summaryrefslogtreecommitdiff
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* http: fix memleak in rewind error pathbagder/http-fuzz-leakDaniel Stenberg2018-09-251-8/+7
| | | | | | | | If the rewind would fail, a strdup() would not get freed. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
* Curl_retry_request: fix memory leakDaniel Stenberg2018-09-241-2/+7
| | | | | | | Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648 Closes #3042
* openssl: load built-in engines tooDaniel Stenberg2018-09-241-1/+1
| | | | | | | | Regression since 38203f1 Reported-by: Jean Fabrice Fixes #3023 Closes #3040
* OpenSSL: enable TLS 1.3 post-handshake authChristian Heimes2018-09-241-0/+6
| | | | | | | | | | OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication. Fixes: https://github.com/curl/curl/issues/3026 Signed-off-by: Christian Heimes <christian@python.org> Closes https://github.com/curl/curl/pull/3027
* Curl_dedotdotify(): always nul terminate returned string.Even Rouault2018-09-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes potential out-of-buffer access on "file:./" URL $ valgrind curl "file:./" ==24516== Memcheck, a memory error detector ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==24516== Command: /home/even/install-curl-git/bin/curl file:./ ==24516== ==24516== Conditional jump or move depends on uninitialised value(s) ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==24516== by 0x4EBB315: seturl (urlapi.c:801) ==24516== by 0x4EBB568: parseurl (urlapi.c:861) ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199) ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044) ==24516== by 0x4E67AEF: create_conn (url.c:3613) ==24516== by 0x4E68A4F: Curl_connect (url.c:4119) ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440) ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173) ==24516== by 0x4E7558C: easy_transfer (easy.c:686) ==24516== by 0x4E75801: easy_perform (easy.c:779) ==24516== by 0x4E75868: curl_easy_perform (easy.c:798) Was originally spotted by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637 Credit to OSS-Fuzz Closes #3039
* whitespace fixesViktor Szakats2018-09-2340-206/+169
| | | | | | | | | | | - replace tabs with spaces where possible - remove line ending spaces - remove double/triple newlines at EOF - fix a non-UTF-8 character - cleanup a few indentations/line continuations in manual examples Closes https://github.com/curl/curl/pull/3037
* http: add missing return code checkDaniel Stenberg2018-09-231-6/+3
| | | | | | | | Detected by Coverity. CID 1439610. Follow-up from 46e164069d1a523 Closes #3034
* ftp: don't access pointer before NULL checkDaniel Stenberg2018-09-231-2/+1
| | | | | | Detected by Coverity. CID 1439611. Follow-up from 46e164069d1a523
* url: use the URL API internally as wellDaniel Stenberg2018-09-2219-913/+371
| | | | | | ... to make it a truly unified URL parser. Closes #3017
* URL and mailmap updates, remove an obsolete directory [ci skip]Viktor Szakats2018-09-222-2/+2
| | | | Closes https://github.com/curl/curl/pull/3031
* Curl_saferealloc: Fixed typo in docblockErik Minekus2018-09-211-1/+1
| | | | Closes #3029
* urlapi: fix support for address scope in IPv6 numerical addressesDaniel Stenberg2018-09-212-6/+6
| | | | Closes #3024
* GnutTLS: TLS 1.3 supportLoganaden Velvindron2018-09-211-9/+62
| | | | Closes #2971
* vtls: fix ssl version "or later" behavior change for many backendsJay Satiro2018-09-208-18/+1
| | | | | | | | | | | | | | | | | | | | | | | - Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
* urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptanceDaniel Stenberg2018-09-191-11/+37
| | | | | | | | | | | | | | | In order for this API to fully work for libcurl itself, it now offers a CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host name prefix just like libcurl always did. If there's no known prefix, it will guess "http://". Separately, it relaxes the check of the host name so that IDN host names can be passed in as well. Both these changes are necessary for libcurl itself to use this API. Assisted-by: Daniel Gustafsson Closes #3018
