |
| - ntlm: remove unnecessary NULL-check to please scan-build |
| |
| - BUGS: spellchecked |
| |
| Jay Satiro (18 Nov 2017) |
| - [fmmedeiros brought this change] |
| |
| examples/curlx: Fix code style |
| |
| - Add braces around multi-line if statement. |
| |
| Closes https://github.com/curl/curl/pull/2096 |
| |
| Daniel Stenberg (17 Nov 2017) |
| - resolve: allow IP address within [] brackets |
| |
| ... so that IPv6 addresses can be passed like they can for connect-to |
| and how they're used in URLs. |
| |
| Added test 1324 to verify |
| Reported-by: Alex Malinovich |
| |
| Fixes #2087 |
| Closes #2091 |
| |
| - [Pavol Markovic brought this change] |
| |
| macOS: Fix missing connectx function with Xcode version older than 9.0 |
| |
| The previous fix https://github.com/curl/curl/pull/1788 worked just for |
| Xcode 9. This commit extends the fix to older Xcode versions effectively |
| by not using connectx function. |
| |
| Fixes https://github.com/curl/curl/issues/1330 |
| Fixes https://github.com/curl/curl/issues/2080 |
| Closes https://github.com/curl/curl/pull/1336 |
| Closes #2082 |
| |
| - [Dirk Feytons brought this change] |
| |
| openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY |
| |
| Fixes #2079 |
| Closes #2081 |
| |
| - TODO: ignore private IP addresses in PASV response |
| |
| Closes #1455 |
| |
| - RELEASE-NOTES: synced with ae7369b6d |
| |
| Michael Kaufmann (14 Nov 2017) |
| - URL: return error on malformed URLs with junk after IPv6 bracket |
| |
| Follow-up to aadb7c7. Verified by new test 1263. |
| |
| Closes #2072 |
| |
| Daniel Stenberg (14 Nov 2017) |
| - INTERNALS: we may use libidn2 now, not libidn |
| |
| Patrick Monnerat (13 Nov 2017) |
| - zlib/brotli: only include header files in modules needing them |
| |
| There is a conflict on symbol 'free_func' between openssl/crypto.h and |
| zlib.h on AIX. This is an attempt to resolve it. |
| |
| Bug: https://curl.haxx.se/mail/lib-2017-11/0032.html |
| Reported-By: Michael Felt |
| |
| Daniel Stenberg (13 Nov 2017) |
| - SMB: fix uninitialized local variable |
| |
| Reported-by: Brian Carpenter |
| |
| - [Orgad Shaneh brought this change] |
| |
| connect.c: remove executable bit on file |
| |
| Closes #2071 |
| |
| - [hsiao yi brought this change] |
| |
| README.md: fixed layout |
| |
| Closes #2069 |
| |
| - setopt: split out curl_easy_setopt() to its own file |
| |
| ... to make url.c smaller. |
| |
| Closes #1944 |
| |
| Jay Satiro (10 Nov 2017) |
| - [John Starks brought this change] |
| |
| cmake: Add missing setmode check |
| |
| Ensure HAVE_SETMODE is set to 1 on OSes that have setmode. Without this, |
| curl will corrupt binary files when writing them to stdout on Windows. |
| |
| Closes https://github.com/curl/curl/pull/2067 |
| |
| Daniel Stenberg (10 Nov 2017) |
| - curl_share_setopt: va_end was not called if conncache errors |
| |
| CID 984459, detected by Coverity |
| |
| Sergei Nikulov (10 Nov 2017) |
| - [John Starks brought this change] |
| |
| cmake: Correctly include curl.rc in Windows builds (#2064) |
| |
| Update CMakeLists.txt to add curl.rc to the correct list. |
| |
| Daniel Stenberg (9 Nov 2017) |
| - RELEASE-NOTES: synced with 32828cc4f |
| |
| - [Luca Boccassi brought this change] |
| |
| --interface: add support for Linux VRF |
| |
| The --interface command (CURLOPT_INTERFACE option) already uses |
| SO_BINDTODEVICE on Linux, but it tries to parse it as an interface or IP |
| address first, which fails in case the user passes a VRF. |
| |
| Try to use the socket option immediately and parse it as a fallback |
| instead. Update the documentation to mention this feature, and that it |
| requires the binary to be ran by root or with CAP_NET_RAW capabilities |
| for this to work. |
| |
| Closes #2024 |
| |
| - curl_share_setopt.3: document CURL_LOCK_DATA_CONNECT |
| |
| Closes #2043 |
| |
| - examples: add shared-connection-cache |
| |
| - test1554: verify connection cache sharing |
| |
| - share: add support for sharing the connection cache |
| |
| - imap: deal with commands case insensitively |
| |
| As documented in RFC 3501 section 9: |
| https://tools.ietf.org/html/rfc3501#section-9 |
| |
| Closes #2061 |
| |
| - connect: store IPv6 connection status after valid connection |
| |
| ... previously it would store it already in the happy eyeballs stage |
| which could lead to the IPv6 bit being set for an IPv4 connection, |
| leading to curl not wanting to do EPSV=>PASV for FTP transfers. |
| |
| Closes #2053 |
| |
| - curl_multi_fdset.3: emphasize curl_multi_timeout |
| |
| ... even when there's no socket to wait for, the timeout can still be |
| very short. |
| |
| Jay Satiro (9 Nov 2017) |
| - content_encoding: fix inflate_stream for no bytes available |
| |
| - Don't call zlib's inflate() when avail_in stream bytes is 0. |
| |
| This is a follow up to the parent commit 19e66e5. Prior to that change |
| libcurl's inflate_stream could call zlib's inflate even when no bytes |
| were available, causing inflate to return Z_BUF_ERROR, and then |
| inflate_stream would treat that as a hard error and return |
| CURLE_BAD_CONTENT_ENCODING. |
| |
| According to the zlib FAQ, Z_BUF_ERROR is not fatal. |
| |
| This bug would happen randomly since packet sizes are arbitrary. A test |
| of 10,000 transfers had 55 fail (ie 0.55%). |
| |
| Ref: https://zlib.net/zlib_faq.html#faq05 |
