#
811a693b |
| 30-Sep-2016 |
Daniel Stenberg |
strcasecompare: all case insensitive string compares ignore locale now

We had some confusions on when each function was used. We should not act differently on different locales anyway.
|
#
502acba2 |
| 30-Sep-2016 |
Daniel Stenberg |
strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually does case insensitive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
|
#
c5be3d72 |
| 04-Oct-2016 |
Daniel Stenberg |
cookies: getlist() now holds deep copies of all cookies

Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface.

CVE-2016-8623

Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
|
#
54e48b14 |
| 03-Oct-2016 |
Sergei Kuzmin |
cookies: same domain handling changed to match browser behavior

Cookie with the same domain but different tailmatching property are now considered different and do not replace each other. If header contains following lines then two cookies will be set:

Set-Cookie: foo=bar; domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033
Set-Cookie: foo=baz; domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033

This matches Chrome, Opera, Safari, and Firefox behavior. When sending stored tokens to foo.com Chrome, Opera, Firefox store send them in the stored order, while Safari pre-sort the cookies.

Closes #1050
|
Revision tags: curl-7_50_3, curl-7_50_2, curl-7_50_1, curl-7_50_0 |
|
#
bcc8f485 |
| 12-Jul-2016 |
Viktor Szakats |
cookie.c: Fix misleading indentation

Closes https://github.com/curl/curl/pull/911
|
#
434f8d03 |
| 21-Jun-2016 |
Daniel Stenberg |
internals: rename the SessionHandle struct to Curl_easy
|
Revision tags: curl-7_49_1, curl-7_49_0 |
|
#
4f45240b |
| 29-Apr-2016 |
Daniel Stenberg |
lib: include curl_printf.h as one of the last headers

curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc.

To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order:

curl_printf.h
curl_memory.h
memdebug.h

None of them include system headers, they all do funny #defines.

Reported-by: David Benjamin
Fixes #743
|
Revision tags: curl-7_48_0 |
|
#
7f7fcd0d |
| 10-Mar-2016 |
Daniel Stenberg |
cookies: first n/v pair in Set-Cookie: is the cookie, then parameters

RFC 6265 section 4.1.1 spells out that the first name/value pair in the header is the actual cookie name and content, while the following are the parameters.

libcurl previously had a more liberal approach which causes significant problems when introducing new cookie parameters, like the suggested new cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first name used that wasn't a known parameter name would be used as the cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be a cookie named 'person' while an RFC 6265 compliant parser should consider that to be a cookie named 'Max-Age' with an (unknown) parameter 'person'.

Fixes #709
|
#
c140bd78 |
| 02-Mar-2016 |
Tim Rühsen |
cookie: do not refuse cookies for localhost

Closes #658
|
#
20de9b4f |
| 05-Mar-2016 |
Jay Satiro |
cookie: Don't expire session cookies in remove_expired

Prior to this change cookies with an expiry date that failed parsing and were converted to session cookies could be purged in remove_expired.

Bug: https://github.com/curl/curl/issues/697
Reported-by: Seth Mos
|
#
33a0a926 |
| 03-Mar-2016 |
Daniel Stenberg |
cookie: remove redundant check

... as it was already checked previously within the function.

Reported-by: Dmitry-Me
Closes #695
|
#
18c735e7 |
| 08-Feb-2016 |
Daniel Stenberg |
cookies: allow spaces in cookie names, cut off trailing spaces

It turns out Firefox and Chrome both allow spaces in cookie names and there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639
|
Revision tags: curl-7_47_1 |
|
#
4af40b36 |
| 02-Feb-2016 |
Daniel Stenberg |
URLs: change all http:// URLs to https://
|
Revision tags: curl-7_47_0, curl-7_46_0, curl-7_45_0 |
|
#
e77b5b74 |
| 29-Sep-2015 |
Tim Rühsen |
cookies: Add support for Mozilla's Public Suffix List

Use libpsl to check the domain value of Set-Cookie headers (and cookie jar entries) for not being a Public Suffix.

The configure script checks for "libpsl" by default. Disable the check with --without-libpsl.

Ref: https://publicsuffix.org/
Ref: https://github.com/publicsuffix/list
Ref: https://github.com/rockdaboot/libpsl
|
Revision tags: curl-7_44_0 |
|
#
ef0fdb83 |
| 18-Jun-2015 |
Jay Satiro |
cookie: Fix bug in export if any-domain cookie is present

In 3013bb6 I had changed cookie export to ignore any-domain cookies, however the logic I used to do so was incorrect, and would lead to a busy loop in the case of exporting a cookie list that contained any-domain cookies. The result of that is worse though, because in that case the other cookies would not be written resulting in an empty file once the application is terminated to stop the busy loop.
|
Revision tags: curl-7_43_0 |
|
#
3013bb6b |
| 04-Jun-2015 |
Jay Satiro |
cookie: Stop exporting any-domain cookies

Prior to this change any-domain cookies (cookies without a domain that are sent to any domain) were exported with domain name "unknown".

Bug: https://github.com/bagder/curl/issues/292
|
#
e8423f9c |
| 01-Jun-2015 |
Jay Satiro |
curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT

- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt"
- Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt"

This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT.

Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects.

Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055
Reported-by: Orgad Shaneh
|
Revision tags: curl-7_42_1, curl-7_42_0 |
|
#
b5f947b8 |
| 16-Apr-2015 |
Daniel Stenberg |
cookie: cookie parser out of boundary memory access

The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
|
#
2685041a |
| 01-Apr-2015 |
Daniel Stenberg |
cookie: handle spaces after the name in Set-Cookie

"name =value" is fine and the space should just be skipped.

Updated test 31 to also test for this.

Bug: https://github.com/bagder/curl/issues/195
Reported-by: cromestant
Help-by: Frank Gevaerts
|
#
35648f2e |
| 24-Mar-2015 |
Dan Fandrich |
curl_memory: make curl_memory.h the second-last header file loaded

This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
|
#
0f4a03cb |
| 16-Mar-2015 |
Daniel Stenberg |
free: instead of Curl_safefree()

Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and:

- converts lots of Curl_safefree() calls to good old free()
- makes Curl_safefree() not check the pointer before free()

The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
|
#
29c655c0 |
| 11-Mar-2015 |
Markus Elfring |
Bug #149: Deletion of unnecessary checks before calls of the function "free"

The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first

This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
|
#
df5578a7 |
| 03-Mar-2015 |
Daniel Stenberg |
mprintf.h: remove #ifdef CURLDEBUG

... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
|
Revision tags: curl-7_41_0, curl-7_40_0 |
|
#
41f1f6e8 |
| 07-Dec-2014 |
Dan Fandrich |
cookies: Improved OOM handling in cookies

This fixes the test 506 torture test. The internal cookie API really ought to be improved to separate cookie parsing errors (which may be ignored) with OOM errors (which should be fatal).
|
#
2adf2946 |
| 07-Dec-2014 |
Dan Fandrich |
cookie.c: Refactored cleanup code to simplify

Also, fixed the outdated comments on the cookie API.
|