1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 23:15:08 -05:00
Commit Graph

20291 Commits

Author SHA1 Message Date
David Benjamin
39c803cba2 openssl: remove most BoringSSL #ifdefs.
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
2016-02-09 08:46:36 +01:00
Jay Satiro
674b57e76b KNOWN_BUGS: Windows device prefix is required for devices 2016-02-08 17:40:53 -05:00
Jay Satiro
c3aac48919 tool_urlglob: Allow reserved dos device names (Windows)
Allow --output to reserved dos device names without the device prefix
for backwards compatibility.

Example: --output NUL can be used instead of --output \\.\NUL

Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
Reported-by: Gisle Vanem
2016-02-08 15:09:42 -05:00
Daniel Stenberg
18c735e790 cookies: allow spaces in cookie names, cut of trailing spaces
It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639
2016-02-08 15:49:54 +01:00
Patrick Monnerat
c4303fd5bb Merge branch 'master' of github.com:curl/curl 2016-02-08 14:52:18 +01:00
Patrick Monnerat
8893a45e76 os400: sync ILE/RPG definitions with latest public header files. 2016-02-08 14:50:53 +01:00
Ludwig Nussel
e49ab0a3b8 SSLCERTS: update wrt SSL CA certificate store 2016-02-08 14:45:58 +01:00
Ludwig Nussel
7b55279d1d configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.

Closes #569
2016-02-08 14:45:58 +01:00
Daniel Stenberg
113f04e664 Proxy-Connection: stop sending this header by default
RFC 7230 says we should stop. Firefox already stopped.

Bug: https://github.com/curl/curl/issues/633
Reported-By: Brad Fitzpatrick

Closes #633
2016-02-08 11:09:40 +01:00
Daniel Stenberg
7f97fd5a83 bump: work toward the next release 2016-02-08 10:47:44 +01:00
Daniel Stenberg
c18e86cb4f THANKS: 2 contributors from the 7.47.1 release 2016-02-08 10:46:01 +01:00
Daniel Stenberg
108bc5d860 RELEASE-PROCEDURE: remove the github upload part
... as we're HTTPS on the main site now, there's no point in that
extra step
2016-02-08 10:35:35 +01:00
Daniel Stenberg
8f995e2e00 RELEASE-NOTES: curl 7.47.1 time! 2016-02-08 10:26:24 +01:00
Jay Satiro
d572d2664d tool_operhlp: Check for backslashes in get_url_file_name
Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

This change needed for the curl tool built for Cygwin. Refer to the
CYGWIN addendum in advisory 20160127B.

Bug: https://curl.haxx.se/docs/adv_20160127B.html
2016-02-08 03:14:04 -05:00
Daniel Stenberg
b97307047c RELEASE-NOTES: synced with d6a8869ea3 2016-02-07 16:20:23 +01:00
Jay Satiro
d6a8869ea3 openssl: Fix signed/unsigned mismatch warning in X509V3_ext
sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.

Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem
2016-02-06 19:10:49 -05:00
Daniel Stenberg
1ca54daf3e TODO: 17.11 -w output to stderr 2016-02-07 00:27:36 +01:00
Michael Kaufmann
9e7fcd4291 idn_win32: Better error checking
.. also fix a conversion bug in the unused function
curl_win32_ascii_to_idn().

And remove wprintfs on error (Jay).

Bug: https://github.com/curl/curl/pull/637
2016-02-06 17:51:51 -05:00
Gisle Vanem
c71b6a2795 examples/asiohiper: Avoid function name collision on Windows
closesocket => close_socket
Winsock already has the former.

Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
2016-02-06 17:04:38 -05:00
Gisle Vanem
6f702ebaa2 examples/htmltitle: Use _stricmp on Windows
Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
2016-02-06 17:02:55 -05:00
Daniel Stenberg
86d3d62f5a COPYING: clarify that Daniel is not the sole author
... done on request and as it is a fair point.
2016-02-06 18:40:27 +01:00
Jay Satiro
a6208704e7 unit1604: Fix unit setup return code 2016-02-05 13:37:39 -05:00
Jay Satiro
9b6598ed08 tool_doswin: Use type SANITIZEcode in sanitize_file_name 2016-02-05 02:22:24 -05:00
Jay Satiro
4520534e6d tool_doswin: Improve sanitization processing
- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-05 01:44:27 -05:00
Viktor Szakats
d49881cb19 URLs: change more http to https 2016-02-04 18:46:54 -05:00
Jay Satiro
742deff4dd sasl_sspi: Fix memory leak in domain populate
Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635
Reported-by: silveja1@users.noreply.github.com
2016-02-04 18:11:07 -05:00
Viktor Szakats
20dcd19501 URLs: follow GitHub project rename (also Travis CI)
Closes #632
2016-02-04 23:01:38 +01:00
Daniel Stenberg
0515e49b6b CHANGES.o: fix references to curl.haxx.nu
I removed the scheme prefix from the URLs references this host name, as
we don't own/run that anymore but the name is kept for historic reasons.
2016-02-03 15:33:47 +01:00
Daniel Stenberg
42f725fb9b HISTORY: add some info about when we used which host names 2016-02-03 15:33:30 +01:00
Viktor Szakats
b4f595bde4 URLs: change more http to https 2016-02-02 22:29:47 -05:00
Dan Fandrich
093f9cd38d URLs: Change more haxx.se URLs from http: to https: 2016-02-03 01:45:21 +01:00
Daniel Stenberg
493f54c6c0 RELEASE-NOTES: synced with 4af40b364 2016-02-03 00:32:07 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
d33dd0b195 configure: update the copyright year range in output 2016-02-02 22:49:05 +01:00
Daniel Stenberg
41ae9f717a dotdot: allow an empty input string too
It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.
2016-02-02 22:43:54 +01:00
Daniel Stenberg
6b485c7407 HTTPS: update a bunch of URLs from HTTP to HTTPS 2016-02-02 00:24:30 +01:00
Sergei Nikulov
7a8a7ca7b0 AppVeyor: updated to handle OpenSSL/WinSSL builds
Closes #621
2016-02-01 23:55:08 +01:00
Jay Satiro
2b6dadc52d tool_operate: Don't sanitize --output path (Windows)
Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-01 04:11:46 -05:00
Jay Satiro
96596334c8 curl.1: Explain remote-name behavior if file already exists
.. also warn about letting the server pick the filename.
2016-01-29 03:28:48 -05:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Daniel Stenberg
300718382f bump: towards the next (7.47.1 ?) 2016-01-28 16:36:29 +01:00
Sergei Nikulov
a8135f0768 cmake: fixed when OpenSSL enabled on Windows and schannel detected
Closes #617
2016-01-28 16:34:01 +01:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Viktor Szakats
1597af51b1 tool_doswin: silence unused function warning
tool_doswin.c:185:14: warning: 'msdosify' defined but not used
[-Wunused-function]

Closes https://github.com/bagder/curl/pull/616
2016-01-28 02:45:36 -05:00
Daniel Stenberg
e400a89b18 getredirect.c: fix variable name
Reported-by: Bernard Spil
2016-01-27 09:35:55 +01:00
Daniel Stenberg
06bf874bbc examples/Makefile.inc: specify programs without .c! 2016-01-27 08:30:04 +01:00
Daniel Stenberg
87a5d3d13e THANKS: 6 new contributors from 7.47.0 release notes 2016-01-26 23:45:02 +01:00
Isaac Boukris
d41dcba4e9 NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26 23:42:55 +01:00
Ray Satiro
3017d8a8d8 curl: avoid local drive traversal when saving file (Windows)
curl does not sanitize colons in a remote file name that is used as the
local file name. This may lead to a vulnerability on systems where the
colon is a special path character. Currently Windows/DOS is the only OS
where this vulnerability applies.

CVE-2016-0754

Bug: http://curl.haxx.se/docs/adv_20160127B.html
2016-01-26 23:42:55 +01:00
Daniel Stenberg
cea1fd7a94 RELEASE-NOTES: 7.47.0 2016-01-26 23:42:55 +01:00