]> granicus.if.org Git - curl/log
curl
5 years agostrcase: fix raw lowercasing the letter X
Lucas Pardue [Tue, 24 Sep 2019 05:27:33 +0000 (01:27 -0400)]
strcase: fix raw lowercasing the letter X

Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to
this change.

Follow-up to 0023fce which added the function several days ago.

Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546

Closes https://github.com/curl/curl/pull/4408

5 years agohttp2: Expression 'stream->stream_id != - 1' is always true
Daniel Stenberg [Mon, 23 Sep 2019 09:05:37 +0000 (11:05 +0200)]
http2: Expression 'stream->stream_id != - 1' is always true

PVS-Studio warning
Fixes #4402

5 years agohttp2: A value is being subtracted from the unsigned variable
Daniel Stenberg [Mon, 23 Sep 2019 09:04:13 +0000 (11:04 +0200)]
http2: A value is being subtracted from the unsigned variable

PVS-Studio warning
Fixes #4402

5 years agolibssh: part of conditional expression is always true: !result
Daniel Stenberg [Mon, 23 Sep 2019 08:55:43 +0000 (10:55 +0200)]
libssh: part of conditional expression is always true: !result

PVS-Studio warning
Fixed #4402

5 years agolibssh: part of conditional expression is always true
Daniel Stenberg [Mon, 23 Sep 2019 08:55:05 +0000 (10:55 +0200)]
libssh: part of conditional expression is always true

PVS-Studio warning
Fixes #4402

5 years agolibssh: The expression is excessive or contains a misprint
Daniel Stenberg [Mon, 23 Sep 2019 08:54:03 +0000 (10:54 +0200)]
libssh: The expression is excessive or contains a misprint

PVS-Studio warning
Fixes #4402

5 years agoquiche: The expression must be surrounded by parentheses
Daniel Stenberg [Mon, 23 Sep 2019 08:51:00 +0000 (10:51 +0200)]
quiche: The expression must be surrounded by parentheses

PVS-Studio warning
Fixes #4402

5 years agovauth: The parameter 'status' must be surrounded by parentheses
Daniel Stenberg [Mon, 23 Sep 2019 08:48:06 +0000 (10:48 +0200)]
vauth: The parameter 'status' must be surrounded by parentheses

PVS-Studio warning
Fixes #4402

5 years agodoh: allow only http and https in debug mode
Paul Dreik [Mon, 23 Sep 2019 11:11:49 +0000 (13:11 +0200)]
doh: allow only http and https in debug mode

Otherwise curl may be told to use for instance pop3 to
communicate with the doh server, which most likely
is not what you want.

Found through fuzzing.

Closes #4406

5 years agodoh: return early if there is no time left
Paul Dreik [Mon, 23 Sep 2019 11:10:12 +0000 (13:10 +0200)]
doh: return early if there is no time left

Closes #4406

5 years agohttp: lowercase headernames for HTTP/2 and HTTP/3
Barry Pollard [Sun, 22 Sep 2019 20:17:12 +0000 (21:17 +0100)]
http: lowercase headernames for HTTP/2 and HTTP/3

Closes #4401
Fixes #4400

5 years agovtls: fix narrowing conversion warnings
Marcel Raad [Sun, 22 Sep 2019 17:04:18 +0000 (19:04 +0200)]
vtls: fix narrowing conversion warnings

Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f0.

Closes https://github.com/curl/curl/pull/4398

5 years agowinbuild: Add manifest to curl.exe for proper OS version detection
Joel Depooter [Sun, 22 Sep 2019 20:03:18 +0000 (13:03 -0700)]
winbuild: Add manifest to curl.exe for proper OS version detection

This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898
in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to
CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is
overwritten. The fix is to append values to CURL_RC_FLAGS instead of
overwriting

Closes #4399

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Sun, 22 Sep 2019 20:50:12 +0000 (22:50 +0200)]
RELEASE-NOTES: synced

5 years agoopenssl: fix compiler warning with LibreSSL
Marcel Raad [Sun, 22 Sep 2019 15:45:27 +0000 (17:45 +0200)]
openssl: fix compiler warning with LibreSSL

It was already fixed for BoringSSL in commit a0f8fccb1e0.
LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
as uint16_t ever since the function was added in [0].

