| #
920f73a6 |
| 14-Mar-2018 |
dasimx |
FTP: fix typo in recursive callback detection for seeking
Fixes #2380
|
|
Revision tags: curl-7_59_0 |
|
| #
535432c0 |
| 31-Jan-2018 |
Daniel Stenberg |
FTP: reject path components with control codes
Refuse to operate when given path components featuring byte values lower
than 32.
Previously, inserting a %00 sequence early in th
FTP: reject path components with control codes
Refuse to operate when given path components featuring byte values lower
than 32.
Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.
Test case 340 verifies.
CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
show more ...
|
| #
7e35eb77 |
| 23-Feb-2018 |
Viktor Szakats |
spelling fixes
Detected using the `codespell` tool.
Also contains one URL protocol upgrade.
Closes https://github.com/curl/curl/pull/2334
|
| #
b46cfbc0 |
| 10-Feb-2018 |
Björn Stenberg |
TODO fixed: Detect when called from within callbacks
Closes #2302
|
| #
ddd31dc5 |
| 31-Jan-2018 |
Daniel Stenberg |
time_t-fixes: remove typecasts to 'long' for info.filetime
They're now wrong.
Reported-by: Michael Kaufmann
Closes #2277
|
| #
e04417d9 |
| 29-Jan-2018 |
Max Dymond |
Curl_range: commonize FTP and FILE range handling
Closes #2205
|
|
Revision tags: curl-7_58_0, curl-7_57_0 |
|
| #
0d85eed3 |
| 26-Oct-2017 |
Daniel Stenberg |
Curl_timeleft: change return type to timediff_t
returning 'time_t' is problematic when that type is unsigned and we
return values less than zero to signal "already expired", used in
Curl_timeleft: change return type to timediff_t
returning 'time_t' is problematic when that type is unsigned and we
return values less than zero to signal "already expired", used in
several places in the code.
Closes #2021
show more ...
|
| #
7b11c5db |
| 25-Oct-2017 |
Max Dymond |
wildcards: don't use with non-supported protocols
Fixes timeouts in the fuzzing tests for non-FTP protocols.
Closes #2016
|
| #
5d543fe9 |
| 25-Oct-2017 |
Daniel Stenberg |
time: rename Curl_tvnow to Curl_now
... since the 'tv' stood for timeval and this function does not return a
timeval struct anymore.
Also, cleaned up the Curl_timediff*() functi
time: rename Curl_tvnow to Curl_now
... since the 'tv' stood for timeval and this function does not return a
timeval struct anymore.
Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
clean up the descriptive comments.
Closes #2011
show more ...
|
| #
b9d25f9a |
| 23-Oct-2017 |
Daniel Stenberg |
timediff: return timediff_t from the time diff functions
... to cater for systems with unsigned time_t variables.
- Renamed the functions to curlx_timediff and Curl_timediff_us.
timediff: return timediff_t from the time diff functions
... to cater for systems with unsigned time_t variables.
- Renamed the functions to curlx_timediff and Curl_timediff_us.
- Added overflow protection for both of them in either direction for
both 32 bit and 64 bit time_ts
- Reprefixed the curlx_time functions to use Curl_*
Reported-by: Peter Piekarski
Fixes #2004
Closes #2005
show more ...
|
|
Revision tags: curl-7_56_1 |
|
| #
769647e7 |
| 19-Oct-2017 |
Daniel Stenberg |
ftp: reject illegal IP/port in PASV 227 response
... by using range checks. Among other things, this avoids an undefined
behavior for a left shift that could happen on negative or very l
ftp: reject illegal IP/port in PASV 227 response
... by using range checks. Among other things, this avoids an undefined
behavior for a left shift that could happen on negative or very large
values.
