moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity
22,554 Commits 10 Branches 144 Tags 113 MiB
Commit Graph

22554 Commits

Author SHA1 Message Date
Daniel Stenberg 13c9a9ded3
imap: if a FETCH response has no size, don't call write callback 
CVE-2017-1000257

Reported-by: Brian Carpenter and 0xd34db347
Also detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3586
 2017-10-22 16:02:43 +02:00
Daniel Stenberg 769647e714
ftp: reject illegal IP/port in PASV 227 response 
... by using range checks. Among other things, this avoids an undefined
behavior for a left shift that could happen on negative or very large
values.

Closes #1997

Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
 2017-10-20 15:06:25 +02:00
Patrick Monnerat 8351ab4510 test653: check reuse of easy handle after mime data change 
See issue #1999
 2017-10-20 14:01:14 +01:00
Patrick Monnerat cea27d3454 mime: do not reuse previously computed multipart size 
The contents might have changed: size must be recomputed.

Reported-by: moteus on github
Fixes #1999
 2017-10-20 13:57:12 +01:00
Patrick Monnerat aeaa22de8e test308: disable if MultiSSL feature enabled 
Even if OpenSSL is enabled, it might not be the default backend when
multi-ssl is enabled, causing the test to fail.
 2017-10-19 20:16:05 +01:00
Patrick Monnerat 7363d5a928 runtests: support MultiSSL client feature 2017-10-19 20:15:21 +01:00
Patrick Monnerat 8aee8a6a2d vtls: change struct Curl_ssl `close' field name to `close_one'. 
On OS/400, `close' is an ASCII system macro that corrupts the code if
not used in a context not targetting the close() system API.
 2017-10-19 19:55:17 +01:00
Patrick Monnerat a4fc19eb4d os400: add missing symbols in config file. 
Also adjust makefile to renamed files and warn about installation dirs mix-up.
 2017-10-19 18:48:21 +01:00
Patrick Monnerat 34def509ef test652: curl_mime_data + base64 encoder with large contents 2017-10-19 18:37:19 +01:00
Patrick Monnerat a8742efe42 mime: limit bas64-encoded lines length to 76 characters 2017-10-19 18:33:27 +01:00
Daniel Stenberg 2509395ecf
RELEASE-NOTES: synced with f121575c0 2017-10-16 11:07:30 +02:00
Daniel Stenberg f121575c0b
setopt: range check most long options 
... filter early instead of risking "funny values" having to be dealt
with elsewhere.
 2017-10-16 09:23:33 +02:00
Daniel Stenberg 172ce9cc19
setopt: avoid integer overflows when setting millsecond values 
... that are multiplied by 1000 when stored.

For 32 bit long systems, the max value accepted (2147483 seconds) is >
596 hours which is unlikely to ever be set by a legitimate application -
and previously it didn't work either, it just caused undefined behavior.

Also updated the man pages for these timeout options to mention the
return code.

Closes #1938
 2017-10-16 09:23:19 +02:00
Viktor Szakats 4440b6ad57 makefile.m32: allow to override gcc, ar and ranlib 
Allow to ovverride certain build tools, making it possible to
use LLVM/Clang to build curl. The default behavior is unchanged.
To build with clang (as offered by MSYS2), these settings can
be used:

CURL_CC=clang
CURL_AR=llvm-ar
CURL_RANLIB=llvm-ranlib

Closes https://github.com/curl/curl/pull/1993
 2017-10-15 19:42:32 +00:00
Viktor Szakats 748f5301c0 ldap: silence clang warning 
Use memset() to initialize a structure to avoid LLVM/Clang warning:
ldap.c:193:39: warning: missing field 'UserLength' initializer [-Wmissing-field-initializers]

Closes https://github.com/curl/curl/pull/1992
 2017-10-15 15:59:43 +00:00
Daniel Stenberg ed0b6b18f6
runtests: use valgrind for torture as well 
NOTE: it makes them terribly slow. I recommend only using valgrind for
specific torture tests or using lots of patience.
 2017-10-14 17:40:21 +02:00
Daniel Stenberg ad164eceb3
memdebug: trace send, recv and socket 
... to allow them to be included in torture tests too.

closes #1980
 2017-10-14 17:40:12 +02:00
Daniel Stenberg 4af3c777a9
configure: remove the C++ compiler check 
... we used it only for the fuzzer, which we now have in a separate git
repo.

Closes #1990
 2017-10-14 17:30:42 +02:00
Patrick Monnerat d7e4230538 mime: do not call failf() if easy handle is NULL. 2017-10-13 17:16:57 +01:00
Daniel Stenberg 10a659dbf6
test651: curl_formadd with huge COPYCONTENTS 2017-10-13 07:55:47 +02:00
Daniel Stenberg 5f9e2ca09b
mime: fix the content reader to handle >16K data properly 
Reported-by: Jeroen Ooms
Closes #1988
 2017-10-13 07:55:10 +02:00
Patrick Monnerat 0401734dfd mime: keep "text/plain" content type if user-specified. 
Include test cases in 554, 587, 650.

Fixes https://github.com/curl/curl/issues/1986
 2017-10-12 19:36:16 +01:00
Patrick Monnerat 56509055d2 cli tool: use file2memory() to buffer stdin in -F option. 
Closes PR https://github.com/curl/curl/pull/1985
 2017-10-12 16:42:02 +01:00
Patrick Monnerat 665b3e48bc cli tool: reimplement stdin buffering in -F option. 
If stdin is not a regular file, its content is memory-buffered to enable
a possible data "rewind".
In all cases, stdin data size is determined before real use to avoid
having an unknown part's size.

