]> granicus.if.org Git - curl/log
curl
8 years agoexternalsocket.c: fix compiler warning for fwrite return type
Daniel Stenberg [Wed, 17 Feb 2016 14:00:54 +0000 (15:00 +0100)]
externalsocket.c: fix compiler warning for fwrite return type

8 years agoanyauthput.c: fix compiler warnings
Daniel Stenberg [Wed, 17 Feb 2016 14:00:34 +0000 (15:00 +0100)]
anyauthput.c: fix compiler warnings

8 years agosimplessl.c: warning: while with space
Daniel Stenberg [Wed, 17 Feb 2016 14:00:18 +0000 (15:00 +0100)]
simplessl.c: warning: while with space

8 years agocurlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function
Daniel Stenberg [Wed, 17 Feb 2016 13:51:31 +0000 (14:51 +0100)]
curlx.c: i2s_ASN1_IA5STRING() clashes with an openssl function

Reported-By: Gisle Vanem
8 years agohttp2: don't decompress gzip decoding automatically
Daniel Stenberg [Wed, 17 Feb 2016 07:25:40 +0000 (08:25 +0100)]
http2: don't decompress gzip decoding automatically

At one point during the development of HTTP/2, the commit 133cdd29ea0
introduced automatic decompression of Content-Encoding as that was what
the spec said then. Now however, HTTP/2 should work the same way as
HTTP/1 in this regard.

Reported-by: Kazuho Oku
Closes #661

8 years agohttp: Don't break the header into chunks if HTTP/2
Tatsuhiro Tsujikawa [Tue, 16 Feb 2016 19:44:57 +0000 (14:44 -0500)]
http: Don't break the header into chunks if HTTP/2

nghttp2 callback deals with TLS layer and therefore the header does not
need to be broken into chunks.

Bug: https://github.com/curl/curl/issues/659
Reported-by: Kazuho Oku
8 years agoopenssl: use macro to guard the opaque EVP_PKEY branch
Viktor Szakats [Mon, 15 Feb 2016 23:22:54 +0000 (00:22 +0100)]
openssl: use macro to guard the opaque EVP_PKEY branch

8 years agoopenssl: avoid direct PKEY access with OpenSSL 1.1.0
Viktor Szakats [Sat, 13 Feb 2016 16:09:12 +0000 (17:09 +0100)]
openssl: avoid direct PKEY access with OpenSSL 1.1.0

by using API instead of accessing an internal structure.
This is required starting OpenSSL 1.1.0-pre3.

Closes #650

8 years agoRELEASE-NOTES: synced with ede0bfc079da
Daniel Stenberg [Mon, 15 Feb 2016 09:20:05 +0000 (10:20 +0100)]
RELEASE-NOTES: synced with ede0bfc079da

8 years agoCURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option
Clint Clayton [Sun, 14 Feb 2016 21:22:19 +0000 (13:22 -0800)]
CURLOPT_CONNECTTIMEOUT_MS.3: Fix example to use milliseconds option

Change the example in the docs for CURLOPT_CONNECTTIMEOUT_MS to use
CURLOPT_CONNECTTIMEOUT_MS instead of CURLOPT_CONNECTTIMEOUT.

Closes #653

8 years agoopt-docs: add more references
Daniel Stenberg [Sun, 14 Feb 2016 14:54:47 +0000 (15:54 +0100)]
opt-docs: add more references

8 years agoSCP: use libssh2_scp_recv2 to support > 2GB files on windows
David Byron [Tue, 21 Jul 2015 03:27:12 +0000 (20:27 -0700)]
SCP: use libssh2_scp_recv2 to support > 2GB files on windows

libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
day now.

