1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-11 03:55:03 -05:00
Commit Graph

24756 Commits

Author SHA1 Message Date
Daniel Stenberg
69ea985d4c
http: fix Expression 'http->postdata' is always false
Fixes warning detected by PVS-Studio
Fixes #4374
Reported-by: Valerii Zapodovnikov
2019-09-20 08:06:47 +02:00
Niall O'Reilly
0d59addff6
doh: avoid truncating DNS QTYPE to lower octet
Closes #4381
2019-09-19 22:50:38 +02:00
Jens Finkhaeuser
0a4ecbdf1c
urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not
"file:///") to override cURL's default demand that an authority exists.

Closes #4349
2019-09-19 15:57:28 +02:00
Daniel Stenberg
346188f6e4
version: next release will be 7.67.0 2019-09-19 15:57:28 +02:00
Daniel Stenberg
2d55460ec5
RELEASE-NOTES: synced 2019-09-19 15:30:16 +02:00
Daniel Stenberg
3c5f9ba899
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.

Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund

Closes #4347
2019-09-19 14:58:24 +02:00
Daniel Stenberg
fafad1496b
README: add OSS-Fuzz badge [skip ci]
Closes #4380
2019-09-19 14:02:10 +02:00
Michael Kaufmann
2a2404153b http: merge two "case" statements 2019-09-18 13:45:41 +02:00
Zenju
1c02a4e874
FTP: remove trailing slash from path for LIST/MLSD
Closes #4348
2019-09-18 09:27:21 +02:00
Daniel Stenberg
ac58c51b29
mime: when disabled, avoid C99 macro
Closes #4368
2019-09-18 08:08:41 +02:00
Daniel Stenberg
beb4350917
url: cleanup dangling DOH request headers too
Follow-up to 9bc44ff64d

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17269

Closes #4372
2019-09-18 07:48:49 +02:00
Christoph M. Becker
7c596f5dea
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.

Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html

Closes #4365
2019-09-16 23:36:22 +02:00
Daniel Stenberg
9bc44ff64d
doh: clean up dangling DOH handles and memory on easy close
If you set the same URL for target as for DoH (and it isn't a DoH
server), like "https://example.com" in both, the easy handles used for
the DoH requests could be left "dangling" and end up not getting freed.

Reported-by: Paul Dreik
Closes #4366
2019-09-16 17:31:56 +02:00
Daniel Stenberg
3ad883aeda
unit1655: make it C90 compliant
Unclear why this was not detected in the CI.

Follow-up to b766602729
2019-09-16 14:30:44 +02:00
Daniel Stenberg
6de1053692
smb: check for full size message before reading message details
To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
2019-09-16 14:16:06 +02:00
Daniel Stenberg
00da834156
quiche: persist connection details
... like we do for other protocols at connect time. This makes "curl -I"
and other things work.

Reported-by: George Liu
Fixes #4358
Closes #4360
2019-09-16 13:37:26 +02:00
Daniel Stenberg
a0f8fccb1e
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Follow-up to ffe34b7b59
Closes #4359
2019-09-16 08:49:51 +02:00
Paul Dreik
dda418266c
doh: fix undefined behaviour and open up for gcc and clang optimization
The undefined behaviour is annoying when running fuzzing with
sanitizers. The codegen is the same, but the meaning is now not up for
dispute. See https://cppinsights.io/s/516a2ff4

By incrementing the pointer first, both gcc and clang recognize this as
a bswap and optimizes it to a single instruction.  See
https://godbolt.org/z/994Zpx

Closes #4350
2019-09-15 23:27:45 +02:00
Paul Dreik
b766602729
doh: fix (harmless) buffer overrun
Added unit test case 1655 to verify.
Close #4352

the code correctly finds the flaws in the old code,
if one temporarily restores doh.c to the old version.
2019-09-15 23:25:24 +02:00
Alessandro Ghedini
5eb75d4186 docs: remove trailing ':' from section names in CURLOPT_TRAILER* man 2019-09-15 12:25:02 +01:00
Alessandro Ghedini
4a2d47e0b7 docs: fix typo in CURLOPT_HTTP_VERSION man 2019-09-15 12:25:02 +01:00
Daniel Stenberg
df26f5f9c3
CI: inintial github action job
First shot at a CI build on github actions
2019-09-14 20:25:43 +02:00
Daniel Stenberg
5977664d2f
appveyor: add a winbuild
Assisted-by: Marcel Raad
Assisted-by: Jay Satiro

Closes #4324
2019-09-13 23:17:36 +02:00
Daniel Stenberg
65f5b958c9
FTP: allow "rubbish" prepended to the SIZE response
This is a protocol violation but apparently there are legacy proprietary
servers doing this.

