1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 16:18:48 -05:00
Commit Graph

9085 Commits

Author SHA1 Message Date
Daniel Stenberg
44c53cc38b strcase: s/strequal/strcasecompare
some more follow-ups to 811a693b80
2016-10-31 09:37:54 +01:00
Daniel Stenberg
532491a27c ldap: fix strcase use
follow-up to 811a693b80
2016-10-31 09:30:36 +01:00
Daniel Stenberg
cff89bc088 cookie: replace use of fgets() with custom version
... that will ignore lines that are too long to fit in the buffer.

CVE-2016-8615

Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
811a693b80 strcasecompare: all case insensitive string compares ignore locale now
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
1833a45dde ftp: check for previous patch must be case sensitive!
... otherwise example.com/PATH and example.com/path would be assumed to
be the same and they usually aren't!
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ce8d09483e SSH: check md5 fingerprint case sensitively 2016-10-31 08:46:35 +01:00
Daniel Stenberg
b3ee26c5df connectionexists: use case sensitive user/password comparisons
CVE-2016-8616

Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
efd24d5742 base64: check for integer overflow on large input
CVE-2016-8617

Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3d6460edee krb5: avoid realloc(0)
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.

CVE-2016-8619

Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8732ec40db aprintf: detect wrap-around when growing allocation
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.

CVE-2016-8618

Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
96a80b5a26 parsedate: handle cut off numbers better
... and don't read outside of the given buffer!

CVE-2016-8621

bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536 escape: avoid using curl_easy_unescape() internally
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
53e71e47d6 unescape: avoid integer overflow
CVE-2016-8622

Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
c5be3d7267 cookies: getlist() now holds deep copies of all cookies
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.

CVE-2016-8623

Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781 idn: switch to libidn2 use and IDNA2008 support
CVE-2016-8625

Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e urlparse: accept '#' as end of host name
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.

CVE-2016-8624

Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00
Jay Satiro
2e750ce452 mk-ca-bundle.vbs: Fix UTF-8 output
- Change initial message box to mention delay when downloading/parsing.

Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.

- Warn if OpenSSL is not present.

- Use a UTF-8 stream to make the ca-bundle data.

- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d15 which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.

This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.

Ref: https://github.com/curl/curl/pull/1012
2016-10-30 01:01:29 -04:00
Daniel Stenberg
62a8095e71 mbedtls: stop using deprecated include file
Reported-by: wyattoday
Fixes #1087
2016-10-26 23:38:04 +02:00
Martin Frodl
eb84412b33 nss: fix tight loop in non-blocking TLS handhsake over proxy
... in case the handshake completes before entering
CURLM_STATE_PROTOCONNECT

Bug: https://bugzilla.redhat.com/1388162
2016-10-25 11:56:37 +02:00
Jay Satiro
d2c6d1568e mk-ca-bundle: Update the vbscript version
Bring the VBScript version more in line with the perl version:

- Change timestamp to UTC.

- Change URL retrieval to HTTPS-only by default.

- Comment out the options that disabled SSL cert checking by default.

- Assume OpenSSL is present, get SHA256. And add a flag to toggle it.

- Fix cert issuer name output.

The cert issuer output is now ansi, converted from UTF-8. Prior to this
it was corrupt UTF-8. It turns out though we can work with UTF-8 the
FSO object that writes ca-bundle can't write UTF-8, so there will have
to be some alternative if UTF-8 is needed (like an ADODB.Stream).

- Disable the certificate text info feature.

The certificate text info doesn't work properly with any recent OpenSSL.
2016-10-25 03:17:26 -04:00
Jay Satiro
1ad2bdcf11 mk-ca-bundle: Change URL retrieval to HTTPS-only by default
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

Prior to this change the default URL retrieval mode was to fall back to
HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc

Closes #1012
2016-10-24 09:41:03 +02:00
Daniel Stenberg
6290c3c26b multi: force connections to get closed in close_all_connections
Several independent reports on infinite loops hanging in the
close_all_connections() function when closing a multi handle, can be
fixed by first marking the connection to get closed before calling
Curl_disconnect.

This is more fixing-the-symptom rather than the underlying problem
though.

Bug: https://curl.haxx.se/mail/lib-2016-10/0011.html
Bug: https://curl.haxx.se/mail/lib-2016-10/0059.html

Reported-by: Dan Fandrich, Valentin David, Miloš Ljumović
2016-10-22 16:10:57 +02:00
Anders Bakken
406506ca92 curl_multi_remove_handle: fix a double-free
In short the easy handle needs to be disconnected from its connection at
this point since the connection still is serving other easy handles.

In our app we can reliably reproduce a crash in our http2 stress test
that is fixed by this change. I can't easily reproduce the same test in
a small example.