[0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda

Closes https://github.com/curl/curl/pull/4397

5 years agocurl: exit the create_transfers loop on errors
Daniel Stenberg [Sat, 21 Sep 2019 21:46:41 +0000 (23:46 +0200)]
curl: exit the create_transfers loop on errors

When looping around the ranges and given URLs to create transfers, all
errors should exit the loop and return. Previously it would keep
looping.

Reported-by: SumatraPeter on github
Bug: #4393
Closes #4396

5 years agosocks: Fix destination host shown on SOCKS5 error
Jay Satiro [Sat, 21 Sep 2019 07:39:21 +0000 (03:39 -0400)]
socks: Fix destination host shown on SOCKS5 error

Prior to this change when a server returned a socks5 connect error then
curl would parse the destination address:port from that data and show it
to the user as the destination:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.12.206 (locally resolved)
* Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)
curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)

That's incorrect because the address:port included in the connect error
is actually a bind address:port (typically unused) and not the
destination address:port. This fix changes curl to show the destination
information that curl sent to the server instead:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved)
* Can't complete SOCKS5 connection to 172.217.7.14:99. (1)
curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1)

curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to google.com:99 (remotely resolved)
* Can't complete SOCKS5 connection to google.com:99. (1)
curl: (7) Can't complete SOCKS5 connection to google.com:99. (1)

Ref: https://tools.ietf.org/html/rfc1928#section-6

Closes https://github.com/curl/curl/pull/4394

5 years agotravis: enable ngtcp2 h3-23 builds
Daniel Stenberg [Sat, 21 Sep 2019 13:47:07 +0000 (15:47 +0200)]
travis: enable ngtcp2 h3-23 builds

5 years agoaltsvc: both backends run h3-23 now
Daniel Stenberg [Sat, 21 Sep 2019 13:46:30 +0000 (15:46 +0200)]
altsvc: both backends run h3-23 now

Closes #4395

5 years agohttp: fix warning on conversion from int to bit
Daniel Stenberg [Sat, 21 Sep 2019 21:09:59 +0000 (23:09 +0200)]
http: fix warning on conversion from int to bit

Follow-up from 03ebe66d70

5 years agourldata: use 'bool' for the bit type on MSVC compilers
Daniel Stenberg [Fri, 20 Sep 2019 07:59:55 +0000 (09:59 +0200)]
urldata: use 'bool' for the bit type on MSVC compilers

Closes #4387
Fixes #4379

5 years agoappveyor: upgrade VS2017 to VS2019
Daniel Stenberg [Thu, 19 Sep 2019 14:34:06 +0000 (16:34 +0200)]
appveyor: upgrade VS2017 to VS2019

Closes #4383

5 years agoFTP: FTPFILE_NOCWD: avoid redundant CWDs
Zenju [Thu, 19 Sep 2019 12:59:13 +0000 (14:59 +0200)]
FTP: FTPFILE_NOCWD: avoid redundant CWDs

Closes #4382

5 years agocookie: pass in the correct cookie amount to qsort()
Daniel Stenberg [Wed, 18 Sep 2019 12:29:35 +0000 (14:29 +0200)]
cookie: pass in the correct cookie amount to qsort()

As the loop discards cookies without domain set. This bug would lead to
qsort() trying to sort uninitialized pointers. We have however not found
it a security problem.

Reported-by: Paul Dreik
Closes #4386

5 years agourlapi: avoid index underflow for short ipv6 hostnames
Paul Dreik [Fri, 20 Sep 2019 11:25:20 +0000 (13:25 +0200)]
urlapi: avoid index underflow for short ipv6 hostnames

If the input hostname is "[", hlen will underflow to max of size_t when
it is subtracted with 2.

hostname[hlen] will then cause a warning by ubsanitizer:

runtime error: addition of unsigned offset to 0x<snip> overflowed to
0x<snip>

I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".

