granicus.if.org Git - curl/log

7 years ago cmake: sizeof curl_off_t, remove unused detections
Daniel Stenberg [Sat, 12 Aug 2017 13:54:06 +0000 (15:54 +0200)]
cmake: sizeof curl_off_t, remove unused detections

7 years ago system.h: remove all CURL_SIZEOF_* defines
Daniel Stenberg [Sat, 12 Aug 2017 13:54:06 +0000 (15:54 +0200)]
system.h: remove all CURL_SIZEOF_* defines

... as they're not used externally and internally we check for the sizes
already in configure etc.

Closes #1767

7 years ago ftp: fix CWD when doing multicwd then nocwd on same connection
Daniel Stenberg [Tue, 15 Aug 2017 16:48:04 +0000 (18:48 +0200)]
ftp: fix CWD when doing multicwd then nocwd on same connection

Fixes #1782
Closes #1787
Reported-by: Peter Lamare

7 years ago CURLOPT_SSH_COMPRESSION.3: enable with 1L
Daniel Stenberg [Thu, 17 Aug 2017 07:52:13 +0000 (09:52 +0200)]
CURLOPT_SSH_COMPRESSION.3: enable with 1L

(leaves other values reserved for the future)

7 years ago compressed-ssh.d: "Added: 7.56.0"
Daniel Stenberg [Thu, 17 Aug 2017 07:49:33 +0000 (09:49 +0200)]
compressed-ssh.d: "Added: 7.56.0"

7 years ago curl/system.h: checksrc compliance
Daniel Stenberg [Thu, 17 Aug 2017 07:38:41 +0000 (09:38 +0200)]
curl/system.h: checksrc compliance

7 years ago ssh: add the ability to enable compression (for SCP/SFTP)
Viktor Szakats [Sat, 5 Aug 2017 09:26:04 +0000 (09:26 +0000)]
ssh: add the ability to enable compression (for SCP/SFTP)

The required low-level logic was already available as part of
`libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
option.)

This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
(boolean) and the new `curl` command-line option `--compressed-ssh`
to request this `libssh2` feature. To have compression enabled, it
is required that the SSH server supports a (zlib) compatible
compression method and that `libssh2` was built with `zlib` support
enabled.

[1] https://www.libssh2.org/libssh2_session_flag.html

Ref: https://github.com/curl/curl/issues/1732
Closes https://github.com/curl/curl/pull/1735

7 years ago examples/ftpuploadresume: checksrc compliance
Jay Satiro [Wed, 16 Aug 2017 18:44:50 +0000 (14:44 -0400)]
examples/ftpuploadresume: checksrc compliance

7 years ago http_proxy: fix build error for CURL_DOES_CONVERSIONS
Maksim Stsepanenka [Wed, 16 Aug 2017 15:33:33 +0000 (18:33 +0300)]
http_proxy: fix build error for CURL_DOES_CONVERSIONS

Closes https://github.com/curl/curl/pull/1793

7 years ago configure: check for __builtin_available() availability (#1788)
Nick Zitzmann [Wed, 16 Aug 2017 17:24:39 +0000 (12:24 -0500)]
configure: check for __builtin_available() availability (#1788)

This change does two things:
1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
   failing trying to compile connectx() in lib/connect.c.)
2. It finally weak-links the connectx() function, and falls back on
   connect() when run on older operating systems.

7 years ago travis: add metalink to some osx builds
Daniel Stenberg [Wed, 16 Aug 2017 09:37:07 +0000 (11:37 +0200)]
travis: add metalink to some osx builds

Closes #1790

7 years ago coverage: Use two coveralls commands to get lib/vtls results
Max Dymond [Wed, 9 Aug 2017 12:34:41 +0000 (13:34 +0100)]
coverage: Use two coveralls commands to get lib/vtls results

closes #1747

7 years ago darwinssl: fix error: variable length array used
Daniel Stenberg [Wed, 16 Aug 2017 05:58:44 +0000 (07:58 +0200)]
darwinssl: fix error: variable length array used

7 years ago m4/curl-compilers.m4: use proper quotes around string, not backticks
Daniel Stenberg [Tue, 15 Aug 2017 22:03:54 +0000 (00:03 +0200)]
m4/curl-compilers.m4: use proper quotes around string, not backticks

... when setting clang version to assume 3.7

Caused a lot of "integer expression expected" warnings by configure.

