1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 21:15:08 -05:00
Commit Graph

23920 Commits

Author SHA1 Message Date
Daniel Gustafsson
39df4073e5
smtp: avoid risk of buffer overflow in strtol
If the incoming len 5, but the buffer does not have a termination
after 5 bytes, the strtol() call may keep reading through the line
buffer until is exceeds its boundary. Fix by ensuring that we are
using a bounded read with a temporary buffer on the stack.

Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
Reported-by: Brian Carpenter (Geeknik Labs)
CVE-2019-3823
2019-02-04 08:22:32 +01:00
Daniel Stenberg
50c9484278
ntlm: fix *_type3_message size check to avoid buffer overflow
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
2019-02-04 08:22:32 +01:00
Daniel Stenberg
b780b30d13
NTLM: fix size check condition for type2 received data
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
2019-02-04 08:22:31 +01:00
georgeok
a730432e59
spnego_sspi: add support for channel binding
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
2019-02-01 09:56:27 +01:00
Daniel Stenberg
463f16d188
RELEASE-NOTES: synced 2019-02-01 09:42:37 +01:00
Daniel Stenberg
180501cb02
schannel: stop calling it "winssl"
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504
2019-02-01 08:20:38 +01:00
Daniel Stenberg
6f61933adf
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
To make sure Curl_timeleft() also thinks the timeout has been reached
when one of the EXPIRE_*TIMEOUTs expires.

Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
Reported-by: Zhao Yisha
Closes #3501
2019-02-01 08:19:40 +01:00
John Marshall
427fa512be
doc: use meaningless port number in CURLOPT_LOCALPORT example
Use an ephemeral port number here; previously the example had 8080
which could be confusing as the common web server port number might
be misinterpreted as suggesting this option affects the remote port.

URL: https://curl.haxx.se/mail/lib-2019-01/0084.html
Closes #3513
2019-01-31 13:54:59 +01:00
Gisle Vanem
06f744d447
Escape the '\'
A backslash should be escaped in Roff / Troff.
2019-01-29 16:42:22 +01:00
Jay Satiro
3de607415c TODO: WinSSL: 'Add option to disable client cert auto-send'
By default WinSSL selects and send a client certificate automatically,
but for privacy and consistency we should offer an option to disable the
default auto-send behavior.

Reported-by: Jeroen Ooms

Closes https://github.com/curl/curl/issues/2262
2019-01-29 00:33:14 -05:00
Jeremie Rapin
a9d9a3abbe
sigpipe: if mbedTLS is used, ignore SIGPIPE
mbedTLS doesn't have a sigpipe management. If a write/read occurs when
the remote closes the socket, the signal is raised and kills the
application.  Use the curl mecanisms fix this behavior.

Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com>

Closes #3502
2019-01-28 12:03:33 +01:00
Daniel Stenberg
1b8fe0a8ae
unit1653: make it survive torture tests 2019-01-28 08:44:15 +01:00
Michael Kujawa
b0a43aade1 timeval: Disable MSVC Analyzer GetTickCount warning
Compiling with msvc /analyze and a recent Windows SDK warns against
using GetTickCount (Suggests to use GetTickCount64 instead.)

Since GetTickCount is only being used when GetTickCount64 isn't
available, I am disabling that warning.

Fixes https://github.com/curl/curl/issues/3437
Closes https://github.com/curl/curl/pull/3440
2019-01-28 01:16:00 -05:00
Daniel Stenberg
179311ec37
configure: rewrite --enable-code-coverage
The previously used ax_code_coverage.m4 is not license compatible and
must not be used.

Reported-by: William A. Rowe Jr
Fixes #3497
Closes #3499
2019-01-26 00:29:50 +01:00
Felix Hädicke
3cbf731d9e
setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
libssh as well. So accepting these options only when compiling with
libssh2 is wrong here.

Fixes #3493
Closes #3494
2019-01-24 09:09:45 +01:00
Felix Hädicke
15c94b310b
libssh: do not let libssh create socket
By default, libssh creates a new socket, instead of using the socket
created by curl for SSH connections.

