Commit message | Author | Age | Files | Lines
* configure/cmake: check for memmem [bagder/memmem-check] | Daniel Stenberg | 2021-05-04 | 3 | -0/+5
* RELEASE-NOTES: synced | Daniel Stenberg | 2021-05-04 | 1 | -8/+61
* libssh2: ignore timeout during disconnect | Daniel Stenberg | 2021-05-04 | 1 | -16/+15
    ... to avoid memory leaks!
    libssh2 is tricky as we have to deal with the non-blockiness even in close and shutdown cases. In the cases when we shutdown after a timeout already expired, it is crucial that curl doesn't let the timeout abort the shutdown process as that then leaks memory!
    Reported-by: Benjamin Riefenstahl
    Fixes #6990
* KNOWN_BUGS: add two HTTP/2 bugs | Daniel Stenberg | 2021-05-03 | 1 | -0/+14
* KNOWN_BUGS: add three HTTP/3 issues | Daniel Stenberg | 2021-05-03 | 1 | -22/+45
    ... and moved the HTTP/2 issues to its own section
    Closes #6606
    Closes #6510
    Closes #6494
* CURLcode: add CURLE_SSL_CLIENTCERT | ejanchivdorj | 2021-05-03 | 7 | -4/+26
    When a TLS server requests a client certificate during handshake and none can be provided, libcurl now returns this new error code CURLE_SSL_CLIENTCERT
    Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.
    Closes #6721
* .github/FUNDING: add link to GitHub sponsors | Tobias Gabriel | 2021-05-03 | 1 | -0/+1
    Closes #6985
* krb5/name_to_level: replace checkprefix with curl_strequal | Harry Sintonen | 2021-05-03 | 1 | -1/+1
    Closes #6993
* Curl_input_digest: require space after Digest | Harry Sintonen | 2021-05-03 | 1 | -1/+1
    Closes #6993
* Curl_http_header: check for colon when matching Persistent-Auth | Harry Sintonen | 2021-05-03 | 1 | -1/+1
    Closes #6993
* Curl_http_input_auth: require valid separator after negotiation type | Harry Sintonen | 2021-05-03 | 1 | -5/+12
    Closes #6993
* http: fix the check for 'Authorization' with Bearer | Daniel Stenberg | 2021-05-02 | 2 | -1/+3
    The code would wrongly check for it using an additional colon.
    Reported-by: Blake Burkhart
    Closes #6988
* http2: fix a resource leak in push_promise() | Kamil Dudka | 2021-05-01 | 1 | -0/+1
    ... detected by Coverity:

    Error: RESOURCE_LEAK (CWE-772):
    lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
    lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
    lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
    lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.

    Closes #6986
* http2: fix resource leaks in set_transfer_url() | Kamil Dudka | 2021-05-01 | 1 | -7/+17
    ... detected by Coverity:

    Error: RESOURCE_LEAK (CWE-772):
    lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
    lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

    Error: RESOURCE_LEAK (CWE-772):
    lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
    lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

    Error: RESOURCE_LEAK (CWE-772):
    lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
    lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

    Error: RESOURCE_LEAK (CWE-772):
    lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
    lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
    lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

