| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Reported-by: lilongyan-huawei on github
Fixes #5726
|
| |
|
|
|
|
|
|
|
|
| |
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.
Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stack overflows can occur with precisions for integers and floats.
Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);
Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.
The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.
Also see CVE-2016-9586 which partially fixed the float aspect.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Closes https://github.com/curl/curl/pull/5722
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.
Also do not read behind boundaries of illegal format strings.
These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.
Closes https://github.com/curl/curl/pull/5722
|
| |
|
|
|
|
|
|
|
| |
OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379
Closes #5724
|
| |
|
|
|
|
|
| |
This enables some deprecation warnings.
Previously, autotools defaulted to 10.8.
Closes https://github.com/curl/curl/pull/5723
|
| | |
|
| |
|
|
| |
Closes https://github.com/curl/curl/pull/5716
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
GCC doesn't warn for unknown `-Wno-` options, except if there are other
warnings or errors [0]. This was problematic with `CURL_WERROR` as that
warning-as-error cannot be suppressed. Notably, this always happened
with `-Wno-pedantic-ms-format` when not targeting Windows. So test for
the positive form of the warning instead, which should always result in
a diagnostic if unknown.
[0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html
Closes https://github.com/curl/curl/pull/5714
|
| |
|
|
|
|
|
|
|
| |
CURLINFO_LASTONE should have been updated when
CURLINFO_EFFECTIVE_METHOD was added.
Reported-by: xwxbug@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/5711
|
| |
|
|
|
|
|
| |
Reviewed-by: Marcel Raad
Follow up to #5694
Closes #5706
|
| |
|
|
| |
Closes https://github.com/curl/curl/pull/5704
|
| |
|
|
|
|
| |
Previously, warnings were only visible in the output for most jobs.
Closes https://github.com/curl/curl/pull/5694
|
| |
|
|
|
|
|
|
|
|
| |
timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might
be a 64-bit integer. This is the case when building for recent macOS
versions, for example. Just treat tv_usec as an int, which should
hopefully always be sufficient on systems with
`HAVE_CLOCK_GETTIME_MONOTONIC`.
Closes https://github.com/curl/curl/pull/5695
|
| |
|
|
|
|
|
| |
They are marked as deprecated for -mmacosx-version-min >= 10.15,
which might result in warnings-as-errors.
Closes https://github.com/curl/curl/pull/5695
|
| |
|
|
|
|
|
| |
It confuses code analyzers with its use of -1 for unsigned value. Also,
a check that's not normally used in strdup() code - and not necessary.
Closes #5697
|
| |
|
|
|
|
|
|
|
|
| |
This is required after https://github.com/cloudflare/quiche/pull/593
moved BoringSSL around slightly.
This also means that Go is not needed to build BoringSSL anymore (the
one provided by quiche anyway).
Closes #5691
|
| |
|
|
|
|
|
|
|
|
| |
When using `--enable-warnings`, it was not possible to disable warnings
via CFLAGS that got explicitly enabled. Now warnings are not enabled
anymore if they are explicitly disabled (or enabled) in CFLAGS. This
works for at least GCC, clang, and TCC as they have corresponding
`-Wno-` options for every warning.
Closes https://github.com/curl/curl/pull/5689
|
| |
|
|
| |
Closes #5690
|
| |
|
|
|
|
|
|
|
| |
Add protocol and version specific information about all protocols curl
supports.
Fixes #5679
Reported-by: tbugfinder on github
Closes #5686
|
| |
|
|
|
|
|
|
|
| |
Commit 76a9c3c4be10b3d4d379d5b23ca76806bbae536a renamed DarwinSSL to the
more correct/common name Secure Transport, but a few mentions in the docs
remained.
Closes #5688
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
| |
|
|
|
|
|
|
|
| |
... to use the maximum value for 'size_t' when detecting integer overflow.
Changed the limit to max/4 as already that seems unreasonably large.
Codacy didn't like the previous approach.
Closes #5683
|
| |
|
|
|
|
|
|
|
| |
... by adding support for a new dedicated return code.
Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
|
| |
|
|
|
|
|
| |
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.
Closes #5667
|
| | |
|
| |
|
|
|
|
|
| |
So that failures will be displayed in the terminal, as it makes test failures
visually displayed easier and faster.