7 years ago cmake: remove dead code for DISABLED_THREADSAFE
Benbuck Nason [Tue, 15 Aug 2017 15:25:36 +0000 (08:25 -0700)]
cmake: remove dead code for DISABLED_THREADSAFE

Closes #1786

7 years ago curl-confopts.m4: fix --disable-threaded-resolver
Jakub Zakrzewski [Tue, 15 Aug 2017 17:21:33 +0000 (13:21 -0400)]
curl-confopts.m4: fix --disable-threaded-resolver

Closes https://github.com/curl/curl/issues/1784

7 years ago progress: Track total times following redirects
Ryan Winograd [Wed, 21 Jun 2017 17:15:46 +0000 (12:15 -0500)]
progress: Track total times following redirects

Update the progress timers `t_nslookup`, `t_connect`, `t_appconnect`,
`t_pretransfer`, and `t_starttransfer` to track the total times for
these activities when a redirect is followed. Previously, only the times
for the most recent request would be tracked.

Related changes:

  - Rename `Curl_pgrsResetTimesSizes` to `Curl_pgrsResetTransferSizes`
    now that the function only resets transfer sizes and no longer
    modifies any of the progress timers.

  - Add a bool to the `Progress` struct that is used to prevent
    double-counting `t_starttransfer` times.

Added test case 1399.

Fixes #522 and Known Bug 1.8
Closes #1602
Reported-by: joshhe on github

7 years ago cmake: remove dead code for CURL_DISABLE_RTMP
Benbuck Nason [Tue, 15 Aug 2017 15:20:49 +0000 (08:20 -0700)]
cmake: remove dead code for CURL_DISABLE_RTMP

Closes #1785

7 years ago zsh.pl: produce a working completion script again
Kamil Dudka [Mon, 14 Aug 2017 14:13:32 +0000 (16:13 +0200)]
zsh.pl: produce a working completion script again

Commit curl-7_54_0-118-g8b2f22e changed the output format of curl --help
to use <file> and <dir> instead of FILE and DIR, which caused zsh.pl to
produce a broken completion script:

% curl --<TAB>
_curl:10: no such file or directory: seconds

Closes #1779

7 years ago curlver: toward 7.56.0?
Daniel Stenberg [Tue, 15 Aug 2017 07:20:33 +0000 (09:20 +0200)]
curlver: toward 7.56.0?

7 years ago RELEASE-NOTES: synced with 91c46dc44
Daniel Stenberg [Tue, 15 Aug 2017 07:20:21 +0000 (09:20 +0200)]
RELEASE-NOTES: synced with 91c46dc44

7 years ago test1449: FTP download range with a too large size
Daniel Stenberg [Mon, 14 Aug 2017 21:33:23 +0000 (23:33 +0200)]
test1449: FTP download range with a too large size

7 years ago strtoofft: reduce integer overflow risks globally
Daniel Stenberg [Mon, 14 Aug 2017 21:33:23 +0000 (23:33 +0200)]
strtoofft: reduce integer overflow risks globally

... make sure we bail out on overflows.

Reported-by: Brian Carpenter
Closes #1758

7 years ago travis: build the examples too
Daniel Stenberg [Mon, 14 Aug 2017 12:05:08 +0000 (14:05 +0200)]
travis: build the examples too

to make sure they keep building warning-free

Closes #1777

7 years ago runtests: match keywords case insensitively
Daniel Stenberg [Mon, 14 Aug 2017 21:05:11 +0000 (23:05 +0200)]
runtests: match keywords case insensitively

7 years ago examples/ftpuploadresume.c: use portable code
Daniel Stenberg [Mon, 14 Aug 2017 12:00:56 +0000 (14:00 +0200)]
examples/ftpuploadresume.c: use portable code

