Dan Fandrich
788b319dfe
msvc: removed a straggling reference to strequal.c
...
Follow-up to 502acba2
2016-11-02 09:15:02 +01:00
Daniel Stenberg
3c561c657c
THANKS: synced with 7.51.0
2016-11-02 07:34:06 +01:00
Daniel Stenberg
1fe755f99d
RELEASE-NOTES: 7.51.0
2016-11-02 07:34:06 +01:00
Daniel Stenberg
f81a836461
ftp_done: don't clobber the passed in error code
...
Coverity CID 1374359 pointed out the unused result value.
2016-11-02 07:22:27 +01:00
Daniel Stenberg
3c6c2bcd5a
ftp: remove dead code in ftp_done
...
Coverity CID 1374358
2016-11-02 07:18:24 +01:00
Jay Satiro
0e727979a5
generate.bat: Include include/curl in libcurl VS projects
...
.. because including those headers helps Visual Studio's Intellisense.
2016-11-01 21:31:10 -04:00
Jay Satiro
ee96ffa2a4
generate.bat: Remove strcase.[ch] from curl tool VS projects
...
..because they're no longer needed in the tool build. strcase is still
built by the libcurl project and exports curl_str(n)equal which is used
by the curl tool.
Bug: https://github.com/curl/curl/commit/9363f1a#all_commit_comments
2016-11-01 21:29:44 -04:00
Daniel Stenberg
6b52b7eb2b
metalink: simplify the hex parsing function
...
... and now it avoids using the libcurl toupper() function
2016-11-02 00:31:49 +01:00
Michael Kaufmann
f9e51fb55d
file: fix compiler warning
...
follow-up to 46133aa5
2016-11-01 20:40:26 +01:00
Dan Fandrich
e44bfc7664
strcase: fixed Metalink builds by redefining checkprefix()
...
...to use the public function curl_strnequal(). This isn't ideal because
it adds extra overhead to any internal calls to checkprefix.
follow-up to 95bd2b3e
2016-11-01 11:44:11 +01:00
Daniel Stenberg
e5c49b9e69
curl.1: typo
2016-11-01 10:27:40 +01:00
Daniel Stenberg
b744950f43
curl.1: expand on how multiple uses of -o looks
...
Suggested-by: Dan Jacobson
Issue: https://github.com/curl/curl/issues/1097
2016-11-01 10:24:49 +01:00
Daniel Stenberg
07b95ea268
tests/util: get a private strncasecompare clone
...
... since the curlx_* code no longer provides one and we don't link
libcurl to these test servers.
2016-10-31 23:49:54 +01:00
Daniel Stenberg
95bd2b3e7f
strcase: make the tool use curl_str[n]equal instead
...
As they are after all part of the public API. Saves space and reduces
complexity. Remove the strcase defines from the curlx_ family.
Suggested-by: Dan Fandrich
Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
2016-10-31 21:51:19 +01:00
Kamil Dudka
1071680946
gskit, nss: do not include strequal.h
...
follow-up to 811a693b80
2016-10-31 17:36:22 +01:00
Dan Fandrich
47a21ca9ba
strcasecompare: include curl.h in strcase.c
...
This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
link error on Windows because of the missing CURL_EXTERN on the
prototype.
2016-10-31 15:21:13 +01:00
Daniel Stenberg
64c2d24c42
strcase: fix the remaining rawstr users
2016-10-31 15:19:26 +01:00
Daniel Stenberg
309d6e80d0
msvc builds: s/rawstr/strcase
...
Follow-up to 811a693b
2016-10-31 13:35:26 +01:00
Dan Fandrich
9363f1a37f
strcasecompare: replaced remaining rawstr.h with strcase.h
...
This is a followup to commit 811a693b
2016-10-31 12:57:58 +01:00
Marcel Raad
4f97d9832c
digest_sspi: fix include
...
Fix compile break from 811a693b80
2016-10-31 12:51:27 +01:00
Dan Fandrich
52a2c2fb51
libauthretry: use the external function curl_strequal
...
The internal version strcasecompare isn't available outside libcurl
2016-10-31 12:44:18 +01:00
Daniel Stenberg
9934f4fe9f
RELEASE-NOTES: synced with d14538d250
2016-10-31 10:50:32 +01:00
Daniel Stenberg
d14538d250
configure: raise the default minimum version for macos to 10.8
...
follow-up to 4f8d0b6f02. Since the darwinssl code breaks
otherwise. If you build without darwinssl 10.5 works fine.
2016-10-31 10:19:22 +01:00
Daniel Stenberg
06bc2100d2
unit1301: keep testing curl_strequal
...
as that is still part of the API, fix from 8fe4bd0844
2016-10-31 09:53:34 +01:00
Daniel Stenberg
cce5250f6a
ldap: fix include
...
Fix bug from 811a693b80
2016-10-31 09:50:41 +01:00
Daniel Stenberg
c27013c05d
url: remove unconditional idn2.h include
...
Mistake brought by 9c91ec7781
2016-10-31 09:50:12 +01:00
Daniel Stenberg
8fe4bd0844
curl_strequal: part of public API/ABI, needs to be kept
...
These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.
2016-10-31 09:45:17 +01:00
Daniel Stenberg
44c53cc38b
strcase: s/strequal/strcasecompare
...
some more follow-ups to 811a693b80
2016-10-31 09:37:54 +01:00
Daniel Stenberg
532491a27c
ldap: fix strcase use
...
follow-up to 811a693b80
2016-10-31 09:30:36 +01:00
Daniel Stenberg
ad16f89791
test165: adapted to the libidn2 use and IDNA2008 fix
2016-10-31 08:46:35 +01:00
Daniel Stenberg
cff89bc088
cookie: replace use of fgets() with custom version
...
... that will ignore lines that are too long to fit in the buffer.
CVE-2016-8615
Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
811a693b80
strcasecompare: all case insensitive string compares ignore locale now
...
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af
strcasecompare: is the new name for strequal()
...
... to make it less likely that we forget that the function actually
does case insensitive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
1833a45dde
ftp: check for previous patch must be case sensitive!
...
... otherwise example.com/PATH and example.com/path would be assumed to
be the same and they usually aren't!
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ce8d09483e
SSH: check md5 fingerprint case sensitively
2016-10-31 08:46:35 +01:00
Daniel Stenberg
b3ee26c5df
connectionexists: use case sensitive user/password comparisons
...
CVE-2016-8616
Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
efd24d5742
base64: check for integer overflow on large input
...
CVE-2016-8617
Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3d6460edee
krb5: avoid realloc(0)
...
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8732ec40db
aprintf: detect wrap-around when growing allocation
...
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ee4f76606c
range: reject char globs with missing end like '[L-]'
...
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
269a889104
glob_next_url: make sure to stay within the given output buffer
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fbb5f1aa03
range: prevent negative end number in a glob range
...
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
96a80b5a26
parsedate: handle cut off numbers better
...
... and don't read outside of the given buffer!
CVE-2016-8621
bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536
escape: avoid using curl_easy_unescape() internally
...
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
53e71e47d6
unescape: avoid integer overflow
...
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
c5be3d7267
cookies: getlist() now holds deep copies of all cookies
...
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fba28277ca
TODO: remove IDNA2008
2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781
idn: switch to libidn2 use and IDNA2008 support
...
CVE-2016-8625
Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
42b650b9ea
test1246: verify URL parsing with host name ending with '#'
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e
urlparse: accept '#' as end of host name
...
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00