1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 00:28:48 -05:00
Commit Graph

21442 Commits

Author SHA1 Message Date
Daniel Stenberg
efd24d5742 base64: check for integer overflow on large input
CVE-2016-8617

Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3d6460edee krb5: avoid realloc(0)
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.

CVE-2016-8619

Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8732ec40db aprintf: detect wrap-around when growing allocation
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.

CVE-2016-8618

Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ee4f76606c range: reject char globs with missing end like '[L-]'
... which previously would lead to out of boundary reads.

Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
269a889104 glob_next_url: make sure to stay within the given output buffer 2016-10-31 08:46:35 +01:00
Daniel Stenberg
fbb5f1aa03 range: prevent negative end number in a glob range
CVE-2016-8620

Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
96a80b5a26 parsedate: handle cut off numbers better
... and don't read outside of the given buffer!

CVE-2016-8621

bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536 escape: avoid using curl_easy_unescape() internally
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
53e71e47d6 unescape: avoid integer overflow
CVE-2016-8622

Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
c5be3d7267 cookies: getlist() now holds deep copies of all cookies
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.

CVE-2016-8623

Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fba28277ca TODO: remove IDNA2008 2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781 idn: switch to libidn2 use and IDNA2008 support
CVE-2016-8625

Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
42b650b9ea test1246: verify URL parsing with host name ending with '#' 2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e urlparse: accept '#' as end of host name
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.

CVE-2016-8624

Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00
Jay Satiro
164ee10b0b INTERNALS: better markdown (follow-up)
- Wrap more words with underscores in backticks.

Follow-up to 13f4913.
2016-10-31 00:38:27 -04:00
Daniel Stenberg
13f4913303 INTERNALS: better markdown
words with underscore need to be within `these`

Bug: https://github.com/curl/curl-www/issues/19
Reported-by : Jay Satiro
2016-10-30 23:46:11 +01:00
Jay Satiro
2e750ce452 mk-ca-bundle.vbs: Fix UTF-8 output
- Change initial message box to mention delay when downloading/parsing.

Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.

- Warn if OpenSSL is not present.

- Use a UTF-8 stream to make the ca-bundle data.

- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.

This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.

Ref: https://github.com/curl/curl/pull/1012
2016-10-30 01:01:29 -04:00
Daniel Stenberg
d0623f856c BINDINGS: converted to markdown
To make it render better on the web site, at the price of it becoming
slightly less readable as text.
2016-10-28 09:54:39 +02:00
Jay Satiro
568037f6af CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
- Clarify that this option is only for HTTP/1.1 pipelining.

Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms

Assisted-by: Daniel Stenberg
2016-10-27 23:15:41 -04:00
Daniel Stenberg
4eb7657a13 KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
Closes #927
2016-10-27 23:47:59 +02:00
Daniel Stenberg
c443a8ce21 KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
Closes #893
2016-10-27 23:46:13 +02:00
Michael Osipov
905f493bd0 configure.in: Fix test syntax
Some versions of test allow == for equality, but others (such as the HP-UX
version) do not.  Use a single = for correctness.

Error output:
checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
2016-10-27 13:41:26 +02:00
Daniel Stenberg
a65db0bbcb SECURITY: minor updates
- we allow the security push up to 48 hours before the release

- add a mention about possible pre-notifications

- lower case the 'curl-security' title
2016-10-27 10:21:52 +02:00
Andrei Sedoi
50ef91b59a docs: fix req->data in multi-uv example
Closes #1088
2016-10-27 09:14:24 +02:00
Daniel Stenberg
62a8095e71 mbedtls: stop using deprecated include file
Reported-by: wyattoday
Fixes #1087
2016-10-26 23:38:04 +02:00
Martin Frodl
eb84412b33 nss: fix tight loop in non-blocking TLS handhsake over proxy
... in case the handshake completes before entering
CURLM_STATE_PROTOCONNECT

Bug: https://bugzilla.redhat.com/1388162
2016-10-25 11:56:37 +02:00
Jay Satiro
d2c6d1568e mk-ca-bundle: Update the vbscript version
Bring the VBScript version more in line with the perl version:

- Change timestamp to UTC.

- Change URL retrieval to HTTPS-only by default.

- Comment out the options that disabled SSL cert checking by default.

- Assume OpenSSL is present, get SHA256. And add a flag to toggle it.

- Fix cert issuer name output.

The cert issuer output is now ansi, converted from UTF-8. Prior to this
it was corrupt UTF-8. It turns out though we can work with UTF-8 the
FSO object that writes ca-bundle can't write UTF-8, so there will have
to be some alternative if UTF-8 is needed (like an ADODB.Stream).

- Disable the certificate text info feature.

The certificate text info doesn't work properly with any recent OpenSSL.
2016-10-25 03:17:26 -04:00
Daniel Stenberg
4d7fc0a9bb TODO: indent code to make it render properly 2016-10-24 14:03:08 +02:00
Daniel Stenberg
cc8c8f957e TODO: Remove the generated include file 2016-10-24 13:38:29 +02:00
Daniel Stenberg
21b9e54058 TODO: add "--retry should resume"
See #1084
2016-10-24 11:56:26 +02:00
Daniel Stenberg
f435308cfa mk-ca-bundle.1: document -k
Brought in 1ad2bdcf11. Now does HTTPS by default and needs -k to
fall back to plain HTTP.
2016-10-24 10:24:27 +02:00
Jay Satiro
1ad2bdcf11 mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

Prior to this change the default URL retrieval mode was to fall back to
HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc

Closes #1012
2016-10-24 09:41:03 +02:00
Daniel Stenberg
c30a2d97ed RELEASE-NOTES: synced with 50ee3aaf1a 2016-10-24 08:03:07 +02:00
Dan Fandrich
50ee3aaf1a INSTALL.md: Updated minimum file sizes for 7.50.3 2016-10-23 22:42:19 +02:00
Daniel Stenberg
6290c3c26b multi: force connections to get closed in close_all_connections
Several independent reports on infinite loops hanging in the
close_all_connections() function when closing a multi handle, can be
fixed by first marking the connection to get closed before calling
Curl_disconnect.