This is the gdb/asan output:

==11785==ERROR: AddressSanitizer: heap-use-after-free on address 0xe9f4fb80 at pc 0x09f41f19 bp 0xf27be688 sp 0xf27be67c
READ of size 4 at 0xe9f4fb80 thread T13 (RESOURCE_HTTP)
    #0 0x9f41f18 in curl_multi_remove_handle /path/to/source/3rdparty/curl/lib/multi.c:666

0xe9f4fb80 is located 0 bytes inside of 1128-byte region [0xe9f4fb80,0xe9f4ffe8)
freed by thread T13 (RESOURCE_HTTP) here:
    #0 0xf7b1b5c2 in __interceptor_free /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x9f7862d in conn_free /path/to/source/3rdparty/curl/lib/url.c:2808
    #2 0x9f78c6a in Curl_disconnect /path/to/source/3rdparty/curl/lib/url.c:2876
    #3 0x9f41b09 in multi_done /path/to/source/3rdparty/curl/lib/multi.c:615
    #4 0x9f48017 in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1896
    #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
    #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
    #7 0x9c445e0 in ...
    #8 0x9c4cf1d in ...
    #9 0xa2be6b5 in ...
    #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
    #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)

previously allocated by thread T13 (RESOURCE_HTTP) here:
    #0 0xf7b1ba27 in __interceptor_calloc /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_malloc_linux.cc:70
    #1 0x9f7dfa6 in allocate_conn /path/to/source/3rdparty/curl/lib/url.c:3904
    #2 0x9f88ca0 in create_conn /path/to/source/3rdparty/curl/lib/url.c:5797
    #3 0x9f8c928 in Curl_connect /path/to/source/3rdparty/curl/lib/url.c:6438
    #4 0x9f45a8c in multi_runsingle /path/to/source/3rdparty/curl/lib/multi.c:1411
    #5 0x9f490f1 in curl_multi_perform /path/to/source/3rdparty/curl/lib/multi.c:2123
    #6 0x9c4443c in perform /path/to/source/src/net/resourcemanager/ResourceManagerCurlThread.cpp:854
    #7 0x9c445e0 in ...
    #8 0x9c4cf1d in ...
    #9 0xa2be6b5 in ...
    #10 0xf7aa5780 in asan_thread_start /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
    #11 0xf4d3a16d in __clone (/lib/i386-linux-gnu/libc.so.6+0xe716d)

SUMMARY: AddressSanitizer: heap-use-after-free /path/to/source/3rdparty/curl/lib/multi.c:666 in curl_multi_remove_handle
Shadow bytes around the buggy address:
  0x3d3e9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x3d3e9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3d3e9f70:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x3d3e9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11785==ABORTING

Thread 14 "RESOURCE_HTTP" received signal SIGABRT, Aborted.
[Switching to Thread 0xf27bfb40 (LWP 12324)]
0xf7fd8be9 in __kernel_vsyscall ()
 (gdb) bt
 #0  0xf7fd8be9 in __kernel_vsyscall ()
 #1  0xf4c7ee89 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c:54
 #2  0xf4c803e7 in __GI_abort () at abort.c:89
 #3  0xf7b2ef2e in __sanitizer::Abort () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:122
 #4  0xf7b262fa in __sanitizer::Die () at /opt/toolchain/src/gcc-6.2.0/libsanitizer/sanitizer_common/sanitizer_common.cc:145
 #5  0xf7b21ab3 in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0xf27be171, __in_chrg=<optimized out>) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:689
 #6  0xf7b214a5 in __asan::ReportGenericError (pc=166993689, bp=4068206216, sp=4068206204, addr=3925146496, is_write=false, access_size=4, exp=0, fatal=true) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_report.cc:1074
 #7  0xf7b21fce in __asan::__asan_report_load4 (addr=3925146496) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_rtl.cc:129
 #8  0x09f41f19 in curl_multi_remove_handle (multi=0xf3406080, data=0xde582400) at /path/to/source3rdparty/curl/lib/multi.c:666
 #9  0x09f6b277 in Curl_close (data=0xde582400) at /path/to/source3rdparty/curl/lib/url.c:415
 #10 0x09f3354e in curl_easy_cleanup (data=0xde582400) at /path/to/source3rdparty/curl/lib/easy.c:860
 #11 0x09c6de3f in ...
 #12 0x09c378c5 in ...
 #13 0x09c48133 in ...
 #14 0x09c4d092 in ...
 #15 0x0a2be6b6 in ...
 #16 0xf7aa5781 in asan_thread_start (arg=0xf2d22938) at /opt/toolchain/src/gcc-6.2.0/libsanitizer/asan/asan_interceptors.cc:226
 #17 0xf5de52b5 in start_thread (arg=0xf27bfb40) at pthread_create.c:333
 #18 0xf4d3a16e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:114

Fixes #1083
2016-10-22 15:50:22 +02:00
Daniel Stenberg
5c3d8d20a6 curl_multi_add_handle: set timeouts in closure handles
The closure handle only ever has default timeouts set. To improve the
state somewhat we clone the timeouts from each added handle so that the
closure handle always has the same timeouts as the most recently added
easy handle.

Fixes #739
2016-10-19 14:43:49 +02:00
Daniel Stenberg
0f1996321f s/cURL/curl
The tool was never called cURL, only the project. But even so, we have
more and more over time switched to just use lower case.
2016-10-18 13:59:54 +02:00
Daniel Stenberg
88753c1e89 polarssl: indented code, removed unused variables 2016-10-18 13:27:51 +02:00
Daniel Stenberg
8748d4787f polarssl: reduce #ifdef madness with a macro 2016-10-18 13:17:05 +02:00
Daniel Stenberg
1e3161a20d polarssl: fix unaligned SSL session-id lock 2016-10-18 13:14:11 +02:00
Daniel Stenberg
ace237ae4e Curl_polarsslthreadlock_thread_setup: clear array at init
... since if it fails to init the entire array and then tries to clean
it up, it would attempt to work on an uninitialized pointer.
2016-10-18 13:05:43 +02:00
Daniel Stenberg
9a509680f6 gopher: properly return error for poll failures 2016-10-18 11:14:48 +02:00
Daniel Stenberg
8a6e89a9eb select: switch to macros in uppercase
Curl_select_ready() was the former API that was replaced with
Curl_select_check() a while back and the former arg setup was provided
with a define (in order to leave existing code unmodified).

Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
common shortcuts where only one socket is checked. They're also more
visibly macros.
2016-10-18 11:05:45 +02:00
Daniel Stenberg
a05906190c select: use more proper macro-looking names
... so that it becomes more obvious in the code what is what. Also added
a typecast for one of the calculations.
2016-10-18 09:46:10 +02:00
Daniel Stenberg
9aa2afc3a5 Curl_socket_check: add extra check to avoid integer overflow 2016-10-18 09:45:34 +02:00
Jay Satiro
aec0c993cb url: skip to-be-closed connections when pipelining (follow-up)
- Change back behavior so that pipelining is considered possible for
connections that have not yet reached the protocol level.

This is a follow-up to e5f0b1a which had changed the behavior of
checking if pipelining is possible to ignore connections that had
'bits.close' set. Connections that have not yet reached the protocol
level also have that bit set, and we need to consider pipelining
possible on those connections.
2016-10-17 02:44:39 -04:00
Marcel Raad
422db18f15
win: fix Universal Windows Platform build
This fixes a merge error in commit 7f3df80 caused by commit 332e8d6.

Additionally, this changes Curl_verify_windows_version for Windows App
builds to assume to always be running on the target Windows version.
There seems to be no way to determine the Windows version from a
UWP app. Neither GetVersion(Ex), nor VerifyVersionInfo, nor the
Version Helper functions are supported.

Bug: https://github.com/curl/curl/pull/820#issuecomment-250889878
Reported-by: Paul Joyce

Closes https://github.com/curl/curl/pull/1048
2016-10-16 12:09:12 +02:00
Rider Linden
e5f0b1ab43 url: skip to-be-closed connections when pipelining
No longer attempt to use "doomed" to-be-closed connections when
pipelining. Prior to this change connections marked for deletion (e.g.
timeout) would be erroneously used, resulting in sporadic crashes.

As originally reported and fixed by Carlo Wood (origin unknown).

Bug: https://github.com/curl/curl/issues/627
Reported-by: Rider Linden

Closes https://github.com/curl/curl/pull/1075
Participation-by: nopjmp@users.noreply.github.com
2016-10-14 03:16:46 -04:00
Daniel Stenberg
1671d84b38 vtls: only re-use session-ids using the same scheme
To make it harder to do cross-protocol mistakes
2016-10-13 11:24:16 +02:00
Remo E
d522ff4690 cmake: add nghttp2 support
Closes #922
2016-10-10 19:47:31 +02:00
Andreas Streichardt
eb5199317e resolve: add error message when resolving using SIGALRM
Closes #1066
2016-10-10 14:14:20 +02:00
Tobias Stoeckmann
8272049062 smb: properly check incoming packet boundaries
Not all reply messages were properly checked for their lengths, which
made it possible to access uninitialized memory (but this does not lead
to out of boundary accesses).

Closes #1052
2016-10-09 00:14:26 +02:00
Daniel Stenberg
71588c9aef mprintf: return error on too many arguments
128 arguments should be enough for everyone
2016-10-08 20:47:04 +02:00
Daniel Stenberg
8238ba9c5f ftp: fix Curl_ftpsendf()
... it no longer takes printf() arguments since it was only really taken
advantage by one user and it was not written and used in a safe
way. Thus the 'f' is removed from the function name and the proto is
changed.

Although the current code wouldn't end up in badness, it was a risk that
future changes could end up springf()ing too large data or passing in a
format string inadvertently.
2016-10-08 15:13:46 +02:00
Daniel Stenberg
9885c9508e formpost: avoid silent snprintf() truncation
The previous use of snprintf() could make libcurl silently truncate some
input data and not report that back on overly large input, which could
make data get sent over the network in a bad format.

Example:

 $ curl --form 'a=b' -H "Content-Type: $(perl -e 'print "A"x4100')"
2016-10-08 13:00:45 +02:00
Daniel Stenberg
8fd2a754f0 memdup: use 'void *' as return and source type 2016-10-04 23:31:25 +02:00
Daniel Stenberg
bdf162af25 formpost: trying to attach a directory no longer crashes
The error path would previously add a freed entry to the linked list.

Reported-by: Toby Peterson

Fixes #1053
2016-10-04 09:13:02 +02:00
Sergei Kuzmin
54e48b14e1 cookies: same domain handling changed to match browser behavior
Cokie with the same domain but different tailmatching property are now
considered different and do not replace each other.  If header contains
following lines then two cookies will be set: Set-Cookie: foo=bar;
domain=.foo.com; expires=Thu Mar 3 GMT 8:56:27 2033 Set-Cookie: foo=baz;
domain=foo.com; expires=Thu Mar 3 GMT 8:56:27 2033

This matches Chrome, Opera, Safari, and Firefox behavior. When sending
stored tokens to foo.com Chrome, Opera, Firefox store send them in the
stored order, while Safari pre-sort the cookies.

