Commit message (Author, Age; Files, Lines)
...
* curl: do bounds check using a double comparison (Adam Sampson, 2017-08-09; files: 1, lines: -1/+1)
  The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't complete: if the parsed number in num is larger than will fit in a long, the conversion is undefined behaviour (causing test1427 to fail for me on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7). Getting rid of the cast means the comparison will be done using doubles. It might make more sense for the max argument to also be a double...
  Fixes #1750
  Closes #1749
* make install: add 8 missing man pages to the installation (Daniel Stenberg, 2017-08-09; files: 2, lines: -1/+8)
* build: fix 'make install' with configure, install docs/libcurl/* too (Daniel Stenberg, 2017-08-09; files: 1, lines: -0/+2)
  Broken since d24838d4da9faa
  Reported-by: Bernard Spil
* RELEASE-NOTES: curl 7.55.0 (tag: curl-7_55_0) (Daniel Stenberg, 2017-08-09; files: 1, lines: -9/+24)
* THANKS: 20 new contributors in 7.55.0 (Daniel Stenberg, 2017-08-09; files: 2, lines: -0/+21)
* docs/comments: Update to secure URL versions (Viktor Szakats, 2017-08-08; files: 16, lines: -21/+21)
  Closes #1741
* configure: fix recv/send/select detection on Android (Daniel Stenberg, 2017-08-08; files: 1, lines: -6/+20)
  ... since they now provide several functions as __attribute__((overloadable)), the argument detection logic needs updates.
  Patched-by: destman at github
  Fixes #1738
  Closes #1739
* ax_code_coverage.m4: update to latest version (Marcel Raad, 2017-08-08; files: 1, lines: -69/+114)
  This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d from August 01, 2017. Notably, this removes the lconv version whitelist.
  Closes https://github.com/curl/curl/pull/1716
* test1427: verify command line parser integer overflow detection (Daniel Stenberg, 2017-08-07; files: 2, lines: -1/+30)
* curl: detect and bail out early on parameter integer overflows (Daniel Stenberg, 2017-08-07; files: 5, lines: -14/+36)
  Make the number parser aware of the maximum limit curl accepts for a value and return an error immediately if larger, instead of running an integer overflow later.
  Fixes #1730
  Closes #1736
* glob: do not continue parsing after a strtoul() overflow range (Daniel Stenberg, 2017-08-07; files: 3, lines: -2/+40)
  Added test 1289 to verify.
  CVE-2017-1000101
  Bug: https://curl.haxx.se/docs/adv_20170809A.html
  Reported-by: Brian Carpenter
* tftp: reject file name lengths that don't fit (Daniel Stenberg, 2017-08-07; files: 1, lines: -1/+6)
  ... and thereby avoid telling send() to send off more bytes than the size of the buffer!
  CVE-2017-1000100
  Bug: https://curl.haxx.se/docs/adv_20170809B.html
  Reported-by: Even Rouault
  Credit to OSS-Fuzz for the discovery
* file: output the correct buffer to the user (Even Rouault, 2017-08-07; files: 1, lines: -1/+1)
  Regression brought by 7c312f84ea930d8 (April 2017)
  CVE-2017-1000099
  Bug: https://curl.haxx.se/docs/adv_20170809C.html
  Credit to OSS-Fuzz for the discovery
* easy_events: make event data static (Daniel Stenberg, 2017-08-06; files: 1, lines: -1/+3)
  First: this function is only used in debug-builds and not in release/real builds. It is used to drive tests using the event-based API.
  A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the CURLMOPT_TIMERFUNCTION callback can in fact be called even after this function returns, namely when curl_multi_remove_handle() is called.
  Reported-by: Brian Carpenter
* getparameter: avoid returning uninitialized 'usedarg' (Daniel Stenberg, 2017-08-05; files: 2, lines: -3/+3)
  Fixes #1728
* gssapi: fix memory leak of output token in multi round context (Isaac Boukris, 2017-08-05; files: 1, lines: -0/+4)
  When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free.