This is more fixing-the-symptom rather than the underlying problem
though.

Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html

Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
2016-10-22 16:10:57 +02:00
Anders Bakken
406506ca92 curl_multi_remove_handle: fix a double-free
In short the easy handle needs to be disconnected from its connection at
this point since the connection still is serving other easy handles.

In our app we can reliably reproduce a crash in our http2 stress test
that is fixed by this change. I can't easily reproduce the same test in
a small example.

This is the gdb/asan output:

==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
    #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666

0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
freed by thread T13 (RESOURCE_HTTP) here:
    #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
    #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
    #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
    #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
    #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
    #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
    #7 0x9c445e0 in ...
    #8 0x9c4cf1d in ...
    #9 0xa2be6b5 in ...
    #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
    #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)

previously allocated by thread T13 (RESOURCE_HTTP) here:
    #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
    #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
    #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
    #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
    #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
    #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
    #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
    #7 0x9c445e0 in ...
    #8 0x9c4cf1d in ...
    #9 0xa2be6b5 in ...
    #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
    #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)

SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
Shadow bytes around the buggy address:
  0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11785==ABORTING

Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
[Switching to Thread 0xf27bfb40 (LWP 12324)]
0xf7fd8be9 in __kernel_vsyscall ()
 (gdb) bt
 #0  0xf7fd8be9 in __kernel_vsyscall ()
 #1  0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
 #2  0xf4c803e7 in __GI_abort () at abort.c:89
 #3  0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
 #4  0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
 #5  0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
 #6  0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
 #7  0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
 #8  0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
 #9  0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
 #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
 #11 0x09c6de3f in ...
 #12 0x09c378c5 in ...
 #13 0x09c48133 in ...
 #14 0x09c4d092 in ...
 #15 0x0a2be6b6 in ...
 #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
 #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
 #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114

Fixes #1083
2016-10-22 15:50:22 +02:00
Daniel Stenberg
fc458679ca testcurl.1: fix the URL to the autobuild summary 2016-10-22 15:15:34 +02:00
Daniel Stenberg
a84e0713e8 testcurl.1: update URLs 2016-10-22 14:57:20 +02:00
Daniel Stenberg
8571d1c0b4 INSTALL: converted to markdown => INSTALL.md
Also heavily edited for content. Removed lots of old cruft that we added
like 10+ years ago that is likely incorrect by now.

Also removed INSTALL.devcpp for same reason.
2016-10-21 15:57:29 +02:00
Martin Storsjo
c9cb17fbd6 configure: Check for other variants of the -m*os*-version-min flags
In addition to -miphoneos-version-min, the same version can be set
using -mios-version-min. And for WatchOS and TvOS, there's
-mwatchos-version-min and -mtvos-version-min.
2016-10-20 12:40:17 +02:00
Daniel Stenberg
4f8d0b6f02 configure: set min version flags for builds on mac
This helps building binaries that can work on multiple macOS versions.

Help-by: Martin Storsjö

Fixes #1069
2016-10-20 10:17:04 +02:00
Daniel Stenberg
5c3d8d20a6 curl_multi_add_handle: set timeouts in closure handles
The closure handle only ever has default timeouts set. To improve the
state somewhat we clone the timeouts from each added handle so that the
closure handle always has the same timeouts as the most recently added
easy handle.

Fixes #739
2016-10-19 14:43:49 +02:00
Daniel Stenberg
a34c7ce754 configure/CURL_CHECK_FUNC_POLL: disable poll completely on mac
... so that the same libcurl build easier can run on any version.

Follow-up to issue #1057
2016-10-18 23:03:27 +02:00
Daniel Stenberg
97dfe38641 RELEASE-NOTES: synced with f36f8c1455 2016-10-18 17:17:54 +02:00
Daniel Stenberg
f36f8c1455 test14xx: fixed --libcurl output tests again after 8e8afa82cb 2016-10-18 14:15:03 +02:00
Daniel Stenberg
0f1996321f s/cURL/curl
The tool was never called cURL, only the project. But even so, we have
more and more over time switched to just use lower case.
2016-10-18 13:59:54 +02:00
Daniel Stenberg
88753c1e89 polarssl: indented code, removed unused variables 2016-10-18 13:27:51 +02:00
Daniel Stenberg
8748d4787f polarssl: reduce #ifdef madness with a macro 2016-10-18 13:17:05 +02:00
Daniel Stenberg
1e3161a20d polarssl: fix unaligned SSL session-id lock 2016-10-18 13:14:11 +02:00
Daniel Stenberg
ace237ae4e Curl_polarsslthreadlock_thread_setup: clear array at init
... since if it fails to init the entire array and then tries to clean
it up, it would attempt to work on an uninitialized pointer.
2016-10-18 13:05:43 +02:00