Closes #1050
2016-10-03 16:49:35 +02:00
Michael Kaufmann
e9e5366193 New libcurl option to keep sending on error
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
sending the request body shall be completed when the server responds
early with an error status code.

This is suitable for manual NTLM authentication.

Reviewed-by: Jay Satiro

Closes https://github.com/curl/curl/pull/904
2016-09-22 22:22:31 +02:00
Kamil Dudka
d1f1c857ad nss: add chacha20-poly1305 cipher suites if supported by NSS 2016-09-22 10:20:12 +02:00
Kamil Dudka
049aa92546 nss: add cipher suites using SHA384 if supported by NSS 2016-09-22 10:17:26 +02:00
Kamil Dudka
7591220270 nss: fix typo in ecdhe_rsa_null cipher suite string
As it seems to be a rarely used cipher suite (for securely established
but _unencrypted_ connections), I believe it is fine not to provide an
alias for the misspelled variant.
2016-09-22 10:17:26 +02:00
Jay Satiro
22cfeac730 easy: Reset all statistical session info in curl_easy_reset
Bug: https://github.com/curl/curl/issues/1017
Reported-by: Jeroen Ooms
2016-09-20 01:14:01 -04:00
Daniel Gustafsson
79607eec51 darwinssl: Fix typo in comment
Closes https://github.com/curl/curl/pull/1028
2016-09-19 17:06:00 -04:00
Bernard Spil
01c8db47aa libressl: fix version output
LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
versions returning `LibreSSL/2.0.0` for any LibreSSL version.

This change provides a local OpenSSL_version_num function replacement
returning LIBRESSL_VERSION_NUMBER instead.

Closes #1029
2016-09-19 22:47:35 +02:00
Daniel Stenberg
a2b360f890 openssl: don't call ERR_remote_thread_state on >= 1.1.0
Follow-up fix to d9321562
2016-09-19 14:32:59 +02:00
Daniel Stenberg
de71e68000 openssl: don’t call CRYTPO_cleanup_all_ex_data
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
multiple times without crashing - and other libs might call it! We
basically cannot call it without risking a crash. The function is a
no-op since OpenSSL 1.1.0.

Not calling this function only risks a small memory leak with OpenSSL <
1.1.0.

Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
Reported-by: Todd Short
2016-09-19 11:33:14 +02:00
Nick Zitzmann
227ee9d84d darwinssl: disable RC4 cipher-suite support
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-18 15:01:03 -05:00
Daniel Stenberg
f423a00971 http2: debug ouput sent HTTP/2 request headers 2016-09-16 09:00:20 +02:00
Daniel Stenberg
d4c5a91722 http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
... but don't send the actual header over the wire as it isn't accepted.
Chunked uploading is still triggered using this method.

Fixes #1013
Fixes #662
2016-09-16 09:00:20 +02:00
Daniel Stenberg
d93215621f openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
so we need to clean it when easy handles are freed, in case the thread
will be killed in which the easy handle was used. All OpenSSL code in
libcurl should extract the error in association with the error already
so clearing this queue here should be harmless at worst.

Fixes #964
2016-09-14 14:35:44 +02:00
Daniel Stenberg
01cf1308ee curl_easy_unescape: deny negative string lengths as input
CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14 07:49:43 +02:00
Daniel Stenberg
826a9ced2b curl_easy_escape: deny negative string lengths as input
CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14 07:49:43 +02:00
Tony Kelman
665694979b mbedtls: switch off NTLM in build if md4 isn't available
NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
is built with the MD4 functions available, which it isn't in default
builds. This now adapts if the funtion isn't there and builds libcurl
without NTLM support if so.

Fixes #1004
2016-09-12 23:08:10 +02:00
Daniel Stenberg
a8e751a51a http: refuse to pass on response body with NO_NODY was set
... like when a HTTP/0.9 response comes back without any headers at all
and just a body this now prevents that body from being sent to the
callback etc.

Adapted test 1144 to verify.

Fixes #973

Assisted-by: Ray Satiro
2016-09-11 12:02:07 +02:00
Jakub Zakrzewski
6140dfcf3e CMake: Try to (un-)hide private library symbols
Detect support for compiler symbol visibility flags and apply those
according to CURL_HIDDEN_SYMBOLS option.
It should work true to the autotools build except it tries to unhide
symbols on Windows when requested and prints warning if it fails.

Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
Reported-by: Daniel Stenberg
2016-09-10 00:35:38 +02:00
Daniel Stenberg
83ef21e5e9 openssl: fix bad memory free (regression)
... by partially reverting f975f06033. The allocation could be made by
OpenSSL so the free must be made with OPENSSL_free() to avoid problems.

Reported-by: Harold Stuart
Fixes #1005
2016-09-09 23:35:10 +02:00
Daniel Stenberg
85033bcfcc http2: support > 64bit sized uploads
... by making sure we don't count down the "upload left" counter when the
uploaded size is unknown and then it can be allowed to continue forever.

Fixes #996
2016-09-09 15:41:39 +02:00
Jay Satiro
af2d679e14 errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
more of a generic "failed to parse" introduce an alias without FTP in
the name.

