Commits on Feb 16, 2019
  1. cookie: Add support for cookie prefixes

    danielgustafsson committed Feb 16, 2019
    The draft-ietf-httpbis-rfc6265bis-02 draft specifies a set of prefixes
    and how they should affect cookie initialization, which has been
    adopted by the major browsers. This adds support for the two prefixes
    defined, __Host- and __Secure-, and updates the testcase with the
    supplied examples from the draft.
    
    Closes #3554
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  2. mbedtls: release sessionid resources on error

    danielgustafsson committed Feb 16, 2019
    If mbedtls_ssl_get_session() fails, it may still have allocated
    memory that needs to be freed to avoid leaking. Call the library
    API function to release session resources on this error path as
    well as on Curl_ssl_addsessionid() errors.
    
    Closes: #3574
    Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Feb 12, 2019
  1. non-ascii.c: fix typos in comments

    danielgustafsson committed Feb 12, 2019
    Fix two occurrences of s/convers/converts/ spotted while reading code.
Commits on Feb 11, 2019
  1. curl: follow-up to 3f16990

    danielgustafsson committed Feb 11, 2019
    Commit 3f16990 followed up a bug in b49652a but was
    inadvertently introducing a new bug in the ternary expression.
    
    Close #3555
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  2. dns: release sharelock as soon as possible

    danielgustafsson committed Feb 11, 2019
    There is no benefit to holding the data sharelock when freeing the
    addrinfo in case it fails, so ensure releasing it as soon as we can
    rather than holding on to it. This also aligns the code with other
    consumers of sharelocks.
    
    Closes #3516
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Feb 6, 2019
  1. INTERNALS.md: fix subsection depth and link

    danielgustafsson committed Feb 6, 2019
    The Kerberos subsection was mistakenly a subsubsection under FTP, and
    the curlx subsection was missing an anchor for the TOC link.
    
    Closes #3529
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Feb 5, 2019
  1. ROADMAP: remove already performed item

    danielgustafsson committed Feb 5, 2019
    Commit 7a09b52 introduced support
    for the draft-ietf-httpbis-cookie-alone-01 cookie draft, and while
    the entry was removed from the TODO it was mistakenly left here.
    Fix by removing and rewording the entry slightly.
    
    Closes #3530
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Feb 4, 2019
  1. smtp: avoid risk of buffer overflow in strtol

    danielgustafsson authored and bagder committed Jan 18, 2019
    If the incoming len is 5, but the buffer does not have a termination
    after 5 bytes, the strtol() call may keep reading through the line
    buffer until it exceeds its boundary. Fix by ensuring that we are
    using a bounded read with a temporary buffer on the stack.
    
    Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
    Reported-by: Brian Carpenter (Geeknik Labs)
    CVE-2019-3823
Commits on Jan 20, 2019
  1. memcmp: avoid doing single char memcmp

    danielgustafsson committed Jan 20, 2019
    There is no real gain in performing memcmp() comparisons on single
    characters, so change these to array subscript inspections which
    saves a call and makes the code clearer.
    
    Closes #3486
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
    Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Commits on Jan 10, 2019
  1. travis: turn off copyright year checks in checksrc

    danielgustafsson committed Jan 10, 2019
    Invoking the maintainer intended COPYRIGHTYEAR check for everyone
    in the PR pipeline is too invasive, especially at the turn of the
    year when many files get affected. Remove and leave it as a tool
    for maintainers to verify patches before commits.
    
    This reverts f7bdf4b.
    
    After discussion with: Daniel Stenberg
Commits on Jan 2, 2019
  1. THANKS: add more missing names

    danielgustafsson committed Jan 2, 2019
    Add Adrian Burcea who made the artwork for the curl://up 2018 event
    which was held in Stockholm, Sweden.
  2. docs: mention potential leak in curl_slist_append

    danielgustafsson committed Jan 2, 2019
    When a non-empty list is appended to, and used as the return value,
    the list pointer can leak in case of an allocation failure in the
    curl_slist_append() call. This is correctly handled in curl code
    usage but we weren't explicitly pointing it out in the API call
    documentation. Fix by extending the RETURNVALUE manpage section
    and example code.
    
