]> granicus.if.org Git - curl/log
curl
5 years agossh-libssh: remove unused variable
Marcel Raad [Sun, 12 May 2019 12:27:53 +0000 (14:27 +0200)]
ssh-libssh: remove unused variable

sock was only used to be assigned to fd_read.

Closes https://github.com/curl/curl/pull/3873

5 years agotest332: verify the blksize fix
Daniel Stenberg [Fri, 3 May 2019 20:21:10 +0000 (22:21 +0200)]
test332: verify the blksize fix

5 years agotftp: use the current blksize for recvfrom()
Daniel Stenberg [Fri, 3 May 2019 20:20:37 +0000 (22:20 +0200)]
tftp: use the current blksize for recvfrom()

bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436

5 years agoversion: make ssl_version buffer match for multi_ssl
Daniel Gustafsson [Sun, 19 May 2019 20:06:26 +0000 (22:06 +0200)]
version: make ssl_version buffer match for multi_ssl

When running a multi TLS backend build the version string needs more
buffer space. Make the internal ssl_buffer stack buffer match the one
in Curl_multissl_version() to allow for the longer string. For single
TLS backend builds there is no use in extended to buffer. This is a
fallout from #3863 which fixes up the multi_ssl string generation to
avoid a buffer overflow when the buffer is too small.

Closes #3875
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
5 years agohttp_ntlm_wb: Handle auth for only a single request
Steve Holme [Sat, 18 May 2019 16:30:16 +0000 (17:30 +0100)]
http_ntlm_wb: Handle auth for only a single request

Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Missed in fe6049f0.

5 years agohttp_ntlm_wb: Cleanup handshake after clean NTLM failure
Steve Holme [Sat, 18 May 2019 16:17:12 +0000 (17:17 +0100)]
http_ntlm_wb: Cleanup handshake after clean NTLM failure

Missed in 50b87c4e.

5 years agohttp_ntlm_wb: Return the correct error on receiving an empty auth message
Steve Holme [Sat, 18 May 2019 16:05:04 +0000 (17:05 +0100)]
http_ntlm_wb: Return the correct error on receiving an empty auth message

Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.

Closes #3894

5 years agocurl: make code work with protocol-disabled libcurl
Daniel Stenberg [Tue, 14 May 2019 08:03:54 +0000 (10:03 +0200)]
curl: make code work with protocol-disabled libcurl

Closes #3844

5 years agolibcurl: #ifdef away more code for disabled features/protocols
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
libcurl: #ifdef away more code for disabled features/protocols

5 years agoprogress: CURL_DISABLE_PROGRESS_METER
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
progress: CURL_DISABLE_PROGRESS_METER

5 years agohostip: CURL_DISABLE_SHUFFLE_DNS
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
hostip: CURL_DISABLE_SHUFFLE_DNS

5 years agonetrc: CURL_DISABLE_NETRC
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
netrc: CURL_DISABLE_NETRC

5 years agodocs: Markdown and misc improvements [ci skip]
Viktor Szakats [Thu, 16 May 2019 22:11:27 +0000 (22:11 +0000)]
docs: Markdown and misc improvements [ci skip]

Approved-by: Daniel Stenberg
Closes #3896

5 years agodocs/RELEASE-PROCEDURE: link to live iCalendar [ci skip]
Viktor Szakats [Thu, 16 May 2019 18:56:42 +0000 (18:56 +0000)]
docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip]

Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135
Approved-by: Daniel Stenberg
Closes #3895

5 years agotravis: add an osx http-only build
Daniel Stenberg [Wed, 15 May 2019 06:57:00 +0000 (08:57 +0200)]
travis: add an osx http-only build

Closes #3887

5 years agocleanup: remove FIXME and TODO comments
Daniel Stenberg [Tue, 14 May 2019 14:36:15 +0000 (16:36 +0200)]
cleanup: remove FIXME and TODO comments

They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883

5 years agocurl: don't set FTP options for FTP-disabled builds
Daniel Stenberg [Wed, 15 May 2019 06:42:57 +0000 (08:42 +0200)]
curl: don't set FTP options for FTP-disabled builds

... since libcurl has started to be totally unaware of options for
disabled protocols they now return error.

Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937

Reported-by: Marcel Raad
Closes #3886

5 years agohttp_ntlm_wb: Move the type-2 message processing into a dedicated function
Steve Holme [Wed, 15 May 2019 15:10:56 +0000 (16:10 +0100)]
http_ntlm_wb: Move the type-2 message processing into a dedicated function

This brings the code inline with the other HTTP authentication mechanisms.