Closes https://github.com/curl/curl/pull/975
2016-09-07 21:24:27 -04:00
Daniel Stenberg
5871dfcc16 checksrc: detect strtok() use
... as that function slipped through once before.
2016-09-07 10:41:57 +02:00
Viktor Szakats
8fa20da8e1 mk-ca-bundle.pl: use SHA256 instead of SHA1
This hash is used to verify the original downloaded certificate bundle
and also included in the generated bundle's comment header. Also
rename related internal symbols to algorithm-agnostic names.
2016-09-07 10:41:11 +02:00
Gaurav Malhotra
8e176a7c79 openssl: fix CURLINFO_SSL_VERIFYRESULT
CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
result when SSL_connect fails because of a certificate verification
error.

This fix saves the result of SSL_get_verify_result so that it is
returned by CURLINFO_SSL_VERIFYRESULT.

Closes https://github.com/curl/curl/pull/995
2016-09-06 16:17:37 -04:00
Daniel Gustafsson
022dbdb8ac darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
While noErr and errSecSuccess are defined as the same value, the API
documentation states that SecPKCS12Import() returns errSecSuccess if
there were no errors in importing. Ensure that a future change of the
defined value doesn't break (however unlikely) and be consistent with
the API docs.
2016-09-06 10:37:31 +02:00
Marcel Raad
4af389353a openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
now called OpenSSL_version_num().

[1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
[2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html

Closes #992
2016-09-05 22:51:12 +02:00
Daniel Stenberg
3d4c0c8b9b http2: return EOF when done uploading without known size
Fixes #982
2016-09-05 14:32:32 +02:00
Daniel Stenberg
03bb481598 http2: skip the content-length parsing, detect unknown size 2016-09-05 13:55:24 +02:00
Daniel Stenberg
cd5c03aa6d http2: minor white space edit 2016-09-05 11:08:50 +02:00
Daniel Stenberg
71e2acaad6 http2: use named define instead of magic constant in read callback 2016-09-05 11:08:17 +02:00
Olivier Brunel
4b86113f5e speed caps: not based on average speeds anymore
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE &
CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits
with the cumulative average speed of the entire transfer; While this
might work at times with good/constant connections, in other cases it
can result to the limits simply being "ignored" for more than "short
bursts" (as told in man page).

Consider a download that goes on much slower than the limit for some
time (because bandwidth is used elsewhere, server is slow, whatever the
reason), then once things get better, curl would simply ignore the limit
up until the average speed (since the beginning of the transfer) reached
the limit.  This could prove the limit useless to effectively avoid
using the entire bandwidth (at least for quite some time).

So instead, we now use a "moving starting point" as reference, and every
time at least as much as the limit as been transferred, we can reset
this starting point to the current position. This gets a good limiting
effect that applies to the "current speed" with instant reactivity (in
case of sudden speed burst).

Closes #971
2016-09-04 13:11:23 +02:00
Steve Holme
ef5d3facd5 curl_sspi.c: Updated function description comments
* Added description to Curl_sspi_free_identity()
* Added parameter and return explanations to Curl_sspi_global_init()
* Added parameter explaination to Curl_sspi_global_cleanup()
2016-08-31 11:57:28 +01:00
Daniel Stenberg
c69cafe7e2 connect: fix #ifdefs for debug versions of conn/streamclose() macros
CURLDEBUG is for the memory debugging

DEBUGBUILD is for the extra debug stuff

Pointed-out-by: Steve Holme
2016-08-30 23:38:06 +02:00
Daniel Stenberg
0d729d9e01 http2: return CURLE_HTTP2_STREAM for unexpected stream close
Follow-up to c3e906e9cd, seems like a more appropriate error code

Suggested-by: Jay Satiro
2016-08-28 23:29:38 +02:00
Tatsuhiro Tsujikawa
c3e906e9cd http2: handle closed streams when uploading
Fixes #986
2016-08-28 17:59:34 +02:00
Daniel Stenberg
3533def3d5 http2: make sure stream errors don't needlessly close the connection
With HTTP/2 each transfer is made in an indivial logical stream over the
connection, making most previous errors that caused the connection to get
forced-closed now instead just kill the stream and not the connection.

Fixes #941
2016-08-28 16:44:49 +02:00
Daniel Stenberg
a6ddd6555e Curl_verify_windows_version: minor edit to avoid compiler warnings
... instead of if() before the switch(), add a default to the switch so
that the compilers don't warn on "warning: enumeration value
'PLATFORM_DONT_CARE' not handled in switch" anymore.
2016-08-27 18:08:16 +02:00
Jay Satiro
895168bfd3 schannel: Disable ALPN for Wine since it is causing problems
- Disable ALPN on Wine.

- Don't pass input secbuffer when ALPN is disabled.

When ALPN support was added a change was made to pass an input secbuffer
to initialize the context. When ALPN is enabled the buffer contains the
ALPN information, and when it's disabled the buffer is empty. In either
case this input buffer caused problems with Wine and connections would
not complete.

Bug: https://github.com/curl/curl/issues/983
Reported-by: Christian Fillion
2016-08-26 15:35:16 -04:00
Peter Wang
3a5d5de9ef nss: work around race condition in PK11_FindSlotByName()
Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
a multi-threaded environment. The underlying cause is a race condition
in nssSlot_IsTokenPresent().

