1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 14:35:03 -05:00
Commit Graph

18831 Commits

Author SHA1 Message Date
Daniel Stenberg
b85c625d83 detect_proxy: fix possible single-byte memory leak
Coverity CID 1202836. If the proxy environment variable returned an empty
string, it would be leaked. While an empty string is not really a proxy, other
logic in this function already allows a blank string to be returned so allow
that here to avoid the leak.
2014-10-02 23:31:01 +02:00
Daniel Stenberg
0d357155cc multi_runsingle: fix memory leak
Coverity CID 1202837. There's a potential risk that 'newurl' gets
overwritten when it was already pointing to allocated memory.
2014-10-02 23:22:01 +02:00
Daniel Stenberg
ea6c5f03a5 pop3_perform_authentication: fix memory leak
Coverity CID 1215287. There's a potential risk for a memory leak in
here, and moving the free call to be unconditional seems like a cheap
price to remove the risk.
2014-10-02 23:07:06 +02:00
Daniel Stenberg
a9beeeeeea imap_perform_authentication: fix memory leak
Coverity CID 1215296. There's a potential risk for a memory leak in
here, and moving the free call to be unconditional seems like a cheap
price to remove the risk.
2014-10-02 23:01:45 +02:00
Daniel Stenberg
a8ec986981 wait_or_timeout: return failure when Curl_poll() fails
Coverity detected this. CID 1241954. When Curl_poll() returns a negative value
'mcode' was uninitialized. Pretty harmless since this is debug code only and
would at worst cause an error to _not_ be returned...
2014-10-02 22:52:23 +02:00
Daniel Stenberg
69ce8a72f5 curl.1: mention quoting in the URL section
and separate the example URLs with newlines
2014-10-01 08:29:43 +02:00
Bill Nagel
ee0958cb4d smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" error
This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that
sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL
appears to require the same pointer on a write that follows a retry
(CURLE_AGAIN) as discussed here:

http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
2014-09-30 21:36:27 +01:00
Daniel Stenberg
0e1590b3dd RELEASE-NOTES: synced with 53cbea2231 2014-09-30 15:18:02 +02:00
Daniel Stenberg
53cbea2231 file: reject paths using embedded %00
Mostly because we use C strings and they end at a binary zero so we know
we can't open a file name using an embedded binary zero.

Reported-by: research@g0blin.co.uk
2014-09-30 07:37:38 +02:00
Dan Fandrich
46d71e7fd2 test506: Fixed a couple of memory leaks in test 2014-09-26 06:57:52 +02:00
Yousuke Kimoto
b10a838a7a CURLOPT_COOKIELIST: Added "RELOAD" command 2014-09-25 16:28:17 +02:00
Michael Wallner
9ee8efc63b CURLOPT_POSTREDIR.3: Added availability for CURL_REDIR_POST_303 2014-09-25 15:14:16 +02:00
Daniel Stenberg
d9762a7cdb threaded-resolver: revert Curl_expire_latest() switch
The switch to using Curl_expire_latest() in commit cacdc27f52 was a
mistake and was against the advice even mentioned in that commit. The
comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
Curl_expire() the suitable function to use.

Bug: http://curl.haxx.se/bug/view.cgi?id=1426
Reported-By: graysky
2014-09-23 11:44:03 +02:00
Daniel Stenberg
3ef73d9a88 libcurl docs: improvements all over 2014-09-19 15:08:26 +02:00
Steve Holme
7b85b332cb build: Added WinIDN build configuration options
Added initial support for WinIDN build configurations to the VC10+
project files.
2014-09-19 12:43:10 +01:00
Daniel Stenberg
9d49e4706e tutorial: signals aren't used for the threaded resolver 2014-09-19 12:54:19 +02:00
Daniel Stenberg
17932a8f7b FAQ: update the pronunciation section
As we weren't using the correct phonetic description and doing it correctly
involves funny letters that I'm sure will cause problems for people in a text
document so I instead rephrased it and link to a WAV file with a person
actually saying 'curl'.