... converted from the MS specific _snscanf()

7 years ago RELEASE-NOTES/THANKS: curl 7.55.1 release time (tag: curl-7_55_1)
Daniel Stenberg [Sun, 13 Aug 2017 16:22:06 +0000 (18:22 +0200)]
RELEASE-NOTES/THANKS: curl 7.55.1 release time

7 years ago gitignore: ignore .xz now instead of .lzma
Daniel Stenberg [Sun, 13 Aug 2017 16:11:44 +0000 (18:11 +0200)]
gitignore: ignore .xz now instead of .lzma

7 years ago cmake: Threads detection update. ref: #1702
Sergei Nikulov [Tue, 1 Aug 2017 17:40:29 +0000 (20:40 +0300)]
cmake: Threads detection update. ref: #1702

Closes #1719

7 years ago ipv6_scope: support unique local addresses
Daniel Stenberg [Sun, 13 Aug 2017 15:51:52 +0000 (17:51 +0200)]
ipv6_scope: support unique local addresses

Fixes #1764
Closes #1773
Reported-by: James Slaughter

7 years ago curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__
Alex Potapenko [Sun, 13 Aug 2017 12:11:12 +0000 (15:11 +0300)]
curl/system.h: GCC doesn't define __ppc__ on PowerPC, uses __powerpc__

Closes #1774

7 years ago test1448: verify redirect to IDN using URL
Daniel Stenberg [Sat, 12 Aug 2017 22:02:49 +0000 (00:02 +0200)]
test1448: verify redirect to IDN using URL

Closes #1772

7 years ago redirect: skip URL encoding for host names
Salah-Eddin Shaban [Sat, 12 Aug 2017 22:02:49 +0000 (00:02 +0200)]
redirect: skip URL encoding for host names

This fixes redirects to IDN URLs

Fixes #1441
Closes #1762
Reported by: David Lord

7 years ago test2032: mark as flaky (again)
Daniel Stenberg [Sat, 12 Aug 2017 22:00:39 +0000 (00:00 +0200)]
test2032: mark as flaky (again)

7 years ago travis: test cmake build on tarball too
Daniel Stenberg [Thu, 10 Aug 2017 11:27:17 +0000 (13:27 +0200)]
travis: test cmake build on tarball too

Could've prevented #1755

7 years ago cmake: allow user to override CMAKE_DEBUG_POSTFIX
Simon Warta [Fri, 11 Aug 2017 12:52:43 +0000 (14:52 +0200)]
cmake: allow user to override CMAKE_DEBUG_POSTFIX

Closes #1763

7 years ago connect-to.d: better language
Daniel Stenberg [Sat, 12 Aug 2017 15:36:12 +0000 (17:36 +0200)]
connect-to.d: better language

7 years ago connect-to.d: clarified
Daniel Stenberg [Sat, 12 Aug 2017 15:32:33 +0000 (17:32 +0200)]
connect-to.d: clarified

7 years ago bagder/Curl_tvdiff_us: fix the math
Daniel Stenberg [Sat, 12 Aug 2017 13:34:59 +0000 (15:34 +0200)]
bagder/Curl_tvdiff_us: fix the math

Regression since adef394ac5 (released in 7.55.0)

Reported-by: Han Qiao
Fixes #1769
Closes #1771

7 years ago curl/system.h: add Oracle Solaris Studio
Daniel Stenberg [Fri, 11 Aug 2017 21:40:27 +0000 (23:40 +0200)]
curl/system.h: add Oracle Solaris Studio

Fixes #1752

7 years ago docs: fix typo funtion -> function
Alessandro Ghedini [Sat, 12 Aug 2017 12:37:50 +0000 (13:37 +0100)]
docs: fix typo funtion -> function

Closes #1770

7 years ago docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description
Alessandro Ghedini [Sat, 12 Aug 2017 12:36:24 +0000 (13:36 +0100)]
docs: fix grammar in CURL_SSLVERSION_MAX_DEFAULT description

