Commits on Sep 25, 2017
  1. RELEASE-NOTES: synced with d8ab5dc

    bagder committed Sep 25, 2017
Commits on Sep 24, 2017
  1. tests: adjust .gitignore for new tests

    mkauf committed Sep 24, 2017
Commits on Sep 23, 2017
  1. ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header

    jay committed Sep 22, 2017
    .. and include the core NTLM header in all NTLM-related source files.
    Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
    but did not include vtls.h where it was defined.
    Closes #1911
  2. file_range: avoid integer overflow when figuring out byte range

    bagder committed Sep 22, 2017
    When trying to bump the value with one and the value is already at max,
    it causes an integer overflow.
    Closes #1908
    Detected by oss-fuzz:
    Assisted-by: Max Dymond
  3. tests: fix a compiler warning in test 643

    mkauf committed Sep 23, 2017
  4. symbols-in-versions: fix CURLSSLSET_NO_BACKENDS entry

    jay committed Sep 23, 2017
    - Use spaces instead of tabs as the delimiter.
    Follow up to 7c52b12 which added the entry. The entry had used tabs but
    the symbol-scan parser doesn't recognize tabs and would fail the symbol.
Commits on Sep 22, 2017
  1. metalink: fix NSS issue in MultiSSL builds

    vszakats committed Sep 12, 2017
    In MultiSSL mode (i.e. when more than one SSL backend is compiled
    in), we cannot use the compile time flag `USE_NSS` as indicator that
    the NSS backend is in use. As far as Metalink is concerned, the SSL
    backend is only used for MD5, SHA-1 and SHA-256 calculations,
    therefore one of the available SSL backends is selected at compile
    time, in a strict order of preference.
    Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
    to determine whether the SSL backend used for Metalink is the NSS
    backend, and use that to guard the code that wants to de-initialize
    the NSS-specific data structure.
    Ref: #1848
  2. ntlm: use strict order for SSL backend #if branches

    vszakats committed Aug 30, 2017
    With the recently introduced MultiSSL support multiple SSL backends
    can be compiled into cURL That means that now the order of the SSL
    One option would be to use the same SSL backend as was configured
    via `curl_global_sslset()`, however, NTLMv2 support would appear
    to be available only with some SSL backends. For example, when
    eb88d77 (ntlm: Use Windows Crypt API, 2014-12-02) introduced
    support for NTLMv1 using Windows' Crypt API, it specifically did
    *not* introduce NTLMv2 support using Crypt API at the same time.
    So let's select one specific SSL backend for NTLM support when
    compiled with multiple SSL backends, using a priority order such
    that we support NTLMv2 even if only one compiled-in SSL backend can
    be used for that.
    Ref: #1848
  3. symbols-in-versions: add CURLSSLSET_NO_BACKENDS

    bagder committed Sep 22, 2017
    ...fixup from b8e0fe1
  4. imap: quote atoms properly when escaping characters

    bagder committed Sep 21, 2017
    Updates test 800 to verify
    Fixes #1902
    Closes #1903
  5. tests: make the imap server not verify user+password

    bagder committed Sep 21, 2017
    ... as the test cases themselves do that and it makes it easier to add
    crazy test cases.
    Test 800 updated to use user name + password that need quoting.
    Test 856 updated to trigger an auth fail differently.
    Ref: #1902
  6. vtls: provide curl_global_sslset() even in non-SSL builds

    bagder committed Sep 21, 2017
    ... it just returns error:
    Bug: 1328f69#commitcomment-24470367
    Reported-by: Marcel Raad
    Closes #1906
  7. form/mime: field names are not allowed to contain zero-valued bytes.

    monnerat committed Sep 22, 2017
    Also suppress length argument of curl_mime_name() (names are always
Commits on Sep 21, 2017
  1. openssl: only verify RSA private key if supported

    dirkfeytons committed with bagder Sep 21, 2017
    In some cases the RSA key does not support verifying it because it's
    located on a smart card, an engine wants to hide it, ...
    Check the flags on the key before trying to verify it.
    OpenSSL does the same thing internally; see ssl/ssl_rsa.c
    Closes #1904
  2. examples/post-callback: use long for CURLOPT_POSTFIELDSIZE

