Revision tags: curl-7_67_0 |
|
#
249541f1 |
| 03-Oct-2019 |
Daniel Stenberg |
cookies: change argument type for Curl_flush_cookies The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear. Closes #4455
|
#
13ecc072 |
| 03-Oct-2019 |
Paul Dreik |
cookie: avoid harmless use after free This fix removes a use after free which can be triggered by the internal cookie fuzzer, but otherwise is probably impossible to trigger from an ordinary application. The following program reproduces it:

    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL* handle=curl_easy_init();
    CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
    curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
    Curl_flush_cookies(handle, true);
    Curl_cookie_cleanup(info);
    curl_easy_cleanup(handle);
    curl_global_cleanup();

This was found through fuzzing. Closes #4454
|
#
d0a7ee3f |
| 27-Sep-2019 |
Daniel Stenberg |
cookies: using a share with cookies shouldn't enable the cookie engine The 'share object' only sets the storage area for cookies. The "cookie engine" still needs to be enabled or activated using the normal cookie options. This caused the curl command line tool to accidentally use cookies without having been told to, since curl switched to using shared cookies in 7.66.0. Test 1166 verifies Updated test 506 Fixes #4429 Closes #4434
|
#
0801343e |
| 18-Sep-2019 |
Daniel Stenberg |
cookie: pass in the correct cookie amount to qsort() As the loop discards cookies without domain set. This bug would lead to qsort() trying to sort uninitialized pointers. We have however not found it a security problem. Reported-by: Paul Dreik Closes #4386
|
Revision tags: curl-7_66_0 |
|
#
ec3f6f1c |
| 19-Jul-2019 |
Daniel Stenberg |
source: remove names from source comments Several reasons:
- we can't add everyone who's helping out so it's unfair to just a few selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each release
- we don't want to give the impression that some parts of the code are "owned" or "controlled" by specific persons
Assisted-by: Daniel Gustafsson Closes #4129
|
Revision tags: curl-7_65_3, curl-7_65_2 |
|
#
cf4255c8 |
| 03-Jul-2019 |
Gergely Nagy |
lib: Use UTF-8 encoding in comments Some editors and IDEs assume that source files use UTF-8 file encodings. It also fixes the build with MSVC when /utf-8 command line option is used (this option is mandatory for some other open-source projects, this is useful when using the same options is desired for building all libraries of a project). Closes https://github.com/curl/curl/pull/4087
|
Revision tags: curl-7_65_1, curl-7_65_0 |
|
#
10db3ef2 |
| 11-May-2019 |
Marcel Raad |
lib: reduce variable scopes Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
|
#
b45fd893 |
| 01-May-2019 |
Daniel Gustafsson |
cookie: Guard against possible NULL ptr deref In case the name pointer isn't set (due to memory pressure most likely) we need to skip the prefix matching and reject with a badcookie to avoid a possible NULL pointer dereference. Closes #3820 #3821 Reported-by: Jonathan Moerman Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
#
060f870b |
| 30-Mar-2019 |
Po-Chuan Hsieh |
altsvc: Fix building with cookies disabled ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is disabled. Fix by splitting out the function into a separate file which can be included where needed. Closes #3717 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
|
Revision tags: curl-7_64_1 |
|
#
299d9660 |
| 08-Mar-2019 |
Daniel Stenberg |
Revert "cookies: extend domain checks to non psl builds" This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. Regression shipped in 7.64.0 Fixes #3649
|
#
e1be8254 |
| 03-Mar-2019 |
Daniel Stenberg |
alt-svc: the libcurl bits
|
#
eb433389 |
| 26-Feb-2019 |
Daniel Stenberg |