7 years ago docs: fix typo stuct -> struct
Alessandro Ghedini [Sat, 12 Aug 2017 12:33:10 +0000 (13:33 +0100)]
docs: fix typo stuct -> struct

7 years ago test1447: require a curl with http support
Dan Fandrich [Sat, 12 Aug 2017 10:52:37 +0000 (12:52 +0200)]
test1447: require a curl with http support

7 years ago curl/system.h: support more architectures
Thomas Petazzoni [Fri, 11 Aug 2017 16:52:37 +0000 (18:52 +0200)]
curl/system.h: support more architectures

The long list of architectures in include/curl/system.h is annoying to
maintain, and needs to be extended for each and every architecture to
support.

Instead, let's rely on the __SIZEOF_LONG__ define of the gcc compiler
(we are in the GNUC condition anyway), which tells us if long is 4
bytes or 8 bytes.

This fixes the build of libcurl 7.55.0 on architectures such as
OpenRISC or ARC.

Closes #1766

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

7 years ago test2033: this went flaky again
Daniel Stenberg [Fri, 11 Aug 2017 21:53:47 +0000 (23:53 +0200)]
test2033: this went flaky again

Suspicion: when we enabled the threaded resolver by default.

7 years ago test1447: verifies the parse proxy fix in 6e0e152ce5c
Daniel Stenberg [Fri, 11 Aug 2017 09:58:34 +0000 (11:58 +0200)]
test1447: verifies the parse proxy fix in 6e0e152ce5c

7 years ago parse_proxy(): fix memory leak in case of invalid proxy server name
Even Rouault [Fri, 11 Aug 2017 09:29:09 +0000 (11:29 +0200)]
parse_proxy(): fix memory leak in case of invalid proxy server name

Fixes the below leak:

$ valgrind --leak-check=full ~/install-curl-git/bin/curl --proxy "http://a:b@/x" http://127.0.0.1
curl: (5) Couldn't resolve proxy name
==5048==
==5048== HEAP SUMMARY:
==5048==     in use at exit: 532 bytes in 12 blocks
==5048==   total heap usage: 5,288 allocs, 5,276 frees, 445,271 bytes allocated
==5048==
==5048== 2 bytes in 1 blocks are definitely lost in loss record 1 of 12
==5048==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5048==    by 0x4E6CB79: parse_login_details (url.c:5614)
==5048==    by 0x4E6BA82: parse_proxy (url.c:5091)
==5048==    by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
==5048==    by 0x4E6EA18: create_conn (url.c:6498)
==5048==    by 0x4E6F9B4: Curl_connect (url.c:6967)
==5048==    by 0x4E86D05: multi_runsingle (multi.c:1436)
==5048==    by 0x4E88432: curl_multi_perform (multi.c:2160)
==5048==    by 0x4E7C515: easy_transfer (easy.c:708)
==5048==    by 0x4E7C74A: easy_perform (easy.c:794)
==5048==    by 0x4E7C7B1: curl_easy_perform (easy.c:813)
==5048==    by 0x414025: operate_do (tool_operate.c:1563)
==5048==
==5048== 2 bytes in 1 blocks are definitely lost in loss record 2 of 12
==5048==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5048==    by 0x4E6CBB6: parse_login_details (url.c:5621)
==5048==    by 0x4E6BA82: parse_proxy (url.c:5091)
==5048==    by 0x4E6C46D: create_conn_helper_init_proxy (url.c:5346)
==5048==    by 0x4E6EA18: create_conn (url.c:6498)
==5048==    by 0x4E6F9B4: Curl_connect (url.c:6967)
==5048==    by 0x4E86D05: multi_runsingle (multi.c:1436)
==5048==    by 0x4E88432: curl_multi_perform (multi.c:2160)
==5048==    by 0x4E7C515: easy_transfer (easy.c:708)
==5048==    by 0x4E7C74A: easy_perform (easy.c:794)
==5048==    by 0x4E7C7B1: curl_easy_perform (easy.c:813)
==5048==    by 0x414025: operate_do (tool_operate.c:1563)

