1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 08:38:49 -05:00
Commit Graph

20319 Commits

Author SHA1 Message Date
Jay Satiro
9b6598ed08 tool_doswin: Use type SANITIZEcode in sanitize_file_name 2016-02-05 02:22:24 -05:00
Jay Satiro
4520534e6d tool_doswin: Improve sanitization processing
- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-05 01:44:27 -05:00
Viktor Szakats
d49881cb19 URLs: change more http to https 2016-02-04 18:46:54 -05:00
Jay Satiro
742deff4dd sasl_sspi: Fix memory leak in domain populate
Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635
Reported-by: silveja1@users.noreply.github.com
2016-02-04 18:11:07 -05:00
Viktor Szakats
20dcd19501 URLs: follow GitHub project rename (also Travis CI)
Closes #632
2016-02-04 23:01:38 +01:00
Daniel Stenberg
0515e49b6b CHANGES.o: fix references to curl.haxx.nu
I removed the scheme prefix from the URLs references this host name, as
we don't own/run that anymore but the name is kept for historic reasons.
2016-02-03 15:33:47 +01:00
Daniel Stenberg
42f725fb9b HISTORY: add some info about when we used which host names 2016-02-03 15:33:30 +01:00
Viktor Szakats
b4f595bde4 URLs: change more http to https 2016-02-02 22:29:47 -05:00
Dan Fandrich
093f9cd38d URLs: Change more haxx.se URLs from http: to https: 2016-02-03 01:45:21 +01:00
Daniel Stenberg
493f54c6c0 RELEASE-NOTES: synced with 4af40b364 2016-02-03 00:32:07 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
d33dd0b195 configure: update the copyright year range in output 2016-02-02 22:49:05 +01:00
Daniel Stenberg
41ae9f717a dotdot: allow an empty input string too
It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.
2016-02-02 22:43:54 +01:00
Daniel Stenberg
6b485c7407 HTTPS: update a bunch of URLs from HTTP to HTTPS 2016-02-02 00:24:30 +01:00
Sergei Nikulov
7a8a7ca7b0 AppVeyor: updated to handle OpenSSL/WinSSL builds
Closes #621
2016-02-01 23:55:08 +01:00
Jay Satiro
2b6dadc52d tool_operate: Don't sanitize --output path (Windows)
Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-01 04:11:46 -05:00
Jay Satiro
96596334c8 curl.1: Explain remote-name behavior if file already exists
.. also warn about letting the server pick the filename.
2016-01-29 03:28:48 -05:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Daniel Stenberg
300718382f bump: towards the next (7.47.1 ?) 2016-01-28 16:36:29 +01:00
Sergei Nikulov
a8135f0768 cmake: fixed when OpenSSL enabled on Windows and schannel detected
Closes #617
2016-01-28 16:34:01 +01:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Viktor Szakats
1597af51b1 tool_doswin: silence unused function warning
tool_doswin.c:185:14: warning: 'msdosify' defined but not used
[-Wunused-function]

Closes https://github.com/bagder/curl/pull/616
2016-01-28 02:45:36 -05:00
Daniel Stenberg
e400a89b18 getredirect.c: fix variable name
Reported-by: Bernard Spil
2016-01-27 09:35:55 +01:00
Daniel Stenberg
06bf874bbc examples/Makefile.inc: specify programs without .c! 2016-01-27 08:30:04 +01:00
Daniel Stenberg
87a5d3d13e THANKS: 6 new contributors from 7.47.0 release notes 2016-01-26 23:45:02 +01:00
Isaac Boukris
d41dcba4e9 NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26 23:42:55 +01:00
Ray Satiro
3017d8a8d8 curl: avoid local drive traversal when saving file (Windows)
curl does not sanitize colons in a remote file name that is used as the
local file name. This may lead to a vulnerability on systems where the
colon is a special path character. Currently Windows/DOS is the only OS
where this vulnerability applies.

CVE-2016-0754

Bug: http://curl.haxx.se/docs/adv_20160127B.html
2016-01-26 23:42:55 +01:00
Daniel Stenberg
cea1fd7a94 RELEASE-NOTES: 7.47.0 2016-01-26 23:42:55 +01:00
Daniel Stenberg
14f92f2d2c FAQ: language fix in 4.19 2016-01-25 11:11:29 +01:00
paulehoffman
53d1e42c41 FAQ: Update to point to GitHub
Current FAQ didn't make it clear where the main repo is.