Closes #5644
|
| |
|
|
|
|
| |
Gets the CURLINFO_EFFECTIVE_METHOD from libcurl.
Added test 1197 to verify.
|
| |
|
|
|
|
|
| |
Provide the HTTP method that was used on the latest request, which might
be relevant for users when there was one or more redirects involved.
Closes #5511
|
| |
|
|
|
|
|
| |
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken
Closes #5491
|
| |
|
|
|
| |
Detected by Codacy
Closes #5676
|
| |
|
|
|
|
|
|
|
|
| |
Align CodeQL action with existing CI actions:
- Update branch filter to avoid duplicate CI runs.
- Shorten workflow name due to informative job name.
Reviewed-by: Daniel Stenberg
Closes #5660
|
| |
|
|
|
|
|
|
|
| |
On some platforms libcurl is build with a platform-specific
prefix and/or a version number suffix.
Assisted-by: Jay Satiro
Closes #5659
|
| |
|
|
|
|
|
|
| |
Use the unsigned type (size_t) in the arithmetic of pointers. In this
context, the signed type (ssize_t) is used unnecessarily.
Authored-by: ihsinme on github
Closes #5654
|
| |
|
|
| |
... and bumped to 7.72.0 as the next release version number
|
| |
|
|
|
|
|
|
|
| |
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu
Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
|
| |
|
|
|
|
|
|
| |
- not used
- used the wrong number of arguments
- confused the Codeacy code analyzer
Closes #5647
|
| |
|
|
|
|
| |
- Same as protocols
Closes #5656
|
| |
|
|
|
| |
Reviewed-by: Marcel Raad
Closes #5662
|
| |
|
|
| |
Closes #5675
|
| |
|
|
|
|
|
|
| |
Added test case 674 to reproduce and verify the bug report.
Fixes #5665
Reported-by: NobodyXu on github
Closes #5673
|
| |
|
|
|
|
|
|
| |
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.
Reviewed-by: Nicolas Sterchele
Closes #5666
|
| | |
|
| |
|
|
|
|
|
|
| |
Meant to be the last of the 11 series and so make sure that all
other references reflect all 11 versions so they can be retired
together later.
Closes https://github.com/curl/curl/pull/5668
|
| |
|
|
| |
Closes https://github.com/curl/curl/pull/5655
|
| |
|
|
|
|
|
| |
Follow-up to ef86daf4d3
Closes #5650
Fixes #5646
|
| |
|
|
|
|
|
|
|
| |
`http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
if `CURL_DISABLE_PROXY` is enabled. Repair the build with that
configuration.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Closes #5645
|
| |
|
|
|
| |
Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge")
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Well-behaving HTTP2 servers send two GOAWAY messages. The first
message is a warning that indicates that the server is going to
stop accepting streams. The second one actually closes the stream.
nghttp2 reports this state (and the other state of no more stream
identifiers) via the call nghttp2_session_check_request_allowed().
In this state the client should not create more streams on the
session (tcp connection), and in curl this means that the server
has requested that the connection is closed.
It would be also be possible to put the connclose() call into the
on_http2_frame_recv() function that triggers on the GOAWAY message.
This fixes a bug seen when the client sees the following sequence of
frames:
// advisory GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = -1]
... some additional frames
// final GOAWAY
HTTP2 GOAWAY [stream-id = 0, promised-stream-id = N ]
Before this change, curl will attempt to reuse the connection even
after the last stream, will encounter this error:
* Found bundle for host localhost: 0x5595f0a694e0 [can multiplex]
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 10443 (#0)
* Using Stream ID: 9 (easy handle 0x5595f0a72e30)
> GET /index.html?5 HTTP/2
> Host: localhost:10443
> user-agent: curl/7.68.0
> accept: */*
>
* stopped the pause stream!
* Connection #0 to host localhost left intact
curl: (16) Error in the HTTP2 framing layer
This error may posion the connection cache, causing future requests
which resolve to the same curl connection to go through the same error
path.
Closes #5643
|
| |
|
|
|
|
|
| |
Rely on tests asking the names to get refused instead - test servers
should be as dumb as possible. Edited test 914, 955 and 959 accordingly.
Closes #5639
|
| |
|
|
|
|
|
| |
This came up in #5640. It make sense to clarify this in the docs!
Reminded-by: Kamil Dudka
Closes #5642
|