  Found by proposed gss tests using a stub gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well.
  Closes https://github.com/curl/curl/pull/1733
* darwinssl: fix compiler warning (Marcel Raad, 2017-08-05; files: 1, lines: -1/+1)
  clang complains:
  vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive [-Werror,-Wextra-tokens]
  This breaks the darwinssl build on Travis. Fix it by making this token a comment.
  Closes https://github.com/curl/curl/pull/1734
* CMake: fix CURL_WERROR for MSVC (Marcel Raad, 2017-08-04; files: 1, lines: -1/+1)
  When using CURL_WERROR in MSVC builds, the debug flags were overridden by the release flags and /WX got added twice in debug mode.
  Closes https://github.com/curl/curl/pull/1715
* RELEASE-NOTES: synced with 561e9217c (Daniel Stenberg, 2017-08-04; files: 1, lines: -4/+34)
* test1010: verify that #1718 is fixed (Daniel Stenberg, 2017-08-04; files: 1, lines: -1/+3)
  ... by doing two transfers in nocwd mode and checking that there's no superfluous CWD command.
* FTP: skip unnecessary CWD when in nocwd mode (Daniel Stenberg, 2017-08-04; files: 2, lines: -11/+15)
  ... when reusing a connection. If it didn't do any CWD previously.
  Fixes #1718
* travis: explicitly specify dist (Marcel Raad, 2017-08-04; files: 1, lines: -0/+4)
  This makes the builds more reproducible as travis is currently rolling out trusty as default dist [1]. Specifically, this avoids coverage check failures when trusty is used as seen in [2] until we figure out what's wrong.
  [1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
  [2] https://github.com/curl/curl/pull/1692
  Closes https://github.com/curl/curl/pull/1725
* travis: BUILD_TYPE => T (Daniel Stenberg, 2017-08-04; files: 1, lines: -16/+16)
  (to make the full line appear nicer on travis web UI)
* travis: add osx build with darwinssl (Daniel Stenberg, 2017-08-04; files: 1, lines: -4/+7)
  Closes #1706
* darwin: silence compiler warnings (Daniel Stenberg, 2017-08-04; files: 1, lines: -2/+12)
  With a clang pragma and three type fixes
  Fixes #1722
* BUILD.WINDOWS: mention buildconf.bat for builds off git (Daniel Stenberg, 2017-08-03; files: 1, lines: -3/+10)
* darwinssl: fix curlssl_sha256sum() compiler warnings on first argument (Daniel Stenberg, 2017-08-03; files: 2, lines: -7/+8)
* test130: verify comments in .netrc (Daniel Stenberg, 2017-08-03; files: 1, lines: -0/+1)
* netrc: skip lines starting with '#' (Gisle Vanem, 2017-08-03; files: 1, lines: -1/+4)
  Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
* CMake: set MSVC warning level to 4 (Marcel Raad, 2017-08-03; files: 3, lines: -0/+10)
  The MSVC warning level defaults to 3 in CMake. Change it to 4, which is consistent with the Visual Studio and NMake builds. Disable level 4 warning C4127 for the library and additionally C4306 for the test servers to get a clean CURL_WERROR build as that warning is raised in some macros in older Visual Studio versions.
  Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
  Closes https://github.com/curl/curl/pull/1711
* CURLOPT_NETRC.3: fix typo in 7e48aa386156f9c2 (Daniel Stenberg, 2017-08-02; files: 1, lines: -2/+2)
  Reported-by: Viktor Szakats
* CURLOPT_NETRC.3: mention the file name on windows (Daniel Stenberg, 2017-08-02; files: 1, lines: -2/+4)
  ... and CURLOPT_NETRC_FILE(3).