Closes #451

8 years agogtls: fix for builds lacking encrypted key file support
Shine Fan [Sun, 14 Feb 2016 02:54:45 +0000 (10:54 +0800)]
gtls: fix for builds lacking encrypted key file support

Bug: https://github.com/curl/curl/pull/651

8 years agotest1604: Add to Makefile.inc so it gets run
Dan Fandrich [Sat, 13 Feb 2016 21:49:45 +0000 (22:49 +0100)]
test1604: Add to Makefile.inc so it gets run

8 years agogenerate.bat: Fix comment bug by removing old comments
Jay Satiro [Sat, 13 Feb 2016 04:48:54 +0000 (23:48 -0500)]
generate.bat: Fix comment bug by removing old comments

Remove NOTES section, it's no longer needed since we aren't setting the
errorlevel and more importantly the recently updated URL in the comments
is causing some unusual behavior that breaks the script.

Closes https://github.com/curl/curl/issues/649

8 years agocurl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts
Kamil Dudka [Fri, 12 Feb 2016 17:39:57 +0000 (18:39 +0100)]
curl.1: --disable-{eprt,epsv} are ignored for IPv6 hosts

The behavior has been clarified in CURLOPT_FTP_USE_{EPRT,EPSV}.3 man
pages since curl-7_12_3~131.  This patch makes it clear in the curl.1
man page, too.

Bug: https://bugzilla.redhat.com/1305970

8 years agodist: ship buildconf.bat too
Daniel Stenberg [Fri, 12 Feb 2016 15:45:25 +0000 (16:45 +0100)]
dist: ship buildconf.bat too

As the winbuild/* stuff uses it!

8 years agocurlx_tvdiff: handle 32bit time_t overflows
Daniel Stenberg [Thu, 11 Feb 2016 22:52:43 +0000 (23:52 +0100)]
curlx_tvdiff: handle 32bit time_t overflows

On 32bit systems, make sure we don't overflow and return funky values
for very large time differences.

Reported-by: Anders Bakken
Closes #646

8 years agoexamples: fix some compiler warnings
Daniel Stenberg [Thu, 11 Feb 2016 09:21:09 +0000 (10:21 +0100)]
examples: fix some compiler warnings

8 years agosimplessl.c: fix my breakage
Daniel Stenberg [Thu, 11 Feb 2016 09:20:48 +0000 (10:20 +0100)]
simplessl.c: fix my breakage

8 years agoexamples: adhere to curl code style
Daniel Stenberg [Thu, 11 Feb 2016 08:42:38 +0000 (09:42 +0100)]
examples: adhere to curl code style

All plain C examples now (mostly) adhere to the curl code style. While
they are only examples, they had diverted so much and contained all
sorts of different mixed code styles by now. Having them use a unified
style helps users and readability. Also, as they get copy-and-pasted
widely by users, making sure they're clean and nice is a good idea.

573 checksrc warnings were addressed.

8 years agoexamples/cookie_interface.c: add cleanup call
Daniel Stenberg [Thu, 11 Feb 2016 07:44:59 +0000 (08:44 +0100)]
examples/cookie_interface.c: add cleanup call

cleaning up handles is a good idea as we leak memory otherwise

Also, line wrapped before 80 columns.

8 years agonss: search slash in forward direction in dup_nickname()
Kamil Dudka [Thu, 4 Feb 2016 09:44:52 +0000 (10:44 +0100)]
nss: search slash in forward direction in dup_nickname()

It is wasteful to search it backwards if we look for _any_ slash.

8 years agonss: do not count enabled cipher-suites
Kamil Dudka [Thu, 4 Feb 2016 09:41:15 +0000 (10:41 +0100)]
nss: do not count enabled cipher-suites

We only care if at least one cipher-suite is enabled, so it does
not make any sense to iterate till the end and count all enabled
cipher-suites.