| |
| Closes https://github.com/curl/curl/pull/2060 |
| |
| Patrick Monnerat (7 Nov 2017) |
| - content_encoding: do not write 0 length data |
| |
| Daniel Stenberg (6 Nov 2017) |
| - fnmatch: remove dead code |
| |
| There was a duplicate check for backslashes in the setcharset() |
| function. |
| |
| Coverity CID 1420611 |
| |
| - url: remove unncessary NULL-check |
| |
| Since 'conn' won't be NULL in there and we also access the pointer in |
| there without the check. |
| |
| Coverity CID 1420610 |
| |
| Viktor Szakats (6 Nov 2017) |
| - src/Makefile.m32: fix typo in brotli lib customization |
| |
| Ref cc1f4436099decb9d1a7034b2bb773a9f8379d31 |
| |
| - Makefile.m32: allow to customize brotli libs |
| |
| It adds the ability to link against static brotli libs. |
| |
| Also fix brotli include path. |
| |
| Patrick Monnerat (5 Nov 2017) |
| - travis: add a job with brotli enabled |
| |
| - [Viktor Szakats brought this change] |
| |
| Makefile.m32: add brotli support |
| |
| - HTTP: implement Brotli content encoding |
| |
| This uses the brotli external library (https://github.com/google/brotli). |
| Brotli becomes a feature: additional curl_version_info() bit and |
| structure fields are provided for it and CURLVERSION_NOW bumped. |
| |
| Tests 314 and 315 check Brotli content unencoding with correct and |
| erroneous data. |
| |
| Some tests are updated to accomodate with the now configuration dependent |
| parameters of the Accept-Encoding header. |
| |
| - HTTP: support multiple Content-Encodings |
| |
| This is implemented as an output streaming stack of unencoders, the last |
| calling the client write procedure. |
| |
| New test 230 checks this feature. |
| |
| Bug: https://github.com/curl/curl/pull/2002 |
| Reported-By: Daniel Bankhead |
| |
| Jay Satiro (4 Nov 2017) |
| - url: remove arg value check from CURLOPT_SSH_AUTH_TYPES |
| |
| Since CURLSSH_AUTH_ANY (aka CURLSSH_AUTH_DEFAULT) is ~0 an arg value |
| check on this option is incorrect; we have to accept any value. |
| |
| Prior to this change since f121575 (7.56.1+) CURLOPT_SSH_AUTH_TYPES |
| erroneously rejected CURLSSH_AUTH_ANY with CURLE_BAD_FUNCTION_ARGUMENT. |
| |
| Bug: https://github.com/curl/curl/commit/f121575#commitcomment-25347120 |
| |
| Daniel Stenberg (4 Nov 2017) |
| - ntlm: avoid malloc(0) for zero length passwords |
| |
| It triggers an assert() when built with memdebug since malloc(0) may |
| return NULL *or* a valid pointer. |
| |
| Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 |
| |
| Assisted-by: Max Dymond |
| Closes #2054 |
| |
| - RELEASE-NOTES: synced with ee8016b3d |
| |
| - curl: speed up handling of many URLs |
| |
| By properly keeping track of the last entry in the list of URLs/uploads |
| to handle, curl now avoids many meaningless traverses of the list which |
| speeds up many-URL handling *MASSIVELY* (several magnitudes on 100K |
| URLs). |
| |
| Added test 1291, to verify that it doesn't take ages - but we don't have |
| any detection of "too slow" command in the test suite. |
| |
| Reported-by: arainchik on github |
| Fixes #1959 |
| Closes #2052 |
| |
| - curl: pass through [] in URLs instead of calling globbing error |
| |
| Assisted-by: Per Lundberg |
| Fixes #2044 |
| Closes #2046 |
| Closes #2048 |
| |
| - CURLOPT_INFILESIZE: accept -1 |
| |
| Regression since f121575 |
| |
| Reported-by: Petr Voytsik |
| Fixes #2047 |
| |
| Jay Satiro (2 Nov 2017) |
| - url: fix CURLOPT_DNS_CACHE_TIMEOUT arg value check to allow -1 |
| |
| Prior to this change since f121575 (7.56.1+) CURLOPT_DNS_CACHE_TIMEOUT |
| erroneously rejected -1 with CURLE_BAD_FUNCTION_ARGUMENT. |
| |
| Dan Fandrich (1 Nov 2017) |
| - http2: Fixed OOM handling in upgrade request |
| |
| This caused the torture tests on test 1800 to fail. |
| |
| - tests: Fixed torture tests on tests 556 and 650 |
| |
| Test cleanup after OOM wasn't being consistently performed. |
| |
| Daniel Stenberg (1 Nov 2017) |
| - CURLOPT_MAXREDIRS: allow -1 as a value |
| |
| ... which is valid according to documentation. Regression since |
| f121575c0b5f. |
| |
| Verified now in test 501. |
| |
| Reported-by: cbartl on github |
| Fixes #2038 |
| Closes #2039 |
| |
| - include: remove conncache.h inclusion from where its not needed |
| |
| Jay Satiro (1 Nov 2017) |
| - url: fix CURLOPT_POSTFIELDSIZE arg value check to allow -1 |
| |
| .. also add same arg value check to CURLOPT_POSTFIELDSIZE_LARGE. |
| |
| Prior to this change since f121575 (7.56.1+) CURLOPT_POSTFIELDSIZE |
| erroneously rejected -1 value with CURLE_BAD_FUNCTION_ARGUMENT. |
| |
| Bug: https://curl.haxx.se/mail/lib-2017-11/0000.html |
| Reported-by: Andrew Lambert |
| |
| Daniel Stenberg (31 Oct 2017) |
| - cookie: avoid NULL dereference |
| |
| ... when expiring old cookies. |
| |
| Reported-by: Pavel Gushchin |
| Fixes #2032 |
| Closes #2035 |
| |
| Marcel Raad (30 Oct 2017) |
| - memdebug: use send/recv signature for curl_dosend/curl_dorecv |
| |
| This avoids build errors and warnings caused by implicit casts. |
| |
| Closes https://github.com/curl/curl/pull/2031 |
| |
| Daniel Stenberg (30 Oct 2017) |
| - [Juro Bystricky brought this change] |
| |
| mkhelp.pl: support reproducible build |
| |
| Do not generate line with the current date, such as: |
| |
| * Generation time: Tue Oct-24 18:01:41 2017 |
| |
| This will improve reproducibility. The generated string is only |