    Closes #3424
    Reported-by: dnivras on github
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Dec 30, 2018
  1. urlapi: fix parsing ipv6 with zone index

    danielgustafsson committed Dec 30, 2018
    The previous fix for parsing IPv6 URLs with a zone index was a paddle
    short for URLs without an explicit port. This patch fixes that case
    and adds a unit test case.
    
    This bug was highlighted by issue #3408, and while it's not the full
    fix for the problem there it is an isolated bug that should be fixed
    regardless.
    
    Closes #3411
    Reported-by: GitYuanQu on github
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Dec 27, 2018
  1. RELEASE-NOTES: synced

    danielgustafsson committed Dec 27, 2018
Commits on Dec 26, 2018
  1. url: fix incorrect indentation

    danielgustafsson committed Dec 26, 2018
Commits on Dec 25, 2018
  1. FAQ: remove mention of sourceforge for github

    danielgustafsson committed Dec 25, 2018
    The project bug tracker is no longer hosted at sourceforge but is now
    hosted on the curl GitHub page. Update the FAQ to reflect.
    
    Closes #3410
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  2. openvms: fix typos in documentation

    danielgustafsson committed Dec 25, 2018
  3. openvms: fix OpenSSL discovery on VAX

    danielgustafsson committed Dec 25, 2018
    The DCL code had a typo in one of the commands which would make the
    OpenSSL discovery on VAX fail. The correct syntax is F$ENVIRONMENT.
    
    Closes #3407
    Reviewed-by: Viktor Szakats <commit@vszakats.net>
Commits on Dec 19, 2018
  1. cookies: extend domain checks to non psl builds

    danielgustafsson committed Dec 19, 2018
    Ensure to perform the checks we have to enforce a sane domain in
    the cookie request. The check for non-PSL enabled builds is quite
    basic but it's better than nothing.
    
    Closes #2964
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Dec 13, 2018
  1. OS400: handle memory error in list conversion

    danielgustafsson committed Dec 13, 2018
    Curl_slist_append_nodup() returns NULL when it fails to create a new
    item for the specified list, and since the coding here reassigned the
    new list on top of the old list it would result in a dangling pointer
    and lost memory. Also, in case we hit an allocation failure at some
    point during the conversion, with allocation succeeding again on the
    subsequent call(s) we will return a truncated list around the malloc
    failure point. Fix by assigning to a temporary list pointer, which can
    be checked (which is the common pattern for slist appending), and free
    all the resources on allocation failure.
    
    Closes #3372
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  2. cookies: leave secure cookies alone

    danielgustafsson committed Dec 13, 2018
    Only allow secure origins to be able to write cookies with the
    'secure' flag set. This reduces the risk of non-secure origins
    to influence the state of secure origins. This implements IETF
    Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
    RFC6265.
    
    Closes #2956
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Dec 12, 2018
  1. urlapi: Fix port parsing of eol colon

    danielgustafsson committed Dec 12, 2018
    A URL with a single colon without a port number should use the default
    port, discarding the colon. Fix, add a testcase and also do a little bit
    of comment wordsmithing.
    
    Closes #3365
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Dec 11, 2018
  1. tests: add urlapi unittest

    danielgustafsson committed Dec 11, 2018
    This adds a new unittest intended to cover the internal functions in
    the urlapi code, starting with parse_port(). In order to avoid name
    collisions in debug builds, parse_port() is renamed Curl_parse_port()
    since it will be exported.
    
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
    Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
  2. urlapi: fix portnumber parsing for ipv6 zone index

    danielgustafsson committed Dec 11, 2018
    An IPv6 URL which contains a zone index includes a '%%25<zone id>'
    string before the ending ']' bracket. The parsing logic wasn't set
    up to cope with the zone index however, resulting in a malformed url
    error being returned. Fix by breaking the parsing into two stages
    to correctly handle the zone index.
    
