1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 23:15:08 -05:00
Commit Graph

19709 Commits

Author SHA1 Message Date
Daniel Stenberg
bdf89d80ca THANKS: updated with 7.43.0 names 2015-06-17 07:43:13 +02:00
Kamil Dudka
24a8359b25 http: do not leak basic auth credentials on re-used connections
CVE-2015-3236

This partially reverts commit curl-7_39_0-237-g87c4abb

Reported-by: Tomas Tomecek, Kamil Dudka
Bug: http://curl.haxx.se/docs/adv_20150617A.html
2015-06-17 07:43:13 +02:00
Kamil Dudka
24f0b6ebf7 test2040: verify basic auth on re-used connections 2015-06-17 07:43:13 +02:00
Daniel Stenberg
50c7f17e50 SMB: rangecheck values read off incoming packet
CVE-2015-3237

Detected by Coverity. CID 1299430.

Bug: http://curl.haxx.se/docs/adv_20150617B.html
2015-06-17 07:43:13 +02:00
Jay Satiro
3e7ec1e849 schannel: schannel_recv overhaul
This commit is several drafts squashed together. The changes from each
draft are noted below. If any changes are similar and possibly
contradictory the change in the latest draft takes precedence.

Bug: https://github.com/bagder/curl/issues/244
Reported-by: Chris Araman

%%
%% Draft 1
%%
- return 0 if len == 0. that will have to be documented.
- continue on and process the caches regardless of raw recv
- if decrypted data will be returned then set the error code to CURLE_OK
and return its count
- if decrypted data will not be returned and the connection has closed
(eg nread == 0) then return 0 and CURLE_OK
- if decrypted data will not be returned and the connection *hasn't*
closed then set the error code to CURLE_AGAIN --only if an error code
isn't already set-- and return -1
- narrow the Win2k workaround to only Win2k

%%
%% Draft 2
%%
- Trying out a change in flow to handle corner cases.

%%
%% Draft 3
%%
- Back out the lazier decryption change made in draft2.

%%
%% Draft 4
%%
- Some formatting and branching changes
- Decrypt all encrypted cached data when len == 0
- Save connection closed state
- Change special Win2k check to use connection closed state

%%
%% Draft 5
%%
- Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
connection isn't closed.

%%
%% Draft 6
%%
- Save the last error only if it is an unrecoverable error.

Prior to this I saved the last error state in all cases; unfortunately
the logic to cover that in all cases would lead to some muddle and I'm
concerned that could then lead to a bug in the future so I've replaced
it by only recording an unrecoverable error and that state will persist.

- Do not recurse on renegotiation.

Instead we'll continue on to process any trailing encrypted data
received during the renegotiation only.

- Move the err checks in cleanup after the check for decrypted data.

In either case decrypted data is always returned but I think it's easier
to understand when those err checks come after the decrypted data check.

%%
%% Draft 7
%%
- Regardless of len value go directly to cleanup if there is an
unrecoverable error or a close_notify was already received. Prior to
this change we only acknowledged those two states if len != 0.

- Fix a bug in connection closed behavior: Set the error state in the
cleanup, because we don't know for sure it's an error until that time.

- (Related to above) In the case the connection is closed go "greedy"
with the decryption to make sure all remaining encrypted data has been
decrypted even if it is not needed at that time by the caller. This is
necessary because we can only tell if the connection closed gracefully
(close_notify) once all encrypted data has been decrypted.

- Do not renegotiate when an unrecoverable error is pending.

%%
%% Draft 8
%%
- Don't show 'server closed the connection' info message twice.