| part of a comment, so there should be no adverse consequences. |
| |
| Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> |
| |
| closes #2026 |
| |
| Dan Fandrich (30 Oct 2017) |
| - runtests.pl: Fixed typo in message |
| |
| Daniel Stenberg (30 Oct 2017) |
| - curlx: the timeval functions are no longer provided as curlx_* |
| |
| Pointed-out-by: Dmitri Tikhonov |
| Bug: #2034 |
| |
| - select: update comments |
| |
| s/curlx_tvnow/Curl_now |
| |
| - INTERNALS: remove curlx_tv* functions no longer provided |
| |
| - [Dmitri Tikhonov brought this change] |
| |
| timeval: use mach time on MacOS |
| |
| If clock_gettime() is not supported, use mach_absolute_time() on MacOS. |
| |
| closes #2033 |
| |
| Patrick Monnerat (29 Oct 2017) |
| - cli tool: improve ";type=" handling in -F option arguments |
| |
| - cli tool: in -F option arg, comma is a delimiter for files only |
| |
| Also upgrade test 1133 to cover this case and clarify man page about |
| form data quoting. |
| |
| Bug: https://github.com/curl/curl/issues/2022 |
| Reported-By: omau on github |
| |
| Daniel Stenberg (29 Oct 2017) |
| - timeleft: made two more users of Curl_timeleft use timediff_t |
| |
| Jakub Zakrzewski (28 Oct 2017) |
| - cmake: Export libcurl and curl targets to use by other cmake projects |
| |
| The config files define curl and libcurl targets as imported targets |
| CURL::curl and CURL::libcurl. For backward compatibility with CMake- |
| provided find-module the CURL_INCLUDE_DIRS and CURL_LIBRARIES are |
| also set. |
| |
| Closes #1879 |
| |
| Daniel Stenberg (28 Oct 2017) |
| - RELEASE-NOTES: synced with f20cbac97 |
| |
| - [Florin Petriuc brought this change] |
| |
| auth: Added test cases for RFC7616 |
| |
| Updated docs to include support for RFC7616 |
| |
| Signed-off-by: Florin <petriuc.florin@gmail.com> |
| |
| Closes #1934 |
| |
| - [Florin Petriuc brought this change] |
| |
| auth: add support for RFC7616 - HTTP Digest access authentication |
| |
| Signed-off-by: Florin <petriuc.florin@gmail.com> |
| |
| - [Daniel Bankhead brought this change] |
| |
| TODO: support multiple Content-Encodings |
| |
| Closes #2002 |
| |
| - ROADMAP: cleanup |
| |
| Removed done stuff. Removed entries no longer considered for the near |
| term. |
| |
| - [Magicansk brought this change] |
| |
| ROADMAP.md: spelling fixes |
| |
| Closes #2028 |
| |
| - Curl_timeleft: change return type to timediff_t |
| |
| returning 'time_t' is problematic when that type is unsigned and we |
| return values less than zero to signal "already expired", used in |
| several places in the code. |
| |
| Closes #2021 |
| |
| - appveyor: add a win32 build |
| |
| - setopt: fix CURLOPT_SSH_AUTH_TYPES option read |
| |
| Regression since f121575c0b5f |
| |
| Reported-by: Rob Cotrone |
| |
| Marcel Raad (27 Oct 2017) |
| - resolvers: only include anything if needed |
| |
| This avoids warnings about unused stuff. |
| |
| Closes https://github.com/curl/curl/pull/2023 |
| |
| Daniel Stenberg (27 Oct 2017) |
| - HELP-US: rename the subtitle too since the label is changed |
| |
| "PR-welcome" was the former name. |
| |
| - curl_setup.h: oops, shorten the too long line |
| |
| - [Martin Storsjo brought this change] |
| |
| curl_setup: Improve detection of CURL_WINDOWS_APP |
| |
| If WINAPI_FAMILY is defined, it should be safe to try to include |
| winapifamily.h to check what the define evaluates to. |
| |
| This should fix detection of CURL_WINDOWS_APP if building with |
| _WIN32_WINNT set to 0x0600. |
| |
| Closes #2025 |
| |
| Jay Satiro (26 Oct 2017) |
| - transfer: Fix chunked-encoding upload bug |
| |
| - When uploading via chunked-encoding don't compare file size to bytes |
| sent to determine whether the upload has finished. |
| |
| Chunked-encoding adds its own overhead which why the bytes sent is not |
| equal to the file size. Prior to this change if a file was uploaded in |
| chunked-encoding and its size was known it was possible that the upload |
| could end prematurely without sending the final few chunks. That would |
| result in a server hang waiting for the remaining data, likely followed |
| by a disconnect. |
| |
| The scope of this bug is limited to some arbitrary file sizes which have |
| not been determined. One size that triggers the bug is 475020. |
| |
| Bug: https://github.com/curl/curl/issues/2001 |
| Reported-by: moohoorama@users.noreply.github.com |
| |
| Closes https://github.com/curl/curl/pull/2010 |
| |
| Daniel Stenberg (26 Oct 2017) |
| - timeval: make timediff_t also work on 32bit windows |
| |
| ... by using curl_off_t for the typedef if time_t is larger than 4 |
| bytes. |
| |
| Reported-by: Gisle Vanem |
| Bug: https://github.com/curl/curl/commit/b9d25f9a6b3ca791385b80a6a3c3fa5ae113e1e0#co |
| mmitcomment-25205058 |
| Closes #2019 |
| |
| - curl_fnmatch: return error on illegal wildcard pattern |
| |
| ... instead of doing an infinite loop! |
| |
| Added test 1162 to verify. |
| |
| Reported-by: Max Dymond |
| Fixes #2015 |
| Closes #2017 |
| |
| - [Max Dymond brought this change] |
| |
| wildcards: don't use with non-supported protocols |
| |
| Fixes timeouts in the fuzzing tests for non-FTP protocols. |
| |
| Closes #2016 |
| |
| - [Max Dymond brought this change] |
| |
| multi: allow table handle sizes to be overridden |
| |
| Allow users to specify their own hash define for |