    Closes #6986
* rustls: use ALPN | Jacob Hoffman-Andrews | 2021-04-30 | 3 | -3/+50
    Update required rustls to 0.5.0
    Closes #6960
* gskit: fix CURL_DISABLE_PROXY build | MAntoniak | 2021-04-30 | 1 | -0/+23
    Removed localfd and remotefd from ssl_backend_data (used only with proxy connection). Function pipe_ssloverssl always returns 0 when proxy is not used.
    Closes #6981
* gskit: fix undefined reference to 'conn' | MAntoniak | 2021-04-29 | 1 | -1/+3
    Closes #6980
* tls: add USE_HTTP2 define | Jacob Hoffman-Andrews | 2021-04-29 | 9 | -56/+55
    This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.
    Add our own define for the "h2" ALPN protocol, so TLS backends can use it without depending on a specific HTTP backend.
    Closes #6959
* lib: fix 0-length Curl_client_write calls | Jacob Hoffman-Andrews | 2021-04-29 | 4 | -6/+16
    Closes #6954
* lib: remove strlen call from Curl_client_write | Jacob Hoffman-Andrews | 2021-04-29 | 4 | -15/+19
    At all call sites with an explicit 0 len, pass an appropriate nonzero len.
    Closes #6954
* docs: camelcase it like GitHub everywhere | Ayushman Singh Chauhan | 2021-04-28 | 5 | -7/+7
    Closes #6979
* docs: fix typo in fail-with-body doc | Lucas Servén Marín | 2021-04-27 | 1 | -1/+1
    This commit fixes a small typo in the documentation for the --fail-with-body flag.
    Closes https://github.com/curl/curl/pull/6977
* lib: fix some misuse of curlx_convert_UTF8_to_tchar | Jay Satiro | 2021-04-27 | 2 | -15/+22
    curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but prior to this change some uses mistakenly called free.
    I've reviewed all other uses of curlx_convert_UTF8_to_tchar and curlx_convert_tchar_to_UTF8.
    Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
    Reported-by: sergio-nsk@users.noreply.github.com
    Closes https://github.com/curl/curl/pull/6938
* ntlm: precaution against super huge type2 offsets | Daniel Stenberg | 2021-04-27 | 1 | -1/+2
    ... which otherwise caused an integer overflow and circumvented the if() conditional size check.
    Detected by OSS-Fuzz
    Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
    Assisted-by: Max Dymond
    Closes #6975
* c-hyper: fix unused variable ‘wrote’ | Daniel Stenberg | 2021-04-27 | 1 | -1/+0
* libcurl-security.3: be careful of setuid | Daniel Stenberg | 2021-04-27 | 1 | -0/+12
    Reported-by: Harry Sintonen
    Closes #6970
* c-hyper: don't write to set.writeheader if null | Kevin Burke | 2021-04-27 | 1 | -8/+6
    Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to the data->set.writeheader header buffer, even though it is null. This led to NPE segfaults attempting to use libcurl+Hyper with Git, for example.
    Instead, process the client write for the status line using the same logic we use to process the client write for the later HTTP headers, which contains the appropriate guard logic. As a side benefit, data->set.writeheader is now only read in one file instead of two.
    Fixes #6619
    Fixes abetterinternet/crustls#49
    Fixes hyperium/hyper#2438
    Closes #6971
* wolfssl: handle SSL_write() returns 0 for error | Daniel Stenberg | 2021-04-26 | 1 | -1/+1
    Reported-by: Timo Lange
    Closes #6967
* easy: ignore sigpipe in curl_easy_send | Daniel Stenberg | 2021-04-26 | 1 | -0/+3
    Closes #6965
* sigpipe: ignore SIGPIPE when using wolfSSL as well | Daniel Stenberg | 2021-04-26 | 1 | -2/+2
    Closes #6966
* libcurl-security.3: don't try to filter IPv4 hosts based on the URL | Daniel Stenberg | 2021-04-26 | 1 | -1/+7
    Closes #6942
* nss_set_blocking: avoid static for sock_opt | Harry Sintonen | 2021-04-26 | 1 | -1/+1
    Reviewed-by: Kamil Dudka
    Closes #6945
* RELEASE-NOTES: synced | Daniel Stenberg | 2021-04-26 | 1 | -7/+30
* docs/HTTP3.md: fix nghttp2's HTTP/3 server port | Yusuke Nakamura | 2021-04-26 | 1 | -1/+1
    Port 8443 does not work now. Correct origin is in the quicwg's wiki.