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2984
Credit to OSS Fuzz for discovery

Closes #1761

7 years ago RELEASE-NOTES: synced with 37f2195a9
Daniel Stenberg [Fri, 11 Aug 2017 08:30:02 +0000 (10:30 +0200)]
RELEASE-NOTES: synced with 37f2195a9

7 years ago curlver: bump to 7.55.1
Daniel Stenberg [Fri, 11 Aug 2017 08:29:43 +0000 (10:29 +0200)]
curlver: bump to 7.55.1

7 years ago openssl: fix "error: this statement may fall through"
Daniel Stenberg [Fri, 11 Aug 2017 06:15:16 +0000 (08:15 +0200)]
openssl: fix "error: this statement may fall through"

A gcc7 warning.

7 years ago openssl: remove CONST_ASN1_BIT_STRING.
David Benjamin [Thu, 10 Aug 2017 20:37:17 +0000 (16:37 -0400)]
openssl: remove CONST_ASN1_BIT_STRING.

Just making the pointer as const works for the pre-1.1.0 path too.

Closes #1759

7 years ago maketgz: remove old *.dist files before making the tarball
Daniel Stenberg [Thu, 10 Aug 2017 20:52:28 +0000 (22:52 +0200)]
maketgz: remove old *.dist files before making the tarball

To avoid "old crap" unintentionally getting shipped.

Bug: https://curl.haxx.se/mail/lib-2017-08/0050.html
Reported-by: Christian Weisgerber

7 years ago mkhelp.pl: allow executing this script directly
Jay Satiro [Wed, 9 Aug 2017 06:59:18 +0000 (02:59 -0400)]
mkhelp.pl: allow executing this script directly

- Enable execute permission (chmod +x)

- Change interpreter to /usr/bin/env perl

Ref: https://github.com/curl/curl/issues/1743

7 years ago configure: use the threaded resolver backend by default if possible
Daniel Stenberg [Thu, 10 Aug 2017 13:07:40 +0000 (15:07 +0200)]
configure: use the threaded resolver backend by default if possible

Closes #1647

7 years ago cmake: move cmake_uninstall.cmake to CMake/
Daniel Stenberg [Thu, 10 Aug 2017 11:24:15 +0000 (13:24 +0200)]
cmake: move cmake_uninstall.cmake to CMake/

Closes #1756

7 years ago metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
Daniel Stenberg [Thu, 10 Aug 2017 12:54:55 +0000 (14:54 +0200)]
metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead

7 years ago dist: fix the cmake build by shipping cmake_uninstall.cmake.in too
Daniel Stenberg [Thu, 10 Aug 2017 11:20:26 +0000 (13:20 +0200)]
dist: fix the cmake build by shipping cmake_uninstall.cmake.in too

Fixes #1755

7 years ago travis: verify "make install"
Daniel Stenberg [Wed, 9 Aug 2017 22:13:20 +0000 (00:13 +0200)]
travis: verify "make install"

Help-by: Jay Satiro
Closes #1753

7 years ago build: check out *.sln files with Windows line endings
Marcel Raad [Wed, 9 Aug 2017 12:11:27 +0000 (14:11 +0200)]
build: check out *.sln files with Windows line endings

Visual Studio doesn't like LF line endings in solution files and always
converts them to CRLF when doing changes to the solution. Notably, this
affects the solutions in the release archive.

Closes https://github.com/curl/curl/pull/1746

7 years ago gitignore: ignore top-level .vs folder
Marcel Raad [Wed, 9 Aug 2017 12:07:37 +0000 (14:07 +0200)]
gitignore: ignore top-level .vs folder

This folder is generated when using the CMake build system from within
Visual Studio.

