summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* travis: add a "make tidy" build that runs clang-tidyDaniel Stenberg2018-10-291-0/+11
| | | | Closes #3182
* unit1300: fix stack-use-after-scope AddressSanitizer warningDaniel Stenberg2018-10-291-3/+4
| | | | Closes #3186
* Curl_auth_create_plain_message: fix too-large-input-checkDaniel Stenberg2018-10-291-1/+1
| | | | | | CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
* Curl_close: clear data->multi_easy on free to avoid use-after-freeDaniel Stenberg2018-10-291-1/+3
| | | | | | | | Regression from b46cfbc068 (7.59.0) CVE-2018-16840 Reported-by: Brian Carpenter (Geeknik Labs) Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
* system.h: use proper setting with Sun C++ as wellrandomswdev2018-10-271-1/+1
| | | | | | | | | system.h selects the proper Sun settings when __SUNPRO_C is defined. The Sun compiler does not define it when compiling C++ files. I'm adding a check also on __SUNPRO_CC to allow curl to work properly also when used in a C++ project on Sun Solaris. Closes #3181
* rand: add comment to skip a clang-tidy false positiveDaniel Stenberg2018-10-271-1/+3
|
* test1651: unit test Curl_extract_certinfo()Daniel Stenberg2018-10-274-2/+417
| | | | The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.
* x509asn1: always check return code from getASN1Element()Daniel Stenberg2018-10-271-32/+102
|
* Makefile: add 'tidy' target that runs clang-tidyDaniel Stenberg2018-10-273-1/+21
| | | | | | Available in the root, src and lib dirs. Closes #3163
* RELEASE-PROCEDURE: adjust the release datesDaniel Stenberg2018-10-271-7/+5
| | | | See: https://curl.haxx.se/mail/lib-2018-10/0107.html
* x509asn1: suppress left shift on signed valuePatrick Monnerat2018-10-271-2/+2
| | | | | | | | Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
* multi: Fix error handling in the SENDPROTOCONNECT stateMichael Kaufmann2018-10-271-1/+1
| | | | | | | If Curl_protocol_connect() returns an error code, handle the error instead of switching to the next state. Closes #3170
* RELEASE-NOTES: syncedDaniel Stenberg2018-10-271-6/+31
|
* openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg2018-10-271-1/+1
| | | | | | | | | When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
* docs/CIPHERS: fix the TLS 1.3 cipher namesDaniel Stenberg2018-10-271-5/+5
| | | | | | | | ... picked straight from the OpenSSL man page: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html Reported-by: Ricky-Tigg on github Bug: #3178
* travis: install gnutls-bin packageMarcel Raad2018-10-271-0/+1
| | | | | | This is required for gnutls-serv, which enables a few more tests. Closes https://github.com/curl/curl/pull/2958
* ssh: free the session on init failuresDaniel Gustafsson2018-10-261-1/+1
| | | | | | | | | | | | | Ensure to clear the session object in case the libssh2 initialization fails. It could be argued that the libssh2 error function should be called to get a proper error message in this case. But since the only error path in libssh2_knownhost_init() is memory a allocation failure it's safest to avoid since the libssh2 error handling allocates memory. Closes #3179 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 dateDaniel Stenberg2018-10-261-3/+1
| | | | ... I'm moving it up one week due to travels. The rest stays.