Reported-By: Dimitar Boevski
2014-09-19 10:01:45 +02:00
Daniel Stenberg
841c9884b2 CURLOPT_COOKIE*: added more cross-references 2014-09-18 22:58:12 +02:00
Daniel Stenberg
30fc601e6c BINDINGS: add node-libcurl
Reported-By: Jonathan Cardoso Machado
URL: http://curl.haxx.se/mail/lib-2014-09/0102.html
2014-09-18 09:05:29 +02:00
Daniel Stenberg
d1638fe08b README.http2: updated to reflect current status 2014-09-15 23:13:35 +02:00
Daniel Stenberg
fb4726d571 formdata: removed unnecessary USE_SSLEAY use 2014-09-13 19:09:56 +02:00
Daniel Stenberg
d57d041d67 curlssl: make tls backend symbols use curlssl in the name 2014-09-13 15:31:12 +02:00
Daniel Stenberg
4c2e40a488 url: let the backend decide CURLOPT_SSL_CTX_ support
... to further remove specific TLS backend knowledge from url.c
2014-09-13 15:28:08 +02:00
Daniel Stenberg
7494f0f498 vtls: have the backend tell if it supports CERTINFO 2014-09-13 15:11:26 +02:00
Catalin Patulea
4da70dea28 configure: allow --with-ca-path with PolarSSL too
Missed this in af45542c.

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
2014-09-13 14:57:21 +02:00
Daniel Stenberg
8250f93d41 CURLOPT_CAPATH: return failure if set without backend support 2014-09-13 14:56:27 +02:00
Tatsuhiro Tsujikawa
7d9bef9286 http2: Fix busy loop when EOF is encountered
Previously we did not handle EOF from underlying transport socket and
wrongly just returned error code CURL_AGAIN from http2_recv, which
caused busy loop since socket has been closed.  This patch adds the
code to handle EOF situation and tells the upper layer that we got
EOF.
2014-09-13 13:54:08 +02:00
Steve Holme
1d2ffb4712 build: Added batch wrapper to checksrc.pl 2014-09-13 11:33:54 +01:00
Steve Holme
88e925f3f5 RELEASE-NOTES: Synced with bd3df5ec6d 2014-09-13 10:23:36 +01:00
Marcel Raad
bd3df5ec6d sasl_sspi: Fixed Unicode build
Bug: http://curl.haxx.se/bug/view.cgi?id=1422
Verified-by: Steve Holme
2014-09-13 10:06:44 +01:00
Daniel Stenberg
06b27ea24c libcurl-tutorial.3: fix GnuTLS link to thread-safety guidelines
The former link was turned into a 404 at some point.

Reported-By: Askar Safin
2014-09-12 21:02:12 +02:00
Daniel Stenberg
1b314a85db contributors.sh: split list of names at comma
... to support a list of names provided in a commit message.
2014-09-12 15:12:06 +02:00
Ulrich Telle
8ee182288a ntlm: Fixed HTTP proxy authentication when using Windows SSPI
Removed ISC_REQ_* flags from calls to InitializeSecurityContext to fix
bug in NTLM handshake for HTTP proxy authentication.

NTLM handshake for HTTP proxy authentication failed with error
SEC_E_INVALID_TOKEN from InitializeSecurityContext for certain proxy
servers on generating the NTLM Type-3 message.

The flag ISC_REQ_CONFIDENTIALITY seems to cause the problem according
to the observations and suggestions made in a bug report for the
QT project (https://bugreports.qt-project.org/browse/QTBUG-17322).

Removing all the flags solved the problem.

Bug: http://curl.haxx.se/mail/lib-2014-08/0273.html
Reported-by: Ulrich Telle
Assisted-by: Steve Holme, Daniel Stenberg
2014-09-12 13:05:02 +01:00
Ray Satiro
006b61eb0b newlines: fix mixed newlines to LF-only
I use the curl repo mainly on Windows with the typical Windows git
checkout which converts the LF line endings in the curl repo to CRLF
automatically on checkout. The automatic conversion is not done on files
in the repo with mixed line endings. I recently noticed some weird
output with projects/build-openssl.bat that I traced back to mixed line
endings, so I scanned the repo and there are files (excluding the
test data) that have mixed line endings.

