granicus.if.org Git - curl/log
Daniel Stenberg [Thu, 19 Sep 2019 13:30:16 +0000 (15:30 +0200)]
RELEASE-NOTES: synced
Daniel Stenberg [Fri, 13 Sep 2019 14:38:58 +0000 (16:38 +0200)]
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.
Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund
Closes #4347
Daniel Stenberg [Thu, 19 Sep 2019 12:00:51 +0000 (14:00 +0200)]
README: add OSS-Fuzz badge [skip ci]
Closes #4380
Michael Kaufmann [Wed, 18 Sep 2019 11:42:53 +0000 (13:42 +0200)]
http: merge two "case" statements
Zenju [Fri, 13 Sep 2019 15:32:04 +0000 (17:32 +0200)]
FTP: remove trailing slash from path for LIST/MLSD
Closes #4348
Daniel Stenberg [Mon, 16 Sep 2019 21:25:48 +0000 (23:25 +0200)]
mime: when disabled, avoid C99 macro
Closes #4368
Daniel Stenberg [Tue, 17 Sep 2019 21:47:12 +0000 (23:47 +0200)]
url: cleanup dangling DOH request headers too
Follow-up to 9bc44ff64d9081
Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17269
Closes #4372
Christoph M. Becker [Mon, 16 Sep 2019 13:32:58 +0000 (15:32 +0200)]
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.
Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html
Closes #4365
Daniel Stenberg [Mon, 16 Sep 2019 14:38:01 +0000 (16:38 +0200)]
doh: clean up dangling DOH handles and memory on easy close
If you set the same URL for target as for DoH (and it isn't a DoH
server), like "https://example.com" in both, the easy handles used for
the DoH requests could be left "dangling" and end up not getting freed.
Reported-by: Paul Dreik
Closes #4366
Daniel Stenberg [Mon, 16 Sep 2019 12:30:44 +0000 (14:30 +0200)]
unit1655: make it C90 compliant
Unclear why this was not detected in the CI.
Follow-up to b7666027296a
Daniel Stenberg [Mon, 16 Sep 2019 08:15:05 +0000 (10:15 +0200)]
smb: check for full size message before reading message details
To avoid reading of uninitialized data.
Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
Daniel Stenberg [Mon, 16 Sep 2019 06:46:12 +0000 (08:46 +0200)]
quiche: persist connection details
... like we do for other protocols at connect time. This makes "curl -I"
and other things work.
Reported-by: George Liu
Fixes #4358
Closes #4360
Daniel Stenberg [Sun, 15 Sep 2019 21:58:49 +0000 (23:58 +0200)]
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Follow-up to ffe34b7b59
Closes #4359
Paul Dreik [Fri, 13 Sep 2019 18:06:21 +0000 (20:06 +0200)]
doh: fix undefined behaviour and open up for gcc and clang optimization
The undefined behaviour is annoying when running fuzzing with
sanitizers. The codegen is the same, but the meaning is now not up for
dispute. See https://cppinsights.io/s/516a2ff4
By incrementing the pointer first, both gcc and clang recognize this as
a bswap and optimize it to a single instruction. See
https://godbolt.org/z/994Zpx
Closes #4350
Paul Dreik [Sat, 14 Sep 2019 01:16:09 +0000 (03:16 +0200)]
doh: fix (harmless) buffer overrun
Added unit test case 1655 to verify.
Close #4352
the code correctly finds the flaws in the old code,
if one temporarily restores doh.c to the old version.
Alessandro Ghedini [Sat, 14 Sep 2019 18:47:34 +0000 (19:47 +0100)]
docs: remove trailing ':' from section names in CURLOPT_TRAILER* man
Alessandro Ghedini [Sat, 14 Sep 2019 18:44:29 +0000 (19:44 +0100)]
docs: fix typo in CURLOPT_HTTP_VERSION man
Daniel Stenberg [Sat, 14 Sep 2019 18:25:43 +0000 (20:25 +0200)]
CI: initial github action job
First shot at a CI build on github actions
Daniel Stenberg [Wed, 11 Sep 2019 11:57:32 +0000 (13:57 +0200)]
appveyor: add a winbuild
Assisted-by: Marcel Raad
Assisted-by: Jay Satiro
Closes #4324
Daniel Stenberg [Thu, 12 Sep 2019 15:50:21 +0000 (17:50 +0200)]
FTP: allow "rubbish" prepended to the SIZE response
This is a protocol violation but apparently there are legacy proprietary
servers doing this.