Closes #3890

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Wed, 15 May 2019 12:35:00 +0000 (14:35 +0200)]
RELEASE-NOTES: synced

5 years agodocs/RELEASE-PROCEDURE: updated coming releases dates [ci skip]
Daniel Stenberg [Wed, 15 May 2019 11:56:19 +0000 (13:56 +0200)]
docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip]

5 years agoCURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip]
Daniel Stenberg [Wed, 15 May 2019 10:05:49 +0000 (12:05 +0200)]
CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip]

Reported-by: Roy Bellingan
Bug: #3885

5 years agoparse_proxy: use the URL parser API
Daniel Stenberg [Sun, 12 May 2019 21:46:41 +0000 (23:46 +0200)]
parse_proxy: use the URL parser API

As we treat a given proxy as a URL we should use the unified URL parser
to extract the parts out of it.

Closes #3878

5 years agohttp_negotiate: Move the Negotiate state out of the negotiatedata structure
Steve Holme [Mon, 13 May 2019 20:42:35 +0000 (21:42 +0100)]
http_negotiate: Move the Negotiate state out of the negotiatedata structure

Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

Closes #3882

5 years agohttp_ntlm: Move the NTLM state out of the ntlmdata structure
Steve Holme [Mon, 13 May 2019 19:58:39 +0000 (20:58 +0100)]
http_ntlm: Move the NTLM state out of the ntlmdata structure

Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

5 years agourl: Move the negotiate state type into a dedicated enum
Steve Holme [Mon, 13 May 2019 19:29:40 +0000 (20:29 +0100)]
url: Move the negotiate state type into a dedicated enum

5 years agourl: Remove duplicate clean up of the winbind variables in conn_shutdown()
Steve Holme [Wed, 8 May 2019 10:36:08 +0000 (11:36 +0100)]
url: Remove duplicate clean up of the winbind variables in conn_shutdown()

Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior
to calling conn_shutdown() and it in turn performs this, there is no
need to perform the same action in conn_shutdown().

Closes #3881

5 years agourlapi: require a non-zero host name length when parsing URL
Daniel Stenberg [Mon, 13 May 2019 16:42:05 +0000 (18:42 +0200)]
urlapi: require a non-zero host name length when parsing URL

Updated test 1560 to verify.

Closes #3880

5 years agoconfigure: error out if OpenSSL wasn't detected when asked for
Daniel Stenberg [Thu, 2 May 2019 08:42:23 +0000 (10:42 +0200)]
configure: error out if OpenSSL wasn't detected when asked for

If --with-ssl is used and configure still couldn't enable SSL this
creates an error instead of just silently ignoring the fact.

Suggested-by: Isaiah Norton
Fixes #3824
Closes #3830

5 years agoimap: Fix typo in comment
Daniel Gustafsson [Tue, 14 May 2019 10:38:09 +0000 (12:38 +0200)]
imap: Fix typo in comment

5 years agourl: Remove unnecessary initialisation from allocate_conn()
Steve Holme [Wed, 8 May 2019 11:12:49 +0000 (12:12 +0100)]
url: Remove unnecessary initialisation from allocate_conn()

No need to set variables to zero as calloc() does this for us.

Closes #3879

5 years agoCURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip]
Daniel Stenberg [Sun, 12 May 2019 14:35:33 +0000 (16:35 +0200)]
CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip]

Clues-provided-by: Jay Satiro
Clues-provided-by: Jeroen Ooms
Fixes #3711
Closes #3874

5 years agovtls: fix potential ssl_buffer stack overflow
Daniel Gustafsson [Mon, 13 May 2019 18:27:50 +0000 (20:27 +0200)]
vtls: fix potential ssl_buffer stack overflow

In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Mon, 13 May 2019 17:23:36 +0000 (19:23 +0200)]
RELEASE-NOTES: synced

5 years agoappveyor: also build "/ci" branches like travis
Daniel Stenberg [Fri, 10 May 2019 13:52:57 +0000 (15:52 +0200)]
appveyor: also build "/ci" branches like travis

5 years agopingpong: disable more when no pingpong enabled
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
pingpong: disable more when no pingpong enabled

5 years agoproxy: acknowledge DISABLE_PROXY more
Daniel Stenberg [Sun, 5 May 2019 15:08:22 +0000 (17:08 +0200)]
proxy: acknowledge DISABLE_PROXY more