I used this command below to do the scan. Unfortunately it's not as easy
as git grep, at least not on Windows. This gets the names of all the
files in the repo's HEAD, gets each of those files raw from HEAD, checks
for mixed line endings of both LF and CRLF, and prints the name if
mixed. I excluded path tests/data/test* because those can have mixed
line endings if I understand correctly.

for f in `git ls-tree --name-only --full-tree -r HEAD`;
do if [ -n "${f##tests/data/test*}" ];
    then git show "HEAD:$f" | \
        perl -0777 -ne 'exit 1 if /([^\r]\n.*\r\n)|(\r\n.*[^\r]\n)/';
    if [ $? -ne 0 ];
        then echo "$f";
    fi;
fi;
done
2014-09-12 10:22:34 +02:00
Viktor Szakáts
82b8b6865c mk-ca-bundle.pl: converted tabs to spaces, deleted trailing spaces 2014-09-11 16:59:03 +02:00
Daniel Stenberg
748644b72d ROADMAP: markdown eats underscores
It interprets them as italic indictors unless we backtick the word.
2014-09-11 10:56:20 +02:00
Daniel Stenberg
110cf8bc9e ROADMAP: tiny formatting edit for nicer web output 2014-09-11 00:15:12 +02:00
Steve Holme
376f3c10de ROADMAP.md: Updated GSSAPI authentication following 7.38.0 additions 2014-09-10 22:51:07 +01:00
Steve Holme
ae975713c2 INTERNALS: Added email and updated Kerberos details 2014-09-10 22:11:49 +01:00
Steve Holme
ca2c12d353 FEATURES: Updated Kerberos details
Added support for Kerberos 5 to the email protocols following the recent
additions in 7.38.0.

Removed Kerberos 4 as this has been gone for a while now.
2014-09-10 22:11:46 +01:00
Paul Howarth
785395b07e openssl: build fix for versions < 0.9.8e
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-10 13:09:42 +02:00
Daniel Stenberg
df0a480058 mk-ca-bundle.pl: first, try downloading HTTPS with curl
As a sort of step forward, this script will now first try to get the
data from the HTTPS URL using curl, and only if that fails it will
switch back to the HTTP transfer using perl's native LWP functionality.
To reduce the risk of this script being tricked.

Using HTTPS to get a cert bundle introduces a chicken-and-egg problem so
we can't really ever completely disable HTTP, but chances are that most
users already have a ca cert bundle that trusts the mozilla.org site
that this script downloads from.

A future version of this script will probably switch to require a
dedicated "insecure" command line option to allow downloading over HTTP
(or unverified HTTPS).
2014-09-10 12:14:13 +02:00
Daniel Stenberg
e3be3e69c0 LICENSE-MIXING: removed krb4 info
krb4 has been dropped since a while now
2014-09-10 10:38:31 +02:00
Daniel Stenberg
9c89133a1f bump: on the 7.38.1-DEV train now! 2014-09-10 10:15:30 +02:00
Daniel Stenberg
f213c0db09 SSLCERTS: minor updates
Edited format to look better on the web, added a "it is about trust"
section.
2014-09-10 10:13:04 +02:00
Daniel Stenberg
202aa9f775 dist: two cmake files are no more
CMake/FindOpenSSL.cmake and FindZLIB.cmake are gone since 14aa8f0c11
2014-09-10 08:07:58 +02:00
Daniel Stenberg
9636fc2588 RELEASE-NOTES: final update for 7.38.0 2014-09-10 07:34:36 +02:00
Daniel Stenberg
a76825a5ef cookies: reject incoming cookies set for TLDs
Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html
2014-09-10 07:32:36 +02:00
Tim Ruehsen
8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00
Daniel Stenberg
1ccfabb66d HISTORY: fix the 1998 title position 2014-09-10 00:40:11 +02:00