--libcurl generated code is left as an unbuffered stdin fread/fseek callback
part with unknown data size.

Buffering is not supported in deprecated curl_formadd() API.
 2017-10-12 14:25:59 +01:00
Daniel Stenberg f64c05278e
winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2 2017-10-12 13:54:00 +02:00
Daniel Stenberg 46ffcd07cb
HELP-US: the label "PR-welcome" is now renamed to "help wanted" 
following the new github "standard"
 2017-10-12 09:50:52 +02:00
Daniel Stenberg 35ad79dcdd
RELEASE-NOTES: synced with 5505df7d2 2017-10-11 12:07:29 +02:00
Artak Galoyan 5505df7d24 url: Update current connection SSL verify params in setopt 
Now VERIFYHOST, VERIFYPEER and VERIFYSTATUS options change during active
connection updates the current connection's (i.e.'connectdata'
structure) appropriate ssl_config (and ssl_proxy_config) structures
variables, making these options effective for ongoing connection.

This functionality was available before and was broken by the
following change:
"proxy: Support HTTPS proxy and SOCKS+HTTP(s)"
CommitId: cb4e2be7c6.

Bug: https://github.com/curl/curl/issues/1941

Closes https://github.com/curl/curl/pull/1951
 2017-10-11 03:14:26 -04:00
David Benjamin de7597f155
openssl: don't use old BORINGSSL_YYYYMM macros 
Those were temporary things we'd add and remove for our own convenience
long ago. The last few stayed around for too long as an oversight but
have since been removed. These days we have a running
BORINGSSL_API_VERSION counter which is bumped when we find it
convenient, but 2015-11-19 was quite some time ago, so just check
OPENSSL_IS_BORINGSSL.

Closes #1979
 2017-10-11 08:12:19 +02:00
Daniel Stenberg 06bba26e37
test950; verify SMTP with custom request 2017-10-10 23:00:53 +02:00
Daniel Stenberg b20df57326
ftpserver: support case insensitive commands 2017-10-10 23:00:52 +02:00
Daniel Stenberg 38ab7b4ccb
smtp_done: free data before returning (on send failure) 
... as otherwise it could leak that memory.

Detected by OSS-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600

Assisted-by: Max Dymond
Closes #1977
 2017-10-10 22:56:50 +02:00
Daniel Stenberg ecf21c551f
FTP: URL decode path for dir listing in nocwd mode 
Reported-by: Zenju on github

Test 244 added to verify
Fixes #1974
Closes #1976
 2017-10-10 15:02:38 +02:00
Daniel Stenberg 00fb811e2b
test298: verify --ftp-method nowcwd with URL encoded path 
Ref: #1974
 2017-10-09 22:50:40 +02:00
Daniel Stenberg f8e593887e
CURLOPT_XFERINFODATA.3: fix duplicate see also 2017-10-09 16:24:36 +02:00
Daniel Stenberg d895a83a3b
CURLOPT_NOPROGRESS.3: also refer to xferinfofunction 2017-10-09 16:24:19 +02:00
Daniel Stenberg 7f555dc5a4
FAQ: s/CURLOPT_PROGRESSFUNCTION/CURLOPT_XFERINFOFUNCTION 2017-10-09 16:13:27 +02:00
Daniel Stenberg 62a721ea47
openssl: enable PKCS12 support for !BoringSSL 
Enable PKCS12 for all non-boringssl builds without relying on configure
or cmake checks.

Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
Reported-by: Christian Schmitz
Closes #1948
 2017-10-09 11:29:53 +02:00
Kristiyan Tsaklev c95c92da75
curl: don't pass semicolons when parsing Content-Disposition 
Test 1422 updated to verify.

Closes #1964
 2017-10-09 10:37:27 +02:00
Patrick Monnerat 06cb8adde2 mime: properly unbind mime structure in curl_mime_free(). 
This allows freeing a mime structure bound to the easy handle before
curl_easy_cleanup().

Fixes #1970.
 2017-10-09 01:26:27 +01:00
Daniel Stenberg 232dffcf24
RTSP: avoid integer overflow on funny RTSP response 
... like a very large non-existing RTSP version number.

Added test 577 to verify.

Detected by OSS-fuzz.
Closes #1969
 2017-10-09 00:41:48 +02:00
Patrick Monnerat eb04636d68 ftpserver: properly reset $ftptargetdir. 2017-10-08 19:29:44 +01:00
Patrick Monnerat 70c3ed48ac test643: verify curl_mime_subparts() rejects cyclic additions. 2017-10-08 19:05:59 +01:00
Patrick Monnerat ebcbed3821 mime: refuse to add subparts to one of their own descendants. 
Reported-by: Alexey Melnichuk
Fixes #1962
 2017-10-08 18:49:52 +01:00
Patrick Monnerat 112ea5adb6 mime: avoid resetting a part's encoder when part's contents change. 2017-10-08 18:43:13 +01:00
Patrick Monnerat b557182db1 mime: improve unbinding top multipart from easy handle. 
Also avoid dangling pointers in referencing parts.
 2017-10-08 18:38:34 +01:00
Daniel Stenberg dd97fd3bb3
RELEASE-NOTES: synced with a4c1c75da3 2017-10-08 17:29:37 +02:00
Daniel Stenberg a4c1c75da3
curlver.h: next expected release is 7.57.0 2017-10-08 17:28:07 +02:00
Patrick Monnerat 93e62adde8 mime: be tolerant about setting twice the same header list in a part. 2017-10-08 16:20:13 +01:00
Patrick Monnerat 14d6e207d3 docs: clarify form/mime usage of non-regular data files. 2017-10-08 16:15:23 +01:00