summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* fixup adjust for windows open(), close fd if fdopen failsbagder/curl-cd-overwrite-checkDaniel Stenberg2020-07-281-2/+13
|
* curl: improve the existing file check with -JDaniel Stenberg2020-07-283-11/+26
| | | | | | | | | Previously a file that isn't user-readable but is user-writable would not be properly avoided and would get overwritten. Reported-by: BrumBrum on hackerone Bug: https://hackerone.com/reports/926638 Closes #5731
* CURLOPT_NOBODY.3: fix the syntax for referring to optionsDaniel Stenberg2020-07-271-3/+3
| | | | | | As test 1140 fails otherwise! Follow-up to e1bac81cc815
* ngtcp2: store address in sockaddr_storageDaniel Stenberg2020-07-271-2/+3
| | | | | Reported-by: Tatsuhiro Tsujikawa Closes #5733
* CURLOPT_NOBODY.3: clarify what setting to 0 meansDaniel Stenberg2020-07-271-6/+16
| | | | | | | ... and mention that HTTP with other methods than HEAD might get a body and there's no option available to stop that. Closes #5729
* setopt: unset NOBODY switches to GET if still HEADDaniel Stenberg2020-07-271-0/+2
| | | | | | | | | | | Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented action but before 7.71.0 that used to switch back to GET and with this change (assuming the method is still set to HEAD) this behavior is brought back. Reported-by: causal-agent on github Fixes #5725 Closes #5728
* configure: cleanup wolfssl + pkg-config conflicts when cross compiling.Ehren Bendler2020-07-272-10/+21
| | | | | | | Also choose a different wolfSSL function to test for NTLM support. Fixes #5605 Closes #5682
* configure: show zstd "no" in summary when built without itDaniel Stenberg2020-07-271-0/+1
| | | | | | Reported-by: Marc Hörsken Fixes #5720 Closes #5730
* quiche: handle calling disconnect twiceDaniel Stenberg2020-07-271-2/+8
| | | | | | Reported-by: lilongyan-huawei on github Fixes #5726 Closes #5727
* getinfo: reset retry-after value in initinfoNicolas Sterchele2020-07-275-2/+130
| | | | | | | | | - Avoid re-using retry_after value from preceding request - Add libtest 3010 to verify Reported-by: joey-l-us on github Fixes #5661 Closes #5672
* WIN32: stop forcing narrow-character APIMarcel Raad2020-07-277-16/+38
| | | | | | | | | | Except where the results are only used for character output. getenv is not touched because it's part of the public API, and having it return UTF-8 instead of ANSI would be a breaking change. Fixes https://github.com/curl/curl/issues/5658 Fixes https://github.com/curl/curl/issues/5712 Closes https://github.com/curl/curl/pull/5718
* mprintf: Fix stack overflowsTobias Stoeckmann2020-07-272-1/+16
| | | | | | | | | | | | | | | | | | | | | Stack overflows can occur with precisions for integers and floats. Proof of concepts: - curl_mprintf("%d, %.*1$d", 500, 1); - curl_mprintf("%d, %+0500.*1$f", 500, 1); Ideally, compile with -fsanitize=address which makes this undefined behavior a bit more defined for debug purposes. The format strings are valid. The overflows occur due to invalid arguments. If these arguments are variables with contents controlled by an attacker, the function's stack can be corrupted. Also see CVE-2016-9586 which partially fixed the float aspect. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Closes https://github.com/curl/curl/pull/5722
* mprintf: Fix dollar string handlingTobias Stoeckmann2020-07-271-5/+15
| | | | | | | | | | | | | Verify that specified parameters are in range. If parameters are too large, fail early on and avoid out of boundary accesses. Also do not read behind boundaries of illegal format strings. These are defensive measures since it is expected that format strings are well-formed. Format strings should not be modifiable by user input due to possible generic format string attacks. Closes https://github.com/curl/curl/pull/5722
* ntlm: free target_info before (re-)mallocDaniel Stenberg2020-07-261-0/+1
| | | | | | | | | OSS-Fuzz found a way this could get called again with the pointer still pointing to a malloc'ed memory, leading to a leak. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 Closes #5724
* CI/macos: set minimum macOS versionMarcel Raad2020-07-261-3/+17
| | | | | | | This enables some deprecation warnings. Previously, autotools defaulted to 10.8. Closes https://github.com/curl/curl/pull/5723
* RELEASE-NOTES: syncedDaniel Stenberg2020-07-261-7/+54
|
* CI/macos: enable warnings as errors for CMake buildsMarcel Raad2020-07-251-1/+3
| | | | Closes https://github.com/curl/curl/pull/5716
* CMake: fix test for warning suppressionsMarcel Raad2020-07-231-1/+10