Added test 336 and 337 to verify.

Reported-by: Philippe Marguinaud
Closes #4339
2019-09-13 14:21:00 +02:00
Zenju
acf1d2acd1
FTP: skip CWD to entry dir when target is absolute
Closes #4332
2019-09-13 14:05:34 +02:00
Kamil Dudka
1ca91bcdb5 curl: fix memory leaked by parse_metalink()
This commit fixes a regression introduced by curl-7_65_3-5-gb88940850.
Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind
and libmetalink enabled.

Closes #4326
2019-09-13 10:09:48 +02:00
Daniel Stenberg
83b4cfacba
parsedate: still provide the name arrays when disabled
If FILE or FTP are enabled, since they also use them!

Reported-by: Roland Hieber
Fixes #4325
Closes #4343
2019-09-13 08:25:14 +02:00
Gilles Vollant
b543f1fadb
curl:file2string: load large files much faster
... by using a more efficient realloc scheme.

Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html
Closes #4336
2019-09-13 08:22:58 +02:00
Daniel Stenberg
a56a47ac33
openssl: close_notify on the FTP data connection doesn't mean closure
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!

Regression since 3f5da4e59a (7.65.0)

Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
2019-09-13 00:10:47 +02:00
Jimmy Gaussen
4e3dfe3323
docs/HTTP3: fix --with-ssl ngtcp2 configure flag
Closes #4338
2019-09-12 15:22:57 +02:00
Daniel Stenberg
f83b2f1ae1
RELEASE-NOTES: synced 2019-09-12 09:48:46 +02:00
Daniel Stenberg
2c4590010f
curlver: bump to 7.66.1 2019-09-12 09:48:46 +02:00
Zenju
0aef91411e
setopt: make it easier to add new enum values
... by using the *_LAST define names better.

Closes #4321
2019-09-12 09:42:54 +02:00
Daniel Stenberg
e34ec7de59
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333
2019-09-12 09:37:11 +02:00
Bernhard Walle
a765a30500
winbuild/MakefileBuild.vc: Add vssh
Without that modification, the Windows build using the makefiles doesn't
work.

Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>

Fixes #4322
Closes #4323
2019-09-11 14:18:44 +02:00
Bernhard Walle
142d89edba winbuild/MakefileBuild.vc: Fix line endings
The file had mixed line endings.

Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
2019-09-11 12:56:22 +02:00
Jay Satiro
08f96982a9 ldap: Stop using wide char version of ldapp_err2string
Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).

We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:

failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));

Closes https://github.com/curl/curl/pull/4272
2019-09-11 02:44:47 -04:00
Daniel Stenberg
9cd755e1d7
RELEASE-NOTES: curl 7.66.0 2019-09-10 19:47:19 +02:00
Daniel Stenberg
fcd4aa4608
THANKS: from the 7.66.0 release 2019-09-10 19:47:19 +02:00
Daniel Stenberg
bbde0407d1
curl: make sure the parallel transfers do them all
The logic could erroneously break the loop too early before all
transfers had been transferred.

Reported-by: Tom van der Woerdt
Fixes #4316
Closes #4317
2019-09-10 19:45:19 +02:00
Daniel Stenberg
9637dbfffd
urlapi: one colon is enough for the strspn() input (typo) 2019-09-10 11:51:51 +02:00
Daniel Stenberg
eab3c580f9
urlapi: verify the IPv6 numerical address
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
2019-09-10 11:32:12 +02:00
Clément Notin
ffe34b7b59
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available.  Existing code is preserved for older versions of
OpenSSL.

Closes #4304
2019-09-10 08:11:42 +02:00
Clément Notin
9136542d33
openssl: indent, re-organize and add comments 2019-09-10 08:08:44 +02:00
migueljcrum
67b30b3418
sspi: fix memory leaks
Closes #4299
2019-09-10 08:06:05 +02:00
Daniel Stenberg
cb3dc99175
travis: disable ngtcp2 builds (again) 2019-09-10 08:03:05 +02:00
Daniel Stenberg
c4c9e070f3
Curl_fillreadbuffer: avoid double-free trailer buf on error
Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas

Closes #4307
2019-09-09 09:36:27 +02:00
Daniel Stenberg
74e152f119
tool_setopt: handle a libcurl build without netrc support
Reported-by: codesniffer13 on github
Fixes #4302
Closes #4305
2019-09-09 08:18:58 +02:00
Daniel Stenberg
9069838b30
security:read_data fix bad realloc()
... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
2019-09-09 08:14:34 +02:00
Thomas Vegas
facb0e4662
tftp: Alloc maximum blksize, and use default unless OACK is received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
2019-09-09 08:14:34 +02:00