Pass the socket created by curl to libssh using ssh_options_set() with
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
instead of creating a new one.

This approach is very similar to what is done in the libssh2 code, where
the socket created by curl is passed to libssh2 when
libssh2_session_startup() is called.

Fixes #3491
Closes #3495
2019-01-24 09:03:11 +01:00
Daniel Stenberg
c497cab49b
RELEASE-NOTES: synced 2019-01-21 23:28:33 +01:00
Archangel_SDY
ce6f73b912
schannel: preserve original certificate path parameter
Fixes #3480
Closes #3487
2019-01-21 23:21:45 +01:00
Daniel Stenberg
458e898911
KNOWN_BUGS: tests not compatible with python3
Closes #3289
[skip ci]
2019-01-21 12:16:20 +01:00
Daniel Gustafsson
f0b2c13a9e memcmp: avoid doing single char memcmp
There is no real gain in performing memcmp() comparisons on single
characters, so change these to array subscript inspections which
saves a call and makes the code clearer.

Closes #3486
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2019-01-20 21:59:04 +01:00
Daniel Stenberg
6bd5bc97f4
COPYING: it's 2019
[skip ci]
2019-01-19 20:26:31 +01:00
hhb
21c3794211
configure: fix recv/send/select detection on Android
This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9.

The overloadable attribute is removed again starting from
NDK17. Actually they only exist in two NDK versions (15 and 16). With
overloadable, the first condition tried will succeed. Results in wrong
detection result.

Closes #3484
2019-01-19 20:24:00 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Stenberg
6ee6729709
schannel: on connection close there might not be a transfer
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
2019-01-18 16:43:21 +01:00
JDepooter
b095a1ca63
ssh: log the libssh2 error message when ssh session startup fails
When a ssh session startup fails, it is useful to know why it has
failed. This commit changes the message from:
   "Failure establishing ssh session"
to something like this, for example:
   "Failure establishing ssh session: -5, Unable to exchange encryption keys"

Closes #3481
2019-01-17 15:03:16 +01:00
Alessandro Ghedini
7c16871d0b Fix typo in manpage 2019-01-16 19:05:12 +00:00
Daniel Stenberg
a048834258
RELEASE-NOTES: synced 2019-01-16 11:33:26 +01:00
Sergei Nikulov
99c2e7e554 cmake: updated check for HAVE_POLL_FINE to match autotools 2019-01-16 11:39:34 +03:00
Daniel Stenberg
26d7f0094a
curl-compilers.m4: check for __ibmxl__ to detect xlclang
Follow-up to 2fa0d57e2e. The __xlc__ symbol is only defined there if a
particular flag is used for legacy macros.

Fixes #3474
Closes #3479
2019-01-16 08:53:56 +01:00
Daniel Stenberg
16a3307e81
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
2019-01-16 08:20:57 +01:00
Daniel Stenberg
2fa0d57e2e
curl-compilers.m4: detect xlclang
Since it isn't totally clang compatible, we detect this IBM clang
front-end and if detected, avoids some clang specific magic.

Reported-by: Kees Dekker
Fixes #3474
Closes #3476
2019-01-15 16:18:45 +01:00
Daniel Stenberg
304bce55dd
README: add codacy code quality badge
[skip ci]
2019-01-15 09:13:56 +01:00
Daniel Stenberg
bbae24c3ae
extract_if_dead: follow-up to 54b201b48c
extract_if_dead() dead is called from two functions, and only one of
them should get conn->data updated and now neither call path clears it.

scan-build found a case where conn->data would be NULL dereferenced in
ConnectionExists() otherwise.

Closes #3473
2019-01-15 08:49:16 +01:00
Daniel Stenberg
fe71b2d928
multi: remove "Dead assignment"
Found by scan-build. Follow-up to 4c35574bb7.

Closes #3471
2019-01-15 08:10:17 +01:00
Daniel Stenberg
ea77fec16f
tests: move objnames-* from lib into tests
Since they're used purely for testing purposes, I think they should
rather be stored there.