* travis: build osx with libressl too (Daniel Stenberg, 2017-08-02; files: 1, lines: -0/+3)
* travis: build osx with openssl too (Daniel Stenberg, 2017-08-02; files: 1, lines: -1/+4)
* tests/server/util: fix curltime mistake from 4dee50b9c80f9 (Daniel Stenberg, 2017-08-02; files: 1, lines: -1/+1)
* curl_threads: fix MSVC compiler warning (Marcel Raad, 2017-08-01; files: 1, lines: -1/+1)
  Use LongToHandle to convert from long to HANDLE in the Win32 implementation. This should fix the following warning when compiling with MSVC 11 (2012) in 64-bit mode:
  lib\curl_threads.c(113): warning C4306: 'type cast' : conversion from 'long' to 'HANDLE' of greater size
  Closes https://github.com/curl/curl/pull/1717
* BUGS: improved phrasing about security bugs (Daniel Stenberg, 2017-08-01; files: 1, lines: -3/+3)
  Reported-by: Max Dymond
* BUGS: clarify how to report security related bugs (Daniel Stenberg, 2017-08-01; files: 1, lines: -15/+32)
* multi: fix request timer management (Brad Spencer, 2017-08-01; files: 1, lines: -14/+13)
  There are some bugs in how timers are managed for a single easy handle that cause the wrong "next timeout" value to be reported to the application when a new minimum needs to be recomputed and that new minimum should be an existing timer that isn't currently set for the easy handle. When the application drives a set of easy handles via the `curl_multi_socket_action()` API (for example), it gets told to wait the wrong amount of time before the next call, which causes requests to linger for a long time (or, it is my guess, possibly forever).
  Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
* curl_setup: Define CURL_NO_OLDIES for building libcurl (Jay Satiro, 2017-08-01; files: 1, lines: -0/+4)
  .. to catch accidental use of deprecated error codes.
  Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
* configure: fix the check for IdnToUnicode (Jeremy Tan, 2017-08-01; files: 1, lines: -1/+6)
  Fixes #1669
  Closes #1713
* http: fix response code parser to avoid integer overflow (Daniel Stenberg, 2017-07-31; files: 3, lines: -21/+16)
  test 1429 and 1433 were updated to work with the stricter HTTP status line parser.
  Closes #1714
  Reported-by: Brian Carpenter
* libcurl: Stop using error codes defined under CURL_NO_OLDIES (Dwarakanath Yadavalli, 2017-07-31; files: 2, lines: -2/+2)
  Fixes https://github.com/curl/curl/issues/1688
  Closes https://github.com/curl/curl/pull/1712
* include.d: clarify --include is only for response headers (Jay Satiro, 2017-07-30; files: 1, lines: -1/+1)
  Follow-up to 171f8de and de6de94.
  Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
  Reported-by: Daniel Stenberg
* cmake: support make uninstall (jasjuang, 2017-07-30; files: 2, lines: -0/+37)
  Closes #1674
* RELEASE-NOTES: synced with 001701c47 (Daniel Stenberg, 2017-07-30; files: 1, lines: -3/+37)
* AppVeyor: now really use CURL_WERROR (Marcel Raad, 2017-07-29; files: 1, lines: -1/+1)
  It was misspelled as CURL_ERROR in commit 2d86e8d1286e0fbe3d811e2e87fa0b5e53722db4.
  Closes https://github.com/curl/curl/pull/1686
* tool_help: clarify --include is only for response headers (Jay Satiro, 2017-07-29; files: 1, lines: -1/+1)
  Follow-up to 171f8de.
  Ref: https://github.com/curl/curl/issues/1704
* splay: fix signed/unsigned mismatch warning (Jay Satiro, 2017-07-29; files: 1, lines: -2/+2)
  Follow-up to 4dee50b.
  Ref: https://github.com/curl/curl/pull/1693
* include.d: clarify that it concerns the response headers (Daniel Stenberg, 2017-07-28; files: 1, lines: -2/+5)
  Reported-by: olesteban at github
  Fixes #1704