- Show an info message if server closed abruptly (missing close_notify).
2015-06-17 00:17:03 -04:00
Paul Oliver
28f4fc5272 Fix typo in docs
s/curret/current/
2015-06-16 12:16:55 +02:00
Viktor Szakats
45f21e0f37 docs: update URLs 2015-06-16 09:08:00 +02:00
Daniel Stenberg
f93da27756 RELEASE-NOTES: synced with f29f2cbd00 2015-06-16 09:07:37 +02:00
Viktor Szakats
f29f2cbd00 README: use secure protocol for Git repository 2015-06-15 23:45:34 +02:00
Viktor Szakats
4fd187c677 HTTP2.md: use SSL/TLS IETF URLs 2015-06-15 11:39:41 +02:00
Viktor Szakats
496e96c242 LICENSE-MIXING: update URLs
* use SSL/TLS where available
* follow permanent redirects
2015-06-15 11:37:55 +02:00
Daniel Stenberg
bb5b29ec14 LICENSE-MIXING: refreshed 2015-06-15 10:57:43 +02:00
Daniel Stenberg
75ba107767 curl_easy_duphandle: see also *reset 2015-06-15 10:37:38 +02:00
Daniel Stenberg
b430cb2a58 rtsp_do: fix DEAD CODE
"At condition p_request, the value of p_request cannot be NULL."

Coverity CID 1306668.
2015-06-15 09:05:07 +02:00
Daniel Stenberg
99eafc49bb security:choose_mech fix DEAD CODE warning
... by removing the "do {} while (0)" block.

Coverity CID 1306669
2015-06-15 09:02:46 +02:00
Daniel Stenberg
45bad4ac97 curl.1: netrc is in man section 5 2015-06-15 08:28:42 +02:00
Daniel Stenberg
f3288196ff curl.1: small format fix
use \fI-style instead of .BR for references
2015-06-15 08:26:37 +02:00
Daniel Stenberg
ff7097f72c urldata: store POST size in state.infilesize too
... to simplify checking when PUT _or_ POST have completed.

Reported-by: Frank Meier
Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
2015-06-14 23:31:01 +02:00
Dan Fandrich
55fc47a401 test1530: added http to required features 2015-06-14 22:38:39 +02:00
Drake Arconis
d186be9510 build: Fix typo from OpenSSL 1.0.2 version detection fix 2015-06-14 16:01:18 -04:00
Drake Arconis
878c5757c0 build: Properly detect OpenSSL 1.0.2 when using configure 2015-06-14 15:15:36 -04:00
Jay Satiro
dd39a67101 curl_multi_info_read.3: fix example formatting 2015-06-13 23:25:53 -04:00
Daniel Stenberg
da08a204c2 BINDINGS: there's a new R binding in town! 2015-06-13 23:10:23 +02:00
Daniel Stenberg
a9ed0fd6cb BINDINGS: added the Xojo binding 2015-06-11 23:33:49 +02:00
Joel Depooter
a3e5a4371b schannel: Add support for optional client certificates
Some servers will request a client certificate, but not require one.
This change allows libcurl to connect to such servers when using
schannel as its ssl/tls backend. When a server requests a client
certificate, libcurl will now continue the handshake without one,
rather than terminating the handshake. The server can then decide
if that is acceptable or not. Prior to this change, libcurl would
terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
error.
2015-06-11 15:53:01 -04:00
Daniel Stenberg
4a7feea31a curl_easy_cleanup.3: provide more SEE ALSO 2015-06-11 08:32:11 +02:00
Daniel Stenberg
8d0d688296 debug: remove http2 debug leftovers 2015-06-10 23:16:37 +02:00
Daniel Stenberg
a5fb9151ee VERSIONS: now using markdown 2015-06-10 00:21:06 +02:00
Daniel Stenberg
f348b2d3bc RELEASE-PROCEDURE: remove ascii logo at the top of file 2015-06-10 00:16:48 +02:00
Daniel Stenberg
1514f3506b INTERNALS: absorbed docs/LIBCURL-STRUCTS 2015-06-10 00:11:54 +02:00
Daniel Stenberg
55f3eb588d INTERNALS: cat lib/README* >> INTERNALS
and a conversion to markdown. Removed the lib/README.* files. The idea
being to move toward having INTERNALS as the one and only "book" of
internals documentation.