cookies: only save the cookie file if the engine is enabled Follow-up to 8eddb8f4259. If the cookieinfo pointer is NULL there really is nothing to save. Without this fix, we got a problem when a handle was using shared object with cookies and is told to "FLUSH" it to file (which worked) and then the share object was removed and when the easy handle was closed just afterwards it has no cookieinfo and no cookies so it decided to save an empty jar (overwriting the file just flushed). Test 1905 now verifies that this works. Assisted-by: Michael Wallner Assisted-by: Marcel Raad Closes #3621
|
#
8eddb8f4 |
| 25-Feb-2019 |
Michael Wallner |
cookies: fix NULL dereference if flushing cookies with no CookieInfo set Regression brought by a52e46f3900fb0 (shipped in 7.63.0) Closes #3613
|
#
e6522522 |
| 16-Feb-2019 |
Daniel Gustafsson |
cookie: Add support for cookie prefixes The draft-ietf-httpbis-rfc6265bis-02 draft specifies a set of prefixes and how they should affect cookie initialization, which has been adopted by the major browsers. This adds support for the two prefixes defined, __Host- and __Secure, and updates the testcase with the supplied examples from the draft. Closes #3554 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
Revision tags: curl-7_64_0 |
|
#
c54ee668 |
| 14-Jan-2019 |
Frank Gevaerts |
cookie: fix comment typo (url_path_len -> uri_path_len) Closes #3469
|
#
afeb8d99 |
| 09-Jan-2019 |
Daniel Stenberg |
cookies: allow secure override when done over HTTPS Added test 1562 to verify. Reported-by: Jeroen Ooms Fixes #3445 Closes #3450
|
#
3773de37 |
| 19-Dec-2018 |
Daniel Gustafsson |
cookies: extend domain checks to non psl builds Ensure to perform the checks we have to enforce a sane domain in the cookie request. The check for non-PSL enabled builds is quite basic but it's better than nothing. Closes #2964 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
#
7a09b52c |
| 13-Dec-2018 |
Daniel Gustafsson |
cookies: leave secure cookies alone Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
Revision tags: curl-7_63_0 |
|
#
1e9abfed |
| 08-Dec-2018 |
Daniel Stenberg |
cookies: expire "Max-Age=0" immediately Reported-by: Jeroen Ooms Fixes #3351 Closes #3352
|
#
a52e46f3 |
| 22-Nov-2018 |
Daniel Stenberg |
cookies: create the cookiejar even if no cookies to save Important for when the file is going to be read again and thus must not contain old contents! Adds test 327 to verify. Reported-by: daboul on github Fixes #3299 Closes #3300
|
Revision tags: curl-7_62_0 |
|
#
2099dde2 |
| 09-Sep-2018 |
Daniel Gustafsson |
cookies: Move failure case label to end of function Rather than jumping backwards to where failure cleanup happens to be performed, move the failure case to end of the function where it is expected per existing coding convention. Closes #2965
|
#
6e054623 |
| 08-Sep-2018 |
Daniel Gustafsson |
cookies: fix leak when writing cookies to file If the formatting fails, we error out on a fatal error and clean up on the way out. The array was however freed within the wrong scope and was thus never freed in case the cookies were written to a file instead of STDOUT. Closes #2957
|
#
c3654df1 |
| 09-Sep-2018 |
Daniel Gustafsson |
cookies: Remove redundant expired check Expired cookies have already been purged at a later expiration time before this check, so remove the redundant check. closes #2962
|
Revision tags: curl-7_61_1 |
|
#
1a890997 |
| 31-Aug-2018 |
Daniel Stenberg |
all: s/int/size_t cleanup Assisted-by: Rikard Falkeborn Closes #2922
|
#
e2ef8d6f |
| 28-Aug-2018 |
Daniel Gustafsson |
cookies: support creation-time attribute for cookies According to RFC6265 section 5.4, cookies with equal path lengths SHOULD be sorted by creation-time (earlier first). This adds a creation-time record to the cookie struct in order to make cookie sorting more deterministic. The creation-time is defined as the order of the cookies in the jar, the first cookie read from the jar being the oldest. The creation-time is thus not serialized into the jar. Also remove the strcmp() matching in the sorting as there is no lexicographic ordering in RFC6265. Existing tests are updated to match. Closes #2524
|