Daniel Stenberg
07b95ea268
tests/util: get a private strncasecompare clone
... since the curlx_* code no longer provides one and we don't link
libcurl to these test servers.
2016-10-31 23:49:54 +01:00
Daniel Stenberg
95bd2b3e7f
strcase: make the tool use curl_str[n]equal instead
As they are after all part of the public API. Saves space and reduces
complexity. Remove the strcase defines from the curlx_ family.
Suggested-by: Dan Fandrich
Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
2016-10-31 21:51:19 +01:00
Kamil Dudka
1071680946
gskit, nss: do not include strequal.h
follow-up to 811a693b80
2016-10-31 17:36:22 +01:00
Dan Fandrich
47a21ca9ba
strcasecompare: include curl.h in strcase.c
This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
link error on Windows because of the missing CURL_EXTERN on the
prototype.
2016-10-31 15:21:13 +01:00
Daniel Stenberg
64c2d24c42
strcase: fix the remaining rawstr users
2016-10-31 15:19:26 +01:00
Daniel Stenberg
309d6e80d0
msvc builds: s/rawstr/strcase
Follow-up to 811a693b
2016-10-31 13:35:26 +01:00
Dan Fandrich
9363f1a37f
strcasecompare: replaced remaining rawstr.h with strcase.h
This is a followup to commit 811a693b
2016-10-31 12:57:58 +01:00
Marcel Raad
4f97d9832c
digest_sspi: fix include
Fix compile break from 811a693b80
2016-10-31 12:51:27 +01:00
Dan Fandrich
52a2c2fb51
libauthretry: use the external function curl_strequal
The internal version strcasecompare isn't available outside libcurl
2016-10-31 12:44:18 +01:00
Daniel Stenberg
9934f4fe9f
RELEASE-NOTES: synced with d14538d250
2016-10-31 10:50:32 +01:00
Daniel Stenberg
d14538d250
configure: raise the default minimum version for macos to 10.8
follow-up to 4f8d0b6f02. Since the darwinssl code breaks
otherwise. If you build without darwinssl 10.5 works fine.
2016-10-31 10:19:22 +01:00
Daniel Stenberg
06bc2100d2
unit1301: keep testing curl_strequal
as that is still part of the API, fix from 8fe4bd0844
2016-10-31 09:53:34 +01:00
Daniel Stenberg
cce5250f6a
ldap: fix include
Fix bug from 811a693b80
2016-10-31 09:50:41 +01:00
Daniel Stenberg
c27013c05d
url: remove unconditional idn2.h include
Mistake brought by 9c91ec7781
2016-10-31 09:50:12 +01:00
Daniel Stenberg
8fe4bd0844
curl_strequal: part of public API/ABI, needs to be kept
These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.
2016-10-31 09:45:17 +01:00
Daniel Stenberg
44c53cc38b
strcase: s/strequal/strcasecompare
some more follow-ups to 811a693b80
2016-10-31 09:37:54 +01:00
Daniel Stenberg
532491a27c
ldap: fix strcase use
follow-up to 811a693b80
2016-10-31 09:30:36 +01:00
Daniel Stenberg
ad16f89791
test165: adapted to the libidn2 use and IDNA2008 fix
2016-10-31 08:46:35 +01:00
Daniel Stenberg
cff89bc088
cookie: replace use of fgets() with custom version
... that will ignore lines that are too long to fit in the buffer.
CVE-2016-8615
Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
811a693b80
strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af
strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insensitive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
1833a45dde
ftp: check for previous patch must be case sensitive!
... otherwise example.com/PATH and example.com/path would be assumed to
be the same and they usually aren't!
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ce8d09483e
SSH: check md5 fingerprint case sensitively
2016-10-31 08:46:35 +01:00
Daniel Stenberg
b3ee26c5df
connectionexists: use case sensitive user/password comparisons
CVE-2016-8616
Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
efd24d5742
base64: check for integer overflow on large input
CVE-2016-8617
Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3d6460edee
krb5: avoid realloc(0)
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8732ec40db
aprintf: detect wrap-around when growing allocation
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ee4f76606c
range: reject char globs with missing end like '[L-]'
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
269a889104
glob_next_url: make sure to stay within the given output buffer
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fbb5f1aa03
range: prevent negative end number in a glob range
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
96a80b5a26
parsedate: handle cut off numbers better
... and don't read outside of the given buffer!
CVE-2016-8621
Bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536
escape: avoid using curl_easy_unescape() internally
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
53e71e47d6
unescape: avoid integer overflow
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
c5be3d7267
cookies: getlist() now holds deep copies of all cookies
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fba28277ca
TODO: remove IDNA2008
2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781
idn: switch to libidn2 use and IDNA2008 support
CVE-2016-8625
Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
42b650b9ea
test1246: verify URL parsing with host name ending with '#'
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e
urlparse: accept '#' as end of host name
'http://example.com#@127.0.0.1/x.txt ' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00
Jay Satiro
164ee10b0b
INTERNALS: better markdown (follow-up)
- Wrap more words with underscores in backticks.
Follow-up to 13f4913.
2016-10-31 00:38:27 -04:00
Daniel Stenberg
13f4913303
INTERNALS: better markdown
words with underscore need to be within `these`
Bug: https://github.com/curl/curl-www/issues/19
Reported-by: Jay Satiro
2016-10-30 23:46:11 +01:00
Jay Satiro
2e750ce452
mk-ca-bundle.vbs: Fix UTF-8 output
- Change initial message box to mention delay when downloading/parsing.
Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.
- Warn if OpenSSL is not present.
- Use a UTF-8 stream to make the ca-bundle data.
- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
---
This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.
This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.
Ref: https://github.com/curl/curl/pull/1012
2016-10-30 01:01:29 -04:00
Daniel Stenberg
d0623f856c
BINDINGS: converted to markdown
To make it render better on the web site, at the price of it becoming
slightly less readable as text.
2016-10-28 09:54:39 +02:00
Jay Satiro
568037f6af
CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
- Clarify that this option is only for HTTP/1.1 pipelining.
Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms
Assisted-by: Daniel Stenberg
2016-10-27 23:15:41 -04:00
Daniel Stenberg
4eb7657a13
KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
Closes #927
2016-10-27 23:47:59 +02:00
Daniel Stenberg
c443a8ce21
KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
Closes #893
2016-10-27 23:46:13 +02:00
Michael Osipov
905f493bd0
configure.in: Fix test syntax
Some versions of test allow == for equality, but others (such as the HP-UX
version) do not. Use a single = for correctness.
Error output:
checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.
2016-10-27 13:41:26 +02:00
Daniel Stenberg
a65db0bbcb
SECURITY: minor updates
- we allow the security push up to 48 hours before the release
- add a mention about possible pre-notifications
- lower case the 'curl-security' title
2016-10-27 10:21:52 +02:00
Andrei Sedoi
50ef91b59a
docs: fix req->data in multi-uv example
Closes #1088
2016-10-27 09:14:24 +02:00
Daniel Stenberg
62a8095e71
mbedtls: stop using deprecated include file
Reported-by: wyattoday
Fixes #1087
2016-10-26 23:38:04 +02:00
Martin Frodl
eb84412b33
nss: fix tight loop in non-blocking TLS handshake over proxy
... in case the handshake completes before entering
CURLM_STATE_PROTOCONNECT
Bug: https://bugzilla.redhat.com/1388162
2016-10-25 11:56:37 +02:00