    MarcelRaad committed Sep 21, 2017
    Otherwise, typecheck-gcc.h warns on MinGW-w64.
Commits on Sep 20, 2017
  1. mime: rephrase the multipart output state machine (#1898) ...

    monnerat committed Sep 20, 2017
    ... in hope coverity will like it much.
  2. mime: fix an explicit null dereference (#1899)

    monnerat committed Sep 20, 2017
  3. curl: check fseek() return code and bail on error

    bagder committed Sep 20, 2017
    Detected by coverity. CID 1418137.
  4. smtp: fix memory leak in OOM

    bagder committed Sep 20, 2017
    Regression since ce0881e
    Coverity CID 1418139 and CID 1418136 found it, but it was also seen in
    torture testing.
  5. RELEASE-NOTES: synced with 5fe8558

    bagder committed Sep 20, 2017
Commits on Sep 19, 2017
  1. cookies: use lock when using CURLINFO_COOKIELIST

    pps83 committed with bagder Sep 18, 2017
    Closes #1896
Commits on Sep 18, 2017
  1. ossfuzz: changes before merging the generated corpora

    cmeister2 committed with bagder Sep 11, 2017
    Before merging in the oss-fuzz corpora from Google, there are some changes
    to the fuzzer.
    - Add a read corpus script, to display corpus files nicely.
    - Change the behaviour of the fuzzer so that TLV parse failures all now
      go down the same execution paths, which should reduce the size of the
    - Make unknown TLVs a failure to parse, which should decrease the size
      of the corpora as well.
    Closes #1881
  2. mime:escape_string minor clarification change

    bagder committed Sep 17, 2017
    ... as it also removes a warning with old gcc versions.
    Reported-by: Ben Greear
  3. ossfuzz: don't write out to stdout

    cmeister2 committed with bagder Sep 11, 2017
    Don't make the fuzzer write out to stdout - instead write some of the
    contents to a memory block so we exercise the data output code but
    Closes #1885
  4. cookies: reject oversized cookies

    bagder committed Sep 17, 2017
    ... instead of truncating them.
    There's no fixed limit for acceptable cookie names in RFC 6265, but the
    entire cookie is said to be less than 4096 bytes (section 6.1). This is
    also what browsers seem to implement.
    We now allow max 5000 bytes cookie header. Max 4095 bytes length per
    cookie name and value. Name + value together may not exceed 4096 bytes.
    Added test 1151 to verify
    Reported-by: Kevin Smith
    Closes #1894
  5. travis: on mac, don't install openssl or libidn

    bagder committed Sep 18, 2017
    - openssl is already installed and causes warnings when trying to
      install again
    - libidn isn't used these days, and homebrew doesn't seem to have a
      libidn2 package to replace with easily
    Closes #1895
  6. curl: make str2udouble not return values on error

    bagder committed Sep 15, 2017
    ... previously it would store a return value even when it returned
    error, which could make the value get used anyway!
    Reported-by: Brian Carpenter
    Closes #1893
  7. socks: fix incorrect port number in SOCKS4 error message

    jay committed Sep 18, 2017
    Prior to this change it appears the SOCKS5 port parsing was erroneously
    used for the SOCKS4 error message, and as a result an incorrect port
    would be shown in the error message.
    Bug: #1892
Commits on Sep 16, 2017
  1. schannel: Support partial send for when data is too large

    marc-groundctl committed with jay Sep 15, 2017
    Schannel can only encrypt a certain amount of data at once.  Instead of
    failing when too much data is to be sent at once, send as much data as
    we can and let the caller send the remaining data by calling send again.
    Closes #1890
  2. openssl: add missing includes

    davidben committed with jay Sep 15, 2017
    lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
    their headers directly rather than relying on other OpenSSL headers
    including things.
    Closes #1891
Commits on Sep 15, 2017
  1. conversions: fix several compiler warnings

    bagder committed Sep 10, 2017
  2. docs: clarify the CURLOPT_INTERLEAVE* options behavior

    bagder committed Sep 15, 2017