| CURL_CONNECTION_HASH_SIZE so that both values can be overridden. |
| |
| Closes #1982 |
| |
| - time: rename Curl_tvnow to Curl_now |
| |
| ... since the 'tv' stood for timeval and this function does not return a |
| timeval struct anymore. |
| |
| Also, cleaned up the Curl_timediff*() functions to avoid typecasts and |
| clean up the descriptive comments. |
| |
| Closes #2011 |
| |
| - ftplistparser: follow-up cleanup to remove PL_ERROR() |
| |
| - [Max Dymond brought this change] |
| |
| ftplistparser: free off temporary memory always |
| |
| When using the FTP list parser, ensure that the memory that's |
| allocated is always freed. |
| |
| Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3682 |
| Closes #2013 |
| |
| - timediff: return timediff_t from the time diff functions |
| |
| ... to cater for systems with unsigned time_t variables. |
| |
| - Renamed the functions to curlx_timediff and Curl_timediff_us. |
| |
| - Added overflow protection for both of them in either direction for |
| both 32 bit and 64 bit time_ts |
| |
| - Reprefixed the curlx_time functions to use Curl_* |
| |
| Reported-by: Peter Piekarski |
| Fixes #2004 |
| Closes #2005 |
| |
| - [Paul Howarth brought this change] |
| |
| libtest: Add required test libraries for lib1552 and lib1553 |
| |
| They use $(TESTUTIL) and thus should use $(TESTUTIL_LIBS) too. |
| |
| This fixes build failures on Fedora 13. |
| |
| Closes #2006 |
| |
| - [Alessandro Ghedini brought this change] |
| |
| libcurl-tutorial.3: fix typo |
| |
| closes #2008 |
| |
| Alessandro Ghedini (23 Oct 2017) |
| - curl_mime_filedata.3: fix typos |
| |
| Daniel Stenberg (23 Oct 2017) |
| - RELEASE-NOTES: clean slate towards 7.57.0 |
| |
| - [Max Dymond brought this change] |
| |
| travis: exit if any steps fail |
| |
| We don't expect any steps to fail in travis. Exit the script if they do. |
| |
| Closes #1966 |
| |
| Version 7.56.1 (23 Oct 2017) |
| |
| Daniel Stenberg (23 Oct 2017) |
| - RELEASE-NOTES: 7.56.1 |
| |
| - THANKS: update at 7.56.1 release time |
| |
| - [Jon DeVree brought this change] |
| |
| mk-ca-bundle: Remove URL for aurora |
| |
| Aurora is no longer used by Mozilla |
| https://hacks.mozilla.org/2017/04/simplifying-firefox-release-channels/ |
| |
| - [Jon DeVree brought this change] |
| |
| mk-ca-bundle: Fix URL for NSS |
| |
| The 'tip' is the most recent branch committed to, this should be |
| 'default' like the URLs for the browser are. |
| |
| Closes #1998 |
| |
| - imap: if a FETCH response has no size, don't call write callback |
| |
| CVE-2017-1000257 |
| |
| Reported-by: Brian Carpenter and 0xd34db347 |
| Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586 |
| |
| - ftp: reject illegal IP/port in PASV 227 response |
| |
| ... by using range checks. Among other things, this avoids an undefined |
| behavior for a left shift that could happen on negative or very large |
| values. |
| |
| Closes #1997 |
| |
| Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694 |
| |
| Patrick Monnerat (20 Oct 2017) |
| - test653: check reuse of easy handle after mime data change |
| |
| See issue #1999 |
| |
| - mime: do not reuse previously computed multipart size |
| |
| The contents might have changed: size must be recomputed. |
| |
| Reported-by: moteus on github |
| Fixes #1999 |
| |
| - test308: disable if MultiSSL feature enabled |
| |
| Even if OpenSSL is enabled, it might not be the default backend when |
| multi-ssl is enabled, causing the test to fail. |
| |
| - runtests: support MultiSSL client feature |
| |
| - vtls: change struct Curl_ssl `close' field name to `close_one'. |
| |
| On OS/400, `close' is an ASCII system macro that corrupts the code if |
| not used in a context not targetting the close() system API. |
| |
| - os400: add missing symbols in config file. |
| |
| Also adjust makefile to renamed files and warn about installation dirs mix-up. |
| |
| - test652: curl_mime_data + base64 encoder with large contents |
| |
| - mime: limit bas64-encoded lines length to 76 characters |
| |
| Daniel Stenberg (16 Oct 2017) |
| - RELEASE-NOTES: synced with f121575c0 |
| |
| - setopt: range check most long options |
| |
| ... filter early instead of risking "funny values" having to be dealt |
| with elsewhere. |
| |
| - setopt: avoid integer overflows when setting millsecond values |
| |
| ... that are multiplied by 1000 when stored. |
| |
| For 32 bit long systems, the max value accepted (2147483 seconds) is > |
| 596 hours which is unlikely to ever be set by a legitimate application - |
| and previously it didn't work either, it just caused undefined behavior. |
| |
| Also updated the man pages for these timeout options to mention the |
| return code. |
| |
| Closes #1938 |
| |
| Viktor Szakats (15 Oct 2017) |
| - makefile.m32: allow to override gcc, ar and ranlib |
| |
| Allow to ovverride certain build tools, making it possible to |
| use LLVM/Clang to build curl. The default behavior is unchanged. |
| To build with clang (as offered by MSYS2), these settings can |
| be used: |
| |
| CURL_CC=clang |
| CURL_AR=llvm-ar |
| CURL_RANLIB=llvm-ranlib |
| |
| Closes https://github.com/curl/curl/pull/1993 |
| |
| - ldap: silence clang warning |
| |
| Use memset() to initialize a structure to avoid LLVM/Clang warning: |
| ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers] |
