d7b970e4 | 29-Apr-2022 |
Daniel Stenberg |
http: move Curl_allow_auth_to_host() It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef Reported-by: Michael Olbrich Fixes #8772 Closes #8775 |
59d89286 | 29-Apr-2022 |
Daniel Gustafsson |
msh3: print boolean value as text representation Print the boolean value as its string representation instead of with %hhu which isn't a format we typically use. Closes: #8763 Reviewed-by: Nick Banks <nibanks@microsoft.com> |
685170b7 | 29-Apr-2022 |
Daniel Stenberg |
data/test376: set a proper name |
fa40e15a | 28-Apr-2022 |
Daniel Stenberg |
GHA/mbedtls: enabled nghttp2 in the build Closes #8767 |
6eb7fb37 | 28-Apr-2022 |
Daniel Stenberg |
mbedtls: fix compile when h2-enabled Fixes #8766 Reported-by: LigH-de on github Closes #8768 |
3fd1d8df | 28-Apr-2022 |
Daniel Stenberg |
RELEASE-NOTES: synced bumped curlver to 7.83.1-dev |
ba342909 | 27-Apr-2022 |
Daniel Stenberg |
SECURITY-PROCESS: extended Also clarify BUG-BOUNTY.md with IBB details. Closes #8754 |
e07a9b66 | 27-Apr-2022 |
Adam Rosenfield |
conn: fix typo 'connnection' -> 'connection' in two function names Closes #8759 |
1669b17d | 27-Apr-2022 |
Daniel Stenberg |
RELEASE-NOTES: synced The 7.83.0 release |
0ea2456a | 27-Apr-2022 |
Daniel Stenberg |
docs/THANKS: contributors from 7.83.0 |
cb60b2cc | 26-Apr-2022 |
Daniel Stenberg |
test 898/974/976: require proxy to run Fixes #8755 Reported-by: Marc Hörsken Closes #8756 |
09353155 | 26-Apr-2022 |
Daniel Stenberg |
gnutls: don't leak the SRP credentials in redirects Follow-up to 620ea21410030 and 139a54ed0a172a Reported-by: Harry Sintonen Closes #8752 |
d2a36bee | 25-Apr-2022 |
Daniel Stenberg |
CURLOPT*TLSAUTH: they only work with OpenSSL or GnuTLS Closes #8753 |
139a54ed | 25-Apr-2022 |
Daniel Stenberg |
openssl: don't leak the SRP credentials in redirects either Follow-up to 620ea21410030 Reported-by: Harry Sintonen Closes #8751 |
aad7d9f9 | 14-Apr-2022 |
Liam Warfield |
hyper: fix tests 580 and 581 for hyper Hyper now has the ability to preserve header order. This commit adds a few lines setting the connection options for this feature. Related to issue #8617 Closes #8707 |
030adbce | 25-Apr-2022 |
Daniel Stenberg |
conncache: remove name arg from Curl_conncache_find_bundle To simplify, and also since the returned name is not the full actual name used for the check. The port number and zone id are also involved, so just showing the name is misleading. Closes #8750 |
5295e8d6 | 25-Apr-2022 |
Daniel Stenberg |
tests: verify the fix for CVE-2022-27774 - Test 973 redirects from HTTP to FTP, clear auth - Test 974 redirects from HTTP to HTTP different port, clear auth - Test 975 redirects from HTTP to FTP, permitted to keep auth - Test 976 redirects from HTTP to HTTP different port, permitted to keep auth |
620ea214 | 25-Apr-2022 |
Daniel Stenberg |
transfer: redirects to other protocols or ports clear auth ... unless explicitly permitted. Bug: https://curl.se/docs/CVE-2022-27774.html Reported-by: Harry Sintonen Closes #8748 |
08b8ef4e | 25-Apr-2022 |
Daniel Stenberg |
connect: store "conn_remote_port" in the info struct To make it available after the connection ended. |
c1262996 | 25-Apr-2022 |
Daniel Stenberg |
cookie.d: clarify when cookies are always sent |
afe752e0 | 25-Apr-2022 |
Daniel Stenberg |
test898: verify the fix for CVE-2022-27776 Do not pass on Authorization headers on redirects to another port |
6e659993 | 25-Apr-2022 |
Daniel Stenberg |
http: avoid auth/cookie on redirects same host diff port CVE-2022-27776 Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2022-27776.html Closes #8749 |
8f207915 | 25-Apr-2022 |
Daniel Stenberg |
libssh2: make the md5 comparison fail if wrong length Making it just skip the check unless exactly 32 is too brittle. Even if the docs say it needs to be exactly 32, it is safer to make the comparison fail here instead. Reported-by: Harry Sintonen Bug: https://hackerone.com/reports/1549461 Closes #8745 |
058f98dc | 25-Apr-2022 |
Daniel Stenberg |
conncache: include the zone id in the "bundle" hashkey Make connections to two separate IPv6 zone ids create separate connections. Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2022-27775.html Closes #8747 |
852aa5ad | 25-Apr-2022 |
Patrick Monnerat |
url: check sasl additional parameters for connection reuse. Also move static function safecmp() as non-static Curl_safecmp() since its purpose is needed at several places. Bug: https://curl.se/docs/CVE-2022-22576.html CVE-2022-22576 Closes #8746 |