* nss: try to connect even if libnssckbi.so fails to loadKamil Dudka2018-09-191-2/+3
| | | | | | | | | One can still use CA certificates stored in NSS database. Reported-by: Maxime Legros Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html Closes #3016
* urlapi: don't set value which is never readDaniel Gustafsson2018-09-191-1/+0
| | | | | | | | | In the CURLUPART_URL case, there is no codepath which invokes url decoding so remove the assignment of the urldecode variable. This fixes the deadstore bug-report from clang static analysis. Closes #3015 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* curl_multi_wait: call getsock before figuring out timeoutDaniel Stenberg2018-09-181-7/+7
| | | | | | | .... since getsock may update the expiry timer. Fixes #2996 Closes #3000
* darwinssl: Fix realloc memleakDaniel Gustafsson2018-09-181-1/+2
| | | | | | | | | | The reallocation was using the input pointer for the return value, which leads to a memory leak on reallication failure. Fix by instead use the safe internal API call Curl_saferealloc(). Closes #3005 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
* memory: add missing curl_printf headerDaniel Gustafsson2018-09-171-1/+3
| | | | | | | | | ftp_send_command() was using vsnprintf() without including the libcurl *rintf() replacement header. Fix by including curl_printf.h and also add curl_memory.h while at it since memdebug.h depends on it. Closes #2999 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* http: made Curl_add_buffer functions take a pointer-pointerDaniel Stenberg2018-09-165-105/+141
| | | | | | | ... so that they can clear the original pointer on failure, which makes the error-paths and their cleanups easier. Closes #2992
* http2: fix memory leaks on error-pathDaniel Stenberg2018-09-161-2/+8
|
* secure Openwall URLsViktor Szakats2018-09-142-2/+2
|
* openssl: show "proper" version number for libressl buildsDaniel Stenberg2018-09-141-6/+5
| | | | Closes #2989
* openssl: assume engine support in 0.9.8 or laterRainer Jung2018-09-141-1/+1
| | | | | Fixes #2983 Closes #2988
* sendf: use failf() rather than Curl_failf()Daniel Gustafsson2018-09-131-3/+2
| | | | | | | | The failf() macro is the name used for invoking Curl_failf(). While there isn't a way to turn off failf like there is for infof, but it's still a good idea to use the macro. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* sendf: Fix whitespace in infof/failf concatenationDaniel Gustafsson2018-09-132-2/+2
| | | | | | | | | | Strings broken on multiple rows in the .c file need to have appropriate whitespace padding on either side of the concatenation point to render a correct amalgamated string. Fix by adding a space at the occurrences found. Closes #2986 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* krb5: fix memory leak in krb_authDaniel Gustafsson2018-09-131-0/+1
| | | | | | The FTP command allocated by aprintf() must be freed after usage. Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* ftp: include command in Curl_ftpsend sendbufferDaniel Gustafsson2018-09-131-1/+5
| | | | | | | | | | Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed the actual command to be sent from the send buffer in a refactoring. Add back copying the command into the buffer. Also add more guards against malformed input while at it. Closes #2985 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* ntlm_wb: Fix memory leaks in ntlm_wb_responseDaniel Gustafsson2018-09-131-0/+1
| | | | | | | | When erroring out on a request being too large, the existing buffer was leaked. Fix by explicitly freeing on the way out. Closes #2966 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* vtls: add a MesaLink vtls backendYiming Jing2018-09-135-1/+666
| | | | Closes #2984
* configure.ac: add a MesaLink vtls backendYiming Jing2018-09-131-2/+2
|
* lib: fix gcc8 warning on WindowsViktor Szakats2018-09-121-2/+3
| | | | Closes https://github.com/curl/curl/pull/2979
* openssl: fix gcc8 warningJay Satiro2018-09-121-1/+1