Bug: https://bugzilla.mozilla.org/1297397

Closes #985
2016-08-26 14:42:22 +02:00
Kamil Dudka
7700fcba64 nss: refuse previously loaded certificate from file
... when we are not asked to use a certificate from file
2016-08-26 13:30:27 +02:00
Daniel Stenberg
822082d832 ftp_done: remove dead code 2016-08-26 12:26:21 +02:00
Daniel Stenberg
39ba8dd09b TLS: random file/egd doesn't have to match for conn reuse 2016-08-26 10:01:19 +02:00
Michael Kaufmann
7bda07b046 HTTP: stop parsing headers when switching to unknown protocols
- unknown protocols probably won't send more headers (e.g. WebSocket)
- improved comments and moved them to the correct case statements

Closes #899
2016-08-25 14:49:39 +02:00
Daniel Stenberg
9cb851e371 openssl: make build with 1.1.0 again
synced with OpenSSL git master commit cc06906707
2016-08-25 12:27:31 +02:00
Jay Satiro
2c36cb1cbb http2: Remove incorrect comments
.. also remove same from scp
2016-08-25 02:43:19 -04:00
Ales Novak
7ad50a61f2 ftp: fix wrong poll on the secondary socket
When we're uploading using FTP and the server issues a tiny pause
between opening the connection to the client's secondary socket, the
client's initial poll() times out, which leads to second poll() which
does not wait for POLLIN on the secondary socket. So that poll() also
has to time out, creating a long (200ms) pause.

This patch adds the correct flag to the secondary socket, making the
second poll() correctly wait for the connection there too.

Signed-off-by: Ales Novak <alnovak@suse.cz>

Closes #978
2016-08-23 15:31:07 +02:00
Marco Deckel
7f3df80408 win: Basic support for Universal Windows Platform apps
Closes #820
2016-08-21 13:56:22 +02:00
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
43dbd76616 vauth: Added check for supported SSPI based authentication mechanisms
Completing commit 00417fd66c and 2708d4259b.
2016-08-21 10:27:09 +01:00
Steve Holme
317795d1bf http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
From commit 2708d4259b.
2016-08-21 10:25:45 +01:00
Marc Hoersken
b820e40f34 socks.c: display the hostname returned by the SOCKS5 proxy server
Instead of displaying the requested hostname the one returned
by the SOCKS5 proxy server is used in case of connection error.
The requested hostname is displayed earlier in the connection sequence.

The upper-value of the port is moved to a temporary variable and
replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 21:38:43 +02:00
Steve Holme
670802bd0b urldata.h: Corrected comment for httpcode which is also populated by SMTP
As of 7.25.0 and commit 5430007222.
2016-08-20 20:20:32 +01:00
Marc Hoersken
d6bf400e9f socks.c: use Curl_printable_address in SOCKS5 connection sequence
Replace custom string formatting with Curl_printable_address.
Add additional debug and error output in case of failures.
2016-08-20 21:15:00 +02:00
Marc Hoersken
213c27e487 socks.c: align SOCKS4 connection sequence with SOCKS5
Calling sscanf is not required since the raw IPv4 address is
available and the protocol can be detected using ai_family.
2016-08-20 21:15:00 +02:00
Steve Holme
c6b869ec79 http.c: Corrected indentation change from commit 2708d4259b
Made by Visual Studio's auto-correct feature and missed by me in my own
code reviews!
2016-08-20 19:34:54 +01:00
Steve Holme
2708d4259b http: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the HTTP authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

As per commit 00417fd66c existing functionality is maintained for now.
2016-08-20 19:15:13 +01:00
Marc Hoersken
d1bfb1cf54 socks.c: improve verbose output of SOCKS5 connection sequence 2016-08-20 20:07:10 +02:00
Steve Holme
00417fd66c sasl: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the SASL authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

For now existing functionality is maintained.
2016-08-20 14:02:44 +01:00
Miroslav Franc
0796a99317 spnego_sspi: fix memory leak in case *outlen is zero (#970) 2016-08-19 14:46:07 +02:00
Steve Holme
a0f212946b vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
As Windows SSPI authentication calls fail when a particular mechanism
isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
and Negotiate to allow both HTTP and SASL authentication the opportunity
to query support for a supported mechanism before selecting it.

For now each function returns TRUE to maintain compatability with the
existing code when called.
2016-08-18 20:31:20 +01:00
Daniel Stenberg
667fcb04a6 nss: make the global variables static 2016-08-17 10:50:06 +02:00
Daniel Stenberg
f975f06033 openssl: use regular malloc instead of OPENSSL_malloc
This allows for better memmory debugging and torture tests.
2016-08-16 10:58:33 +02:00
Daniel Stenberg
93b0d907d5 Revert "Proxy-Connection: stop sending this header by default"
This reverts commit 113f04e664.
2016-08-16 08:36:04 +02:00
Daniel Stenberg
321c897c06 proxy: polished the error message for unsupported schemes
Follow up to a96319ebb9
2016-08-15 11:11:46 +02:00
Daniel Stenberg
a96319ebb9 proxy: reject attempts to use unsupported proxy schemes
I discovered some people have been using "https://example.com" style
strings as proxy and it "works" (curl doesn't complain) because curl
ignores unknown schemes and then assumes plain HTTP instead.