This can be demonstrated by the following program (tested in both clang
and gcc, with -O3)

int main() {
  char* hostname=strdup("[");
  size_t hlen = strlen(hostname);

  hlen-=2;
  hostname++;
  printf("character is %d\n",+hostname[hlen]);
  free(hostname-1);
}

I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.

Closes #4389

5 years agongtcp2: compile with latest ngtcp2 + nghttp3 draft-23
Tatsuhiro Tsujikawa [Sat, 21 Sep 2019 02:24:38 +0000 (11:24 +0900)]
ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23

Closes #4392

5 years agoTHANKS-filter: deal with my typos 'Jat' => 'Jay'
Daniel Stenberg [Fri, 20 Sep 2019 11:53:23 +0000 (13:53 +0200)]
THANKS-filter: deal with my typos 'Jat' => 'Jay'

5 years agotravis: use go master
Daniel Stenberg [Mon, 16 Sep 2019 07:02:03 +0000 (09:02 +0200)]
travis: use go master

... as the boringssl builds needs a very recent version

Co-authored-by: Jat Satiro
Closes #4361

5 years agotool_operate: removed unused variable 'done'
Daniel Stenberg [Thu, 19 Sep 2019 08:35:25 +0000 (10:35 +0200)]
tool_operate: removed unused variable 'done'

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agotool_operate: Expression 'config->resume_from' is always true
Daniel Stenberg [Thu, 19 Sep 2019 08:33:56 +0000 (10:33 +0200)]
tool_operate: Expression 'config->resume_from' is always true

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agotool_getparam: remove duplicate switch case
Daniel Stenberg [Thu, 19 Sep 2019 08:28:05 +0000 (10:28 +0200)]
tool_getparam: remove duplicate switch case

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agolibssh2: part of conditional expression is always true: !result
Daniel Stenberg [Thu, 19 Sep 2019 08:25:15 +0000 (10:25 +0200)]
libssh2: part of conditional expression is always true: !result

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agourlapi: Expression 'storep' is always true
Daniel Stenberg [Thu, 19 Sep 2019 08:20:35 +0000 (10:20 +0200)]
urlapi: Expression 'storep' is always true

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agourlapi: 'scheme' is always true
Daniel Stenberg [Thu, 19 Sep 2019 08:19:21 +0000 (10:19 +0200)]
urlapi: 'scheme' is always true

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agourlapi: part of conditional expression is always true: (relurl[0] == '/')
Daniel Stenberg [Thu, 19 Sep 2019 08:18:28 +0000 (10:18 +0200)]
urlapi: part of conditional expression is always true: (relurl[0] == '/')

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agosetopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
Daniel Stenberg [Thu, 19 Sep 2019 08:09:21 +0000 (10:09 +0200)]
setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly

Fixes bug detected by PVS-Studio
Fixes #4374

5 years agomime: make Curl_mime_duppart() assert if called without valid dst
Daniel Stenberg [Thu, 19 Sep 2019 08:06:01 +0000 (10:06 +0200)]
mime: make Curl_mime_duppart() assert if called without valid dst

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agohttp_proxy: part of conditional expression is always true: !error
Daniel Stenberg [Thu, 19 Sep 2019 07:54:12 +0000 (09:54 +0200)]
http_proxy: part of conditional expression is always true: !error

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoimap: merged two case-branches performing the same action
Daniel Stenberg [Thu, 19 Sep 2019 07:52:01 +0000 (09:52 +0200)]
imap: merged two case-branches performing the same action

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agomulti: value '2L' is assigned to a boolean
Daniel Stenberg [Thu, 19 Sep 2019 07:47:37 +0000 (09:47 +0200)]
multi: value '2L' is assigned to a boolean