| | | | | | | | | | - Use memcpy instead of strncpy to copy a string without termination, since gcc8 warns about using strncpy to copy as many bytes from a string as its length. Suggested-by: Viktor Szakats Closes https://github.com/curl/curl/issues/2980
* cookies: Move failure case label to end of functionDaniel Gustafsson2018-09-101-6/+7
| | | | | | | | Rather than jumping backwards to where failure cleanup happens to be performed, move the failure case to end of the function where it is expected per existing coding convention. Closes #2965
* misc: fix typos in commentsDaniel Gustafsson2018-09-102-2/+2
| | | | Closes #2963
* cookies: fix leak when writing cookies to fileDaniel Gustafsson2018-09-101-3/+2
| | | | | | | | | If the formatting fails, we error out on a fatal error and clean up on the way out. The array was however freed within the wrong scope and was thus never freed in case the cookies were written to a file instead of STDOUT. Closes #2957
* cookies: Remove redundant expired checkDaniel Gustafsson2018-09-101-6/+2
| | | | | | | Expired cookies have already been purged at a later expiration time before this check, so remove the redundant check. closes #2962
* ntlm_wb: bail out if the response gets overly largeDaniel Stenberg2018-09-091-1/+10
| | | | | | | | Exit the realloc() loop if the response turns out ridiculously large to avoid worse problems. Reported-by: Harry Sintonen Closes #2959
* url.c: fix comment typo and indentationDaniel Gustafsson2018-09-081-2/+2
| | | | Closes #2960
* urlapi: avoid derefencing a possible NULL pointerDaniel Stenberg2018-09-081-2/+2
| | | | Coverity CID 1439134
* URL-APIDaniel Stenberg2018-09-089-340/+1394
| | | | | | | See header file and man pages for API. All documented API details work and are tested in the 1560 test case. Closes #2842
* curl_easy_upkeep: removed 'conn' from the nameDaniel Stenberg2018-09-074-5/+5
| | | | | | | ... including the associated option. Fixes #2951 Closes #2952
* upkeep: add a connection upkeep API: curl_easy_conn_upkeep()Max Dymond2018-09-076-0/+105
| | | | | | | | | Add functionality so that protocols can do custom keepalive on their connections, when an external API function is called. Add docs for the new options in 7.62.0 Closes #1641
* configure: add option to disable automatic OpenSSL config loadingPhilipp Waehnert2018-09-071-0/+2
| | | | | | | | | | | | | | | Sometimes it may be considered a security risk to load an external OpenSSL configuration automatically inside curl_global_init(). The configuration option --disable-ssl-auto-load-config disables this automatism. The Windows build scripts winbuild/Makefile.vs provide a corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value. Setting neither of these options corresponds to the previous behavior loading the external OpenSSL configuration automatically. Fixes #2724 Closes #2791
* doh: minor edits to please CoverityDaniel Stenberg2018-09-071-2/+5
| | | | | | | The gcc typecheck macros and coverity combined made it warn on the 2nd argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it. Coverity CID 1439115 and CID 1439114.
* schannel: avoid switch-cases that go to default anywayDaniel Stenberg2018-09-071-0/+4
| | | | | | | | | | SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of mingw and would require an ifdef otherwise. Reported-by: Thomas Glanzmann Approved-by: Marc Hörsken Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html Closes #2950
* imap: change from "FETCH" to "UID FETCH"Nicklas Avén2018-09-062-21/+43
| | | | | | | | | | | | ... and add "MAILINDEX". As described in #2789, this is a suggested solution. Changing UID=xx to actually get mail with UID xx and add "MAILINDEX" to get a mail with a special index in the mail box (old behavior). So MAILINDEX=1 gives the first non deleted mail in the mail box. Fixes #2789 Closes #2815
* CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer sizeDaniel Stenberg2018-09-068-17/+39
| | | | | | | This is step 3 of #2888. Fixes #2888 Closes #2896
* DOH: add test case 1650 and 2100Daniel Stenberg2018-09-062-65/+92
|
View Lorry Controller Status