I think this misleads users into believing curl uses HTTPS to proxies
when it doesn't. Now curl rejects proxy strings using unsupported
schemes instead of just ignoring and defaulting to HTTP.
2016-08-15 10:46:27 +02:00
Marc Hoersken
b7ee5316c2 socks.c: Correctly calculate position of port in response packet
Third commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:07:11 +02:00
Marc Hoersken
cc3384a254 socks.c: Do not modify and invalidate calculated response length
Second commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:05:32 +02:00
Marc Hoersken
59580e12ba socks.c: Move error output after reading the whole response packet
First commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:01:13 +02:00
Jay Satiro
b6fcdc32eb openssl: accept subjectAltName iPAddress if no dNSName match
Undo change introduced in d4643d6 which caused iPAddress match to be
ignored if dNSName was present but did not match.

Also, if iPAddress is present but does not match, and dNSName is not
present, fail as no-match. Prior to this change in such a case the CN
would be checked for a match.

Bug: https://github.com/curl/curl/issues/959
Reported-by: wmsch@users.noreply.github.com
2016-08-13 02:14:46 -04:00
Daniel Stenberg
2c8ccdac14 rtsp: ignore whitespace in session id
Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
whitespace as well.

Help-by: Erik Janssen
2016-08-11 14:02:12 +02:00
Daniel Stenberg
31e33a9a46 HTTP: retry failed HEAD requests too
Mark's new document about HTTP Retries
(https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
spotted that we don't retry failed HEAD requests which seems totally
inconsistent and I can't see any reason for that separate treatment.

So, no separate treatment for HEAD starting now. A HTTP request sent
over a reused connection that gets cut off before a single byte is
received will be retried on a fresh connection.

Made-aware-by: Mark Nottingham
2016-08-11 08:33:36 +02:00
Erik Janssen
e577c43bb5 rtsp: accept any RTSP session id
Makes libcurl work in communication with gstreamer-based RTSP
servers. The original code validates the session id to be in accordance
with the RFC. I think it is better not to do that:

- For curl the actual content is a don't care.

- The clarity of the RFC is debatable, is $ allowed or only as \$, that
  is imho not clear

- Gstreamer seems to url-encode the session id but % is not allowed by
the RFC

- less code

With this patch curl will correctly handle real-life lines like:
Session: biTN4Kc.8%2B1w-AF.; timeout=60

Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
2016-08-10 08:58:10 +02:00
Jay Satiro
82617e7499 cmake: Enable win32 threaded resolver by default
- Turn on USE_THREADS_WIN32 in Windows if ares isn't on

This change is similar to what we already do in the autotools build.
2016-08-08 02:37:29 -04:00
Jay Satiro
11049e007a cmake: Enable win32 large file support by default
All compilers used by cmake in Windows should support large files.

- Add test SIZEOF_OFF_T
- Remove outdated test SIZEOF_CURL_OFF_T
- Turn on USE_WIN32_LARGE_FILES in Windows
- Check for 'Largefile' during the features output
2016-08-08 00:25:03 -04:00
Daniel Stenberg
ea45b4334f http2: always wait for readable socket
Since the server can at any time send a HTTP/2 frame to us, we need to
wait for the socket to be readable during all transfers so that we can
act on incoming frames even when uploading etc.

Reminded-by: Tatsuhiro Tsujikawa
2016-08-05 00:44:01 +02:00
Thomas Glanzmann
7b4bf37a44 mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
to 0.  This patch also adds a comment how mbedtls must be compiled in
order to make debugging work, and explains the possible debug levels.
2016-08-05 00:23:17 +02:00
Daniel Stenberg
4732ca5724 CURLOPT_TCP_NODELAY: now enabled by default
After a few wasted hours hunting down the reason for slowness during a
TLS handshake that turned out to be because of TCP_NODELAY not being
set, I think we have enough motivation to toggle the default for this
option. We now enable TCP_NODELAY by default and allow applications to
switch it off.

This also makes --tcp-nodelay unnecessary, but --no-tcp-nodelay can be
used to disable it.

Thanks-to: Tim Rühsen
Bug: https://curl.haxx.se/mail/lib-2016-06/0143.html
2016-08-05 00:12:57 +02:00
Serj Kalichev
edeabf741f TFTP: Fix upload problem with piped input
When input stream for curl is stdin and input stream is not a file but
generated by a script then curl can truncate data transfer to arbitrary
size since a partial packet is treated as end of transfer by TFTP.

Fixes #857
2016-08-04 00:30:31 +02:00
Daniel Stenberg
600bb4e852 mk-ca-bundle.pl: -m keeps ca cert meta data in output
Makes the script pass on comments holding meta data to the output
file. Like fingerprinters, issuer, date ranges etc.

Closes #937
2016-08-04 00:28:28 +02:00
Daniel Stenberg
bde2f09d5e multi: make Curl_expire() work with 0 ms timeouts
Previously, passing a timeout of zero to Curl_expire() was a magic code
for clearing all timeouts for the handle. That is now instead made with
the new Curl_expire_clear() function and thus a 0 timeout is fine to set
and will trigger a timeout ASAP.

This will help removing short delays, in particular notable when doing
HTTP/2.
2016-08-04 00:26:01 +02:00
Daniel Stenberg
6eb60c2dc5 transfer: return without select when the read loop reached maxcount
Regression added in 790d6de485. The was then added to avoid one
particular transfer to starve out others. But when aborting due to
reading the maxcount, the connection must be marked to be read from
again without first doing a select as for some protocols (like SFTP/SCP)
the data may already have been read off the socket.