8 years agocontributors.sh: make 79 the max column width (from 80)
Daniel Stenberg [Wed, 10 Feb 2016 12:49:42 +0000 (13:49 +0100)]
contributors.sh: make 79 the max column width (from 80)

8 years agoRELEASE-NOTES: synced with c276aefee3995
Daniel Stenberg [Wed, 10 Feb 2016 12:49:34 +0000 (13:49 +0100)]
RELEASE-NOTES: synced with c276aefee3995

8 years agombedtls.c: re-indent to better match curl standards
Daniel Stenberg [Wed, 10 Feb 2016 09:46:57 +0000 (10:46 +0100)]
mbedtls.c: re-indent to better match curl standards

8 years agombedtls: fix memory leak when destroying SSL connection data
Rafael Antonio [Mon, 1 Feb 2016 22:13:10 +0000 (23:13 +0100)]
mbedtls: fix memory leak when destroying SSL connection data

Closes #626

8 years agombedtls: fix ALPN usage segfault
Daniel Stenberg [Tue, 9 Feb 2016 22:37:14 +0000 (23:37 +0100)]
mbedtls: fix ALPN usage segfault

Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.

Closes #642

8 years agoopts: update references to renamed options
Timotej Lazar [Tue, 9 Feb 2016 18:40:24 +0000 (19:40 +0100)]
opts: update references to renamed options

8 years agoKNOWN_BUGS: Update #92 - Windows device prefix
Jay Satiro [Tue, 9 Feb 2016 08:29:19 +0000 (03:29 -0500)]
KNOWN_BUGS: Update #92 - Windows device prefix

8 years agotool_doswin: Support for literal path prefix \\?\
Jay Satiro [Tue, 9 Feb 2016 08:28:58 +0000 (03:28 -0500)]
tool_doswin: Support for literal path prefix \\?\

For example something like --output \\?\C:\foo

8 years agoconfigure: state "BoringSSL" in summary when that was detected
Daniel Stenberg [Tue, 9 Feb 2016 07:44:26 +0000 (08:44 +0100)]
configure: state "BoringSSL" in summary when that was detected

8 years agoopenssl: remove most BoringSSL #ifdefs.
David Benjamin [Tue, 9 Feb 2016 04:19:31 +0000 (23:19 -0500)]
openssl: remove most BoringSSL #ifdefs.

As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640

8 years agoKNOWN_BUGS: Windows device prefix is required for devices
Jay Satiro [Mon, 8 Feb 2016 22:40:53 +0000 (17:40 -0500)]
KNOWN_BUGS: Windows device prefix is required for devices

8 years agotool_urlglob: Allow reserved dos device names (Windows)
Jay Satiro [Mon, 8 Feb 2016 20:09:42 +0000 (15:09 -0500)]
tool_urlglob: Allow reserved dos device names (Windows)

Allow --output to reserved dos device names without the device prefix
for backwards compatibility.

Example: --output NUL can be used instead of --output \\.\NUL

Bug: https://github.com/curl/curl/commit/4520534#commitcomment-15954863
Reported-by: Gisle Vanem
8 years agocookies: allow spaces in cookie names, cut of trailing spaces
Daniel Stenberg [Mon, 8 Feb 2016 14:48:18 +0000 (15:48 +0100)]
cookies: allow spaces in cookie names, cut of trailing spaces

It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639

8 years agoMerge branch 'master' of github.com:curl/curl
Patrick Monnerat [Mon, 8 Feb 2016 13:52:18 +0000 (14:52 +0100)]
Merge branch 'master' of github.com:curl/curl

8 years agoos400: sync ILE/RPG definitions with latest public header files.
Patrick Monnerat [Mon, 8 Feb 2016 13:50:53 +0000 (14:50 +0100)]
os400: sync ILE/RPG definitions with latest public header files.

8 years agoSSLCERTS: update wrt SSL CA certificate store
Ludwig Nussel [Fri, 27 Mar 2015 07:22:39 +0000 (08:22 +0100)]
SSLCERTS: update wrt SSL CA certificate store

8 years agoconfigure: --with-ca-fallback: use built-in TLS CA fallback
Ludwig Nussel [Tue, 24 Mar 2015 12:25:17 +0000 (13:25 +0100)]
configure: --with-ca-fallback: use built-in TLS CA fallback

When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.