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoeasy: part of conditional expression is always true: !result
Daniel Stenberg [Thu, 19 Sep 2019 07:37:06 +0000 (09:37 +0200)]
easy: part of conditional expression is always true: !result

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agonetrc: part of conditional expression is always true: !done
Daniel Stenberg [Thu, 19 Sep 2019 07:34:30 +0000 (09:34 +0200)]
netrc: part of conditional expression is always true: !done

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoversion: Expression 'left > 1' is always true
Daniel Stenberg [Thu, 19 Sep 2019 07:32:03 +0000 (09:32 +0200)]
version: Expression 'left > 1' is always true

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agourl: remove dead code
Daniel Stenberg [Thu, 19 Sep 2019 07:29:02 +0000 (09:29 +0200)]
url: remove dead code

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agourl: part of expression is always true: (bundle->multiuse == 0)
Daniel Stenberg [Thu, 19 Sep 2019 07:25:29 +0000 (09:25 +0200)]
url: part of expression is always true: (bundle->multiuse == 0)

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoftp: the conditional expression is always true
Daniel Stenberg [Thu, 19 Sep 2019 07:19:44 +0000 (09:19 +0200)]
ftp: the conditional expression is always true

... both !result and (ftp->transfer != FTPTRANSFER_BODY)!

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoftp: Expression 'ftpc->wait_data_conn' is always false
Daniel Stenberg [Thu, 19 Sep 2019 07:18:26 +0000 (09:18 +0200)]
ftp: Expression 'ftpc->wait_data_conn' is always false

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoftp: Expression 'ftpc->wait_data_conn' is always true
Daniel Stenberg [Thu, 19 Sep 2019 07:16:41 +0000 (09:16 +0200)]
ftp: Expression 'ftpc->wait_data_conn' is always true

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agoftp: part of conditional expression is always true: !result
Daniel Stenberg [Thu, 19 Sep 2019 07:14:15 +0000 (09:14 +0200)]
ftp: part of conditional expression is always true: !result

Fixes warning detected by PVS-Studio
Fixes #4374

5 years agohttp: fix Expression 'http->postdata' is always false
Daniel Stenberg [Thu, 19 Sep 2019 07:10:05 +0000 (09:10 +0200)]
http: fix Expression 'http->postdata' is always false

Fixes warning detected by PVS-Studio
Fixes #4374
Reported-by: Valerii Zapodovnikov
5 years agodoh: avoid truncating DNS QTYPE to lower octet
Niall O'Reilly [Thu, 19 Sep 2019 13:38:14 +0000 (14:38 +0100)]
doh: avoid truncating DNS QTYPE to lower octet

Closes #4381

5 years agourlapi: CURLU_NO_AUTHORITY allows empty authority/host part
Jens Finkhaeuser [Thu, 19 Sep 2019 13:54:53 +0000 (15:54 +0200)]
urlapi: CURLU_NO_AUTHORITY allows empty authority/host part

CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not
"file:///") to override cURL's default demand that an authority exists.

Closes #4349

5 years agoversion: next release will be 7.67.0
Daniel Stenberg [Thu, 19 Sep 2019 13:41:59 +0000 (15:41 +0200)]
version: next release will be 7.67.0

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 19 Sep 2019 13:30:16 +0000 (15:30 +0200)]
RELEASE-NOTES: synced

5 years agourl: only reuse TLS connections with matching pinning
Daniel Stenberg [Fri, 13 Sep 2019 14:38:58 +0000 (16:38 +0200)]
url: only reuse TLS connections with matching pinning

If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.

Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund
Closes #4347

5 years agoREADME: add OSS-Fuzz badge [skip ci]
Daniel Stenberg [Thu, 19 Sep 2019 12:00:51 +0000 (14:00 +0200)]
README: add OSS-Fuzz badge [skip ci]

Closes #4380

5 years agohttp: merge two "case" statements
Michael Kaufmann [Wed, 18 Sep 2019 11:42:53 +0000 (13:42 +0200)]
http: merge two "case" statements

5 years agoFTP: remove trailing slash from path for LIST/MLSD
Zenju [Fri, 13 Sep 2019 15:32:04 +0000 (17:32 +0200)]
FTP: remove trailing slash from path for LIST/MLSD

Closes #4348

5 years agomime: when disabled, avoid C99 macro
Daniel Stenberg [Mon, 16 Sep 2019 21:25:48 +0000 (23:25 +0200)]
mime: when disabled, avoid C99 macro

Closes #4368

5 years agourl: cleanup dangling DOH request headers too
Daniel Stenberg [Tue, 17 Sep 2019 21:47:12 +0000 (23:47 +0200)]
url: cleanup dangling DOH request headers too

Follow-up to 9bc44ff64d9081

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17269

Closes #4372

5 years agohttp2: relax verification of :authority in push promise requests
Christoph M. Becker [Mon, 16 Sep 2019 13:32:58 +0000 (15:32 +0200)]
http2: relax verification of :authority in push promise requests

If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.

Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html

Closes #4365

5 years agodoh: clean up dangling DOH handles and memory on easy close
Daniel Stenberg [Mon, 16 Sep 2019 14:38:01 +0000 (16:38 +0200)]
doh: clean up dangling DOH handles and memory on easy close

If you set the same URL for target as for DoH (and it isn't a DoH
server), like "https://example.com" in both, the easy handles used for
the DoH requests could be left "dangling" and end up not getting freed.

Reported-by: Paul Dreik
Closes #4366

5 years agounit1655: make it C90 compliant
Daniel Stenberg [Mon, 16 Sep 2019 12:30:44 +0000 (14:30 +0200)]
unit1655: make it C90 compliant

Unclear why this was not detected in the CI.

Follow-up to b7666027296a

5 years agosmb: check for full size message before reading message details
Daniel Stenberg [Mon, 16 Sep 2019 08:15:05 +0000 (10:15 +0200)]
smb: check for full size message before reading message details

To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363

5 years agoquiche: persist connection details
Daniel Stenberg [Mon, 16 Sep 2019 06:46:12 +0000 (08:46 +0200)]
quiche: persist connection details

... like we do for other protocols at connect time. This makes "curl -I"
and other things work.

Reported-by: George Liu
Fixes #4358
Closes #4360

5 years agoopenssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Daniel Stenberg [Sun, 15 Sep 2019 21:58:49 +0000 (23:58 +0200)]
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version

Follow-up to ffe34b7b59
Closes #4359

5 years agodoh: fix undefined behaviour and open up for gcc and clang optimization
Paul Dreik [Fri, 13 Sep 2019 18:06:21 +0000 (20:06 +0200)]
doh: fix undefined behaviour and open up for gcc and clang optimization

The undefined behaviour is annoying when running fuzzing with
sanitizers. The codegen is the same, but the meaning is now not up for
dispute. See https://cppinsights.io/s/516a2ff4

By incrementing the pointer first, both gcc and clang recognize this as
a bswap and optimizes it to a single instruction.  See
https://godbolt.org/z/994Zpx

Closes #4350

5 years agodoh: fix (harmless) buffer overrun
Paul Dreik [Sat, 14 Sep 2019 01:16:09 +0000 (03:16 +0200)]
doh: fix (harmless) buffer overrun

Added unit test case 1655 to verify.
Close #4352

the code correctly finds the flaws in the old code,
if one temporarily restores doh.c to the old version.