Added test 336 and 337 to verify.
Reported-by: Philippe Marguinaud
Closes #4339
Zenju [Wed, 11 Sep 2019 18:04:28 +0000 (20:04 +0200)]
FTP: skip CWD to entry dir when target is absolute
Closes #4332
Kamil Dudka [Wed, 11 Sep 2019 14:32:11 +0000 (16:32 +0200)]
curl: fix memory leaked by parse_metalink()
This commit fixes a regression introduced by curl-7_65_3-5-gb88940850.
Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind
and libmetalink enabled.
Closes #4326
Daniel Stenberg [Thu, 12 Sep 2019 21:28:00 +0000 (23:28 +0200)]
parsedate: still provide the name arrays when disabled
If FILE or FTP are enabled, since they also use them!
Reported-by: Roland Hieber
Fixes #4325
Closes #4343
Gilles Vollant [Thu, 12 Sep 2019 08:09:22 +0000 (10:09 +0200)]
curl:file2string: load large files much faster
... by using a more efficient realloc scheme.
Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html
Closes #4336
Daniel Stenberg [Thu, 12 Sep 2019 15:56:49 +0000 (17:56 +0200)]
openssl: close_notify on the FTP data connection doesn't mean closure
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!
Regression since 3f5da4e59a556fc (7.65.0)
Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
Jimmy Gaussen [Thu, 12 Sep 2019 13:15:46 +0000 (15:15 +0200)]
docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
Closes #4338
Daniel Stenberg [Thu, 12 Sep 2019 07:48:00 +0000 (09:48 +0200)]
RELEASE-NOTES: synced
Daniel Stenberg [Thu, 12 Sep 2019 07:48:27 +0000 (09:48 +0200)]
curlver: bump to 7.66.1
Zenju [Wed, 11 Sep 2019 08:41:43 +0000 (10:41 +0200)]
setopt: make it easier to add new enum values
... by using the *_LAST define names better.
Closes #4321
Daniel Stenberg [Wed, 11 Sep 2019 21:11:58 +0000 (23:11 +0200)]
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333
Bernhard Walle [Wed, 11 Sep 2019 10:56:54 +0000 (12:56 +0200)]
winbuild/MakefileBuild.vc: Add vssh
Without that modification, the Windows build using the makefiles doesn't
work.
Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
Fixes #4322
Closes #4323
Bernhard Walle [Wed, 11 Sep 2019 10:56:22 +0000 (12:56 +0200)]
winbuild/MakefileBuild.vc: Fix line endings
The file had mixed line endings.
Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
Jay Satiro [Tue, 27 Aug 2019 18:20:20 +0000 (14:20 -0400)]
ldap: Stop using wide char version of ldapp_err2string
Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).
We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:
failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));
Closes https://github.com/curl/curl/pull/4272
Daniel Stenberg [Mon, 9 Sep 2019 12:08:57 +0000 (14:08 +0200)]
RELEASE-NOTES: curl 7.66.0
Daniel Stenberg [Mon, 9 Sep 2019 12:10:32 +0000 (14:10 +0200)]
THANKS: from the 7.66.0 release
Daniel Stenberg [Tue, 10 Sep 2019 11:37:38 +0000 (13:37 +0200)]
curl: make sure the parallel transfers do them all
The logic could erroneously break the loop too early before all
transfers had been transferred.
Reported-by: Tom van der Woerdt
Fixes #4316
Closes #4317
Daniel Stenberg [Tue, 10 Sep 2019 09:51:51 +0000 (11:51 +0200)]
urlapi: one colon is enough for the strspn() input (typo)
Daniel Stenberg [Wed, 4 Sep 2019 21:49:30 +0000 (23:49 +0200)]
urlapi: verify the IPv6 numerical address
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.
Reported-by: Thomas Vegas
Closes #4315
Clément Notin [Sun, 8 Sep 2019 14:44:54 +0000 (16:44 +0200)]
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available. Existing code is preserved for older versions of
OpenSSL.