| | | | | | | | | | | | | GCC doesn't warn for unknown `-Wno-` options, except if there are other warnings or errors [0]. This was problematic with `CURL_WERROR` as that warning-as-error cannot be suppressed. Notably, this always happened with `-Wno-pedantic-ms-format` when not targeting Windows. So test for the positive form of the warning instead, which should always result in a diagnostic if unknown. [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html Closes https://github.com/curl/curl/pull/5714
* curl.h: update CURLINFO_LASTONEJay Satiro2020-07-231-1/+1
| | | | | | | | | CURLINFO_LASTONE should have been updated when CURLINFO_EFFECTIVE_METHOD was added. Reported-by: xwxbug@users.noreply.github.com Fixes https://github.com/curl/curl/issues/5711
* CI/azure: unconditionally enable warnings-as-errors with autotoolsMarc Hoersken2020-07-221-2/+2
| | | | | | | Reviewed-by: Marcel Raad Follow up to #5694 Closes #5706
* doh: remove redundant castMarcel Raad2020-07-211-2/+2
| | | | Closes https://github.com/curl/curl/pull/5704
* CI/macos: unconditionally enable warnings-as-errors with autotoolsMarcel Raad2020-07-191-3/+6
| | | | | | Previously, warnings were only visible in the output for most jobs. Closes https://github.com/curl/curl/pull/5694
* util: silence conversion warningsMarcel Raad2020-07-193-3/+3
| | | | | | | | | | timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might be a 64-bit integer. This is the case when building for recent macOS versions, for example. Just treat tv_usec as an int, which should hopefully always be sufficient on systems with `HAVE_CLOCK_GETTIME_MONOTONIC`. Closes https://github.com/curl/curl/pull/5695
* md(4|5): don't use deprecated macOS functionsMarcel Raad2020-07-192-2/+6
| | | | | | | They are marked as deprecated for -mmacosx-version-min >= 10.15, which might result in warnings-as-errors. Closes https://github.com/curl/curl/pull/5695
* strdup: remove the odd strlen checkDaniel Stenberg2020-07-182-18/+8
| | | | | | | It confuses code analyzers with its use of -1 for unsigned value. Also, a check that's not normally used in strdup() code - and not necessary. Closes #5697
* travis: update quiche builds for new boringssl layoutAlessandro Ghedini2020-07-183-8/+6
| | | | | | | | | | This is required after https://github.com/cloudflare/quiche/pull/593 moved BoringSSL around slightly. This also means that Go is not needed to build BoringSSL anymore (the one provided by quiche anyway). Closes #5691
* configure: allow disabling warningsMarcel Raad2020-07-171-48/+74
| | | | | | | | | | When using `--enable-warnings`, it was not possible to disable warnings via CFLAGS that got explicitly enabled. Now warnings are not enabled anymore if they are explicitly disabled (or enabled) in CFLAGS. This works for at least GCC, clang, and TCC as they have corresponding `-Wno-` options for every warning. Closes https://github.com/curl/curl/pull/5689
* ngtcp2: adjust to recent sockaddr updatesDaniel Stenberg2020-07-162-9/+7
| | | | Closes #5690
* page-header: provide protocol details in the curl.1 man pageDaniel Stenberg2020-07-161-0/+49
| | | | | | | | | Add protocol and version specific information about all protocols curl supports. Fixes #5679 Reported-by: tbugfinder on github Closes #5686
* docs: Update a few leftover mentions of DarwinSSLDaniel Gustafsson2020-07-164-7/+7
| | | | | | | | | Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the more correct/common name Secure Transport, but a few mentions in the docs remained. Closes #5688 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* file2memory: use a define instead of -1 unsigned valueDaniel Stenberg2020-07-161-2/+2
| | | | | | | | | ... to use the maximum value for 'size_t' when detecting integer overflow. Changed the limit to max/4 as already that seems unreasonably large. Codacy didn't like the previous approach. Closes #5683
* CURL_PUSH_ERROROUT: allow the push callback to fail the parent streamDaniel Stenberg2020-07-165-21/+28
| | | | | | | | | ... by adding support for a new dedicated return code. Suggested-by: Jonathan Cardoso Assisted-by: Erik Johansson URL: https://curl.haxx.se/mail/lib-2020-06/0099.html Closes #5636
* nss: fix build with disabled proxy supportBaruch Siach2020-07-141-9/+35
| | | | | | | Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is defined. Closes #5667
* test1139: make it display the difference on test failuresbagder/test1119Daniel Stenberg2020-07-142-3/+9
|
* test1119: verify stdout in the testDaniel Stenberg2020-07-142-0/+9
| | | | | | | So that failures will be displayed in the terminal, as it makes test failures visually displayed easier and faster. Closes #5644
* curl: add %{method} to the -w variablesDaniel Stenberg2020-07-146-2/+103
| | | | | | Gets the CURLINFO_EFFECTIVE_METHOD from libcurl. Added test 1197 to verify.