* openssl: make 'done' a proper booleanDaniel Gustafsson2018-10-261-6/+6
| | | | Closes #3176
* gtls: Values stored to but never readDaniel Stenberg2018-10-261-9/+7
| | | | | | Detected by clang-tidy Closes #3176
* curl.1: --ipv6 mutexes ipv4 (fixed typo)Alexey Eremikhin2018-10-261-1/+1
| | | | | Fixes #3171 Closes #3172
* tool_main: make TerminalSettings staticDaniel Stenberg2018-10-261-5/+5
| | | | | | Reported-by: Gisle Vanem Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819 Closes #3161
* curl-config.in: remove dependency on bcDaniel Stenberg2018-10-261-10/+22
| | | | | | Reported-by: Dima Pasechnik Fixes #3143 Closes #3174
* rtmp: fix for compiling with lwIPGisle Vanem2018-10-261-1/+3
| | | | | | | | | | | Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, ^ curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) ^ Closes #3155
* configure: remove CURL_CONFIGURE_CURL_SOCKLEN_TDaniel Stenberg2018-10-252-126/+0
| | | | | | | Follow-up to #3166 which did the cmake part of this. This type/define is not used. Closes #3168
* cmake: remove unused variablesRuslan Baratov2018-10-251-19/+0
| | | | | | | | | Remove variables: * HAVE_SOCKLEN_T * CURL_SIZEOF_CURL_SOCKLEN_T * CURL_TYPEOF_CURL_SOCKLEN_T Closes #3166
* urldata: Fix comment in headerMichael Kaufmann2018-10-251-1/+1
| | | | The "connecting" function is used by multiple protocols, not only FTP
* netrc: free temporary strings if memory allocation failsMichael Kaufmann2018-10-251-9/+39
| | | | | | | | - Change the inout parameters after all needed memory has been allocated. Do not change them if something goes wrong. - Free the allocated temporary strings if strdup() fails. Closes #3122
* config: Remove unused SIZEOF_VOIDPRuslan Baratov2018-10-242-6/+0
| | | | Closes #3162
* RELEASE-NOTES: syncedDaniel Stenberg2018-10-241-9/+21
|
* Fix for compiling with lwIP (3)Gisle Vanem2018-10-231-1/+1
| | | | lwIP on Windows does not have a WSAIoctl() function. But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
* Curl_follow: return better errors on URL problemsDaniel Stenberg2018-10-233-13/+12
| | | | | | ... by making the converter function global and accessible. Closes #3153
* Curl_follow: remove remaining free(newurl)Daniel Stenberg2018-10-231-3/+1
| | | | | | | | | Follow-up to 05564e750e8f0c. This function no longer frees the passed-in URL. Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm ent-30985666
* headers: end all headers with guard commentDaniel Gustafsson2018-10-234-4/+4
| | | | | | | | | | | Most headerfiles end with a /* <headerguard> */ comment, but it was missing from some. The comment isn't the most important part of our code documentation but consistency has an intrinsic value in itself. This adds header guard comments to the files that were lacking it. Closes #3158 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* CIPHERS.md: Mention the options used to set TLS 1.3 ciphersJay Satiro2018-10-231-3/+12
| | | | Closes https://github.com/curl/curl/pull/3159
* docs/BUG-BOUNTY: the sponsors actually decide the amountDaniel Stenberg2018-10-201-14/+8
| | | | | | | | Retract the previous approach as the sponsors will be the ones to set the final amounts. Closes #3152 [ci skip]
* multi: avoid double-freeDaniel Stenberg2018-10-192-10/+6
| | | | | | | | | | | Curl_follow() no longer frees the string. Make sure it happens in the caller function, like we normally handle allocations. This bug was introduced with the use of the URL API internally, it has never been in a release version Reported-by: Dario Weißer Closes #3149
* multi: make the closure handle "inherit" CURLOPT_NOSIGNALDaniel Stenberg2018-10-191-0/+2
| | | | | | | | Otherwise, closing that handle can still cause surprises! Reported-by: Martin Ankerl Fixes #3138 Closes #3147
* VS projects: add USE_IPV6Marcel Raad2018-10-196-328/+328
| | | | | | | The Visual Studio builds didn't use IPv6. Add it to all projects since Visual Studio 2008, which is verified to build via AppVeyor. Closes https://github.com/curl/curl/pull/3137
* config_win32: enable LDAPSMarcel Raad2018-10-191-0/+1
| | | | | | As done in the autotools and CMake builds by default. Closes https://github.com/curl/curl/pull/3137
* travis: add build for "configure --disable-verbose"Daniel Stenberg2018-10-186-13/+45
| | | | Closes #3144
* tool_cb_hdr: handle failure of rename()Kamil Dudka2018-10-171-2/+11
| | | | | | | Detected by Coverity. Closes #3140 Reviewed-by: Jay Satiro
* RELEASE-NOTES: syncedDaniel Stenberg2018-10-171-5/+19
|
* docs/SECURITY-PROCESS: the hackerone IBB program drops curlDaniel Stenberg2018-10-171-14/+0
| | | | ... now there's only BountyGraph.
* x509asn1: Fix SAN IP address verificationMatthew Whitehead2018-10-161-2/+2
| | | | | | | | | | | | | | | For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
* INSTALL: mention mesalink in TLS sectionDaniel Gustafsson2018-10-151-0/+1
| | | | | | | | | Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the MesaLink vtls backend, but missed updating the TLS section containing supported backends in the docs. Closes #3134 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* nonblock: fix unused parameter warningMarcel Raad2018-10-141-1/+2
| | | | | If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not used.
* Curl_follow: Always free the passed new URLMichael Kaufmann2018-10-132-1/+4
| | | | Closes #3124
* replace rawgit links [ci skip]Viktor Szakats2018-10-122-2/+2
| | | | | | Ref: https://rawgit.com/ "RawGit has reached the end of its useful life" Ref: https://news.ycombinator.com/item?id=18202481 Closes https://github.com/curl/curl/pull/3131
* docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018Daniel Stenberg2018-10-121-0/+4
| | | | [ci skip]