Closes #569

8 years agoProxy-Connection: stop sending this header by default
Daniel Stenberg [Thu, 4 Feb 2016 14:07:02 +0000 (15:07 +0100)]
Proxy-Connection: stop sending this header by default

RFC 7230 says we should stop. Firefox already stopped.

Bug: https://github.com/curl/curl/issues/633
Reported-By: Brad Fitzpatrick
Closes #633

8 years agobump: work toward the next release
Daniel Stenberg [Mon, 8 Feb 2016 09:47:44 +0000 (10:47 +0100)]
bump: work toward the next release

8 years agoTHANKS: 2 contributors from the 7.47.1 release
Daniel Stenberg [Mon, 8 Feb 2016 09:46:01 +0000 (10:46 +0100)]
THANKS: 2 contributors from the 7.47.1 release

8 years agoRELEASE-PROCEDURE: remove the github upload part
Daniel Stenberg [Mon, 8 Feb 2016 09:35:35 +0000 (10:35 +0100)]
RELEASE-PROCEDURE: remove the github upload part

... as we're HTTPS on the main site now, there's no point in that
extra step

8 years agoRELEASE-NOTES: curl 7.47.1 time! curl-7_47_1
Daniel Stenberg [Mon, 8 Feb 2016 09:26:24 +0000 (10:26 +0100)]
RELEASE-NOTES: curl 7.47.1 time!

8 years agotool_operhlp: Check for backslashes in get_url_file_name
Jay Satiro [Sun, 7 Feb 2016 09:49:07 +0000 (04:49 -0500)]
tool_operhlp: Check for backslashes in get_url_file_name

Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

This change needed for the curl tool built for Cygwin. Refer to the
CYGWIN addendum in advisory 20160127B.

Bug: https://curl.haxx.se/docs/adv_20160127B.html

8 years agoRELEASE-NOTES: synced with d6a8869ea34
Daniel Stenberg [Sun, 7 Feb 2016 15:20:23 +0000 (16:20 +0100)]
RELEASE-NOTES: synced with d6a8869ea34

8 years agoopenssl: Fix signed/unsigned mismatch warning in X509V3_ext
Jay Satiro [Sun, 7 Feb 2016 00:10:49 +0000 (19:10 -0500)]
openssl: Fix signed/unsigned mismatch warning in X509V3_ext

sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.

Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem
8 years agoTODO: 17.11 -w output to stderr
Daniel Stenberg [Sat, 6 Feb 2016 23:27:28 +0000 (00:27 +0100)]
TODO: 17.11 -w output to stderr

8 years agoidn_win32: Better error checking
Michael Kaufmann [Fri, 5 Feb 2016 20:15:43 +0000 (21:15 +0100)]
idn_win32: Better error checking

.. also fix a conversion bug in the unused function
curl_win32_ascii_to_idn().

And remove wprintfs on error (Jay).

Bug: https://github.com/curl/curl/pull/637

8 years agoexamples/asiohiper: Avoid function name collision on Windows
Gisle Vanem [Sat, 6 Feb 2016 22:04:37 +0000 (17:04 -0500)]
examples/asiohiper: Avoid function name collision on Windows

closesocket => close_socket
Winsock already has the former.

Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html

8 years agoexamples/htmltitle: Use _stricmp on Windows
Gisle Vanem [Sat, 6 Feb 2016 22:02:53 +0000 (17:02 -0500)]
examples/htmltitle: Use _stricmp on Windows

Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html

8 years agoCOPYING: clarify that Daniel is not the sole author
Daniel Stenberg [Sat, 6 Feb 2016 17:39:41 +0000 (18:39 +0100)]
COPYING: clarify that Daniel is not the sole author

... done on request and as it is a fair point.

8 years agounit1604: Fix unit setup return code
Jay Satiro [Fri, 5 Feb 2016 18:37:39 +0000 (13:37 -0500)]
unit1604: Fix unit setup return code

8 years agotool_doswin: Use type SANITIZEcode in sanitize_file_name
Jay Satiro [Fri, 5 Feb 2016 07:22:24 +0000 (02:22 -0500)]
tool_doswin: Use type SANITIZEcode in sanitize_file_name

8 years agotool_doswin: Improve sanitization processing
Jay Satiro [Fri, 5 Feb 2016 06:44:27 +0000 (01:44 -0500)]
tool_doswin: Improve sanitization processing

- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.

Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
8 years agoURLs: change more http to https
Viktor Szakats [Wed, 3 Feb 2016 04:09:25 +0000 (05:09 +0100)]
URLs: change more http to https

8 years agosasl_sspi: Fix memory leak in domain populate
Jay Satiro [Thu, 4 Feb 2016 23:11:07 +0000 (18:11 -0500)]
sasl_sspi: Fix memory leak in domain populate

Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635
Reported-by: silveja1@users.noreply.github.com
8 years agoURLs: follow GitHub project rename (also Travis CI)
Viktor Szakats [Wed, 3 Feb 2016 17:34:16 +0000 (18:34 +0100)]
URLs: follow GitHub project rename (also Travis CI)

Closes #632

8 years agoCHANGES.o: fix references to curl.haxx.nu
Daniel Stenberg [Wed, 3 Feb 2016 14:33:47 +0000 (15:33 +0100)]
CHANGES.o: fix references to curl.haxx.nu

I removed the scheme prefix from the URLs references this host name, as
we don't own/run that anymore but the name is kept for historic reasons.

8 years agoHISTORY: add some info about when we used which host names
Daniel Stenberg [Wed, 3 Feb 2016 14:33:30 +0000 (15:33 +0100)]
HISTORY: add some info about when we used which host names

8 years agoURLs: change more http to https
Viktor Szakats [Wed, 3 Feb 2016 03:16:52 +0000 (04:16 +0100)]
URLs: change more http to https

8 years agoURLs: Change more haxx.se URLs from http: to https:
Dan Fandrich [Wed, 3 Feb 2016 00:45:21 +0000 (01:45 +0100)]
URLs: Change more haxx.se URLs from http: to https:

8 years agoRELEASE-NOTES: synced with 4af40b364
Daniel Stenberg [Tue, 2 Feb 2016 23:32:07 +0000 (00:32 +0100)]
RELEASE-NOTES: synced with 4af40b364

8 years agoURLs: change all http:// URLs to https://
Daniel Stenberg [Tue, 2 Feb 2016 23:19:02 +0000 (00:19 +0100)]
URLs: change all http:// URLs to https://

8 years agoconfigure: update the copyright year range in output
Daniel Stenberg [Tue, 2 Feb 2016 21:49:05 +0000 (22:49 +0100)]
configure: update the copyright year range in output

8 years agodotdot: allow an empty input string too
Daniel Stenberg [Tue, 2 Feb 2016 21:43:54 +0000 (22:43 +0100)]
dotdot: allow an empty input string too

It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.

8 years agoHTTPS: update a bunch of URLs from HTTP to HTTPS
Daniel Stenberg [Mon, 1 Feb 2016 23:24:30 +0000 (00:24 +0100)]
HTTPS: update a bunch of URLs from HTTP to HTTPS

8 years agoAppVeyor: updated to handle OpenSSL/WinSSL builds
Sergei Nikulov [Thu, 28 Jan 2016 12:57:28 +0000 (15:57 +0300)]
AppVeyor: updated to handle OpenSSL/WinSSL builds

Closes #621

8 years agotool_operate: Don't sanitize --output path (Windows)
Jay Satiro [Mon, 1 Feb 2016 09:11:46 +0000 (04:11 -0500)]
tool_operate: Don't sanitize --output path (Windows)

Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder
8 years agocurl.1: Explain remote-name behavior if file already exists
Jay Satiro [Fri, 29 Jan 2016 08:28:48 +0000 (03:28 -0500)]
curl.1: Explain remote-name behavior if file already exists

.. also warn about letting the server pick the filename.

