| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The VALID_SOCK() macro was made to only check for FD_SETSIZE if curl was
built to use select(), even though the curl_multi_fdset() function
always and unconditionally uses FD_SET and needs the check.
Reported-by: 0xee on github
Fixes #7718
| |
8.1 Why does curl use C89?
8.2 Will curl be rewritten?
Spell-checked-by: Paul Johnson
Closes #7715
| |
... as they mysteriously seem to permfail without being related to
proxy.
Closes #7714
| |
If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.
This fix detects pipelined STARTTLS responses and rejects them with an
error.
CVE-2021-22947
Bug: https://curl.se/docs/CVE-2021-22947.html
| |
In imap and pop3, check if TLS is required even when capabilities
request has failed.
In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
| |
CVE-2021-22945
Bug: https://curl.se/docs/CVE-2021-22945.html
| |
... and add -lm when using a rust library.
Closes #7701
| |
Closes #7713
| |
It should not refer to the uagent string that is allocated and created
for the end server http request, as that pointer may be cleared on
subsequent CONNECT requests.
Added test case 1184 to verify.
Reported-by: T200proX7 on github
Fixes #7705
Closes #7707
| |
Reported-by: Jonathan Cardoso
Fixes #7710
Closes #7711
| |
ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
Check the wrapped functions instead.
ngtcp2_stream_close callback now takes flags parameter.
Closes #7709
| |
They show the number of "body" bytes transferred.
Fixes #7702
Closes #7706
| |
This function was written to avoid doing multiple connection data
initializations, which is fine, but since it also initiates stream
related data it is crucial that it doesn't skip those even if called
again for the same connection. Solved by moving the stream
initializations before the "doing-it-again" check.
Reported-by: Inho Oh
Fixes #7630
Closes #7692
| |
Follow-up from 2f0bb864c12
Closes #7700
| |
Follow-up to 2f0bb864c12
Closes #7697
| |
... to avoid the memory leak risk pointed out by scan-build.
Follow-up from 7a3e981781d6c18a
Closes #7698
| |
Reviewed-by: Tatsuhiro Tsujikawa
Closes #7699
| |
Follow-up to 2f0bb864c12
| |
Also update the FAQ section a bit to encourage users to rather submit
security issues on hackerone than sending email.
Closes #7689
| |
Let's try to actually handle the server unexpectedly alive
case by first making them visible on CI builds as failures.
This is needed to detect issues with killing of the test
servers completely including nested process chains with
multiple PIDs per test server (including bash and perl).
On Windows/cygwin platforms this is especially helpful with
debugging PID mixups due to cygwin using its own PID space.
Reviewed-by: Daniel Stenberg
Closes #7180
| |
- avoid writing "set ..." or "enable/disable ..." or "specify ..."
*All* options for curl_easy_setopt() are about setting or enabling
things and most of the existing options didn't use that way of
description.
- start with lowercase letter, unless abbreviation. For consistency.
- Some additional touch-ups
Closes #7688
| |
We have and provide Curl_strerror() internally for a reason: strerror()
is not necessarily thread-safe so we should always try to avoid it.
Extended checksrc to warn for this, but feature the check disabled by
default and only enable it in lib/
Closes #7685
| |
As alluded to in the now removed comment, a 13.0 image became
available and is now ready to be used.
The sanitizer builds were running on the 12.1 image which since has
been removed from the config, leaving the builds not running at all.
When enabled it turns out that they don't actually work due to very
long timeouts in executing the tests, so keep them disabled for now
but a bit more controlled.
Closes #7592
| |
Reported-by: Jonathan Cardoso
Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
Closes #7681
| |
--continue-at - and --remote-header-name are known incompatible parameters
Closes #7674
| |
Closes #7678
| |
Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0
| |
If Retry-After: specifies a period that is longer than what fits within
--retry-max-time, then stop retrying immediately.
Added test 366 to verify.
Reported-by: Kari Pahula
Fixes #7675
Closes #7676
| |
Use dynamic memory allocation for the buffer used in checking "pinned
public key". The PUB_DER_MAX_BYTES parameter with default settings is
set to a value greater than 2kB.
Co-authored-by: Daniel Stenberg
Closes #7586
| |
The AC_ARG_ENABLE() macro itself uses a variable called
'enable_[option]', so when our script also used a variable with that
name for the purpose of storing what the user wants, it also
accidentally made it impossible to switch off the feature with
--disable-hsts. Fix this by renaming our variable.
Reported-by: Michał Antoniak
Fixes #7669
Closes #7672
| |
Bug: https://github.com/curl/curl/pull/7666#issuecomment-912214751
Reported-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/7667
| |
... that they refer to actual existing libcurl options.
Reviewed-by: Daniel Gustafsson
Closes #7656
| |
Closes #7656
| |
In every libcurl option man page there are now 8 mandatory sections that
must use the right name in the correct order and test 1173 verifies
this. Only 14 man pages needed adjustments.
The sections and the order are as follows:
- NAME
- SYNOPSIS
- DESCRIPTION
- PROTOCOLS
- EXAMPLE
- AVAILABILITY
- RETURN VALUE
- SEE ALSO
Reviewed-by: Daniel Gustafsson
Closes #7656
| |
Extended manpage-syntax.pl (run by test 1173) to check that every man
page for a libcurl option has an EXAMPLE section that is more than two
lines. Then fixed all errors it found and added examples.
Reviewed-by: Daniel Gustafsson
Closes #7656
| |
Closes #7668
| |
Closes #7665
| |
Regression. In d6a37c23a3c (7.75.0) we removed the duplicated storage
(connection + easy handle), so this info needs to be extracted again even
for re-used connections.
Add test 435 to verify
Reported-by: Max Dymond
Fixes #7660
Closes #7662
| |
`use_wakeup` is unused in this case.
Closes https://github.com/curl/curl/pull/7661
| |
By making them look less like http headers, the hyper mode "tweak"
doesn't interfere.
Enable test 2002 and 2003 in hyper builds (and 1280 which is unrelated
but should be enabled).
Closes #7658
| |
This adds support for the previously unhandled supplemental data which
in -v output was printed like:
TLSv1.2 (IN), TLS header, Unknown (23):
These will now be printed with proper annotation:
TLSv1.2 (OUT), TLS header, Supplemental data (23):
Closes #7652
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
| |
The file format for each option now features an "Example:" header that
can provide one or more examples that get rendered appropriately in the
output. All options MUST have at least one example or gen.pl complains
at build-time.
This fix also does a few other minor format and consistency cleanups.
Closes #7654
| |
and compiler warnings for data conversions.
Reported-by: Michał Antoniak
Fixes #7645
Closes #7653