5 years agoparsedate: CURL_DISABLE_PARSEDATE
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
parsedate: CURL_DISABLE_PARSEDATE

5 years agosasl: only enable if there's a protocol enabled using it
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
sasl: only enable if there's a protocol enabled using it

5 years agomime: acknowledge CURL_DISABLE_MIME
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
mime: acknowledge CURL_DISABLE_MIME

5 years agowildcard: disable from build when FTP isn't present
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
wildcard: disable from build when FTP isn't present

5 years agohttp: CURL_DISABLE_HTTP_AUTH
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
http: CURL_DISABLE_HTTP_AUTH

5 years agobase64: build conditionally if there are users
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
base64: build conditionally if there are users

5 years agodoh: CURL_DISABLE_DOH
Daniel Stenberg [Sun, 5 May 2019 15:08:21 +0000 (17:08 +0200)]
doh: CURL_DISABLE_DOH

5 years agoauth: Rename the various authentication clean up functions
Steve Holme [Sat, 11 May 2019 11:57:42 +0000 (12:57 +0100)]
auth: Rename the various authentication clean up functions

For consistency and to a avoid confusion.

Closes #3869

5 years agodocs/INSTALL: fix broken link [ci skip]
Jay Satiro [Sun, 12 May 2019 14:13:42 +0000 (16:13 +0200)]
docs/INSTALL: fix broken link [ci skip]

Reported-by: Joombalaya on github
Fixes #3818

5 years agoeasy: fix another "clarify calculation precedence" warning
Marcel Raad [Sun, 12 May 2019 11:36:45 +0000 (13:36 +0200)]
easy: fix another "clarify calculation precedence" warning

I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be.

5 years agobuild: fix "clarify calculation precedence" warnings
Marcel Raad [Sat, 11 May 2019 12:51:24 +0000 (14:51 +0200)]
build: fix "clarify calculation precedence" warnings

Codacy/CppCheck warns about this. Consistently use parentheses as we
already do in some places to silence the warning.

Closes https://github.com/curl/curl/pull/3866

5 years agocmake: restore C89 compatibility of CurlTests.c
Marcel Raad [Sat, 11 May 2019 20:02:39 +0000 (22:02 +0200)]
cmake: restore C89 compatibility of CurlTests.c

I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and
97de97daefc2ed084c91eff34af2426f2e55e134.

Reported-by: Viktor Szakats
Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044
Closes https://github.com/curl/curl/pull/3868

5 years agohttp_ntlm: Corrected the name of the include guard
Steve Holme [Thu, 9 May 2019 03:51:54 +0000 (04:51 +0100)]
http_ntlm: Corrected the name of the include guard

Missed in f0bdd72c.

Closes #3867

5 years agohttp_digest: Don't expose functions when HTTP and Crypto Auth are disabled
Steve Holme [Fri, 10 May 2019 12:10:34 +0000 (13:10 +0100)]
http_digest: Don't expose functions when HTTP and Crypto Auth are disabled

Closes #3861

5 years agohttp_negotiate: Don't expose functions when HTTP is disabled
Steve Holme [Fri, 10 May 2019 12:08:04 +0000 (13:08 +0100)]
http_negotiate: Don't expose functions when HTTP is disabled

5 years agoSECURITY-PROCESS: fix links [ci skip]
Daniel Stenberg [Sat, 11 May 2019 15:50:37 +0000 (17:50 +0200)]
SECURITY-PROCESS: fix links [ci skip]

5 years agoCMake: suppress unused variable warnings
Marcel Raad [Sat, 11 May 2019 12:17:17 +0000 (14:17 +0200)]
CMake: suppress unused variable warnings

I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e.

5 years agodoh: disable DOH for the cases it doesn't work
Daniel Stenberg [Thu, 9 May 2019 08:58:04 +0000 (10:58 +0200)]
doh: disable DOH for the cases it doesn't work

Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Limitation added to KNOWN_BUGS.

Fixes #3850
Closes #3857

5 years agochecksrc.bat: Ignore snprintf warnings in docs/examples
Jay Satiro [Fri, 10 May 2019 19:28:15 +0000 (15:28 -0400)]
checksrc.bat: Ignore snprintf warnings in docs/examples

.. because we allow snprintf use in docs/examples.