| |
| Closes https://github.com/curl/curl/pull/1992 |
| |
| Daniel Stenberg (14 Oct 2017) |
| - runtests: use valgrind for torture as well |
| |
| NOTE: it makes them terribly slow. I recommend only using valgrind for |
| specific torture tests or using lots of patience. |
| |
| - memdebug: trace send, recv and socket |
| |
| ... to allow them to be included in torture tests too. |
| |
| closes #1980 |
| |
| - configure: remove the C++ compiler check |
| |
| ... we used it only for the fuzzer, which we now have in a separate git |
| repo. |
| |
| Closes #1990 |
| |
| Patrick Monnerat (13 Oct 2017) |
| - mime: do not call failf() if easy handle is NULL. |
| |
| Daniel Stenberg (13 Oct 2017) |
| - test651: curl_formadd with huge COPYCONTENTS |
| |
| - mime: fix the content reader to handle >16K data properly |
| |
| Reported-by: Jeroen Ooms |
| Closes #1988 |
| |
| Patrick Monnerat (12 Oct 2017) |
| - mime: keep "text/plain" content type if user-specified. |
| |
| Include test cases in 554, 587, 650. |
| |
| Fixes https://github.com/curl/curl/issues/1986 |
| |
| - cli tool: use file2memory() to buffer stdin in -F option. |
| |
| Closes PR https://github.com/curl/curl/pull/1985 |
| |
| - cli tool: reimplement stdin buffering in -F option. |
| |
| If stdin is not a regular file, its content is memory-buffered to enable |
| a possible data "rewind". |
| In all cases, stdin data size is determined before real use to avoid |
| having an unknown part's size. |
| |
| --libcurl generated code is left as an unbuffered stdin fread/fseek callback |
| part with unknown data size. |
| |
| Buffering is not supported in deprecated curl_formadd() API. |
| |
| Daniel Stenberg (12 Oct 2017) |
| - winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2 |
| |
| - HELP-US: the label "PR-welcome" is now renamed to "help wanted" |
| |
| following the new github "standard" |
| |
| - RELEASE-NOTES: synced with 5505df7d2 |
| |
| Jay Satiro (11 Oct 2017) |
| - [Artak Galoyan brought this change] |
| |
| url: Update current connection SSL verify params in setopt |
| |
| Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active |
| connection updates the current connection's (i.e.'connectdata' |
| structure) appropriate ssl_config (and ssl_proxy_config) structures |
| variables, making these options effective for ongoing connection. |
| |
| This functionality was available before and was broken by the |
| following change: |
| "proxy: Support HTTPS proxy and SOCKS+HTTP(s)" |
| CommitId: cb4e2be7c6d42ca0780f8e0a747cecf9ba45f151. |
| |
| Bug: https://github.com/curl/curl/issues/1941 |
| |
| Closes https://github.com/curl/curl/pull/1951 |
| |
| Daniel Stenberg (11 Oct 2017) |
| - [David Benjamin brought this change] |
| |
| openssl: don't use old BORINGSSL_YYYYMM macros |
| |
| Those were temporary things we'd add and remove for our own convenience |
| long ago. The last few stayed around for too long as an oversight but |
| have since been removed. These days we have a running |
| BORINGSSL_API_VERSION counter which is bumped when we find it |
| convenient, but 2015-11-19 was quite some time ago, so just check |
| OPENSSL_IS_BORINGSSL. |
| |
| Closes #1979 |
| |
| - test950; verify SMTP with custom request |
| |
| - ftpserver: support case insensitive commands |
| |
| - smtp_done: free data before returning (on send failure) |
| |
| ... as otherwise it could leak that memory. |
| |
| Detected by OSS-fuzz: |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600 |
| |
| Assisted-by: Max Dymond |
| Closes #1977 |
| |
| - FTP: URL decode path for dir listing in nocwd mode |
| |
| Reported-by: Zenju on github |
| |
| Test 244 added to verify |
| Fixes #1974 |
| Closes #1976 |
| |
| - test298: verify --ftp-method nowcwd with URL encoded path |
| |
| Ref: #1974 |
| |
| - CURLOPT_XFERINFODATA.3: fix duplicate see also |
| |
| - CURLOPT_NOPROGRESS.3: also refer to xferinfofunction |
| |
| - FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION |
| |
| - openssl: enable PKCS12 support for !BoringSSL |
| |
| Enable PKCS12 for all non-boringssl builds without relying on configure |
| or cmake checks. |
| |
| Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html |
| Reported-by: Christian Schmitz |
| Closes #1948 |
| |
| - [Kristiyan Tsaklev brought this change] |
| |
| curl: don't pass semicolons when parsing Content-Disposition |
| |
| Test 1422 updated to verify. |
| |
| Closes #1964 |
| |
| Patrick Monnerat (9 Oct 2017) |
| - mime: properly unbind mime structure in curl_mime_free(). |
| |
| This allows freeing a mime structure bound to the easy handle before |
| curl_easy_cleanup(). |
| |
| Fixes #1970. |
| |
| Daniel Stenberg (9 Oct 2017) |
| - RTSP: avoid integer overflow on funny RTSP response |
| |
| ... like a very large non-existing RTSP version number. |
| |
| Added test 577 to verify. |
| |
| Detected by OSS-fuzz. |
| Closes #1969 |
| |
| Patrick Monnerat (8 Oct 2017) |
| - ftpserver: properly reset $ftptargetdir. |
| |
| - test643: verify curl_mime_subparts() rejects cyclic additions. |
| |
| - mime: refuse to add subparts to one of their own descendants. |
| |
| Reported-by: Alexey Melnichuk |
| Fixes #1962 |
| |
| - mime: avoid resetting a part's encoder when part's contents change. |
| |
| - mime: improve unbinding top multipart from easy handle. |
| |
| Also avoid dangling pointers in referencing parts. |