    https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2
    Closes #6964
* krb5: don't use 'static' to store PBSZ size response | Daniel Stenberg | 2021-04-26 | 1 | -1/+1
    ... because it makes the knowledge and usage cross-transfer in funny and unexpected ways.
    Reported-by: Harry Sintonen
    Closes #6963
* m4: add security frameworks on Mac when compiling rustls | Kevin Burke | 2021-04-25 | 1 | -0/+3
    Previously compiling rustls on Mac would only complete if you also compiled the SecureTransport TLS backend, which curl would prefer to the Rust backend.
    Appending these flags to LDFLAGS makes it possible to compile the Rustls backend on Mac without the SecureTransport backend, which means this patch will make it possible for Mac users to use the Rustls backend for TLS.
    Reviewed-by: Jacob Hoffman-Andrews
    Fixes #6955
    Closes #6956
* krb5: remove the unused 'overhead' function | Daniel Stenberg | 2021-04-25 | 2 | -14/+1
    Closes #6947
* curl_url_set.3: add memory management information | Johann150 | 2021-04-25 | 1 | -0/+3
    wording taken from man page for CURLOPT_URL.3
    As far as I can see, the URL part is either malloc'ed before due to encoding or it is strdup'ed.
    Closes #6953
* c-hyper: fix handling of zero-byte chunk from hyper | Jacob Hoffman-Andrews | 2021-04-25 | 1 | -0/+2
    Closes #6951
* CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data | Daniel Stenberg | 2021-04-23 | 1 | -1/+6
    Ref: https://curl.se/mail/lib-2021-04/0085.html
    Closes #6943
* cmake: make libcurl output filename configurable | Ralph Langendam | 2021-04-23 | 1 | -1/+5
    Reviewed-by: Jakub Zakrzewski
    Closes #6933
* vtls: reset ssl use flag upon negotiation failure | Patrick Monnerat | 2021-04-23 | 1 | -1/+5
    Fixes the segfault in ldaps disconnect.
    Reported-by: Illarion Taev
    Fixes #6934
    Closes #6937
* configure: fix typo in TLS error message | Daniel Stenberg | 2021-04-23 | 1 | -1/+1
    Reported-by: Pontus Lundkvist
* README: link to the commercial support option | Daniel Stenberg | 2021-04-23 | 1 | -0/+5
* version: add gsasl_version to curl_version_info_data | Martin Halle | 2021-04-22 | 6 | -5/+32
    - Add gsasl_version string and bump to CURLVERSION_TENTH.
    Ref: https://curl.se/mail/lib-2021-04/0003.html
    Closes https://github.com/curl/curl/pull/6843
* schannel: Support strong crypto option | Morten Minde Neergaard | 2021-04-22 | 2 | -0/+15
    - Support enabling strong crypto via optional user cipher list when USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.
    MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known weak cryptographic algorithms, cipher suites, and SSL/TLS protocol versions that may be otherwise enabled for better interoperability."
    Ref: https://curl.se/mail/lib-2021-02/0066.html
    Ref: https://curl.se/docs/manpage.html#--ciphers
    Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
    Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred
    Closes https://github.com/curl/curl/pull/6734
* RELEASE-NOTES: synced | Daniel Stenberg | 2021-04-22 | 1 | -6/+49
* ci: adapt to configure requiring an explicit TLS choice | Daniel Stenberg | 2021-04-22 | 7 | -69/+74
* configure: split out each TLS library detector into its own function | Daniel Stenberg | 2021-04-22 | 12 | -1202/+1437
    ... and put those functions in separate m4 files per TLS library.
* configure: make the TLS library choice(s) explicit | Daniel Stenberg | 2021-04-22 | 3 | -148/+150
    configure no longer tries to find a TLS library by default, but all libraries are now equal: the user needs to explicitly ask what TLS library or libraries to use.
    If no TLS library is selected, configure will error out unless --without-ssl is explicitly used to request a build without TLS (as that is very rare these days).
    Removes: --with-winssl, --with-darwinssl and all --without-* options for TLS libraries.
    Closes #6897