    Closes #3355
    Closes #3319
    Reported-by: tonystz on Github
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
    Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Commits on Dec 3, 2018
  1. travis: enable COPYRIGHTYEAR extended warning

    danielgustafsson committed Dec 3, 2018
    The extended warning for checking incorrect COPYRIGHTYEAR is quite
    expensive to run, so rather than expecting every developer to do it
    we ensure it's turned on locally for Travis.
  2. checksrc: add COPYRIGHTYEAR check

    danielgustafsson committed Dec 3, 2018
    Forgetting to bump the year in the copyright clause when hacking has
    been quite common among curl developers, but a traditional checksrc
    check isn't a good fit as it would penalize anyone hacking on January
    1st (among other things). This adds a more selective COPYRIGHTYEAR
    check which intends to only cover the currently hacked on changeset.
    
    The check for updated copyright year is currently not enforced on all
    files but only on files edited and/or committed locally. This is due to
    the amount of files which aren't updated with their correct copyright
    year at the time of their respective commit.
    
    To further avoid running this expensive check for every developer, it
    adds a new local override mode for checksrc where a .checksrc file can
    be used to turn on extended warnings locally.
    
    Closes #3303
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Nov 29, 2018
  1. TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry

    danielgustafsson committed Nov 29, 2018
    Commit 7c5837e deprecated the option
    making it a manual code-edit operation to turn it back on. The removal
    process has thus started and is now documented in docs/DEPRECATE.md so
    remove from the TODO to avoid anyone looking for something to pick up
    spending cycles on an already in-progress entry.
    
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Nov 26, 2018
  1. doh: fix typo in infof call

    danielgustafsson committed Nov 26, 2018
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
  2. cmdline-opts/gen.pl: define the correct varname

    danielgustafsson committed Nov 26, 2018
    The variable definition had a small typo making it declare another
    variable than the intended.
    
    Closes #3304
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Nov 21, 2018
  1. configure: Fix typo in comment

    danielgustafsson committed Nov 21, 2018
Commits on Nov 18, 2018
  1. tool_doswin: Fix uninitialized field warning

    danielgustafsson committed Nov 18, 2018
    The partial struct initialization in 397664a caused
    a warning on uninitialized MODULEENTRY32 struct members:
    
      /src/tool_doswin.c:681:3: warning: missing initializer for field
      'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}'
      [-Wmissing-field-initializers]
    
    This is sort of a bogus warning as the remaining members will be set
    to zero by the compiler, as all omitted members are. Nevertheless,
    remove the warning by omitting all members and setting the dwSize
    members explicitly.
    
    Closes #3254
    Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
    Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Commits on Nov 17, 2018
  1. openssl: Remove SSLEAY leftovers

    danielgustafsson committed Nov 17, 2018
    Commit 709cf76 deprecated USE_SSLEAY, as curl since long isn't
    compatible with the SSLeay library. This removes the few leftovers that
    were omitted in the less frequently used platform targets.
    
    Closes #3270
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Nov 13, 2018
  1. tool_cb_wrt: Silence function cast compiler warning

    danielgustafsson committed Nov 12, 2018
    Commit 5bfaa86 introduced a new
    compiler warning on Windows cross compilation with GCC. See below
    for an example of the warning from the autobuild logs (whitespace
    edited to fit):
    
    /src/tool_cb_wrt.c:175:9: warning: cast from function call of type
        'intptr_t {aka long long int}' to non-matching type 'void *'
        [-Wbad-function-cast]
    (HANDLE) _get_osfhandle(fileno(outs->stream)),
    ^
    
    Store the return value from _get_osfhandle() in an intermediate
    variable and cast the variable in WriteConsoleW() rather than the
    function call directly to avoid a compiler warning.
    
    In passing, also add inspection of the MultiByteToWideChar() return
    value and return failure in case an error is reported.
    
    Closes #3263
    Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
    Reviewed-by: Viktor Szakats <commit@vszakats.net>
Commits on Nov 9, 2018
  1. KNOWN_BUGS: add --proxy-any connection issue

    danielgustafsson committed Nov 9, 2018
    Add the identified issue with --proxy-any and proxy servers which
    advertise authentication schemes other than the supported one.
    
    Closes #876
    Closes #3250
    Reported-by: NTMan on Github
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Commits on Nov 7, 2018
  1. winssl: be consistent in Schannel capitalization

    danielgustafsson committed Nov 7, 2018
    The product name from Microsoft is "Schannel", but in infof/failf
    reporting we use "schannel". This removes different versions.
    
    Closes #3243
    Reviewed-by: Daniel Stenberg <daniel@haxx.se>