Closes #4304
Clément Notin [Sun, 8 Sep 2019 13:09:32 +0000 (15:09 +0200)]
openssl: indent, re-organize and add comments
migueljcrum [Fri, 6 Sep 2019 13:43:51 +0000 (13:43 +0000)]
sspi: fix memory leaks
Closes #4299
Daniel Stenberg [Tue, 10 Sep 2019 06:02:06 +0000 (08:02 +0200)]
travis: disable ngtcp2 builds (again)
Daniel Stenberg [Wed, 4 Sep 2019 22:08:21 +0000 (00:08 +0200)]
Curl_fillreadbuffer: avoid double-free trailer buf on error
Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas
Closes #4307
Daniel Stenberg [Sun, 8 Sep 2019 21:47:56 +0000 (23:47 +0200)]
tool_setopt: handle a libcurl build without netrc support
Reported-by: codesniffer13 on github
Fixes #4302
Closes #4305
Daniel Stenberg [Tue, 3 Sep 2019 20:59:32 +0000 (22:59 +0200)]
security:read_data fix bad realloc()
... that could end up a double-free
CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
Thomas Vegas [Sat, 31 Aug 2019 15:30:51 +0000 (17:30 +0200)]
tftp: Alloc maximum blksize, and use default unless OACK is received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
Thomas Vegas [Sat, 31 Aug 2019 14:59:56 +0000 (16:59 +0200)]
tftp: return error when packet is too small for options
Daniel Stenberg [Thu, 5 Sep 2019 12:21:59 +0000 (14:21 +0200)]
KNOWN_BUGS/TODO: cleanup and remove outdated issues
Daniel Stenberg [Wed, 4 Sep 2019 09:17:14 +0000 (11:17 +0200)]
RELEASE-NOTES: synced
Daniel Stenberg [Tue, 3 Sep 2019 11:46:36 +0000 (13:46 +0200)]
netrc: free 'home' on error
Follow-up to f9c7ba9096ec2
Coverity CID 1453474
Closes #4291
Daniel Stenberg [Tue, 3 Sep 2019 11:31:44 +0000 (13:31 +0200)]
urldata: avoid 'generic', use dedicated pointers
For the 'proto' union within the connectdata struct.
Closes #4290
Daniel Stenberg [Mon, 2 Sep 2019 21:22:15 +0000 (23:22 +0200)]
cleanup: move functions out of url.c and make them static
Closes #4289
Daniel Stenberg [Mon, 2 Sep 2019 21:04:26 +0000 (23:04 +0200)]
smtp: check for and bail out on too short EHLO response
Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.
Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918
Assisted-by: Max Dymond
Closes #4287
Daniel Stenberg [Mon, 2 Sep 2019 13:28:30 +0000 (15:28 +0200)]
smb: init *msg to NULL in smb_send_and_recv()
... it might otherwise return OK from this function leaving that pointer
uninitialized.
Bug: https://crbug.com/oss-fuzz/16907
Closes #4286
Daniel Stenberg [Mon, 2 Sep 2019 07:49:31 +0000 (09:49 +0200)]
ROADMAP: updated after recent user poll
In rough prio order
Daniel Stenberg [Sat, 31 Aug 2019 10:10:36 +0000 (12:10 +0200)]
THANKS: remove duplicate
Daniel Stenberg [Fri, 30 Aug 2019 09:29:55 +0000 (11:29 +0200)]
Curl_addr2string: take an addrlen argument too
This allows the function to figure out if a unix domain socket has a
file name or not associated with it! When a socket is created with
socketpair(), as done in the fuzzer testing, the path struct member is
uninitialized and must not be accessed.
Bug: https://crbug.com/oss-fuzz/16699
Closes #4283
Rolf Eike Beer [Thu, 29 Aug 2019 12:55:24 +0000 (14:55 +0200)]
CMake: remove needless newlines at end of gss variables
Rolf Eike Beer [Thu, 29 Aug 2019 08:08:31 +0000 (10:08 +0200)]
CI: remove duplicate configure flag for LGTM.com
Rolf Eike Beer [Thu, 29 Aug 2019 07:54:10 +0000 (09:54 +0200)]
CMake: use platform dependent name for dlopen() library
Closes #4279
Daniel Stenberg [Thu, 29 Aug 2019 16:56:24 +0000 (18:56 +0200)]
quiche: expire when poll returned data
... to make sure we continue draining the queue until empty
Closes #4281
Daniel Stenberg [Thu, 29 Aug 2019 16:55:29 +0000 (18:55 +0200)]
quiche: decrease available buffer size, don't assign it!