8 years agourldata: Error on missing SSL backend-specific connect info
Gisle Vanem [Fri, 29 Jan 2016 05:11:41 +0000 (00:11 -0500)]
urldata: Error on missing SSL backend-specific connect info

8 years agobump: towards the next (7.47.1 ?)
Daniel Stenberg [Thu, 28 Jan 2016 15:36:29 +0000 (16:36 +0100)]
bump: towards the next (7.47.1 ?)

8 years agocmake: fixed when OpenSSL enabled on Windows and schannel detected
Sergei Nikulov [Wed, 27 Jan 2016 12:22:39 +0000 (15:22 +0300)]
cmake: fixed when OpenSSL enabled on Windows and schannel detected

Closes #617

8 years agourldata: moved common variable out of ifdef
Sergei Nikulov [Wed, 27 Jan 2016 13:01:05 +0000 (16:01 +0300)]
urldata: moved common variable out of ifdef

Closes https://github.com/bagder/curl/pull/618

8 years agotool_doswin: silence unused function warning
Viktor Szakats [Wed, 27 Jan 2016 10:04:18 +0000 (11:04 +0100)]
tool_doswin: silence unused function warning

tool_doswin.c:185:14: warning: 'msdosify' defined but not used
[-Wunused-function]

Closes https://github.com/bagder/curl/pull/616

8 years agogetredirect.c: fix variable name
Daniel Stenberg [Wed, 27 Jan 2016 08:35:55 +0000 (09:35 +0100)]
getredirect.c: fix variable name

Reported-by: Bernard Spil
8 years agoexamples/Makefile.inc: specify programs without .c! curl-7_47_0
Daniel Stenberg [Wed, 27 Jan 2016 07:30:04 +0000 (08:30 +0100)]
examples/Makefile.inc: specify programs without .c!

8 years agoTHANKS: 6 new contributors from 7.47.0 release notes
Daniel Stenberg [Tue, 26 Jan 2016 22:45:02 +0000 (23:45 +0100)]
THANKS: 6 new contributors from 7.47.0 release notes

8 years agoNTLM: Fix ConnectionExists to compare Proxy credentials
Isaac Boukris [Wed, 13 Jan 2016 09:05:51 +0000 (11:05 +0200)]
NTLM: Fix ConnectionExists to compare Proxy credentials

Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html

8 years agocurl: avoid local drive traversal when saving file (Windows)
Ray Satiro [Tue, 26 Jan 2016 22:23:15 +0000 (23:23 +0100)]
curl: avoid local drive traversal when saving file (Windows)

curl does not sanitize colons in a remote file name that is used as the
local file name. This may lead to a vulnerability on systems where the
colon is a special path character. Currently Windows/DOS is the only OS
where this vulnerability applies.

CVE-2016-0754

Bug: http://curl.haxx.se/docs/adv_20160127B.html

8 years agoRELEASE-NOTES: 7.47.0
Daniel Stenberg [Tue, 26 Jan 2016 22:34:10 +0000 (23:34 +0100)]
RELEASE-NOTES: 7.47.0

8 years agoFAQ: language fix in 4.19
Daniel Stenberg [Mon, 25 Jan 2016 10:11:29 +0000 (11:11 +0100)]
FAQ: language fix in 4.19

8 years agoFAQ: Update to point to GitHub
paulehoffman [Sun, 24 Jan 2016 22:27:08 +0000 (14:27 -0800)]
FAQ: Update to point to GitHub

Current FAQ didn't make it clear where the main repo is.