5 years agodocs: remove trailing ':' from section names in CURLOPT_TRAILER* man
Alessandro Ghedini [Sat, 14 Sep 2019 18:47:34 +0000 (19:47 +0100)]
docs: remove trailing ':' from section names in CURLOPT_TRAILER* man

5 years agodocs: fix typo in CURLOPT_HTTP_VERSION man
Alessandro Ghedini [Sat, 14 Sep 2019 18:44:29 +0000 (19:44 +0100)]
docs: fix typo in CURLOPT_HTTP_VERSION man

5 years agoCI: inintial github action job
Daniel Stenberg [Sat, 14 Sep 2019 18:25:43 +0000 (20:25 +0200)]
CI: inintial github action job

First shot at a CI build on github actions

5 years agoappveyor: add a winbuild
Daniel Stenberg [Wed, 11 Sep 2019 11:57:32 +0000 (13:57 +0200)]
appveyor: add a winbuild

Assisted-by: Marcel Raad
Assisted-by: Jay Satiro
Closes #4324

5 years agoFTP: allow "rubbish" prepended to the SIZE response
Daniel Stenberg [Thu, 12 Sep 2019 15:50:21 +0000 (17:50 +0200)]
FTP: allow "rubbish" prepended to the SIZE response

This is a protocol violation but apparently there are legacy proprietary
servers doing this.

Added test 336 and 337 to verify.

Reported-by: Philippe Marguinaud
Closes #4339

5 years agoFTP: skip CWD to entry dir when target is absolute
Zenju [Wed, 11 Sep 2019 18:04:28 +0000 (20:04 +0200)]
FTP: skip CWD to entry dir when target is absolute

Closes #4332

5 years agocurl: fix memory leaked by parse_metalink()
Kamil Dudka [Wed, 11 Sep 2019 14:32:11 +0000 (16:32 +0200)]
curl: fix memory leaked by parse_metalink()

This commit fixes a regression introduced by curl-7_65_3-5-gb88940850.
Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind
and libmetalink enabled.

Closes #4326

5 years agoparsedate: still provide the name arrays when disabled
Daniel Stenberg [Thu, 12 Sep 2019 21:28:00 +0000 (23:28 +0200)]
parsedate: still provide the name arrays when disabled

If FILE or FTP are enabled, since they also use them!

Reported-by: Roland Hieber
Fixes #4325
Closes #4343

5 years agocurl:file2string: load large files much faster
Gilles Vollant [Thu, 12 Sep 2019 08:09:22 +0000 (10:09 +0200)]
curl:file2string: load large files much faster

... by using a more efficient realloc scheme.

Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html
Closes #4336

5 years agoopenssl: close_notify on the FTP data connection doesn't mean closure
Daniel Stenberg [Thu, 12 Sep 2019 15:56:49 +0000 (17:56 +0200)]
openssl: close_notify on the FTP data connection doesn't mean closure

For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!

Regression since 3f5da4e59a556fc (7.65.0)

Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340

5 years agodocs/HTTP3: fix `--with-ssl` ngtcp2 configure flag
Jimmy Gaussen [Thu, 12 Sep 2019 13:15:46 +0000 (15:15 +0200)]
docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag

Closes #4338

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 12 Sep 2019 07:48:00 +0000 (09:48 +0200)]
RELEASE-NOTES: synced

5 years agocurlver: bump to 7.66.1
Daniel Stenberg [Thu, 12 Sep 2019 07:48:27 +0000 (09:48 +0200)]
curlver: bump to 7.66.1

5 years agosetopt: make it easier to add new enum values
Zenju [Wed, 11 Sep 2019 08:41:43 +0000 (10:41 +0200)]
setopt: make it easier to add new enum values

... by using the *_LAST define names better.

Closes #4321

5 years agoasyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
Daniel Stenberg [Wed, 11 Sep 2019 21:11:58 +0000 (23:11 +0200)]
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris

Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333

5 years agowinbuild/MakefileBuild.vc: Add vssh
Bernhard Walle [Wed, 11 Sep 2019 10:56:54 +0000 (12:56 +0200)]
winbuild/MakefileBuild.vc: Add vssh

Without that modification, the Windows build using the makefiles doesn't
work.

Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
Fixes #4322
Closes #4323

5 years agowinbuild/MakefileBuild.vc: Fix line endings
Bernhard Walle [Wed, 11 Sep 2019 10:56:22 +0000 (12:56 +0200)]
winbuild/MakefileBuild.vc: Fix line endings

The file had mixed line endings.

