50efb082 | 28-Jun-2022 |
Daniel Stenberg |
easy_lock: switch to using atomic_int instead of bool To work with more compilers without requiring separate libs to link. Like with gcc-12 for RISC-V on Linux. Reported-by: Adam Sampson Fixes #9055 Closes #9061 |
e631f6e1 | 27-Jun-2022 |
vvb2060 |
ngtcp2: fix incompatible function pointer types Closes #9056 |
5a1a8925 | 27-Jun-2022 |
vvb2060 |
easy_lock.h: use __asm__ instead of asm to fix build Closes #9056 |
aa34135e | 27-Jun-2022 |
Samuel Henrique |
libcurl-security.3: fix typo on macro "SH_" During the packaging of the latest curl release for Debian, Lintian warned me about a typo which causes the section name "Secrets in memory" to not be rendered in the manpage due to "SH_" not being recognized as a header. Closes #9057 |
e2e7f54b | 27-Jun-2022 |
Daniel Stenberg |
easy_lock.h: include sched.h if available to fix build Patched-by: Harry Sintonen Closes #9054 |
45ac4d01 | 27-Jun-2022 |
Daniel Stenberg |
RELEASE-NOTES: synced Version 7.84.0 release |
49248757 | 27-Jun-2022 |
Daniel Stenberg |
THANKS: contributors from 7.84.0 release notes |
d64115d7 | 25-May-2022 |
Daniel Stenberg |
hsts: use Curl_fopen() |
fab970a5 | 25-May-2022 |
Daniel Stenberg |
altsvc: use Curl_fopen() |
20f9dd6b | 25-May-2022 |
Daniel Stenberg |
fopen: add Curl_fopen() for better overwriting of files Bug: https://curl.se/docs/CVE-2022-32207.html CVE-2022-32207 Reported-by: Harry Sintonen Closes #9050 |
46f8911d | 26-Jun-2022 |
Daniel Stenberg |
test444: test many received Set-Cookie: The amount of sent cookies in the test is limited to 80 because hyper has its own strict limits in how many headers it allows to be received which triggers at some point beyond this number. |
ff2b2bcf | 26-Jun-2022 |
Daniel Stenberg |
test442/443: test cookie caps 442 - verify that only 150 cookies are sent 443 - verify that the cookie: header remains less than 8K in size |
48d7064a | 26-Jun-2022 |
Daniel Stenberg |
cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048 |
7230b19a | 16-May-2022 |
Daniel Stenberg |
test387: verify rejection of compression chain attack |
3a09fbb7 | 16-May-2022 |
Daniel Stenberg |
content_encoding: return error on too many compression steps The max allowed steps is arbitrarily set to 5. Bug: https://curl.se/docs/CVE-2022-32206.html CVE-2022-32206 Reported-by: Harry Sintonen Closes #9049 |
6ecdf513 | 09-Jun-2022 |
Daniel Stenberg |
krb5: return error properly on decode errors Bug: https://curl.se/docs/CVE-2022-32208.html CVE-2022-32208 Reported-by: Harry Sintonen Closes #9051 |
2b67a0a1 | 23-Jun-2022 |
Daniel Stenberg |
easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro clang 14 warns about its use. It is being deprecated by the working group for the programming language C: "The macro ATOMIC_VAR_INIT is basically useless for the purpose for which it was designed" Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm Reported-by: Tatsuhiro Tsujikawa Fixes #9041 Closes #9042 |
8135d420 | 22-Jun-2022 |
Stefan Eissing |
ngtcp2: avoid supplying 0 length `msg_control` to sendmsg() Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control buffer is provided in sendmsg(), even though msg_controllen was set to 0. Initialize msg.msg_controllen just as needed and also perform the size assertion only when needed. Closes #9039 |
71bbabb1 | 23-Jun-2022 |
Tom Eccles |
ftp: restore protocol state after http proxy CONNECT connect_init() (lib/http_proxy.c) swaps out the protocol state while working on the proxy connection, this is then restored by Curl_connect_done() after the connection completes. ftp_do_more() extracted the protocol state pointer to a local variable at the start of the function then calls Curl_proxy_connect(). If the proxy connection completes, Curl_proxy_connect() will call Curl_connect_done() (via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp protocol state instead of the http proxy protocol state, but the local variable in ftp_do_more still pointed to the old value. Ultimately this meant that the state worked on by ftp_do_more() was the http proxy state not the ftp state initialised by ftp_connect(), but subsequent calls to any ftp_ function would use the original state. For my use-case, the visible consequence was that ftp->downloadsize was never set and so downloaded data was never returned to the application. This commit updates the ftp protocol state pointer in ftp_do_more() after Curl_proxy_connect() returns, ensuring that the correct state pointer is used. Fixes #8737 Closes #9043 |
f3a77815 | 23-Jun-2022 |
Jay Satiro |
THANKS: add contributor missing from aea8ac1 aea8ac1 fixed #8980 which was reported by Sgharat on github, but that info was not included in the commit message. |
37337175 | 22-Jun-2022 |
Jay Satiro |
curl_setup: include _mingw.h Prior to this change _mingw.h needed to be included in each unit before evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It is included only in some mingw headers (eg stdio.h) and not others (eg windows.h) so it's better to explicitly include it once. Closes https://github.com/curl/curl/pull/9036 |
70adb81c | 22-Jun-2022 |
Viktor Szakats |
rand: stop detecting /dev/urandom in cross-builds - Prevent CMake from auto-detecting /dev/urandom when cross-building. Before this patch, it would detect it in a cross-build scenario on *nix hosts with this device present. This was a problem for example with Windows builds, but it could affect any target system with this device missing. This also syncs detection behaviour with autotools, which also skips it for cross-builds. - Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's fallback random number generator on Windows. Windows does not have the concept of reading a random stream from a filename, nor any guaranteed non-world-writable path on disk. With this, a manual misconfiguration or an overeager auto-detection can no longer result in a user-controllable seed source. Reviewed-by: Daniel Stenberg Closes #9038 |
79f915e8 | 15-Jun-2022 |
Emanuele Torre |
ci: avoid `cmake -Hpath` This is an undocumented option similar to the `-Spath' option introduced in cmake 3.13. Replace all instances of `-Hpath' with `-Spath' in macos workflow. Replace `-H. -Bpath' with `mkdir path; cd ./path; cmake ..' in zuul scripts since it runs an older version of cmake. Fixes #9008 Closes #9014 |
8b83fbfe | 22-Jun-2022 |
Daniel Stenberg |
INTERNALS: bring back the "Library symbols" section Most content was moved, but this text should remain here. Follow-up to: d324ac8 Reported-by: Viktor Szakats Bug: https://github.com/curl/curl/pull/9027#discussion_r903382326 Closes #9037 |
6c501cb6 | 22-Jun-2022 |
Viktor Szakats |
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip] Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows XP when the `-ipv6` option is selected. Maybe this was added to support pre-XP Windows versions (?). These days libcurl builds fine for both XP and post-XP versions with IPv6 support enabled. The relevance of pre-XP version is also low by now. Other build methods also do not impose such limitation for a similar configuration. So, drop this hard-wired `_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default Windows version set by the compiler. This is Vista for recent MinGW versions. Old behaviour can be restored by setting this envvar: export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501 [1] 98a61d8e2e8982786aaf3916cbbcac96838316e7 Closes #9035 |