| Commit message | Author | Age | Files | Lines |
Reviewed-by: Daniel Stenberg
Closes #5708
|
Follow up to #5721
|
This enables building and running the SFTP tests.
Unfortunately OpenSSH for Windows does not support SCP (yet).
Reviewed-by: Daniel Stenberg
Closes #5721
|
Avoid aborted jobs due to performance issues on Azure DevOps.
Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes #5738
|
We should offer an option to allow abrupt server closures (server closes
SSL transfer without sending a known termination point such as length of
transfer or close_notify alert). Abrupt server closures are usually
because of misconfigured or very old servers.
Closes https://github.com/curl/curl/issues/4427
|
Prior to this change if the user set a URL handle (CURLOPT_CURLU) it was
incorrectly used for the location follow, resulting in infinite requests
to the original location.
Reported-by: sspiri@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/5709
Closes https://github.com/curl/curl/pull/5713
|
it helps make it obvious that most developers don't have to care about
the CURLM_CALL_MULTI_PERFORM value (last release using it is nearly 11
years old, November 4 2009)
Closes #5744
|
- Use S_IREAD and S_IWRITE mode permission flags to create the file
on Windows instead of S_IRUSR, S_IWUSR, etc.
Windows only accepts a combination of S_IREAD and S_IWRITE. It does not
acknowledge other combinations, for which it may generate an assertion.
This is a follow-up to 81b4e99 from yesterday, which improved the
existing file check with -J.
Ref: https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/open-wopen#remarks
Ref: https://github.com/curl/curl/pull/5731
Closes https://github.com/curl/curl/pull/5742
|
They're not thread-safe so they should not be used in libcurl code.
Explicitly enabled when deemed necessary and in examples and tests
Reviewed-by: Nicolas Sterchele
Closes #5732
|
Closes #5734
|
On systems with 32 bit long the expression is always false. Avoid
the warning.
Reported-by: Gisle Vanem
Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232
Closes #5736
|
Previously a file that isn't user-readable but is user-writable would
not be properly avoided and would get overwritten.
Reported-by: BrumBrum on hackerone
Assisted-by: Jay Satiro
Bug: https://hackerone.com/reports/926638
Closes #5731
|
Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1,
2013-08-02), the easy handle list is not circular but ends with
->next pointing to NULL.
Reported-by: Masaya Suzuki <masayasuzuki@google.com>
Closes #5737
|
As test 1140 fails otherwise!
Follow-up to e1bac81cc815
|
Reported-by: Tatsuhiro Tsujikawa
Closes #5733
|
... and mention that HTTP with other methods than HEAD might get a body and
there's no option available to stop that.
Closes #5729
|
Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
action but before 7.71.0 that used to switch back to GET and with this
change (assuming the method is still set to HEAD) this behavior is
brought back.
Reported-by: causal-agent on github
Fixes #5725
Closes #5728
|
Also choose a different wolfSSL function to test for NTLM support.
Fixes #5605
Closes #5682
|
Reported-by: Marc Hörsken
Fixes #5720
Closes #5730
|
Reported-by: lilongyan-huawei on github
Fixes #5726
Closes #5727
|
- Avoid re-using retry_after value from preceding request
- Add libtest 3010 to verify
Reported-by: joey-l-us on github
Fixes #5661
Closes #5672
|
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.
Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
|
Stack overflows can occur with precisions for integers and floats.
Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);
Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.
The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.
Also see CVE-2016-9586 which partially fixed the float aspect.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Closes https://github.com/curl/curl/pull/5722
|
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.
Also do not read behind boundaries of illegal format strings.
These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.
Closes https://github.com/curl/curl/pull/5722
|
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
Closes #5724
|
This enables some deprecation warnings.
Previously, autotools defaulted to 10.8.
Closes https://github.com/curl/curl/pull/5723
|
Closes https://github.com/curl/curl/pull/5716
|
GCC doesn't warn for unknown `-Wno-` options, except if there are other
warnings or errors [0]. This was problematic with `CURL_WERROR` as that
warning-as-error cannot be suppressed. Notably, this always happened
with `-Wno-pedantic-ms-format` when not targeting Windows. So test for
the positive form of the warning instead, which should always result in
a diagnostic if unknown.
[0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
Closes https://github.com/curl/curl/pull/5714
|
CURLINFO_LASTONE should have been updated when
CURLINFO_EFFECTIVE_METHOD was added.
Reported-by: xwxbug@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/5711
|
Reviewed-by: Marcel Raad
Follow up to #5694
Closes #5706
|
Closes https://github.com/curl/curl/pull/5704
|
Previously, warnings were only visible in the output for most jobs.
Closes https://github.com/curl/curl/pull/5694
|
timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might
be a 64-bit integer. This is the case when building for recent macOS
versions, for example. Just treat tv_usec as an int, which should
hopefully always be sufficient on systems with
`HAVE_CLOCK_GETTIME_MONOTONIC`.
Closes https://github.com/curl/curl/pull/5695
|
They are marked as deprecated for -mmacosx-version-min >= 10.15,
which might result in warnings-as-errors.
Closes https://github.com/curl/curl/pull/5695
|
It confuses code analyzers with its use of -1 for unsigned value. Also,
a check that's not normally used in strdup() code - and not necessary.
Closes #5697
|
This is required after https://github.com/cloudflare/quiche/pull/593
moved BoringSSL around slightly.
This also means that Go is not needed to build BoringSSL anymore (the
one provided by quiche anyway).
Closes #5691
|
When using `--enable-warnings`, it was not possible to disable warnings
via CFLAGS that got explicitly enabled. Now warnings are not enabled
anymore if they are explicitly disabled (or enabled) in CFLAGS. This
works for at least GCC, clang, and TCC as they have corresponding
`-Wno-` options for every warning.
Closes https://github.com/curl/curl/pull/5689
|
Closes #5690
|
Add protocol and version specific information about all protocols curl
supports.
Fixes #5679
Reported-by: tbugfinder on github
Closes #5686
|
Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the
more correct/common name Secure Transport, but a few mentions in the docs
remained.
Closes #5688
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
... to use the maximum value for 'size_t' when detecting integer overflow.
Changed the limit to max/4 as already that seems unreasonably large.
Codacy didn't like the previous approach.
Closes #5683
|
... by adding support for a new dedicated return code.
Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
|
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.
Closes #5667
|
So that failures will be displayed in the terminal, as it makes test failures
visually displayed easier and faster.
Closes #5644
|