Closes #612
2016-01-24 23:29:01 +01:00
Daniel Stenberg
b9da2cfed1 maketgz: generate date stamp with LC_TIME=C
bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
2016-01-24 20:31:30 +01:00
Daniel Stenberg
5a28126b22 curl_multi_socket_action.3: line wrap 2016-01-24 20:31:30 +01:00
Daniel Stenberg
1783070801 RELEASE-NOTES: synced with d58ba66eec 2016-01-24 20:31:30 +01:00
Steve Holme
b03f01742d TODO: "Create remote directories" for SMB 2016-01-21 21:05:55 +00:00
Jay Satiro
d58ba66eec mbedtls: Fix pinned key return value on fail
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
2016-01-18 03:48:10 -05:00
Jay Satiro
d566371130 tests: Add a test for pinnedpubkey fail even when insecure
Because disabling the peer verification (--insecure) must not disable
the public key pinning check (--pinnedpubkey).
2016-01-18 03:10:10 -05:00
Daniel Schauenberg
1074cca8cd CURLINFO_RESPONSE_CODE.3: add example 2016-01-16 23:05:07 -05:00
Kamil Dudka
be538e0766 ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
empty strings specially since curl-7_25_0-31-g05a443a but the behavior
was unintentionally removed in curl-7_38_0-47-gfa7d04f.

This commit restores the original behavior and clarifies it in the
documentation that NULL and "" have both the same meaning when passed
to CURLOPT_SSH_PUBLIC_KEYFILE.

Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-15 10:34:34 +01:00
Daniel Stenberg
be79d83b00 RELEASE-NOTES: synced with 35083ca60e 2016-01-14 22:09:09 +01:00
Daniel Stenberg
35083ca60e openssl: improved error detection/reporting
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
2016-01-14 21:25:30 +01:00
Daniel Stenberg
fdcc4d6daa openssl: for 1.1.0+ they now provide a SSLeay() macro of their own 2016-01-14 16:38:14 +01:00
Daniel Stenberg
133cd19244 CURLOPT_RESOLVE.3: minor language polish 2016-01-13 09:11:12 +01:00
Daniel Stenberg
4bed87f8fa configure: assume IPv6 works when cross-compiled
The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
works, and testing like that doesn't work for cross-compiles. These days
IPv6 support is widespread so a blind guess is probably more likely to
be 'yes' than 'no' now.

Further: anyone who cross-compiles can use configure's --disable-ipv6 to
explicitly disable IPv6 and that also works for cross-compiles.

Made happen after discussions in issue #594
2016-01-12 10:30:54 +01:00
Daniel Stenberg
3ea77f6add TODO: "Try to URL encode given URL"
Closes #514
2016-01-12 00:03:05 +01:00
Daniel Stenberg
13b6d3b7dd ConnectionExists: only do pipelining/multiplexing when asked
When an HTTP/2 upgrade request fails (no protocol switch), it would
previously detect that as still possible to pipeline on (which is
acorrect) and do that when PIPEWAIT was enabled even if pipelining was
not explictily enabled.

It should only pipelined if explicitly asked to.

Closes #584
2016-01-11 23:55:13 +01:00
Mohammad AlSaleh
3d209b5fb0 lib: Prefix URLs with lower-case protocol names/schemes
Before this patch, if a URL does not start with the protocol
name/scheme, effective URLs would be prefixed with upper-case protocol
names/schemes. This behavior might not be expected by library users or
end users.

For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
URL is "hostname/path". The effective URL would be
"HTTPS://hostname/path" instead of "https://hostname/path".

After this patch, effective URLs would be prefixed with a lower-case
protocol name/scheme.

Closes #597

Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11 23:38:42 +01:00
Alessandro Ghedini
ebfe00c050 scripts: don't generate and install zsh completion when cross-compiling 2016-01-11 23:32:30 +01:00
Alessandro Ghedini
fb7cbf75a5 scripts: fix zsh completion generation
The script should use the just-built curl, not the system one. This fixes
zsh completion generation when no system curl is installed.
2016-01-11 23:32:30 +01:00
Alessandro Ghedini
92a20413ac zsh.pl: fail if no curl is found
Instead of generation a broken completion file.
2016-01-11 23:32:30 +01:00
Michael Kaufmann
5d7c9379ef IDN host names: Remove the port number before converting to ACE
Closes #596
2016-01-11 00:11:28 +01:00