Closes https://github.com/curl/curl/pull/3862

5 years agovauth: Fix incorrect function description for Curl_auth_user_contains_domain()
Steve Holme [Fri, 10 May 2019 12:01:16 +0000 (13:01 +0100)]
vauth: Fix incorrect function description for Curl_auth_user_contains_domain()

...and misalignment of these comments. From a78c61a4.

Closes #3860

5 years agoRevert "multi: support verbose conncache closure handle"
Jay Satiro [Thu, 9 May 2019 06:01:34 +0000 (02:01 -0400)]
Revert "multi: support verbose conncache closure handle"

This reverts commit b0972bc.

- No longer show verbose output for the conncache closure handle.

The offending commit was added so that the conncache closure handle
would inherit verbose mode from the user's easy handle. (Note there is
no way for the user to set options for the closure handle which is why
that was necessary.) Other debug settings such as the debug function
were not also inherited since we determined that could lead to crashes
if the user's per-handle private data was used on an unexpected handle.

The reporter here says he has a debug function to capture the verbose
output, and does not expect or want any output to stderr; however
because the conncache closure handle does not inherit the debug function
the verbose output for that handle does go to stderr.

There are other plausible scenarios as well such as the user redirects
stderr on their handle, which is also not inherited since it could lead
to crashes when used on an unexpected handle.

Short of allowing the user to set options for the conncache closure
handle I don't think there's much we can safely do except no longer
inherit the verbose setting.

Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html
Reported-by: Kristoffer Gleditsch
Ref: https://github.com/curl/curl/pull/3598
Ref: https://github.com/curl/curl/pull/3618

Closes https://github.com/curl/curl/pull/3856

5 years agontlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()
Steve Holme [Thu, 9 May 2019 09:54:46 +0000 (10:54 +0100)]
ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()

From 6012fa5a.

Closes #3858

5 years agoBUG-BOUNTY: minor formatting fixes [ci skip]
Daniel Stenberg [Thu, 9 May 2019 21:30:26 +0000 (23:30 +0200)]
BUG-BOUNTY: minor formatting fixes [ci skip]

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 9 May 2019 13:26:14 +0000 (15:26 +0200)]
RELEASE-NOTES: synced

5 years agoBUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
Daniel Stenberg [Sat, 4 May 2019 21:58:11 +0000 (23:58 +0200)]
BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]

Closes #3839

5 years agohttp_negotiate: do not treat failure of gss_init_sec_context() as fatal
Kamil Dudka [Mon, 6 May 2019 12:32:00 +0000 (14:32 +0200)]
http_negotiate: do not treat failure of gss_init_sec_context() as fatal

Fixes #3726
Closes #3849

5 years agospnego_gssapi: fix return code on gss_init_sec_context() failure
Kamil Dudka [Mon, 6 May 2019 12:16:35 +0000 (14:16 +0200)]
spnego_gssapi: fix return code on gss_init_sec_context() failure

Fixes #3726
Closes #3849

5 years agogen_resp_file.bat: Removed unnecessary @ from all but the first command
Steve Holme [Wed, 8 May 2019 09:44:41 +0000 (10:44 +0100)]
gen_resp_file.bat: Removed unnecessary @ from all but the first command

There is need to use @ on every command once echo has been turned off.

Closes #3854

5 years agohttp: Ignore HTTP/2 prior knowledge setting for HTTP proxies
Jay Satiro [Wed, 8 May 2019 07:39:53 +0000 (03:39 -0400)]
http: Ignore HTTP/2 prior knowledge setting for HTTP proxies

- Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to
  the destination host.

We already do something similar for HTTPS proxies by not sending h2. [1]

Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would
incorrectly use HTTP/2 to talk to the proxy, which is not something we
support (yet?). Also it's debatable whether or not that setting should
apply to HTTP/2 proxies.

[1]: https://github.com/curl/curl/commit/17c5d05

Bug: https://github.com/curl/curl/issues/3570
Bug: https://github.com/curl/curl/issues/3832

Closes https://github.com/curl/curl/pull/3853

5 years agotravis: update mesalink build to xenial
Marcel Raad [Sat, 4 May 2019 17:39:49 +0000 (19:39 +0200)]
travis: update mesalink build to xenial

Closes https://github.com/curl/curl/pull/3842

5 years agoOpenSSL: Report -fips in version if OpenSSL is built with FIPS
Ricky Leverence [Fri, 12 Apr 2019 18:53:12 +0000 (11:53 -0700)]
OpenSSL: Report -fips in version if OpenSSL is built with FIPS

Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1

Closes #3771

5 years agonss: allow fifos and character devices for certificates.
Frank Gevaerts [Fri, 26 Apr 2019 09:23:15 +0000 (11:23 +0200)]
nss: allow fifos and character devices for certificates.

Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.

I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.

Closes #3807

5 years agotest2100: Fix typos in test description
Daniel Gustafsson [Mon, 6 May 2019 17:12:39 +0000 (20:12 +0300)]
test2100: Fix typos in test description

5 years agossh: define USE_SSH if SSH is enabled (any backend)
Daniel Stenberg [Sun, 5 May 2019 21:42:29 +0000 (23:42 +0200)]
ssh: define USE_SSH if SSH is enabled (any backend)

Closes #3846

5 years agowinbuild: Add our standard copyright header to the winbuild batch files
Steve Holme [Sun, 5 May 2019 19:17:58 +0000 (20:17 +0100)]
winbuild: Add our standard copyright header to the winbuild batch files

5 years agomakedebug: Fix ERRORLEVEL detection after running where.exe
Steve Holme [Sat, 4 May 2019 21:46:52 +0000 (22:46 +0100)]
makedebug: Fix ERRORLEVEL detection after running where.exe

Closes #3838

5 years agourlapi: add CURLUPART_ZONEID to set and get
Daniel Stenberg [Fri, 3 May 2019 11:18:12 +0000 (13:18 +0200)]
urlapi: add CURLUPART_ZONEID to set and get

The zoneid can be used with IPv6 numerical addresses.

Updated test 1560 to verify.

Closes #3834

5 years agoWRITEFUNCTION: add missing set_in_callback around callback
Taiyu Len [Sat, 4 May 2019 06:59:28 +0000 (23:59 -0700)]
WRITEFUNCTION: add missing set_in_callback around callback

Closes #3837

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Sat, 4 May 2019 21:50:18 +0000 (23:50 +0200)]
RELEASE-NOTES: synced

5 years agoCURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip]
Daniel Stenberg [Fri, 3 May 2019 13:44:49 +0000 (15:44 +0200)]
CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip]

Reported-by: Ricardo Gomes
Bug: #3537
Closes #3836

5 years agoCURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value
Daniel Stenberg [Fri, 3 May 2019 11:43:13 +0000 (13:43 +0200)]
CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value

The time field in the curl_fileinfo struct will always be zero. No code
was ever implemented to actually convert the date string to a time_t.

Fixes #3829
Closes #3835

5 years agoOS400/ccsidcurl.c: code style fixes
Daniel Stenberg [Fri, 3 May 2019 21:18:58 +0000 (23:18 +0200)]
OS400/ccsidcurl.c: code style fixes

5 years agoOS400/ccsidcurl: replace use of Curl_vsetopt
Daniel Stenberg [Fri, 3 May 2019 21:05:32 +0000 (23:05 +0200)]
OS400/ccsidcurl: replace use of Curl_vsetopt

(and make the code style comply)

Fixes #3833

5 years agourlapi: strip off scope id from numerical IPv6 addresses
Daniel Stenberg [Tue, 30 Apr 2019 14:59:08 +0000 (16:59 +0200)]
urlapi: strip off scope id from numerical IPv6 addresses

... to make the host name "usable". Store the scope id and put it back
when extracting a URL out of it.

Also makes curl_url_set() syntax check CURLUPART_HOST.

Fixes #3817
Closes #3822

5 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 2 May 2019 09:13:57 +0000 (11:13 +0200)]
RELEASE-NOTES: synced

5 years agomultiif.h: remove unused protos
Daniel Stenberg [Wed, 1 May 2019 20:56:14 +0000 (22:56 +0200)]
multiif.h: remove unused protos

... for functions related to pipelining. Those functions were removed in
2f44e94efb3df.

Closes #3828

5 years agotravis: mesalink: temporarily disable test 3001
Yiming Jing [Wed, 1 May 2019 01:23:37 +0000 (18:23 -0700)]
travis: mesalink: temporarily disable test 3001

... due to SHA-1 signatures in test certs

5 years agotravis: upgrade the MesaLink TLS backend to v1.0.0
Yiming Jing [Tue, 30 Apr 2019 22:46:46 +0000 (15:46 -0700)]
travis: upgrade the MesaLink TLS backend to v1.0.0

Closes #3823
Closes #3776

5 years agoConnectionExists: improve non-multiplexing use case
Daniel Stenberg [Tue, 30 Apr 2019 09:16:53 +0000 (11:16 +0200)]
ConnectionExists: improve non-multiplexing use case

- better log output

- make sure multiplex is enabled for it to be used

5 years agomulti: provide Curl_multiuse_state to update information
Daniel Stenberg [Tue, 30 Apr 2019 09:14:38 +0000 (11:14 +0200)]
multi: provide Curl_multiuse_state to update information

As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.

