Commits · 0583e87ada7a3cfb10904ae4ab61b339582c5bd3 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

21 Apr, 2015 4 commits

fix_hostname: zero length host name caused -1 index offset · 0583e87a

Daniel Stenberg authored Apr 16, 2015

If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck

0583e87a

cookie: cookie parser out of boundary memory access · b5f947b8

Daniel Stenberg authored Apr 16, 2015

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck

b5f947b8

ConnectionExists: for NTLM re-use, require credentials to match · 31be461c
Daniel Stenberg authored Apr 16, 2015
```
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
```
31be461c
openssl: add OPENSSL_NO_SSL3_METHOD check · 6088fbce
byronhe authored Apr 21, 2015

6088fbce

20 Apr, 2015 4 commits
- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc · cf2d21d8
  Daniel Stenberg authored Apr 20, 2015
```
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
```
  cf2d21d8
- configure --with-nss: remove unneeded libs from the fallback · 875a6d93
  Mostyn Bramley-Moore authored Apr 20, 2015
  
  875a6d93
- contributors.sh: fix help output, filter out (-prefix from names · 1b8f9c95
  Daniel Stenberg authored Apr 20, 2015
  
  1b8f9c95
- RELEASE-NOTES: synced with cc0e7ebc · 9d704b3d
  Daniel Stenberg authored Apr 20, 2015
  
  9d704b3d
19 Apr, 2015 2 commits
- CURLMOPT_TIMERFUNCTION.3: Clarify, add an example · cc0e7ebc
  Michael Stapelberg authored Apr 11, 2015
  
  cc0e7ebc
- vtls/openssl: use https in URLs and a comment typo fixed · 3a87bdeb
  Viktor Szakáts authored Dec 29, 2014
  
  3a87bdeb
18 Apr, 2015 2 commits
- curl_version_info.3: fixed the 'protocols' variable type · 63c64e05
  Daniel Stenberg authored Apr 18, 2015
```
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
```
  63c64e05
- test1423: added missing "file" to server section · 1e6d0e06
  Dan Fandrich authored Apr 18, 2015
  
  1e6d0e06
17 Apr, 2015 6 commits
- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods · b6e47789
  Daniel Stenberg authored Apr 17, 2015
```
... and some minor edits
```
  b6e47789
- Revert "HTTP: don't abort connections with pending Negotiate authentication" · 2eb02480
  Daniel Stenberg authored Apr 17, 2015
```
This reverts commit 5dc68dd6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
```
  2eb02480
- cyassl: Fix include order · f7011252
  Jay Satiro authored Apr 17, 2015
```
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
```
  f7011252
- configure --with-nss: drop redundant if statement · 8dc3bbf0
  Kamil Dudka authored Apr 08, 2015
  
  8dc3bbf0
- configure --with-nss=PATH: query pkg-config if available · 67a8bbb5
  Kamil Dudka authored Apr 08, 2015
```
Bug: https://github.com/bagder/curl/pull/171
```
  67a8bbb5
- parsecfg: do not continue past a zero termination · 691a07da
  Daniel Stenberg authored Apr 17, 2015
```
When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.

Reported-by: Hanno Böck
```
  691a07da
16 Apr, 2015 1 commit
- gitignore: Ignore Windows build output directories · 05e4137d
  Jay Satiro authored Apr 16, 2015
  
  05e4137d
15 Apr, 2015 6 commits
- RELEASE-NOTES: synced with 1ba6e4c8 · 82805b56
  Daniel Stenberg authored Apr 15, 2015
  
  82805b56
- TODO: 17.9 Choose the name of file in braces for complex URLs · 1ba6e4c8
  Daniel Stenberg authored Apr 15, 2015
  
  1ba6e4c8
- TODO: a little caution that maybe not all ideas are still good · 8f78794f
  Daniel Stenberg authored Apr 15, 2015
  
  8f78794f
- TODO: 17.8 offer color-coded HTTP header output · 0cbbbbdc
  Daniel Stenberg authored Apr 15, 2015
  
  0cbbbbdc
- TODO: 17.7 warning when sending binary output to terminal · 78843afb
  Daniel Stenberg authored Apr 15, 2015
  
  78843afb
- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes · ad48b177
  Daniel Stenberg authored Apr 15, 2015
  
  ad48b177
14 Apr, 2015 1 commit
- cyassl: Add support for TLS extension SNI · 9430dd58
  Jay Satiro authored Apr 13, 2015
  
  9430dd58
13 Apr, 2015 7 commits
- gitignore: ignore test-driver file · 8df4b5af
  Matthew Hall authored Mar 24, 2015
  
  8df4b5af
- vtls_openssl: improve PKCS#12 load failure error message · a471a9f3
  Matthew Hall authored Mar 24, 2015
  
  a471a9f3
- vtls_openssl: fix minor typo in PKCS#12 load routine · 27ac6434
  Matthew Hall authored Mar 24, 2015
  
  27ac6434
- vtls_openssl: improve client certificate load failure error messages · b3175a76
  Matthew Hall authored Mar 24, 2015
  
  b3175a76
- vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant · 58b0a8b0
  Matthew Hall authored Mar 24, 2015
  
  58b0a8b0
- BUGS: refer to the github issue tracker now as primary · 9e7125a1
  Daniel Stenberg authored Apr 13, 2015
  
  9e7125a1
- firefox-db2pem: fix wildcard to find Firefox default profile · 7fe172d3
  Daniel Stenberg authored Apr 13, 2015
```
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.

Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
```
  7fe172d3
12 Apr, 2015 1 commit
- cyassl: Include the CyaSSL build config · 72bea7cc
  Jay Satiro authored Apr 11, 2015
```
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
```
  72bea7cc
11 Apr, 2015 1 commit

build: Generate source prerequisites for Visual Studio in generate.bat · 139141f8

Jay Satiro authored Apr 08, 2015

Prior to this change Visual Studio builds could fail due to missing
prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.

http://curl.haxx.se/mail/lib-2015-04/0034.html

139141f8

09 Apr, 2015 1 commit

lib/makefile.m32: add missing libs to build libcurl.dll · e4415515

Viktor Szakats authored Apr 09, 2015

Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.

e4415515

08 Apr, 2015 3 commits
- test142[23]: verify that an empty file is stored on success · 992a7311
  Kamil Dudka authored Apr 07, 2015
  
  992a7311
- src/tool_operate: create output file on successful download · 261a0fed
  Kamil Dudka authored Mar 30, 2015
```
... of an empty file

Bug: https://github.com/bagder/curl/issues/183
```
  261a0fed
- src/tool_cb_wrt: separate fnc for output file creation · f251417d
  Kamil Dudka authored Mar 30, 2015
  
  f251417d
07 Apr, 2015 1 commit

lib/transfer.c: Remove factor of 8 from sleep time calculation · a9e46749

Da-Yoon Chung authored Apr 06, 2015

The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
rate_bps are both in bytes. When using the rate limiting option, curl
waits 8 times too long, and then transfers very quickly until the
average rate reaches the limit. The average rate follows the limit over
time, but the actual traffic is bursty.

Thanks-to: Benjamin Gilbert

a9e46749