Daniel Stenberg
85c45d153b
connectionexists: follow-up to fd9d3a1ef1
...
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.
Mistake-caught-by: Kamil Dudka
2015-04-22 13:59:04 +02:00
Daniel Stenberg
fd9d3a1ef1
connectionexists: fix build without NTLM
...
Do not access NTLM-specific struct fields when built without NTLM
enabled!
bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
2015-04-22 13:32:45 +02:00
Daniel Stenberg
d409f094a5
bump: start working toward 7.43.0
2015-04-22 13:32:45 +02:00
Kamil Dudka
b47c17d67c
nss: implement public key pinning for NSS backend
...
Bug: https://bugzilla.redhat.com/1195771
2015-04-22 13:21:31 +02:00
Daniel Stenberg
1fd33e3ec8
dist: include {src,lib}/checksrc.whitelist
2015-04-22 13:16:04 +02:00
Daniel Stenberg
22691f849a
RELEASE-NOTES: updated for 7.42.0
2015-04-22 07:56:12 +02:00
Daniel Stenberg
00e01fc0a7
THANKS: added contributors from 7.42.0 release notes
2015-04-22 07:56:12 +02:00
Daniel Stenberg
aadda65f5e
THANKS-filter: a few more alterations to squash
2015-04-22 07:56:12 +02:00
Daniel Stenberg
7166fd8a60
contrithanks.sh: helper script for maintaining THANKS
2015-04-22 07:56:12 +02:00
Daniel Stenberg
79b9d5f1a4
http_done: close Negotiate connections when done
...
When doing HTTP requests Negotiate authenticated, the entire connection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.
CVE-2015-3148
Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
2015-04-21 23:20:37 +02:00
Daniel Stenberg
0583e87ada
fix_hostname: zero length host name caused -1 index offset
...
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
2015-04-21 23:20:36 +02:00
Daniel Stenberg
b5f947b8ac
cookie: cookie parser out of boundary memory access
...
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
2015-04-21 23:20:36 +02:00
Daniel Stenberg
31be461c6b
ConnectionExists: for NTLM re-use, require credentials to match
...
CVE-2015-3143
Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
2015-04-21 23:20:36 +02:00
byronhe
6088fbce06
openssl: add OPENSSL_NO_SSL3_METHOD check
2015-04-21 15:25:21 -04:00
Daniel Stenberg
cf2d21d86f
CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc
...
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
2015-04-20 23:40:40 +02:00
Mostyn Bramley-Moore
875a6d9324
configure --with-nss: remove unneeded libs from the fallback
2015-04-20 10:25:07 +02:00
Daniel Stenberg
1b8f9c95b6
contributors.sh: fix help output, filter out (-prefix from names
2015-04-20 10:15:31 +02:00
Daniel Stenberg
9d704b3df9
RELEASE-NOTES: synced with cc0e7ebc3b
2015-04-20 10:05:46 +02:00
Michael Stapelberg
cc0e7ebc3b
CURLMOPT_TIMERFUNCTION.3: Clarify, add an example
2015-04-19 23:29:51 +02:00
Viktor Szakáts
3a87bdebd1
vtls/openssl: use https in URLs and a comment typo fixed
2015-04-19 19:52:37 +02:00
Daniel Stenberg
63c64e05a4
curl_version_info.3: fixed the 'protocols' variable type
...
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
2015-04-18 22:46:52 +02:00
Dan Fandrich
1e6d0e06f7
test1423: added missing "file" to server section
2015-04-18 21:12:36 +02:00
Daniel Stenberg
b6e477890f
TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods
...
... and some minor edits
2015-04-17 23:53:11 +02:00
Daniel Stenberg
2eb02480ef
Revert "HTTP: don't abort connections with pending Negotiate authentication"
...
This reverts commit 5dc68dd609.
Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
2015-04-17 23:23:42 +02:00
Jay Satiro
f70112522f
cyassl: Fix include order
...