5 years agoprocess_pending_handles: mark queued transfers as previously pending
Daniel Stenberg [Tue, 30 Apr 2019 09:12:12 +0000 (11:12 +0200)]
process_pending_handles: mark queued transfers as previously pending

With transfers being queued up, we only move one at a a time back to the
CONNECT state but now we mark moved transfers so that when a moved
transfer is confirmed "successful" (it connected) it will trigger the
move of another pending transfer. Previously, it would otherwise wait
until the transfer was done before doing this. This makes queued up
pending transfers get processed (much) faster.

5 years agohttp: mark bundle as not for multiuse on < HTTP/2 response
Daniel Stenberg [Tue, 30 Apr 2019 09:09:10 +0000 (11:09 +0200)]
http: mark bundle as not for multiuse on < HTTP/2 response

Fixes #3813
Closes #3815

5 years agocookie: Guard against possible NULL ptr deref
Daniel Gustafsson [Wed, 1 May 2019 11:14:15 +0000 (13:14 +0200)]
cookie: Guard against possible NULL ptr deref

In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
5 years agoos400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings
Patrick Monnerat [Tue, 30 Apr 2019 12:29:16 +0000 (14:29 +0200)]
os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings

5 years agonss: provide more specific error messages on failed init
Kamil Dudka [Fri, 26 Apr 2019 10:20:21 +0000 (12:20 +0200)]
nss: provide more specific error messages on failed init

Closes #3808

5 years agodocs: minor polish to the bug bounty / security docs
Reed Loden [Sun, 28 Apr 2019 21:14:23 +0000 (14:14 -0700)]
docs: minor polish to the bug bounty / security docs

Closes #3811

5 years agoCURL_MAX_INPUT_LENGTH: largest acceptable string input size
Daniel Stenberg [Mon, 29 Apr 2019 06:00:49 +0000 (08:00 +0200)]
CURL_MAX_INPUT_LENGTH: largest acceptable string input size

This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

Closes #3805

5 years agocurlver.h: use parenthesis in CURL_VERSION_BITS macro
Tseng Jun [Sun, 28 Apr 2019 07:25:15 +0000 (15:25 +0800)]
curlver.h: use parenthesis in CURL_VERSION_BITS macro

Closes #3809

5 years agocmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
Simon Warta [Fri, 12 Apr 2019 12:44:59 +0000 (14:44 +0200)]
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP

Closes https://github.com/curl/curl/pull/3769

5 years agontlm: Missed pre-processor || (or) during rebase for cd15acd0
Steve Holme [Tue, 23 Apr 2019 19:26:02 +0000 (20:26 +0100)]
ntlm: Missed pre-processor || (or) during rebase for cd15acd0

5 years agontlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
Steve Holme [Sat, 13 Apr 2019 20:47:56 +0000 (21:47 +0100)]
ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4

Just like we do for mbed TLS, use our local implementation of MD4 when
OpenSSL doesn't support it. This allows a type-3 message to include the
NT response.

5 years agoINTERNALS: fix misindentation of ToC item
Daniel Gustafsson [Tue, 23 Apr 2019 10:38:31 +0000 (12:38 +0200)]
INTERNALS: fix misindentation of ToC item

Kerberos was incorrectly indented as a subsection under FTP, which is
incorrect as they are both top level sections. A fix for this was first
attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that
was a few paddles short of being complete.

5 years agoINTERNALS: Add structs to ToC
Aron Bergman [Tue, 23 Apr 2019 09:36:22 +0000 (11:36 +0200)]
INTERNALS: Add structs to ToC

Add the subsections under "Structs in libcurl" to the table of contents.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
5 years agoINTERNALS: Add code highlighting
Aron Bergman [Tue, 23 Apr 2019 09:29:47 +0000 (11:29 +0200)]
INTERNALS: Add code highlighting

Make all struct members under the Curl_handler section
print in monospace font.

Closes #3801
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>