Closes #3470
2019-01-15 08:09:34 +01:00
Sergei Nikulov
383fd9dcb4 travis: added cmake build for osx 2019-01-15 07:11:56 +03:00
Frank Gevaerts
c54ee668df
cookie: fix comment typo (url_path_len -> uri_path_len)
Closes #3469
2019-01-14 23:02:34 +01:00
Marcel Raad
07367e717a
winbuild: conditionally use /DZLIB_WINAPI
zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have
the ZLIB_WINAPI define set by default. Using them requires that define
too.

Ref: https://zlib.net/DLL_FAQ.txt

Fixes https://github.com/curl/curl/issues/3133
Closes https://github.com/curl/curl/pull/3460
2019-01-14 10:14:06 +01:00
Daniel Stenberg
d8852d0868
src/Makefile: make 'tidy' target work for metalink builds 2019-01-14 09:12:52 +01:00
Daniel Stenberg
54b201b48c
extract_if_dead: use a known working transfer when checking connections
Make sure that this function sets a proper "live" transfer for the
connection before calling the protocol-specific connection check
function, and then clear it again afterward as a non-used connection has
no current transfer.

Reported-by: Jeroen Ooms
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Gustafsson
Fixes #3463
Closes #3464
2019-01-13 17:09:14 +01:00
Daniel Stenberg
cf8c70594f
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
OpenSSL_version() replaces OpenSSL_version_num()

Closes #3462
2019-01-13 17:06:59 +01:00
Sergei Nikulov
52e27fe9c6 cmake: added checks for HAVE_VARIADIC_MACROS_C99 and HAVE_VARIADIC_MACROS_GCC 2019-01-11 22:48:54 +03:00
Daniel Stenberg
ba243235ec
urldata: rename easy_conn to just conn
We use "conn" everywhere to be a pointer to the connection.

Introduces two functions that "attaches" and "detaches" the connection
to and from the transfer.

Going forward, we should favour using "data->conn" (since a transfer
always only has a single connection or none at all) to "conn->data"
(since a connection can have none, one or many transfers associated with
it and updating conn->data to be correct is error prone and a frequent
reason for internal issues).

Closes #3442
2019-01-11 15:35:13 +01:00
Daniel Stenberg
61faa0b420
tool_cb_prg: avoid integer overflow
When calculating the progress bar width.

Reported-by: Peng Li
Fixes #3456
Closes #3458
2019-01-11 09:03:43 +01:00
Daniel Gustafsson
90254d0d65 travis: turn off copyright year checks in checksrc
Invoking the maintainer intended COPYRIGHTYEAR check for everyone
in the PR pipeline is too invasive, especially at the turn of the
year when many files get affected. Remove and leave it as a tool
for maintainers to verify patches before commits.

This reverts f7bdf4b2e1.

After discussion with: Daniel Stenberg
2019-01-11 00:21:27 +01:00
Daniel Stenberg
13f09f6f6b
KNOWN_BUGS: cmake makes unusable tool_hugehelp.c with MinGW
Closes #3125
2019-01-10 16:52:39 +01:00
Daniel Stenberg
411d0c7244
KNOWN_BUGS: Improve --data-urlencode space encoding
Closes #3229
2019-01-10 15:55:37 +01:00
Patrick Monnerat
30ac449042 os400: add a missing closing bracket
See https://github.com/curl/curl/issues/3453#issuecomment-453054458

Reported-by: jonrumsey on github
2019-01-10 12:04:35 +01:00
Patrick Monnerat
adf39fbfb3 os400: fix extra parameter syntax error.
Reported-by: jonrumsey on github
Closes #3453
2019-01-10 11:50:27 +01:00
Daniel Stenberg
f6bb05ccbd
test1558: verify CURLINFO_PROTOCOL on file:// transfer
Attempt to reproduce issue #3444.

Closes #3447
2019-01-10 11:22:48 +01:00