| |
| Daniel Stenberg (8 Oct 2017) |
| - RELEASE-NOTES: synced with a4c1c75da30af1 |
| |
| - curlver.h: next expected release is 7.57.0 |
| |
| Patrick Monnerat (8 Oct 2017) |
| - mime: be tolerant about setting twice the same header list in a part. |
| |
| - docs: clarify form/mime usage of non-regular data files. |
| |
| Daniel Stenberg (8 Oct 2017) |
| - Revert "multi_done: wait for name resolve to finish if still ongoing" |
| |
| This reverts commit f3e03f6c0ac52a1bf396e03f7d7e9b5b3b7165fe. |
| |
| Caused memory leaks in the fuzzer, needs to be done differently. |
| |
| Disable test 1553 for now too, as it causes memory leaks without this |
| commit! |
| |
| - remove_handle: call multi_done() first, then clear dns cache pointer |
| |
| Closes #1960 |
| |
| - multi_done: wait for name resolve to finish if still ongoing |
| |
| ... as we must clean up memory. |
| |
| - pingpong: return error when trying to send without connection |
| |
| When imap_done() got called before a connection is setup, it would try |
| to "finish up" and dereffed a NULL pointer. |
| |
| Test case 1553 managed to reproduce. I had to actually use a host name |
| to try to resolve to slow it down, as using the normal local server IP |
| will make libcurl get a connection in the first curl_multi_perform() |
| loop and then the bug doesn't trigger. |
| |
| Fixes #1953 |
| Assisted-by: Max Dymond |
| |
| Dan Fandrich (6 Oct 2017) |
| - tests: added flaky keyword to tests 587 and 644 |
| |
| These are around 5% flaky in my Linux x86 autobuilds. |
| |
| Marcel Raad (6 Oct 2017) |
| - vtls: fix warnings with --disable-crypto-auth |
| |
| When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters |
| are not used. |
| |
| Daniel Stenberg (6 Oct 2017) |
| - multi_cleanup: call DONE on handles that never got that |
| |
| ... fixes a memory leak with at least IMAP when remove_handle is never |
| called and the transfer is abruptly just abandoned early. |
| |
| Test 1552 added to verify |
| |
| Detected by OSS-fuzz |
| Assisted-by: Max Dymond |
| Closes #1954 |
| |
| - [Benbuck Nason brought this change] |
| |
| strtoofft: Remove extraneous null check |
| |
| Fixes #1950: curlx_strtoofft() doesn't fully protect against null 'str' |
| argument. |
| |
| Closes #1952 |
| |
| - openssl: fix build without HAVE_OPAQUE_EVP_PKEY |
| |
| Reported-by: Javier Sixto |
| Fixes #1955 |
| Closes #1956 |
| |
| Viktor Szakats (6 Oct 2017) |
| - lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS |
| |
| The source code is now prepared to handle the case when both |
| Win32 Crypto and OpenSSL/NSS crypto backends are enabled |
| at the same time, making it now possible to enable `USE_WIN32_CRYPTO` |
| whenever the targeted Windows version supports it. Since this |
| matches the minimum Windows version supported by curl |
| (Windows 2000), enable it unconditionally for the Win32 platform. |
| |
| This in turn enables SMB (and SMBS) protocol support whenever |
| Win32 Crypto is available, regardless of what other crypto backends |
| are enabled. |
| |
| Ref: https://github.com/curl/curl/pull/1840#issuecomment-325682052 |
| |
| Closes https://github.com/curl/curl/pull/1943 |
| |
| Daniel Stenberg (5 Oct 2017) |
| - build: fix --disable-crypto-auth |
| |
| Reported-by: Wyatt O'Day |
| Fixes #1945 |
| Closes #1947 |
| |
| Jay Satiro (5 Oct 2017) |
| - [Nick Zitzmann brought this change] |
| |
| darwinssl: add support for TLSv1.3 |
| |
| Closes https://github.com/curl/curl/pull/1794 |
| |
| Daniel Stenberg (4 Oct 2017) |
| - [Felix Kaiser brought this change] |
| |
| docs: fix typo in curl_mime_data_cb man page |
| |
| Closes #1946 |
| |
| Viktor Szakats (4 Oct 2017) |
| - lib/Makefile.m32: allow customizing dll suffixes |
| |
| - New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated |
| libcurl dll name. Useful to add `-x64` to 64-bit builds so that |
| it can live in the same directory as the 32-bit one. By default |
| this is empty. |
| |
| - New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the |
| generated import library (implib) for libcurl .dll. It defaults |
| to `dll`, and it's useful to modify that to `.dll` to have the |
| standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`. |
| |
| Closes https://github.com/curl/curl/pull/1942 |
| |
| Daniel Stenberg (4 Oct 2017) |
| - [Max Dymond brought this change] |
| |
| fuzzer: move to using external curl-fuzzer |
| |
| Use the external curl-fuzzer repository for fuzzing. |
| |
| Closes #1923 |
| |
| - failf: skip the sprintf() if there are no consumers |
| |
| Closes #1936 |
| |
| - ftp: UBsan fixup 'pointer index expression overflowed' |
| |
| Closes #1939 |
| |
| - RELEASE-PROCEDURE: update the release schedule |
| |
| Version 7.56.0 (4 Oct 2017) |
| |
| Daniel Stenberg (4 Oct 2017) |
| - RELEASE-NOTES: curl 7.56.0 |
| |
| - THANKS: added new 7.56.0 contributors |
| |
| Jay Satiro (4 Oct 2017) |
| - build-openssl.bat: Warn OpenSSL 1.1.0 not yet supported |
| |
| Ref: https://github.com/curl/curl/issues/1002 |
| |
| Michael Kaufmann (3 Oct 2017) |
| - idn: fix source code comment |
| |
| - vtls: compare and clone ssl configs properly |
| |
| Compare these settings in Curl_ssl_config_matches(): |
| - verifystatus (CURLOPT_SSL_VERIFYSTATUS) |
| - random_file (CURLOPT_RANDOM_FILE) |
| - egdsocket (CURLOPT_EGDSOCKET) |
| |
| Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), |
| and copy the setting "sessionid" unconditionally. |
| |
| This means that reusing connections that are secured with a client |
| certificate is now possible, and the statement "TLS session resumption |
| is disabled when a client certificate is used" in the old advisory at |
| https://curl.haxx.se/docs/adv_20170419.html is obsolete. |
| |
| Reviewed-by: Daniel Stenberg |
| |
| Closes #1917 |
| |
| - proxy: read the "no_proxy" variable only if necessary |
| |
| Reviewed-by: Daniel Stenberg |
| |
| Closes #1919 |
| |
| Patrick Monnerat (3 Oct 2017) |
| - libcurl-tutorial: add casts in example to avoid compilation warnings. |
| |
| Daniel Stenberg (3 Oct 2017) |
| - examples: bring back curl_formadd-using examples |
| |
| ... now with a -formadd suffix. While the new mime API is introduced in |
| 7.56.0 we must acknowledge that lots of users can't upgrade their curl |
| versions immediately. |
| |
| - test1153: verify quoted double-qoutes in PWD response |
| |
| - FTP: zero terminate the entry path even on bad input |
| |
| ... a single double quote could leave the entry path buffer without a zero |
| terminating byte. CVE-2017-1000254 |
| |
| Test 1152 added to verify. |
| |
| Reported-by: Max Dymond |
| Bug: https://curl.haxx.se/docs/adv_20171004.html |
| |
| Jay Satiro (2 Oct 2017) |
| - [Sergei Nikulov brought this change] |
| |
| cmake: disable tests and man generation if perl/nroff not found |
| |
| Fixes https://github.com/curl/curl/issues/1500 |
| Reported-by: Jay Satiro |
| |
| Fixes https://github.com/curl/curl/pull/1662 |
| Assisted-by: Tom Seddon |
| Assisted-by: dpull@users.noreply.github.com |
| Assisted-by: elelel@users.noreply.github.com |
| |
| Closes https://github.com/curl/curl/pull/1924 |
| |
| Patrick Monnerat (2 Oct 2017) |
| - libcurl-tutorial: fix two typos. |
| |
| - TODO: remove deprecated form API items. |
| |
| - libcurl-tutorial: describe MIME API and deprecate form API. |
| |
| Include a guide to form/mime API conversion. |
| |
| Daniel Stenberg (30 Sep 2017) |
| - cookie: fix memory leak if path was set twice in header |
| |
| ... this will let the second occurance override the first. |
| |
| Added test 1161 to verify. |
| |
| Reported-by: Max Dymond |
| Fixes #1932 |
| Closes #1933 |
| |
| Dan Fandrich (30 Sep 2017) |
| - test650: Use variable replacement to set the host address and port |
| |
| Otherwise, the test fails when the -b test option is used to set a |
| different test port range. |
| |
| - Set and use more necessary options when some protocols are disabled |
| |
| When curl and libcurl are built with some protocols disabled, they stop |
| setting and receiving some options that don't make sense with those |
| protocols. In particular, when HTTP is disabled many options aren't set |
| that are used only by HTTP. However, some options that appear to be |
| HTTP-only are actually used by other protocols as well (some despite |
| having HTTP in the name) and should be set, but weren't. This change now |
| causes some of these options to be set and used for more (or for all) |
| protocols. In particular, this fixes tests 646 through 649 in an |
| HTTP-disabled build, which use the MIME API in the mail protocols. |
| |
| Daniel Stenberg (29 Sep 2017) |
| - test1160: verifies cookie leak for large cookies |
| |
| The fix done in 20ea22ff735 |
| |
| - cookie: fix memory leak on oversized rejection |
| |
| Regression brought by 2bc230de63b |
| |
| Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3513 |
| Assisted-by: Max Dymond |
| |
| Closes #1930 |
| |
| - [Anders Bakken brought this change] |
| |
| connect: fix race condition with happy eyeballs timeout |
| |
| The timer should be started after conn->connecttime is set. Otherwise |
| the timer could expire without this condition being true: |
| |
| /* should we try another protocol family? */ |
| if(i == 0 && conn->tempaddr[1] == NULL && |
| curlx_tvdiff(now, conn->connecttime) >= HAPPY_EYEBALLS_TIMEOUT) { |
| |
| Ref: #1928 |
| |
| Michael Kaufmann (28 Sep 2017) |
| - docs: link CURLOPT_CONNECTTIMEOUT and CURLOPT_CONNECTTIMEOUT_MS |
| |
| Closes #1922 |
| |
| - docs: clarify the use of environment variables for proxy |
| |
| Closes #1921 |
| |
| - http: add custom empty headers to repeated requests |
| |
| Closes #1920 |
| |
| - reuse_conn: don't copy flags that are known to be equal |
| |
| A connection can only be reused if the flags "conn_to_host" and |
| "conn_to_port" match. Therefore it is not necessary to copy these flags |
| in reuse_conn(). |
| |
| Closes #1918 |
| |
| Daniel Stenberg (27 Sep 2017) |
| - curl.h: include <sys/select.h> on cygwin too |
| |
| When building with -std=c++14 on cygwin, this header won't be |
| automatically included as it otherwise is. |
| |
| The <sys/select.h> include decision should ideally be reversed and be |
| avoided where that header file doesn't exist. |
| |
| Reported-by: Ian Fette |
| Fixes #1925 |
| |
| - RELEASE-NOTES: synced with d8ab5dc50 |
| |
| Michael Kaufmann (24 Sep 2017) |
| - tests: adjust .gitignore for new tests |
| |
| Jay Satiro (23 Sep 2017) |
| - ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header |
| |
| .. and include the core NTLM header in all NTLM-related source files. |
| |
| Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT |
| but did not include vtls.h where it was defined. |
| |
| Closes https://github.com/curl/curl/pull/1911 |
| |
| Daniel Stenberg (23 Sep 2017) |
| - file_range: avoid integer overflow when figuring out byte range |
| |
| When trying to bump the value with one and the value is already at max, |
| it causes an integer overflow. |
| |
| Closes #1908 |
| Detected by oss-fuzz: |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 |
| |
| Assisted-by: Max Dymond |
| |
| Michael Kaufmann (23 Sep 2017) |
| - tests: fix a compiler warning in test 643 |
| |
| Jay Satiro (23 Sep 2017) |
| - symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry |
| |
| - Use spaces instead of tabs as the delimiter. |
| |
| Follow up to 7c52b12 which added the entry. The entry had used tabs but |
| the symbol-scan parser doesn't recognize tabs and would fail the symbol. |
| |
| Viktor Szakats (22 Sep 2017) |
| - metalink: fix NSS issue in MultiSSL builds |
| |
| In MultiSSL mode (i.e. when more than one SSL backend is compiled |
| in), we cannot use the compile time flag `USE_NSS` as indicator that |
| the NSS backend is in use. As far as Metalink is concerned, the SSL |
| backend is only used for MD5, SHA-1 and SHA-256 calculations, |
| therefore one of the available SSL backends is selected at compile |
| time, in a strict order of preference. |
| |
| Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used |
| to determine whether the SSL backend used for Metalink is the NSS |
| backend, and use that to guard the code that wants to de-initialize |
| the NSS-specific data structure. |
| |
| Ref: https://github.com/curl/curl/pull/1848 |
| |
| - ntlm: use strict order for SSL backend #if branches |
| |
| With the recently introduced MultiSSL support multiple SSL backends |
| can be compiled into cURL That means that now the order of the SSL |
| |
| One option would be to use the same SSL backend as was configured |
| via `curl_global_sslset()`, however, NTLMv2 support would appear |
| to be available only with some SSL backends. For example, when |
| eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced |
| support for NTLMv1 using Windows' Crypt API, it specifically did |
| *not* introduce NTLMv2 support using Crypt API at the same time. |
| |
| So let's select one specific SSL backend for NTLM support when |
| compiled with multiple SSL backends, using a priority order such |
| that we support NTLMv2 even if only one compiled-in SSL backend can |
| be used for that. |
| |
| Ref: https://github.com/curl/curl/pull/1848 |
| |
| Daniel Stenberg (22 Sep 2017) |
| - symbols-in-versions: add CURLSSLSET_NO_BACKENDS |
| |
| ...fixup from b8e0fe19ec |
| |
| - imap: quote atoms properly when escaping characters |
| |
| Updates test 800 to verify |
| |
| Fixes #1902 |
| Closes #1903 |
| |
| - tests: make the imap server not verify user+password |
| |
| ... as the test cases themselves do that and it makes it easier to add |
| crazy test cases. |
| |
| Test 800 updated to use user name + password that need quoting. |
| |
| Test 856 updated to trigger an auth fail differently. |
| |
| Ref: #1902 |
| |
| - vtls: provide curl_global_sslset() even in non-SSL builds |
| |
| ... it just returns error: |
| |
| Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367 |
| Reported-by: Marcel Raad |
| |
| Closes #1906 |
| |
| Patrick Monnerat (22 Sep 2017) |
| - form/mime: field names are not allowed to contain zero-valued bytes. |
| |
| Also suppress length argument of curl_mime_name() (names are always |
| zero-terminated). |
| |
| Daniel Stenberg (21 Sep 2017) |
| - [Dirk Feytons brought this change] |
| |
| openssl: only verify RSA private key if supported |
| |
| In some cases the RSA key does not support verifying it because it's |
| located on a smart card, an engine wants to hide it, ... |
| Check the flags on the key before trying to verify it. |
| OpenSSL does the same thing internally; see ssl/ssl_rsa.c |
| |
| Closes #1904 |
| |
| Marcel Raad (21 Sep 2017) |
| - examples/post-callback: use long for CURLOPT_POSTFIELDSIZE |
| |
| Otherwise, typecheck-gcc.h warns on MinGW-w64. |
| |
| Patrick Monnerat (20 Sep 2017) |
| - mime: rephrase the multipart output state machine (#1898) ... |
| |
| ... in hope coverity will like it much. |
| |
| - mime: fix an explicit null dereference (#1899) |
| |
| Daniel Stenberg (20 Sep 2017) |
| - curl: check fseek() return code and bail on error |
| |
| Detected by coverity. CID 1418137. |
| |
| - smtp: fix memory leak in OOM |
| |
| Regression since ce0881edee |
| |
| Coverity CID 1418139 and CID 1418136 found it, but it was also seen in |
| torture testing. |
| |
| - RELEASE-NOTES: synced with 5fe85587c |
| |
| - [Pavel Pavlov brought this change] |
| |
| cookies: use lock when using CURLINFO_COOKIELIST |
| |
| Closes #1896 |
| |
| - [Max Dymond brought this change] |
| |
| ossfuzz: changes before merging the generated corpora |
| |
| Before merging in the oss-fuzz corpora from Google, there are some changes |
| to the fuzzer. |
| - Add a read corpus script, to display corpus files nicely. |
| - Change the behaviour of the fuzzer so that TLV parse failures all now |
| go down the same execution paths, which should reduce the size of the |
| corpora. |
| - Make unknown TLVs a failure to parse, which should decrease the size |
| of the corpora as well. |
| |
| Closes #1881 |