Closes https://github.com/curl/curl/pull/1746

7 years ago digest_sspi: Don't reuse context if the user/passwd has changed
Jay Satiro [Tue, 8 Aug 2017 23:32:19 +0000 (19:32 -0400)]
digest_sspi: Don't reuse context if the user/passwd has changed

Bug: https://github.com/curl/curl/issues/1685
Reported-by: paulharris@users.noreply.github.com
Assisted-by: Isaac Boukris
Closes https://github.com/curl/curl/pull/1742

7 years ago dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST
Adam Sampson [Wed, 9 Aug 2017 09:48:41 +0000 (10:48 +0100)]
dist: Add dictserver.py/negtelnetserver.py to EXTRA_DIST

These weren't included in the 7.55.0 release, but are required in order
to run the full test suite.

Closes #1744

7 years ago curl: do bounds check using a double comparison
Adam Sampson [Wed, 9 Aug 2017 13:11:17 +0000 (14:11 +0100)]
curl: do bounds check using a double comparison

The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
complete: if the parsed number in num is larger than will fit in a long,
the conversion is undefined behaviour (causing test1427 to fail for me
on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7).  Getting
rid of the cast means the comparison will be done using doubles.

It might make more sense for the max argument to also be a double...

Fixes #1750
Closes #1749

7 years ago make install: add 8 missing man pages to the installation
Daniel Stenberg [Wed, 9 Aug 2017 09:31:10 +0000 (11:31 +0200)]
make install: add 8 missing man pages to the installation

7 years ago build: fix 'make install' with configure, install docs/libcurl/* too
Daniel Stenberg [Wed, 9 Aug 2017 08:28:06 +0000 (10:28 +0200)]
build: fix 'make install' with configure, install docs/libcurl/* too

Broken since d24838d4da9faa

Reported-by: Bernard Spil

7 years ago RELEASE-NOTES: curl 7.55.0 (tag: curl-7_55_0)
Daniel Stenberg [Tue, 8 Aug 2017 07:32:36 +0000 (09:32 +0200)]
RELEASE-NOTES: curl 7.55.0

7 years ago THANKS: 20 new contributors in 7.55.0
Daniel Stenberg [Tue, 8 Aug 2017 07:32:36 +0000 (09:32 +0200)]
THANKS: 20 new contributors in 7.55.0

7 years ago docs/comments: Update to secure URL versions
Viktor Szakats [Tue, 8 Aug 2017 19:22:34 +0000 (19:22 +0000)]
docs/comments: Update to secure URL versions

Closes #1741

7 years ago configure: fix recv/send/select detection on Android
Daniel Stenberg [Tue, 8 Aug 2017 15:36:49 +0000 (17:36 +0200)]
configure: fix recv/send/select detection on Android

... since they now provide several functions as
__attribute__((overloadable)), the argument detection logic needs
updates.

Patched-by: destman at github
Fixes #1738
Closes #1739

7 years ago ax_code_coverage.m4: update to latest version
Marcel Raad [Mon, 31 Jul 2017 18:44:04 +0000 (20:44 +0200)]
ax_code_coverage.m4: update to latest version

This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
from August 01, 2017. Notably, this removes the lconv version whitelist.

Closes https://github.com/curl/curl/pull/1716

7 years ago test1427: verify command line parser integer overflow detection
Daniel Stenberg [Sun, 6 Aug 2017 19:33:25 +0000 (21:33 +0200)]
test1427: verify command line parser integer overflow detection

7 years ago curl: detect and bail out early on parameter integer overflows
Daniel Stenberg [Sun, 6 Aug 2017 18:10:40 +0000 (20:10 +0200)]
curl: detect and bail out early on parameter integer overflows

Make the number parser aware of the maximum limit curl accepts for a
value and return an error immediately if larger, instead of running an
integer overflow later.

Fixes #1730
Closes #1736

7 years ago glob: do not continue parsing after a strtoul() overflow range
Daniel Stenberg [Tue, 1 Aug 2017 15:16:07 +0000 (17:16 +0200)]
glob: do not continue parsing after a strtoul() overflow range

Added test 1289 to verify.

CVE-2017-1000101

Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter

7 years ago tftp: reject file name lengths that don't fit
Daniel Stenberg [Tue, 1 Aug 2017 15:16:46 +0000 (17:16 +0200)]
tftp: reject file name lengths that don't fit

... and thereby avoid telling send() to send off more bytes than the
size of the buffer!