Added a TOC to top of the document.
2015-06-09 23:57:22 +02:00
Jay Satiro
cbf2920d02 openssl: LibreSSL and BoringSSL do not use TLS_client_method
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of
TLS_client_method LibreSSL and BoringSSL didn't and still use
SSLv23_client_method.

Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009
Reported-by: asavah@users.noreply.github.com
2015-06-08 23:45:26 -04:00
Daniel Stenberg
0fcfe4d7ac RELEASE-NOTES: synced with 20ac345806 2015-06-09 00:33:23 +02:00
Daniel Stenberg
20ac345806 CURLOPT_OPENSOCKETFUNCTION: return error at once
When CURL_SOCKET_BAD is returned in the callback, it should be treated
as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently
created when trying to connect to a server.

Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
2015-06-09 00:22:02 +02:00
Daniel Stenberg
eaeeed2e8f fopen.c: fix a few compiler warnings 2015-06-08 13:47:33 +02:00
Ville Skyttä
56b7663f73 docs: Spelling fixes 2015-06-08 13:43:31 +02:00
Ville Skyttä
025dbe46df docs: man page indentation and syntax fixes 2015-06-08 13:37:14 +02:00
Linus Nielsen
1a8926d12f help: Add --proxy-service-name and --service-name to the --help output 2015-06-08 10:00:11 +02:00
Jay Satiro
b8673bb9f0 openssl: Fix verification of server-sent legacy intermediates
- Try building a chain using issuers in the trusted store first to avoid
problems with server-sent legacy intermediates.

Prior to this change server-sent legacy intermediates with missing
legacy issuers would cause verification to fail even if the client's CA
bundle contained a valid replacement for the intermediate and an
alternate chain could be constructed that would verify successfully.

https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2015-06-07 23:33:32 -04:00
Daniel Stenberg
8f4791440a BINDINGS: update several URLs
Stop linking to the curl.haxx.se anchor pages, they are usually only
themselves pointers to the real page so better point there directly
instead.
2015-06-05 09:15:40 +02:00
Daniel Stenberg
6befade68f BINDINGS: the curl-rust binding 2015-06-05 08:55:19 +02:00
Daniel Stenberg
3587da9e7c curl.h: add CURL_HTTP_VERSION_2
The protocol is named "HTTP/2" after all. It is an alias for the
existing CURL_HTTP_VERSION_2_0 enum.
2015-06-05 08:26:47 +02:00
Daniel Stenberg
1ce14037c0 openssl: removed error string #ifdef
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
2015-06-05 00:12:56 +02:00
Daniel Stenberg
30bd59ba6e openssl: removed USERDATA_IN_PWD_CALLBACK kludge
Code for OpenSSL 0.9.4 serves no purpose anymore!
2015-06-05 00:11:32 +02:00
Daniel Stenberg
ccfdd5986c openssl: remove SSL_get_session()-using code
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or
later.
2015-06-05 00:09:25 +02:00
Daniel Stenberg
fc16d9cec8 openssl: remove dummy callback use from SSL_CTX_set_verify()
The existing callback served no purpose.
2015-06-05 00:02:17 +02:00
Daniel Stenberg
7c17b58eec LIBCURL-STRUCTS: clarify for multiplexing 2015-06-04 22:43:54 +02:00
Jay Satiro
3013bb6b1c cookie: Stop exporting any-domain cookies
Prior to this change any-domain cookies (cookies without a domain that
are sent to any domain) were exported with domain name "unknown".

Bug: https://github.com/bagder/curl/issues/292
2015-06-03 21:48:47 -04:00
Daniel Stenberg
001ab7d860 RELEASE-PROCEDURE: refreshed 'coming dates' 2015-06-03 14:44:04 +02:00
Jay Satiro
59432503c0 curl_setup: Change fopen text macros to use 't' for MSDOS
Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198
Reported-by: Gisle Vanem
2015-06-02 14:04:00 -04:00