Found-by: Jeremy Lainé
Daniel Stenberg [Thu, 29 Aug 2019 21:43:44 +0000 (23:43 +0200)]
RELEASE-NOTES: synced
lufia [Wed, 28 Aug 2019 16:11:47 +0000 (01:11 +0900)]
curl: fix include conditions
lufia [Wed, 28 Aug 2019 16:09:49 +0000 (01:09 +0900)]
plan9: fix installation instructions
Closes #4276
Daniel Stenberg [Wed, 28 Aug 2019 12:39:07 +0000 (14:39 +0200)]
ngtcp2: on h3 stream close, call expire
... to trigger a new read to detect the stream close!
Closes #4275
Tatsuhiro Tsujikawa [Thu, 29 Aug 2019 07:09:26 +0000 (16:09 +0900)]
ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4278
Daniel Stenberg [Wed, 28 Aug 2019 10:19:42 +0000 (12:19 +0200)]
ngtcp2: set flow control window to stream buffer size
Closes #4274
Christopher Head [Wed, 28 Aug 2019 03:01:25 +0000 (20:01 -0700)]
CURLOPT_HEADERFUNCTION.3: clarify
Closes #4273
Daniel Stenberg [Mon, 26 Aug 2019 21:36:39 +0000 (23:36 +0200)]
CURLINFO docs: mention that in redirects times are added
Suggested-by: Brandon Dong
Fixes #4250
Closes #4269
Daniel Stenberg [Tue, 27 Aug 2019 15:03:40 +0000 (17:03 +0200)]
travis: enable ngtcp2 builds again
Switched to the openssl-quic-draft-22 openssl branch.
Closes #4271
Daniel Stenberg [Tue, 27 Aug 2019 15:07:47 +0000 (17:07 +0200)]
HTTP3: switched openssl branch to use
Tatsuhiro Tsujikawa [Tue, 27 Aug 2019 13:00:34 +0000 (22:00 +0900)]
ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4270
Daniel Stenberg [Mon, 26 Aug 2019 14:00:05 +0000 (16:00 +0200)]
http2: when marked for closure and wanted to close == OK
It could otherwise return an error even when closed correctly if GOAWAY
had been received previously.
Reported-by: Tom van der Woerdt
Fixes #4267
Closes #4268
Daniel Stenberg [Mon, 26 Aug 2019 12:45:41 +0000 (14:45 +0200)]
RELEASE-NOTES: synced
Daniel Stenberg [Mon, 26 Aug 2019 10:06:47 +0000 (12:06 +0200)]
build-openssl: fix build with Visual Studio 2019
Reviewed-by: Marcel Raad
Contributed-by: osabc on github
Fixes #4188
Closes #4266
Kamil Dudka [Wed, 14 Aug 2019 07:47:17 +0000 (09:47 +0200)]
vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure
This is a follow-up to https://github.com/curl/curl/pull/3864.
Closes #4224
Daniel Stenberg [Mon, 26 Aug 2019 10:11:29 +0000 (12:11 +0200)]
KNOWN_BUGS: USE_UNIX_SOCKETS on Windows
Closes #4040
Daniel Stenberg [Fri, 23 Aug 2019 15:47:36 +0000 (17:47 +0200)]
quiche: send the HTTP body correctly on callback uploads
Closes #4265
Daniel Stenberg [Sun, 25 Aug 2019 21:25:20 +0000 (23:25 +0200)]
travis: disable ngtcp2 builds (temporarily)
Just too many API changes right now
Closes #4264
Daniel Stenberg [Sat, 24 Aug 2019 17:11:25 +0000 (19:11 +0200)]
ngtcp2: add support for SSLKEYLOGFILE
Closes #4260
Daniel Stenberg [Sat, 24 Aug 2019 16:43:31 +0000 (18:43 +0200)]
ngtcp2: improve h3 response receiving
Closes #4259
Daniel Stenberg [Sun, 25 Aug 2019 16:09:37 +0000 (18:09 +0200)]
ngtcp2: use nghttp3_version()
Daniel Stenberg [Sat, 24 Aug 2019 22:06:30 +0000 (00:06 +0200)]
ngtcp2: sync with upstream API changes
Assisted-by: Tatsuhiro Tsujikawa
Kyle Abramowitz [Thu, 22 Aug 2019 20:58:26 +0000 (20:58 +0000)]
scp: fix directory name length used in memcpy
Fix read off end of array due to bad pointer math in getworkingpath for
SCP home directory case.