Signed-off-by: Bernhard Walle <bernhard.walle@posteo.eu>
5 years agoldap: Stop using wide char version of ldapp_err2string
Jay Satiro [Tue, 27 Aug 2019 18:20:20 +0000 (14:20 -0400)]
ldap: Stop using wide char version of ldapp_err2string

Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).

We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:

failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));

Closes https://github.com/curl/curl/pull/4272

5 years agoRELEASE-NOTES: curl 7.66.0 curl-7_66_0
Daniel Stenberg [Mon, 9 Sep 2019 12:08:57 +0000 (14:08 +0200)]
RELEASE-NOTES: curl 7.66.0

5 years agoTHANKS: from the 7.66.0 release
Daniel Stenberg [Mon, 9 Sep 2019 12:10:32 +0000 (14:10 +0200)]
THANKS: from the 7.66.0 release

5 years agocurl: make sure the parallel transfers do them all
Daniel Stenberg [Tue, 10 Sep 2019 11:37:38 +0000 (13:37 +0200)]
curl: make sure the parallel transfers do them all

The logic could erroneously break the loop too early before all
transfers had been transferred.

Reported-by: Tom van der Woerdt
Fixes #4316
Closes #4317

5 years agourlapi: one colon is enough for the strspn() input (typo)
Daniel Stenberg [Tue, 10 Sep 2019 09:51:51 +0000 (11:51 +0200)]
urlapi: one colon is enough for the strspn() input (typo)

5 years agourlapi: verify the IPv6 numerical address
Daniel Stenberg [Wed, 4 Sep 2019 21:49:30 +0000 (23:49 +0200)]
urlapi: verify the IPv6 numerical address

It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315

5 years agoopenssl: use SSL_CTX_set_<min|max>_proto_version() when available
Clément Notin [Sun, 8 Sep 2019 14:44:54 +0000 (16:44 +0200)]
openssl: use SSL_CTX_set_<min|max>_proto_version() when available

OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available.  Existing code is preserved for older versions of
OpenSSL.

Closes #4304

5 years agoopenssl: indent, re-organize and add comments
Clément Notin [Sun, 8 Sep 2019 13:09:32 +0000 (15:09 +0200)]
openssl: indent, re-organize and add comments

5 years agosspi: fix memory leaks
migueljcrum [Fri, 6 Sep 2019 13:43:51 +0000 (13:43 +0000)]
sspi: fix memory leaks

Closes #4299

5 years agotravis: disable ngtcp2 builds (again)
Daniel Stenberg [Tue, 10 Sep 2019 06:02:06 +0000 (08:02 +0200)]
travis: disable ngtcp2 builds (again)

5 years agoCurl_fillreadbuffer: avoid double-free trailer buf on error
Daniel Stenberg [Wed, 4 Sep 2019 22:08:21 +0000 (00:08 +0200)]
Curl_fillreadbuffer: avoid double-free trailer buf on error

Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas
Closes #4307

5 years agotool_setopt: handle a libcurl build without netrc support
Daniel Stenberg [Sun, 8 Sep 2019 21:47:56 +0000 (23:47 +0200)]
tool_setopt: handle a libcurl build without netrc support

Reported-by: codesniffer13 on github
Fixes #4302
Closes #4305

5 years agosecurity:read_data fix bad realloc()
Daniel Stenberg [Tue, 3 Sep 2019 20:59:32 +0000 (22:59 +0200)]
security:read_data fix bad realloc()

... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html

5 years agotftp: Alloc maximum blksize, and use default unless OACK is received
Thomas Vegas [Sat, 31 Aug 2019 15:30:51 +0000 (17:30 +0200)]
tftp: Alloc maximum blksize, and use default unless OACK is received

Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482

5 years agotftp: return error when packet is too small for options
Thomas Vegas [Sat, 31 Aug 2019 14:59:56 +0000 (16:59 +0200)]
tftp: return error when packet is too small for options