Reported-by: Dan Donahue
Bug: https://curl.haxx.se/mail/lib-2016-07/0057.html
2016-08-04 00:23:27 +02:00
Bill Nagel
497e7c9d34 mbedtls: Added support for NTLM 2016-08-03 19:33:59 +01:00
Daniel Stenberg
11ec5ad435 TLS: only reuse connections with the same client cert
CVE-2016-5420
Bug: https://curl.haxx.se/docs/adv_20160803B.html
2016-08-03 00:34:27 +02:00
Daniel Stenberg
247d890da8 TLS: switch off SSL session id when client cert is used
CVE-2016-5419
Bug: https://curl.haxx.se/docs/adv_20160803A.html
Reported-by: Bru Rom
Contributions-by: Eric Rescorla and Ray Satiro
2016-08-03 00:34:27 +02:00
Daniel Stenberg
75dc096e01 curl_multi_cleanup: clear connection pointer for easy handles
CVE-2016-5421
Bug: https://curl.haxx.se/docs/adv_20160803C.html
Reported-by: Marcelo Echeverria and Fernando Muñoz
2016-08-03 00:34:27 +02:00
Thomas Glanzmann
aa9f536a18 mbedtls: Fix debug function name
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
defined.

Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
2016-08-01 13:16:42 -04:00
Martin Vejnár
608b11a91f win32: fix a potential memory leak in Curl_load_library
If a call to GetSystemDirectory fails, the `path` pointer that was
previously allocated would be leaked. This makes sure that `path` is
always freed.

Closes #938
2016-08-01 10:43:10 +02:00
Steve Holme
3fc845914a vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGO
As SPNEGO is only defined when these pre-processor variables are defined
there is no need to query them explicitly.
2016-07-23 21:29:16 +01:00
Steve Holme
25bf71ab07 spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
Typo introduced in commit ad5e9bfd5d.
2016-07-23 21:29:16 +01:00
Jay Satiro
c5cffce56e vauth: Fix memleak by freeing credentials if out of memory
This is a follow up to the parent commit dcdd4be which fixes one leak
but creates another by failing to free the credentials handle if out of
memory. Also there's a second location a few lines down where we fail to
do same. This commit fixes both of those issues.
2016-07-20 22:00:45 -04:00
Saurav Babu
dcdd4be352 vauth: Fixed memory leak due to function returning without free
This patch allocates memory to "output_token" only when it is required
so that memory is not leaked if function returns.
2016-07-20 23:21:49 +02:00
Jay Satiro
4ee203542d connect: disable TFO on Linux when using SSL
- Linux TFO + TLS is not implemented yet.

Bug: https://github.com/curl/curl/issues/907
2016-07-20 02:49:19 -04:00
Brian Prodoehl
c50980807c curl_global_init: Check if IPv6 works
- Curl_ipv6works() is not thread-safe until after the first call, so
call it once during global init to avoid a possible race condition.

Bug: https://github.com/curl/curl/issues/915
PR: https://github.com/curl/curl/pull/918
2016-07-18 02:42:28 -04:00
Miroslav Franc
bf430ecdef library: Fix memory leaks found during static analysis
Closes https://github.com/curl/curl/pull/913
2016-07-14 02:52:56 -04:00
Viktor Szakats
bcc8f485e5 cookie.c: Fix misleading indentation
Closes https://github.com/curl/curl/pull/911
2016-07-13 03:09:20 -04:00
Daniel Stenberg
6655e30691 conn: don't free easy handle data in handler->disconnect
Reported-by: Gou Lingfeng
Bug: https://curl.haxx.se/mail/lib-2016-06/0139.html
2016-06-29 23:13:09 +02:00
Michael Kaufmann
38685f86c8 cleanup: minor code cleanup in Curl_http_readwrite_headers()
- the expression of an 'if' was always true
- a 'while' contained a condition that was always true
- use 'if(k->exp100 > EXP100_SEND_DATA)' instead of 'if(k->exp100)'
- fixed a typo

Closes #889
2016-06-28 20:48:44 +02:00
Daniel Stenberg
b6ddc0ac07 SFTP: set a generic error when no SFTP one exists...
... as otherwise we could get a 0 which would count as no error and we'd
wrongly continue and could end up segfaulting.

Bug: https://curl.haxx.se/mail/lib-2016-06/0052.html
Reported-by: 暖和的和暖
2016-06-28 15:30:17 +02:00
Daniel Stenberg
7530ef5c15 Makefile.vc: link with crypt32.lib for winssl builds
Necessary since 6cabd78531

Fixes #853
2016-06-22 11:08:47 +02:00
Daniel Stenberg
05a69ce32c vc: fix the build for schannel certinfo support
Broken since 6cabd785, which adds use of the Curl_extract_certinfo
function from the x509asn1.c file.
2016-06-22 10:53:28 +02:00
Daniel Stenberg
80388edefc typedefs: use the full structs in internal code...
... and save the typedef'ed names for headers and external APIs.
2016-06-22 10:28:41 +02:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Jay Satiro
04b4ee5498 vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and
Curl_ssl_addsessionid regardless of whether session ID reusing was
enabled. According to comments that is in case session ID reuse was
disabled but then later enabled.

The old way was not intuitive and probably not something users expected.
When a user disables session ID caching I'd guess they don't expect the
session ID to be cached anyway in case the caching is later enabled.
2016-06-22 02:33:29 -04:00