Prior to this change CyaSSL's build options could redefine some generic
build symbols.
http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-17 15:24:04 -04:00
Kamil Dudka
8dc3bbf0f8
configure --with-nss: drop redundant if statement
2015-04-17 16:43:20 +02:00
Kamil Dudka
67a8bbb51a
configure --with-nss=PATH: query pkg-config if available
...
Bug: https://github.com/bagder/curl/pull/171
2015-04-17 16:43:20 +02:00
Daniel Stenberg
691a07dac6
parsecfg: do not continue past a zero termination
...
When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.
Reported-by: Hanno Böck
2015-04-17 11:44:57 +02:00
Jay Satiro
05e4137d31
gitignore: Ignore Windows build output directories
2015-04-16 18:24:42 -04:00
Daniel Stenberg
82805b56b9
RELEASE-NOTES: synced with 1ba6e4c88e
2015-04-15 23:21:49 +02:00
Daniel Stenberg
1ba6e4c88e
TODO: 17.9 Choose the name of file in braces for complex URLs
2015-04-15 21:13:25 +02:00
Daniel Stenberg
8f78794fd5
TODO: a little caution that maybe not all ideas are still good
2015-04-15 20:56:43 +02:00
Daniel Stenberg
0cbbbbdc31
TODO: 17.8 offer color-coded HTTP header output
2015-04-15 14:29:30 +02:00
Daniel Stenberg
78843afb9f
TODO: 17.7 warning when sending binary output to terminal
2015-04-15 14:27:32 +02:00
Daniel Stenberg
ad48b177c3
KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes
2015-04-15 02:48:20 +02:00
Jay Satiro
9430dd583e
cyassl: Add support for TLS extension SNI
2015-04-14 02:05:25 -04:00
Matthew Hall
8df4b5af3f
gitignore: ignore test-driver file
2015-04-13 22:25:04 +02:00
Matthew Hall
a471a9f3b6
vtls_openssl: improve PKCS#12 load failure error message
2015-04-13 22:25:04 +02:00
Matthew Hall
27ac643455
vtls_openssl: fix minor typo in PKCS#12 load routine
2015-04-13 22:25:04 +02:00
Matthew Hall
b3175a767d
vtls_openssl: improve client certificate load failure error messages
2015-04-13 22:25:04 +02:00
Matthew Hall
58b0a8b059
vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant
2015-04-13 22:25:04 +02:00
Daniel Stenberg
9e7125a1db
BUGS: refer to the github issue tracker now as primary
2015-04-13 16:43:52 +02:00
Daniel Stenberg
7fe172d3b2
firefox-db2pem: fix wildcard to find Firefox default profile
...
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.
Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
2015-04-13 15:31:26 +02:00
Jay Satiro
72bea7cc65
cyassl: Include the CyaSSL build config
...
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
2015-04-11 23:58:42 -04:00
Jay Satiro
139141f8d7
build: Generate source prerequisites for Visual Studio in generate.bat
...
Prior to this change Visual Studio builds could fail due to missing
prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.
http://curl.haxx.se/mail/lib-2015-04/0034.html
2015-04-11 02:16:59 -04:00
Viktor Szakats
e44155156a
lib/makefile.m32: add missing libs to build libcurl.dll
...
Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.
2015-04-09 21:34:14 +02:00
Kamil Dudka
992a731116
test142[23]: verify that an empty file is stored on success
2015-04-08 09:43:13 +02:00
Kamil Dudka
261a0fedcf
src/tool_operate: create output file on successful download
...
... of an empty file
Bug: https://github.com/bagder/curl/issues/183
2015-04-08 09:43:08 +02:00
Kamil Dudka
f251417d85
src/tool_cb_wrt: separate fnc for output file creation
2015-04-08 09:36:56 +02:00
Da-Yoon Chung
a9e46749b2
lib/transfer.c: Remove factor of 8 from sleep time calculation
...
The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
rate_bps are both in bytes. When using the rate limiting option, curl
waits 8 times too long, and then transfers very quickly until the
average rate reaches the limit. The average rate follows the limit over
time, but the actual traffic is bursty.
Thanks-to: Benjamin Gilbert
2015-04-07 21:55:23 +02:00