Closes #1997
Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
show more ...
|
| #
ecf21c55 |
| 10-Oct-2017 |
Daniel Stenberg |
FTP: URL decode path for dir listing in nocwd mode
Reported-by: Zenju on github
Test 244 added to verify
Fixes #1974
Closes #1976
|
| #
a69a4d22 |
| 03-Oct-2017 |
Daniel Stenberg |
ftp: UBsan fixup 'pointer index expression overflowed'
Closes #1939
|
|
Revision tags: curl-7_56_0 |
|
| #
5ff2c5ff |
| 24-Sep-2017 |
Daniel Stenberg |
FTP: zero terminate the entry path even on bad input
... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254
Test 1152 adde
FTP: zero terminate the entry path even on bad input
... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254
Test 1152 added to verify.
Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
show more ...
|
| #
87501e57 |
| 12-Sep-2017 |
Daniel Stenberg |
code style: remove wrong uses of multiple spaces
Closes #1878
|
| #
e5743f08 |
| 09-Sep-2017 |
Daniel Stenberg |
code style: use spaces around pluses
|
| #
6b84438d |
| 09-Sep-2017 |
Daniel Stenberg |
code style: use spaces around equals signs
|
| #
c95eff4a |
| 15-Aug-2017 |
Daniel Stenberg |
ftp: fix CWD when doing multicwd then nocwd on same connection
Fixes #1782
Closes #1787
Reported-by: Peter Lamare
|
| #
ff50fe03 |
| 14-Aug-2017 |
Daniel Stenberg |
strtoofft: reduce integer overflow risks globally
... make sure we bail out on overflows.
Reported-by: Brian Carpenter
Closes #1758
|
|
Revision tags: curl-7_55_1, curl-7_55_0 |
|
| #
2ccd65af |
| 03-Aug-2017 |
Daniel Stenberg |
FTP: skip unnecessary CWD when in nocwd mode
... when reusing a connection. If it didn't do any CWD previously.
Fixes #1718
|
| #
4dee50b9 |
| 28-Jul-2017 |
Daniel Stenberg |
timeval: struct curltime is a struct timeval replacement
... to make all libcurl internals able to use the same data types for
the struct members. The timeval struct differs subtly on se
timeval: struct curltime is a struct timeval replacement
... to make all libcurl internals able to use the same data types for
the struct members. The timeval struct differs subtly on several
platforms so it makes it cumbersome to use everywhere.
Ref: #1652
Closes #1693
show more ...
|
|
Revision tags: curl-7_54_1 |
|
| #
c75f63d7 |
| 31-May-2017 |
Max Dymond |
handler: refactor connection checking
Add a new type of callback to Curl_handler which performs checks on
the connection. Alter RTSP so that it uses this callback to do its
own check
handler: refactor connection checking
Add a new type of callback to Curl_handler which performs checks on
the connection. Alter RTSP so that it uses this callback to do its
own check on connection health.
show more ...
|
| #
efc83d6d |
| 15-Jun-2017 |
Daniel Stenberg |
http-proxy: only attempt FTP over HTTP proxy
... all other non-HTTP protocol schemes are now defaulting to "tunnel
trough" mode if a HTTP proxy is specified. In reality there are no HTTP
http-proxy: only attempt FTP over HTTP proxy
... all other non-HTTP protocol schemes are now defaulting to "tunnel
trough" mode if a HTTP proxy is specified. In reality there are no HTTP
proxies out there that allow those other schemes.
Assisted-by: Ray Satiro, Michael Kaufmann
Closes #1505
show more ...
|
| #
5113ad04 |
| 07-Jun-2017 |
Daniel Stenberg |
http-proxy: do the HTTP CONNECT process entirely non-blocking
Mentioned as a problem since 2007 (8f87c15bdac63) and of course it
existed even before that.
Closes #1547
|
| #
e9fd794a |
| 09-May-2017 |
Daniel Stenberg |
multi: assign IDs to all timers and make each timer singleton
A) reduces the timeout lists drastically
B) prevents a lot of superfluous loops for timers that expires "in vain"
multi: assign IDs to all timers and make each timer singleton
A) reduces the timeout lists drastically
B) prevents a lot of superfluous loops for timers that expires "in vain"
when it has actually already been extended to fire later on
show more ...
|
