53400f5a | 24-Jan-2019 |
Ladar Levison |
runtests.pl: Fix perl call to include srcdir - Use explicit include opt for perl calls. Prior to this change some scripts couldn't find their dependencies. At the top, perl is called with the "-Isrcdir" option, and it works: https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L183 But on line 3868, that option is omitted. This caused problems for me, as the symbol-scan.pl script in particular couldn't find its dependencies properly: https://github.com/curl/curl/blob/curl-7_63_0/tests/runtests.pl#L3868 This patch fixes that oversight by making calls to perl sub-shells uniform. Closes https://github.com/curl/curl/pull/3496
|
39df4073 | 18-Jan-2019 |
Daniel Gustafsson |
smtp: avoid risk of buffer overflow in strtol If the incoming len 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until it exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Bug: https://curl.haxx.se/docs/CVE-2019-3823.html Reported-by: Brian Carpenter (Geeknik Labs) CVE-2019-3823
|
50c94842 | 03-Jan-2019 |
Daniel Stenberg |
ntlm: fix *_type3_message size check to avoid buffer overflow Bug: https://curl.haxx.se/docs/CVE-2019-3822.html Reported-by: Wenxiang Qian CVE-2019-3822 |
b780b30d | 02-Jan-2019 |
Daniel Stenberg |
NTLM: fix size check condition for type2 received data Bug: https://curl.haxx.se/docs/CVE-2018-16890.html Reported-by: Wenxiang Qian CVE-2018-16890 |
a730432e | 29-Jan-2019 |
georgeok |
spnego_sspi: add support for channel binding Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
|
463f16d1 | 01-Feb-2019 |
Daniel Stenberg |
RELEASE-NOTES: synced |
180501cb | 29-Jan-2019 |
Daniel Stenberg |
schannel: stop calling it "winssl" Stick to "Schannel" everywhere. The configure option --with-winssl is kept to allow existing builds to work but --with-schannel is added as an alias. Closes #3504
|
6f61933a | 27-Jan-2019 |
Daniel Stenberg |
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time To make sure Curl_timeleft() also thinks the timeout has been reached when one of the EXPIRE_*TIMEOUTs expires. Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html Reported-by: Zhao Yisha Closes #3501
|
427fa512 | 31-Jan-2019 |
John Marshall |
doc: use meaningless port number in CURLOPT_LOCALPORT example Use an ephemeral port number here; previously the example had 8080 which could be confusing as the common web server port number might be misinterpreted as suggesting this option affects the remote port. URL: https://curl.haxx.se/mail/lib-2019-01/0084.html Closes #3513
|
06f744d4 | 29-Jan-2019 |
Gisle Vanem |
Escape the '\' A backslash should be escaped in Roff / Troff. |
3de60741 | 29-Jan-2019 |
Jay Satiro |
TODO: WinSSL: 'Add option to disable client cert auto-send' By default WinSSL selects and sends a client certificate automatically, but for privacy and consistency we should offer an option to disable the default auto-send behavior. Reported-by: Jeroen Ooms Closes https://github.com/curl/curl/issues/2262
|
a9d9a3ab | 23-Jan-2019 |
Jeremie Rapin |
sigpipe: if mbedTLS is used, ignore SIGPIPE mbedTLS doesn't have a sigpipe management. If a write/read occurs when the remote closes the socket, the signal is raised and kills the application. Use the curl mechanisms to fix this behavior. Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com> Closes #3502
|
1b8fe0a8 | 28-Jan-2019 |
Daniel Stenberg |
unit1653: make it survive torture tests |
b0a43aad | 05-Jan-2019 |
Michael Kujawa |
timeval: Disable MSVC Analyzer GetTickCount warning Compiling with msvc /analyze and a recent Windows SDK warns against using GetTickCount (Suggests to use GetTickCount64 instead.) Since GetTickCount is only being used when GetTickCount64 isn't available, I am disabling that warning. Fixes https://github.com/curl/curl/issues/3437 Closes https://github.com/curl/curl/pull/3440
|
179311ec | 25-Jan-2019 |
Daniel Stenberg |
configure: rewrite --enable-code-coverage The previously used ax_code_coverage.m4 is not license compatible and must not be used. Reported-by: William A. Rowe Jr Fixes #3497 Closes #3499
|
3cbf731d | 23-Jan-2019 |
Felix Hädicke |
setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for libssh as well. So accepting these options only when compiling with libssh2 is wrong here. Fixes #3493 Closes #3494
|
15c94b31 | 23-Jan-2019 |
Felix Hädicke |
libssh: do not let libssh create socket By default, libssh creates a new socket, instead of using the socket created by curl for SSH connections. Pass the socket created by curl to libssh using ssh_options_set() with SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket instead of creating a new one. This approach is very similar to what is done in the libssh2 code, where the socket created by curl is passed to libssh2 when libssh2_session_startup() is called. Fixes #3491 Closes #3495
|
c497cab4 | 21-Jan-2019 |
Daniel Stenberg |
RELEASE-NOTES: synced |
ce6f73b9 | 20-Jan-2019 |
Archangel_SDY |
schannel: preserve original certificate path parameter Fixes #3480 Closes #3487 |
458e8989 | 21-Jan-2019 |
Daniel Stenberg |
KNOWN_BUGS: tests not compatible with python3 Closes #3289 [skip ci] |
f0b2c13a | 20-Jan-2019 |
Daniel Gustafsson |
memcmp: avoid doing single char memcmp There is no real gain in performing memcmp() comparisons on single characters, so change these to array subscript inspections which saves a call and makes the code clearer. Closes #3486 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
|
6bd5bc97 | 19-Jan-2019 |
Daniel Stenberg |
COPYING: it's 2019 [skip ci] |
21c37942 | 18-Jan-2019 |
hhb |
configure: fix recv/send/select detection on Android This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. The overloadable attribute is removed again starting from NDK17. Actually they only exist in two NDK versions (15 and 16). With overloadable, the first condition tried will succeed. Results in wrong detection result. Closes #3484
|
09662337 | 27-Nov-2018 |
georgeok |
ntlm_sspi: add support for channel binding Windows extended protection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses. Fixes #3280 Closes #3321
|
6ee67297 | 18-Jan-2019 |
Daniel Stenberg |
schannel: on connection close there might not be a transfer Reported-by: Marcel Raad Fixes #3412 Closes #3483 |