361f9957 | 28-Apr-2019 |
Reed Loden |
docs: minor polish to the bug bounty / security docs Closes #3811 |
5fc28510 | 29-Apr-2019 |
Daniel Stenberg |
CURL_MAX_INPUT_LENGTH: largest acceptable string input size This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set(). The 8000000 number is arbitrarily picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over. NOTE: This does not apply to `CURLOPT_POSTFIELDS`. Test 1559 verifies. Closes #3805 |
2fe2da9f | 28-Apr-2019 |
Tseng Jun <6501202@qq.com> |
curlver.h: use parenthesis in CURL_VERSION_BITS macro Closes #3809 |
dc5ac786 | 12-Apr-2019 |
Simon Warta |
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP Closes https://github.com/curl/curl/pull/3769 |
e7d3f65a | 23-Apr-2019 |
Steve Holme |
ntlm: Missed pre-processor || (or) during rebase for cd15acd0 |
cd15acd0 | 13-Apr-2019 |
Steve Holme |
ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 Just like we do for mbed TLS, use our local implementation of MD4 when OpenSSL doesn't support it. This allows a type-3 message to include the NT response. |
7794cacf | 23-Apr-2019 |
Daniel Gustafsson |
INTERNALS: fix misindentation of ToC item Kerberos was incorrectly indented as a subsection under FTP, which is incorrect as they are both top level sections. A fix for this was first attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that was a few paddles short of being complete. |
c3666e43 | 23-Apr-2019 |
Aron Bergman |
INTERNALS: Add structs to ToC Add the subsections under "Structs in libcurl" to the table of contents. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Daniel Gustafsson <daniel@yesql.se> |
927ee2cc | 23-Apr-2019 |
Aron Bergman |
INTERNALS: Add code highlighting Make all struct members under the Curl_handler section print in monospace font. Closes #3801 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Daniel Gustafsson <daniel@yesql.se> |
10e4dd6a | 20-Apr-2019 |
Daniel Stenberg |
docs/BUG-BOUNTY: bug bounty time [skip ci] Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. Assisted-by: Daniel Gustafsson Closes #3488 |
eb84ca3e | 18-Apr-2019 |
Steve Holme |
sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 RFC 4616 specifies the authzid is optional in the client authentication message and that the server will derive the authorisation identity (authzid) from the authentication identity (authcid) when not specified by the client. |
b21701c5 | 22-Apr-2019 |
Gisle Vanem |
memdebug: fix variable name Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. Ref: https://github.com/curl/curl/commit/76b6348#r33259088 |
f0950acc | 17-Apr-2019 |
Steve Holme |
vauth/cleartext: Don't send the authzid if it is empty Follow up to 762a292f. |
c8bbfb90 | 20-Apr-2019 |
Daniel Stenberg |
test 196,197,198: add 'retry' keyword [skip ci] |
50d2284b | 21-Apr-2019 |
Daniel Stenberg |
RELEASE-NOTES: synced |
e649432e | 14-Apr-2019 |
Daniel Stenberg |
CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse ... and disconnect too old ones instead of trying to reuse. Default max age is set to 118 seconds. Ref: #3722 Closes #3782 |
060f870b | 30-Mar-2019 |
Po-Chuan Hsieh |
altsvc: Fix building with cookies disables ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is disabled. Fix by splitting out the function into a separate file which can be included where needed. Closes #3717 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com> |
e04e974a | 19-Apr-2019 |
Daniel Stenberg |
test1002: correct the name [skip ci] |
4225e5db | 19-Apr-2019 |
Daniel Stenberg |
test660: verify CONNECT_ONLY with IMAP which basically just makes sure LOGOUT is *not* issued on disconnect |
e06b8bda | 19-Apr-2019 |
Daniel Stenberg |
Curl_disconnect: treat all CONNECT_ONLY connections as "dead" Since the connection has been used by the "outside" we don't know the state of it anymore and curl should not use it anymore. Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html Closes #3795 |
31c31112 | 19-Apr-2019 |
Daniel Stenberg |
multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) The list of names must be in sync with the defined states in the header file! |
7113e075 | 16-Apr-2019 |
Steve Holme |
openvms: Remove pre-processors for Windows as VMS cannot support them |
7b131a14 | 15-Apr-2019 |
Steve Holme |
openvms: Remove pre-processor for SecureTransport as VMS cannot support it Fixes #3768 Closes #3785 |
d69ffec9 | 16-Apr-2019 |
Jay Satiro |
TODO: Add issue link to an existing entry |
36dc5d66 | 16-Apr-2019 |
Daniel Stenberg |
RELEASE-NOTES: synced |