| 8b9de77c | 01-May-2021 |
Daniel Stenberg |
http: fix the check for 'Authorization' with Bearer
The code would wrongly check for it using an additional colon.
Reported-by: Blake Burkhart
Closes #6988 |
| 3a6058cb | 30-Apr-2021 |
Kamil Dudka |
http2: fix a resource leak in push_promise()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "d
http2: fix a resource leak in push_promise()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
Closes #6986
show more ...
|
| 31931704 | 30-Apr-2021 |
Kamil Dudka |
http2: fix resource leaks in set_transfer_url()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function
http2: fix resource leaks in set_transfer_url()
... detected by Coverity:
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
Closes #6986
show more ...
|
| 8228002c | 25-Apr-2021 |
Jacob Hoffman-Andrews |
rustls: use ALPN
Update required rustls to 0.5.0
Closes #6960 |
| ea17a022 | 29-Apr-2021 |
MAntoniak <47522782+MAntoniak@users.noreply.github.com> |
gskit: fix CURL_DISABLE_PROXY build
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
u
gskit: fix CURL_DISABLE_PROXY build
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
used.
Closes #6981
show more ...
|
| 71bffe73 | 29-Apr-2021 |
MAntoniak <47522782+MAntoniak@users.noreply.github.com> |
gskit: fix undefined reference to 'conn'
Closes #6980 |
| a3268eca | 25-Apr-2021 |
Jacob Hoffman-Andrews |
tls: add USE_HTTP2 define
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without dep
tls: add USE_HTTP2 define
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.
Closes #6959
show more ...
|
| 5c932f8f | 27-Apr-2021 |
Jacob Hoffman-Andrews |
lib: fix 0-length Curl_client_write calls
Closes #6954 |
| f4b85d24 | 24-Apr-2021 |
Jacob Hoffman-Andrews |
lib: remove strlen call from Curl_client_write
At all call sites with an explicit 0 len, pass an appropriate nonzero
len.
Closes #6954 |
| 6aae7b17 | 27-Apr-2021 |
Ayushman Singh Chauhan |
docs: camelcase it like GitHub everywhere
Closes #6979 |
| b0886382 | 27-Apr-2021 |
Lucas Servén Marín |
docs: fix typo in fail-with-body doc
This commit fixes a small typo in the documentation for the
--fail-with-body flag.
Closes https://github.com/curl/curl/pull/6977 |
| 1d5d0ae9 | 23-Apr-2021 |
Jay Satiro |
lib: fix some misuse of curlx_convert_UTF8_to_tchar
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.
I'
lib: fix some misuse of curlx_convert_UTF8_to_tchar
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.
I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.
Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com
Closes https://github.com/curl/curl/pull/6938
show more ...
|
| 3e820fbf | 27-Apr-2021 |
Daniel Stenberg |
ntlm: precaution against super huge type2 offsets
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.
Detected by OSS-Fuzz
Bug:
ntlm: precaution against super huge type2 offsets
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
show more ...
|
| 826c438c | 27-Apr-2021 |
Daniel Stenberg |
c-hyper: fix unused variable ‘wrote’ |
| 2e23f3b8 | 26-Apr-2021 |
Daniel Stenberg |
libcurl-security.3: be careful of setuid
Reported-by: Harry Sintonen
Closes #6970 |
| 76f33fd3 | 26-Apr-2021 |
Kevin Burke |
c-hyper: don't write to set.writeheader if null
Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers t
c-hyper: don't write to set.writeheader if null
Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
the data->set.writeheader header buffer, even though it is null. This
led to NPE segfaults attempting to use libcurl+Hyper with Git, for
example.
Instead, process the client write for the status line using the same
logic we use to process the client write for the later HTTP headers,
which contains the appropriate guard logic. As a side benefit,
data->set.writeheader is now only read in one file instead of two.
Fixes #6619
Fixes abetterinternet/crustls#49
Fixes hyperium/hyper#2438
Closes #6971
show more ...
|
| 9fc28442 | 26-Apr-2021 |
Daniel Stenberg |
wolfssl: handle SSL_write() returns 0 for error
Reported-by: Timo Lange
Closes #6967 |
| f154ae9d | 26-Apr-2021 |
Daniel Stenberg |
easy: ignore sigpipe in curl_easy_send
Closes #6965 |
| 9ec1ef7f | 26-Apr-2021 |
Daniel Stenberg |
sigpipe: ignore SIGPIPE when using wolfSSL as well
Closes #6966 |
| 7fdf01f3 | 23-Apr-2021 |
Daniel Stenberg |
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
Closes #6942 |
| f2e1163b | 23-Apr-2021 |
Harry Sintonen |
nss_set_blocking: avoid static for sock_opt
Reviewed-by: Kamil Dudka
Closes #6945 |
| 56e23196 | 26-Apr-2021 |
Daniel Stenberg |
RELEASE-NOTES: synced |
| c1311dba | 26-Apr-2021 |
Yusuke Nakamura |
docs/HTTP3.md: fix nghttp2's HTTP/3 server port
Port 8443 does not work now.
Correct origin is in the quicwg's wiki.
https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
docs/HTTP3.md: fix nghttp2's HTTP/3 server port
Port 8443 does not work now.
Correct origin is in the quicwg's wiki.
https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
Closes #6964
show more ...
|
| 994af2a1 | 25-Apr-2021 |
Daniel Stenberg |
krb5: don't use 'static' to store PBSZ size response
... because it makes the knowledge and usage cross-transfer in funny and
unexpected ways.
Reported-by: Harry Sintonen
Cl
krb5: don't use 'static' to store PBSZ size response
... because it makes the knowledge and usage cross-transfer in funny and
unexpected ways.
Reported-by: Harry Sintonen
Closes #6963
show more ...
|
| 9f71cc29 | 24-Apr-2021 |
Kevin Burke |
m4: add security frameworks on Mac when compiling rustls
Previously compiling rustls on Mac would only complete if you also
compiled the SecureTransport TLS backend, which curl would pre
m4: add security frameworks on Mac when compiling rustls
Previously compiling rustls on Mac would only complete if you also
compiled the SecureTransport TLS backend, which curl would prefer to
the Rust backend.
Appending these flags to LDFLAGS makes it possible to compile the
Rustls backend on Mac without the SecureTransport backend, which means
this patch will make it possible for Mac users to use the Rustls
backend for TLS.
Reviewed-by: Jacob Hoffman-Andrews
Fixes #6955
Cloes #6956
show more ...
|