CVE-2017-1000100

Bug: https://curl.haxx.se/docs/adv_20170809B.html
Reported-by: Even Rouault
Credit to OSS-Fuzz for the discovery

7 years ago file: output the correct buffer to the user
Even Rouault [Tue, 1 Aug 2017 15:17:06 +0000 (17:17 +0200)]
file: output the correct buffer to the user

Regression brought by 7c312f84ea930d8 (April 2017)

CVE-2017-1000099

Bug: https://curl.haxx.se/docs/adv_20170809C.html

Credit to OSS-Fuzz for the discovery

7 years ago easy_events: make event data static
Daniel Stenberg [Sun, 6 Aug 2017 21:42:50 +0000 (23:42 +0200)]
easy_events: make event data static

First: this function is only used in debug-builds and not in
release/real builds. It is used to drive tests using the event-based
API.

A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
CURLMOPT_TIMERFUNCTION callback can in fact be called even after this
function returns, namely when curl_multi_remove_handle() is called.

Reported-by: Brian Carpenter

7 years ago getparameter: avoid returning uninitialized 'usedarg'
Daniel Stenberg [Fri, 4 Aug 2017 09:49:27 +0000 (11:49 +0200)]
getparameter: avoid returning uninitialized 'usedarg'

Fixes #1728

7 years ago gssapi: fix memory leak of output token in multi round context
Isaac Boukris [Fri, 21 Jul 2017 23:00:46 +0000 (02:00 +0300)]
gssapi: fix memory leak of output token in multi round context

When multiple rounds are needed to establish a security context
(usually ntlm), we overwrite old token with a new one without free.
Found by proposed gss tests using a stub gss implementation (by
valgrind error), though I have confirmed the leak with a real
gssapi implementation as well.

Closes https://github.com/curl/curl/pull/1733

7 years ago darwinssl: fix compiler warning
Marcel Raad [Fri, 4 Aug 2017 20:47:16 +0000 (22:47 +0200)]
darwinssl: fix compiler warning

clang complains:
vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
[-Werror,-Wextra-tokens]

This breaks the darwinssl build on Travis. Fix it by making this token
a comment.

Closes https://github.com/curl/curl/pull/1734

7 years ago CMake: fix CURL_WERROR for MSVC
Marcel Raad [Tue, 18 Jul 2017 16:31:41 +0000 (18:31 +0200)]
CMake: fix CURL_WERROR for MSVC

When using CURL_WERROR in MSVC builds, the debug flags were overridden
by the release flags and /WX got added twice in debug mode.

Closes https://github.com/curl/curl/pull/1715

7 years ago RELEASE-NOTES: synced with 561e9217c
Daniel Stenberg [Fri, 4 Aug 2017 08:32:38 +0000 (10:32 +0200)]
RELEASE-NOTES: synced with 561e9217c

7 years ago test1010: verify that #1718 is fixed
Daniel Stenberg [Thu, 3 Aug 2017 21:50:02 +0000 (23:50 +0200)]
test1010: verify that #1718 is fixed

... by doing two transfers in nocwd mode and check that there's no
superfluous CWD command.

7 years ago FTP: skip unnecessary CWD when in nocwd mode
Daniel Stenberg [Thu, 3 Aug 2017 21:48:57 +0000 (23:48 +0200)]
FTP: skip unnecessary CWD when in nocwd mode

... when reusing a connection. If it didn't do any CWD previously.

Fixes #1718

7 years ago travis: explicitly specify dist
Marcel Raad [Thu, 3 Aug 2017 09:01:25 +0000 (11:01 +0200)]
travis: explicitly specify dist

This makes the builds more reproducible as travis is currently rolling
out trusty as default dist [1]. Specifically, this avoids coverage
check failures when trusty is used as seen in [2] until we figure out
what's wrong.