Closes #612

8 years agomaketgz: generate date stamp with LC_TIME=C
Daniel Stenberg [Sun, 24 Jan 2016 19:30:07 +0000 (20:30 +0100)]
maketgz: generate date stamp with LC_TIME=C

bug: http://curl.haxx.se/mail/lib-2016-01/0123.html

8 years agocurl_multi_socket_action.3: line wrap
Daniel Stenberg [Sun, 24 Jan 2016 19:29:51 +0000 (20:29 +0100)]
curl_multi_socket_action.3: line wrap

8 years agoRELEASE-NOTES: synced with d58ba66eeceb
Daniel Stenberg [Thu, 21 Jan 2016 22:57:52 +0000 (23:57 +0100)]
RELEASE-NOTES: synced with d58ba66eeceb

8 years agoTODO: "Create remote directories" for SMB
Steve Holme [Thu, 21 Jan 2016 21:05:55 +0000 (21:05 +0000)]
TODO: "Create remote directories" for SMB

8 years agombedtls: Fix pinned key return value on fail
Jay Satiro [Mon, 18 Jan 2016 08:48:10 +0000 (03:48 -0500)]
mbedtls: Fix pinned key return value on fail

- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601

8 years agotests: Add a test for pinnedpubkey fail even when insecure
Jay Satiro [Mon, 18 Jan 2016 08:10:10 +0000 (03:10 -0500)]
tests: Add a test for pinnedpubkey fail even when insecure

Because disabling the peer verification (--insecure) must not disable
the public key pinning check (--pinnedpubkey).

8 years agoCURLINFO_RESPONSE_CODE.3: add example
Daniel Schauenberg [Sun, 17 Jan 2016 04:04:46 +0000 (23:04 -0500)]
CURLINFO_RESPONSE_CODE.3: add example

8 years agossh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
Kamil Dudka [Fri, 15 Jan 2016 09:27:33 +0000 (10:27 +0100)]
ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL

The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
empty strings specially since curl-7_25_0-31-g05a443a but the behavior
was unintentionally removed in curl-7_38_0-47-gfa7d04f.

This commit restores the original behavior and clarifies it in the
documentation that NULL and "" have both the same meaning when passed
to CURLOPT_SSH_PUBLIC_KEYFILE.

Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html

8 years agoRELEASE-NOTES: synced with 35083ca60ed035a
Daniel Stenberg [Thu, 14 Jan 2016 21:09:09 +0000 (22:09 +0100)]
RELEASE-NOTES: synced with 35083ca60ed035a

8 years agoopenssl: improved error detection/reporting
Daniel Stenberg [Thu, 14 Jan 2016 20:25:30 +0000 (21:25 +0100)]
openssl: improved error detection/reporting

... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.

8 years agoopenssl: for 1.1.0+ they now provide a SSLeay() macro of their own
Daniel Stenberg [Thu, 14 Jan 2016 15:38:14 +0000 (16:38 +0100)]
openssl: for 1.1.0+ they now provide a SSLeay() macro of their own

8 years agoCURLOPT_RESOLVE.3: minor language polish
Daniel Stenberg [Wed, 13 Jan 2016 08:11:12 +0000 (09:11 +0100)]
CURLOPT_RESOLVE.3: minor language polish

8 years agoconfigure: assume IPv6 works when cross-compiled
Daniel Stenberg [Tue, 12 Jan 2016 09:30:54 +0000 (10:30 +0100)]
configure: assume IPv6 works when cross-compiled

The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
works, and testing like that doesn't work for cross-compiles. These days
IPv6 support is widespread so a blind guess is probably more likely to
be 'yes' than 'no' now.

Further: anyone who cross-compiles can use configure's --disable-ipv6 to
explicitly disable IPv6 and that also works for cross-compiles.

Made happen after discussions in issue #594

8 years agoTODO: "Try to URL encode given URL"
Daniel Stenberg [Mon, 11 Jan 2016 23:03:05 +0000 (00:03 +0100)]
TODO: "Try to URL encode given URL"

Closes #514

8 years agoConnectionExists: only do pipelining/multiplexing when asked
Daniel Stenberg [Sun, 10 Jan 2016 00:00:06 +0000 (01:00 +0100)]
ConnectionExists: only do pipelining/multiplexing when asked

When an HTTP/2 upgrade request fails (no protocol switch), it would
previously detect that as still possible to pipeline on (which is
acorrect) and do that when PIPEWAIT was enabled even if pipelining was
not explictily enabled.

It should only pipelined if explicitly asked to.

Closes #584