Daniel Stenberg
75ca568fa1
URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).
URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
2012-01-24 08:54:26 +01:00
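Added example, not curl's code and not part of the commit above: a minimal C decoder that applies the rule the commit message describes, refusing any path in which a byte is or decodes to a value below 32. The names decode_reject_ctrl and decodes_to are hypothetical; the inputs are constructed, except the path taken from the URL quoted in the message.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
static int hexval(unsigned char c)
{
  return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Hypothetical helper, not libcurl's Curl_urldecode(). Returns 0 on success,
   -1 if a byte is or decodes to a value below 32, -2 on out of memory. */
int decode_reject_ctrl(const char *in, char **out)
{
  size_t len = strlen(in), n = 0, i;
  char *buf = malloc(len + 1); /* decoded output never exceeds the input */
  *out = NULL;
  if(!buf)
    return -2;
  for(i = 0; i < len; i++) {
    unsigned char c = (unsigned char)in[i];
    /* decode only well-formed %XX; the casts keep isxdigit() in range */
    if(c == '%' && i + 2 < len && isxdigit((unsigned char)in[i + 1]) &&
       isxdigit((unsigned char)in[i + 2])) {
      c = (unsigned char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
      i += 2;
    }
    if(c < 32) { /* literal or decoded control code: refuse the whole path */
      free(buf);
      return -1;
    }
    buf[n++] = (char)c;
  }
  buf[n] = '\0';
  *out = buf;
  return 0;
}

/* 1 if `in` decodes cleanly to exactly `expect`, 0 otherwise */
int decodes_to(const char *in, const char *expect)
{
  char *out;
  int ok = decode_reject_ctrl(in, &out) == 0 && strcmp(out, expect) == 0;
  free(out);
  return ok;
}

int main(void)
{
  /* constructed checks: plain message number passes, the page's path fails */
  return (decodes_to("1", "1") && !decodes_to("1%0d%0aDELE%201", "")) ? 0 : 1;
}
```

The check runs on the decoded byte, so %0d and a literal carriage return are refused alike, while %20 (byte value 32) is still accepted.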
Yang Tse
f1586cb477
stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h
2011-07-26 17:23:27 +02:00
Yang Tse
30c9799f72
compiler warning: fix
Fix compiler warning: expression has no effect
2011-05-23 16:55:09 +02:00
Daniel Stenberg
b903186fa0
source cleanup: unify look, style and indent levels
By the use of the new lib/checksrc.pl script that checks that our
basic source style rules are followed.
2011-04-27 09:09:35 +02:00
Daniel Stenberg
c828646f60
CURL_DOES_CONVERSIONS: cleanup
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2011-04-20 00:50:07 +02:00
Daniel Stenberg
5df13c3173
curl_easy_escape: don't escape "unreserved" characters
According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be
percent-encoded.
Reported by: Miguel Diaz
Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
2010-09-28 23:49:32 +02:00
Daniel Stenberg
2309b4e330
remove the CVSish $Id$ lines
2010-03-24 11:02:54 +01:00
Yang Tse
5695c4db86
fix compiler warning
2010-02-24 00:03:06 +00:00
Daniel Stenberg
33ce0ec1f1
wrap long lines and do some indent policing
2010-01-22 23:21:39 +00:00
Yang Tse
33a3753c3f
libcurl's memory.h renamed to curl_memory.h
2009-04-21 11:46:16 +00:00
Dan Fandrich
95456b8e78
Added const to some pointer variables
2008-10-08 01:17:51 +00:00
Dan Fandrich
c98ab69cc7
Factored out Curl_isalnum
2008-09-09 21:15:50 +00:00
Daniel Stenberg
cbd1a77ec2
if () => if()
while () => while()
and some other minor re-indentings
2007-11-07 09:21:35 +00:00
Daniel Stenberg
ec08e2f9f2
Alex Fishman reported a curl_easy_escape() problem that made the
function do wrong on all input bytes that are >= 0x80 (decimal 128) due to a
signed / unsigned mistake in the code. I fixed it and added test case 543 to
verify.
2007-09-30 22:40:24 +00:00
Dan Fandrich
523767660c
Fixed some minor mismatched types found by splint.
2007-08-26 05:53:26 +00:00
Daniel Stenberg
1926f4573d
Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on
non-ASCII systems.
2007-08-04 20:47:59 +00:00
Daniel Stenberg
44d84ac164
Avoid typecasting a signed char to an int when using is*() functions, as that
could very well cause a negative number to get passed in and thus cause reading
outside of the array usually used for this purpose.
We avoid this by using the uppercase macro versions introduced just now that
do some extra crazy typecasts to avoid byte codes > 127 to cause negative
int values.
2006-10-17 21:32:56 +00:00
Daniel Stenberg
5a4b43848a
First commit of David McCreedy's EBCDIC and TPF changes.
2006-04-07 21:50:47 +00:00
Daniel Stenberg
090b89cc76
Variable type cleanups to please the picky MIPSPro compiler.
2004-07-01 08:10:21 +00:00
Daniel Stenberg
cf10df6c68
include header for our printfs
2004-06-24 14:35:45 +00:00
Daniel Stenberg
feb2dd2835
Replaced all uses of sprintf() with the safer snprintf(). It is just a
precaution to prevent mistakes from leading to buffer overflows.
2004-06-24 11:54:11 +00:00
Daniel Stenberg
5bf02b16a0
curl_free() doesn't free(NULL) but just returns
2004-05-13 15:16:36 +00:00
Daniel Stenberg
c123676825
return NULL on out of memory
2004-05-12 13:04:30 +00:00
Daniel Stenberg
bbafb2eb27
curl_global_init_mem() allows the memory functions to be replaced.
memory.h is included everywhere for this.
2004-05-11 11:30:23 +00:00
Daniel Stenberg
a684c51c9b
size_t/int/long fixes
2004-03-08 08:38:29 +00:00
Daniel Stenberg
4d17d6876e
Dan Fandrich's cleanup patch to make pedantic compiler options cause less
warnings. Minor edits by me.
2004-01-29 13:56:45 +00:00
Daniel Stenberg
053f6c85ef
updated year in the copyright string
2004-01-07 09:19:33 +00:00
Daniel Stenberg
2bd71d70ff
use CURLDEBUG instead of MALLOCDEBUG
2003-06-26 06:50:32 +00:00
Daniel Stenberg
2356325592
David Balazic pointed out the lack of checks for a valid %XX code when
we unescape a string. We now check and decode only valid %XX strings.
2003-05-21 15:53:59 +00:00
Daniel Stenberg
a7c72b7abf
removed the local variables for emacs and vim, use the new sample.emacs
way for emacs, and vim users should provide a similar non-polluting style
2003-01-29 10:14:20 +00:00
Daniel Stenberg
f26a338a54
copyright year update in the source header
2003-01-16 21:08:12 +00:00
Jean-Philippe Barette-LaPierre
6a7e53a7c7
fixed a very, very rare and very, very little memory leak
2003-01-08 02:27:47 +00:00
Daniel Stenberg
6883f0c49f
Walter J. Mack added curl_free
2002-09-25 12:26:07 +00:00
Daniel Stenberg
ba4e69bebc
updated source code boilerplate/header
2002-09-03 11:52:59 +00:00
Daniel Stenberg
2f8e7f56b3
ignore '+' in URLs, generate only %-codes
2002-06-26 07:15:31 +00:00
Daniel Stenberg
974f314f57
copyright string (year) update
2002-03-19 07:54:55 +00:00
Sterling Hughes
8e91d5de8e
looks nicer and is better compatible with older vim versions
2001-10-11 09:32:19 +00:00
Sterling Hughes
6147879837
Added formatting sections for emacs and vim
2001-09-07 04:01:32 +00:00
Daniel Stenberg
08655d8d5d
Georg Huettenegger's patch curl-7.8.1-pre5-patch-20010819
2001-08-21 13:18:07 +00:00
Daniel Stenberg
7b4b166718
added typecasts when converting from unsigned int to int
2001-08-14 08:20:17 +00:00
Daniel Stenberg
2827f5327a
curl_escape() no longer attempts to detect already encoded stuff (in order
not to re-encode it).
2001-08-05 12:34:07 +00:00
Daniel Stenberg
84e71e1c50
Andrés García fixed curl_escape()
2001-04-07 18:35:28 +00:00
Daniel Stenberg
58085dbbf6
Jim Drash suggested and I made it not encode what looks like an already
encoded letter (in curl_escape)
2001-03-22 18:06:08 +00:00
Daniel Stenberg
f8d883355d
the new escape/unescape function setup
2001-03-22 11:40:58 +00:00
Daniel Stenberg
0dc8c4d451
use unsigned int hex to receive the hex digit in, caused a warning with
-Wall and a new gcc
2001-03-09 15:11:39 +00:00
Daniel Stenberg
24dee483e9
dual-license fix
2001-01-03 09:29:33 +00:00
Daniel Stenberg
b734bc37eb
curl_unescape() did not stop at the set length properly when %-codes were
used
2000-11-21 19:01:53 +00:00
Daniel Stenberg
0f8facb49b
added memory debugging include file
2000-10-09 11:12:34 +00:00
Daniel Stenberg
60eab89f10
in unescape(), '+' is now only converted to space after the first '?'
2000-08-31 12:03:04 +00:00
Daniel Stenberg
1ef3600a07
haxx.nu => haxx.se
2000-06-20 15:31:26 +00:00