[1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
[2] https://github.com/curl/curl/pull/1692

Closes https://github.com/curl/curl/pull/1725

7 years ago travis: BUILD_TYPE => T
Daniel Stenberg [Thu, 3 Aug 2017 22:04:39 +0000 (00:04 +0200)]
travis: BUILD_TYPE => T

(to make the full line appear nicer on travis web UI)

7 years ago travis: add osx build with darwinssl
Daniel Stenberg [Thu, 3 Aug 2017 22:04:39 +0000 (00:04 +0200)]
travis: add osx build with darwinssl

Closes #1706

7 years ago darwin: silence compiler warnings
Daniel Stenberg [Thu, 3 Aug 2017 22:04:39 +0000 (00:04 +0200)]
darwin: silence compiler warnings

With a clang pragma and three type fixes

Fixes #1722

7 years ago BUILD.WINDOWS: mention buildconf.bat for builds off git
Daniel Stenberg [Thu, 3 Aug 2017 11:50:03 +0000 (13:50 +0200)]
BUILD.WINDOWS: mention buildconf.bat for builds off git

7 years ago darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
Daniel Stenberg [Wed, 2 Aug 2017 21:22:53 +0000 (23:22 +0200)]
darwinssl: fix curlssl_sha256sum() compiler warnings on first argument

7 years ago test130: verify comments in .netrc
Daniel Stenberg [Wed, 2 Aug 2017 12:25:21 +0000 (14:25 +0200)]
test130: verify comments in .netrc

7 years ago netrc: skip lines starting with '#'
Gisle Vanem [Wed, 2 Aug 2017 12:24:51 +0000 (14:24 +0200)]
netrc: skip lines starting with '#'

Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html

7 years ago CMake: set MSVC warning level to 4
Marcel Raad [Tue, 18 Jul 2017 16:46:53 +0000 (18:46 +0200)]
CMake: set MSVC warning level to 4

The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
consistent with the Visual Studio and NMake builds. Disable level 4
warning C4127 for the library and additionally C4306 for the test
servers to get a clean CURL_WERROR build as that warning is raised in
some macros in older Visual Studio versions.

Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
Closes https://github.com/curl/curl/pull/1711

7 years ago CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2
Daniel Stenberg [Wed, 2 Aug 2017 13:29:27 +0000 (15:29 +0200)]
CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2

Reported-by: Viktor Szakats

7 years ago CURLOPT_NETRC.3: mention the file name on windows
Daniel Stenberg [Wed, 2 Aug 2017 12:34:26 +0000 (14:34 +0200)]
CURLOPT_NETRC.3: mention the file name on windows

... and CURLOPT_NETRC_FILE(3).

7 years ago travis: build osx with libressl too
Daniel Stenberg [Wed, 2 Aug 2017 08:32:15 +0000 (10:32 +0200)]
travis: build osx with libressl too

7 years ago travis: build osx with openssl too
Daniel Stenberg [Wed, 2 Aug 2017 08:28:00 +0000 (10:28 +0200)]
travis: build osx with openssl too

7 years ago tests/server/util: fix curltime mistake from 4dee50b9c80f9
Daniel Stenberg [Wed, 2 Aug 2017 09:53:27 +0000 (11:53 +0200)]
tests/server/util: fix curltime mistake from 4dee50b9c80f9

7 years ago curl_threads: fix MSVC compiler warning
Marcel Raad [Tue, 1 Aug 2017 09:56:41 +0000 (11:56 +0200)]
curl_threads: fix MSVC compiler warning

Use LongToHandle to convert from long to HANDLE in the Win32
implementation.
This should fix the following warning when compiling with
MSVC 11 (2012) in 64-bit mode:
lib\curl_threads.c(113): warning C4306:
'type cast' : conversion from 'long' to 'HANDLE' of greater size

Closes https://github.com/curl/curl/pull/1717

7 years ago BUGS: improved phrasing about security bugs
Daniel Stenberg [Tue, 1 Aug 2017 13:06:08 +0000 (15:06 +0200)]
BUGS: improved phrasing about security bugs

Reported-by: Max Dymond