Closes #4258
Daniel Stenberg [Sat, 24 Aug 2019 08:45:18 +0000 (10:45 +0200)]
http: the 'closed' struct field is used by both ngh2 and ngh3
and remove 'header_recvbuf', not used for anything
Reported-by: Jeremy Lainé
Closes #4257
Daniel Stenberg [Thu, 22 Aug 2019 12:08:18 +0000 (14:08 +0200)]
ngtcp2: accept upload via callback
Closes #4256
Daniel Stenberg [Thu, 22 Aug 2019 13:29:14 +0000 (15:29 +0200)]
defines: avoid underscore-prefixed defines
Double-underscored or underscore plus uppercase letter at least.
... as they're claimed to be reserved.
Reported-by: patnyb on github
Fixes #4254
Closes #4255
Daniel Stenberg [Thu, 22 Aug 2019 07:03:30 +0000 (09:03 +0200)]
travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL)
Runs no tests
Closes #4253
Daniel Stenberg [Wed, 21 Aug 2019 06:29:59 +0000 (08:29 +0200)]
travis: bump to using nghttp2 version 1.39.2
Closes #4252
Gisle Vanem [Tue, 20 Aug 2019 13:17:16 +0000 (15:17 +0200)]
docs/examples/curlx: fix errors
Initialise 'mimetype' and require the -p12 arg.
Closes #4248
Daniel Stenberg [Tue, 20 Aug 2019 11:22:15 +0000 (13:22 +0200)]
cleanup: remove DOT_CHAR completely
Follow-up to f9c7ba9096ec
The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
now.
Pointed-out-by: Gisle Vanem
Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638
Closes #4247
Daniel Stenberg [Tue, 20 Aug 2019 09:44:18 +0000 (11:44 +0200)]
spnego_sspi: add typecast to fix build warning
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"
Closes #4245
Daniel Stenberg [Tue, 20 Aug 2019 09:30:25 +0000 (11:30 +0200)]
openssl: build warning free with boringssl
Closes #4244
Daniel Stenberg [Tue, 20 Aug 2019 09:10:28 +0000 (11:10 +0200)]
curl: make --libcurl use CURL_HTTP_VERSION_3
Closes #4243
Daniel Stenberg [Tue, 20 Aug 2019 09:01:36 +0000 (11:01 +0200)]
ngtcp2: make postfields-set posts work
Closes #4242
Daniel Stenberg [Tue, 20 Aug 2019 07:59:28 +0000 (09:59 +0200)]
http: remove chunked-encoding and expect header use for HTTP/3
Alessandro Ghedini [Sun, 18 Aug 2019 14:03:51 +0000 (15:03 +0100)]
configure: use pkg-config to detect quiche
This removes the need to hard-code the quiche target path in
configure.ac.
This depends on https://github.com/cloudflare/quiche/pull/128
Closes #4237
Daniel Stenberg [Tue, 20 Aug 2019 07:13:55 +0000 (09:13 +0200)]
CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
For a long time (since 7.28.1) we've returned error when setting the
value to 1 to make applications notice that we stopped supporting the old
behavior for 1. Starting now, we treat 1 and 2 exactly the same.
Closes #4241
Daniel Stenberg [Fri, 16 Aug 2019 09:31:29 +0000 (11:31 +0200)]
curl: use .curlrc (with a dot) on Windows as well
Fall-back to _curlrc if the dot-version is missing.
Co-Authored-By: Steve Holme
Closes #4230