Daniel Stenberg
6b52b7eb2b
metalink: simplify the hex parsing function
...
... and now it avoids using the libcurl toupper() function
2016-11-02 00:31:49 +01:00
Michael Kaufmann
f9e51fb55d
file: fix compiler warning
...
follow-up to 46133aa5
2016-11-01 20:40:26 +01:00
Dan Fandrich
e44bfc7664
strcase: fixed Metalink builds by redefining checkprefix()
...
...to use the public function curl_strnequal(). This isn't ideal because
it adds extra overhead to any internal calls to checkprefix.
follow-up to 95bd2b3e
2016-11-01 11:44:11 +01:00
Daniel Stenberg
e5c49b9e69
curl.1: typo
2016-11-01 10:27:40 +01:00
Daniel Stenberg
b744950f43
curl.1: expand on how multiple uses of -o looks
...
Suggested-by: Dan Jacobson
Issue: https://github.com/curl/curl/issues/1097
2016-11-01 10:24:49 +01:00
Daniel Stenberg
07b95ea268
tests/util: get a private strncasecompare clone
...
... since the curlx_* code no longer provides one and we don't link
libcurl to these test servers.
2016-10-31 23:49:54 +01:00
Daniel Stenberg
95bd2b3e7f
strcase: make the tool use curl_str[n]equal instead
...
As they are after all part of the public API. Saves space and reduces
complexity. Remove the strcase defines from the curlx_ family.
Suggested-by: Dan Fandrich
Idea: https://curl.haxx.se/mail/lib-2016-10/0136.html
2016-10-31 21:51:19 +01:00
Kamil Dudka
1071680946
gskit, nss: do not include strequal.h
...
follow-up to 811a693b80
2016-10-31 17:36:22 +01:00
Dan Fandrich
47a21ca9ba
strcasecompare: include curl.h in strcase.c
...
This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
link error on Windows because of the missing CURL_EXTERN on the
prototype.
2016-10-31 15:21:13 +01:00
Daniel Stenberg
64c2d24c42
strcase: fix the remaining rawstr users
2016-10-31 15:19:26 +01:00
Daniel Stenberg
309d6e80d0
msvc builds: s/rawstr/strcase
...
Follow-up to 811a693b
2016-10-31 13:35:26 +01:00
Dan Fandrich
9363f1a37f
strcasecompare: replaced remaining rawstr.h with strcase.h
...
This is a followup to commit 811a693b
2016-10-31 12:57:58 +01:00
Marcel Raad
4f97d9832c
digest_sspi: fix include
...
Fix compile break from 811a693b80
2016-10-31 12:51:27 +01:00
Dan Fandrich
52a2c2fb51
libauthretry: use the external function curl_strequal
...
The internal version strcasecompare isn't available outside libcurl
2016-10-31 12:44:18 +01:00
Daniel Stenberg
9934f4fe9f
RELEASE-NOTES: synced with d14538d250
2016-10-31 10:50:32 +01:00
Daniel Stenberg
d14538d250
configure: raise the default minimum version for macos to 10.8
...
follow-up to 4f8d0b6f02
. Since the darwinssl code breaks
otherwise. If you build without darwinssl 10.5 works fine.
2016-10-31 10:19:22 +01:00
Daniel Stenberg
06bc2100d2
unit1301: keep testing curl_strequal
...
as that is still part of the API, fix from 8fe4bd0844
2016-10-31 09:53:34 +01:00
Daniel Stenberg
cce5250f6a
ldap: fix include
...
Fix bug from 811a693b80
2016-10-31 09:50:41 +01:00
Daniel Stenberg
c27013c05d
url: remove unconditional idn2.h include
...
Mistake brought by 9c91ec7781
2016-10-31 09:50:12 +01:00
Daniel Stenberg
8fe4bd0844
curl_strequal: part of public API/ABI, needs to be kept
...
These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.
2016-10-31 09:45:17 +01:00
Daniel Stenberg
44c53cc38b
strcase: s/strequal/strcasecompare
...
some more follow-ups to 811a693b80
2016-10-31 09:37:54 +01:00
Daniel Stenberg
532491a27c
ldap: fix strcase use
...
follow-up to 811a693b80
2016-10-31 09:30:36 +01:00
Daniel Stenberg
ad16f89791
test165: adapted to the libidn2 use and IDNA2008 fix
2016-10-31 08:46:35 +01:00
Daniel Stenberg
cff89bc088
cookie: replace use of fgets() with custom version
...
... that will ignore lines that are too long to fit in the buffer.
CVE-2016-8615
Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
811a693b80
strcasecompare: all case insensitive string compares ignore locale now
...