* CURLINFO_EFFECTIVE_METHOD: addedDaniel Stenberg2020-07-148-8/+102
| | | | | | | Provide the HTTP method that was used on the latest request, which might be relevant for users when there was one or more redirects involved. Closes #5511
* windows: add unicode to feature listViktor Szakats2020-07-146-0/+12
| | | | | | | Reviewed-by: Marcel Raad Reviewed-by: Marc Hörsken Closes #5491
* multi: remove two checks always trueDaniel Stenberg2020-07-141-2/+2
| | | | | Detected by Codacy Closes #5676
* workflows: limit what branches to run CodeQL onMarc Hoersken2020-07-131-4/+9
| | | | | | | | | | Align CodeQL action with existing CI actions: - Update branch filter to avoid duplicate CI runs. - Shorten workflow name due to informative job name. Reviewed-by: Daniel Stenberg Closes #5660
* appveyor: collect libcurl.dll variants with prefix or suffixMarc Hoersken2020-07-131-1/+1
| | | | | | | | | On some platforms libcurl is build with a platform-specific prefix and/or a version number suffix. Assisted-by: Jay Satiro Closes #5659
* socks: use size_t for size variableihsinme2020-07-121-3/+3
| | | | | | | | Use the unsigned type (size_t) in the arithmetic of pointers. In this context, the signed type (ssize_t) is used unnecessarily. Authored-by: ihsinme on github Closes #5654
* RELEASE-NOTES: syncedDaniel Stenberg2020-07-122-9/+22
| | | | ... and bumped to 7.72.0 as the next release version number
* content_encoding: add zstd decoding supportGilles Vollant2020-07-1221-16/+813
| | | | | | | | | include zstd curl patch for Makefile.m32 from vszakats and include Add CMake support for zstd from Peter Wu Helped-by: Viktor Szakats Helped-by: Peter Wu Closes #5453
* asyn.h: remove the Curl_resolver_getsock defineDaniel Stenberg2020-07-121-1/+0
| | | | | | | | - not used - used the wrong number of arguments - confused the Codeacy code analyzer Closes #5647
* configure.ac: Sort features name in summaryNicolas Sterchele2020-07-121-0/+4
| | | | | | - Same as protocols Closes #5656
* cmake: fix windows xp buildMatthias Naegler2020-07-121-0/+3
| | | | | Reviewed-by: Marcel Raad Closes #5662
* ngtcp2: update to modified qlog callback prototypeDaniel Stenberg2020-07-121-1/+3
| | | | Closes #5675
* transfer: fix memory-leak with CURLOPT_CURLU in a duped handleDaniel Stenberg2020-07-125-3/+146
| | | | | | | | Added test case 674 to reproduce and verify the bug report. Fixes #5665 Reported-by: NobodyXu on github Closes #5673
* bearssl: fix build with disabled proxy supportBaruch Siach2020-07-121-2/+9
| | | | | | | | Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is defined. Reviewed-by: Nicolas Sterchele Closes #5666
View Lorry Controller Status