We had some confusions on when each function was used. We should not act
differently on different locales anyway.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
502acba2af
strcasecompare: is the new name for strequal()
...
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
1833a45dde
ftp: check for previous patch must be case sensitive!
...
... otherwise example.com/PATH and example.com/path would be assumed to
be the same and they usually aren't!
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ce8d09483e
SSH: check md5 fingerprint case sensitively
2016-10-31 08:46:35 +01:00
Daniel Stenberg
b3ee26c5df
connectionexists: use case sensitive user/password comparisons
...
CVE-2016-8616
Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
efd24d5742
base64: check for integer overflow on large input
...
CVE-2016-8617
Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3d6460edee
krb5: avoid realloc(0)
...
If the requested size is zero, bail out with error instead of doing a
realloc() that would cause a double-free: realloc(0) acts as a free()
and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8732ec40db
aprintf: detect wrap-around when growing allocation
...
On 32bit systems we could otherwise wrap around after 2GB and allocate 0
bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
ee4f76606c
range: reject char globs with missing end like '[L-]'
...
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
269a889104
glob_next_url: make sure to stay within the given output buffer
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fbb5f1aa03
range: prevent negative end number in a glob range
...
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
96a80b5a26
parsedate: handle cut off numbers better
...
... and don't read outside of the given buffer!
CVE-2016-8621
bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn
2016-10-31 08:46:35 +01:00
Daniel Stenberg
46133aa536
escape: avoid using curl_easy_unescape() internally
...
Since the internal Curl_urldecode() function has a better API.
2016-10-31 08:46:35 +01:00
Daniel Stenberg
53e71e47d6
unescape: avoid integer overflow
...
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
c5be3d7267
cookies: getlist() now holds deep copies of all cookies
...
Previously it only held references to them, which was reckless as the
thread lock was released so the cookies could get modified by other
handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53
2016-10-31 08:46:35 +01:00
Daniel Stenberg
fba28277ca
TODO: remove IDNA2008
2016-10-31 08:46:35 +01:00
Daniel Stenberg
9c91ec7781
idn: switch to libidn2 use and IDNA2008 support
...
CVE-2016-8625
Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes
2016-10-31 08:46:35 +01:00
Daniel Stenberg
42b650b9ea
test1246: verify URL parsing with host name ending with '#'
2016-10-31 08:46:35 +01:00
Daniel Stenberg
3bb273db7e
urlparse: accept '#' as end of host name
...
'http://example.com#@127.0.0.1/x.txt ' equals a request to example.com
for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
2016-10-31 08:46:35 +01:00
Jay Satiro
164ee10b0b
INTERNALS: better markdown (follow-up)
...
- Wrap more words with underscores in backticks.
Follow-up to 13f4913
.
2016-10-31 00:38:27 -04:00
Daniel Stenberg
13f4913303
INTERNALS: better markdown
...
words with underscore need to be within `these`
Bug: https://github.com/curl/curl-www/issues/19
Reported-by : Jay Satiro
2016-10-30 23:46:11 +01:00
Jay Satiro
2e750ce452
mk-ca-bundle.vbs: Fix UTF-8 output
...
- Change initial message box to mention delay when downloading/parsing.
Since there is no progress meter it was somewhat unexpected that after
choosing a filename nothing appears to happen, when actually the cert
data is in the process of being downloaded and parsed.
- Warn if OpenSSL is not present.
- Use a UTF-8 stream to make the ca-bundle data.
- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.
---
This is a follow-up to d2c6d15
which switched mk-ca-bundle.vbs output to
ANSI due to corrupt UTF-8 output, now fixed.
This change completes making the default certificate bundle output of
mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which
should make it easier to review any difference between their output.
Ref: https://github.com/curl/curl/pull/1012
2016-10-30 01:01:29 -04:00
Daniel Stenberg
d0623f856c
BINDINGS: converted to markdown
...
To make it render better on the web site, at the price of it becoming
slightly less readable as text.
2016-10-28 09:54:39 +02:00
Jay Satiro
568037f6af
CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2
...
- Clarify that this option is only for HTTP/1.1 pipelining.
Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms
Assisted-by: Daniel Stenberg
2016-10-27 23:15:41 -04:00
Daniel Stenberg
4eb7657a13
KNOWN_BUGS: HTTP/2 server push enabled when no pushes can be accepted
...
Closes #927
2016-10-27 23:47:59 +02:00
Daniel Stenberg
c443a8ce21
KNOWN_BUGS: c-ares deviates from stock resolver on http://1346569778
...
Closes #893
2016-10-27 23:46:13 +02:00