- Feb 04, 2019
-
-
Daniel Gustafsson authored
If the incoming len is 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until it exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Bug: https://curl.haxx.se/docs/CVE-2019-3823.html Reported-by: Brian Carpenter (Geeknik Labs) CVE-2019-3823
-
Daniel Stenberg authored
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html Reported-by: Wenxiang Qian CVE-2019-3822
-
Daniel Stenberg authored
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html Reported-by: Wenxiang Qian CVE-2018-16890
-
- Feb 01, 2019
-
-
georgeok authored
Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
-
Daniel Stenberg authored
-
Daniel Stenberg authored
Stick to "Schannel" everywhere. The configure option --with-winssl is kept to allow existing builds to work but --with-schannel is added as an alias. Closes #3504
-
Daniel Stenberg authored
To make sure Curl_timeleft() also thinks the timeout has been reached when one of the EXPIRE_*TIMEOUTs expires. Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html Reported-by: Zhao Yisha Closes #3501
-
- Jan 31, 2019
-
-
John Marshall authored
Use an ephemeral port number here; previously the example had 8080 which could be confusing as the common web server port number might be misinterpreted as suggesting this option affects the remote port. URL: https://curl.haxx.se/mail/lib-2019-01/0084.html Closes #3513
-
- Jan 29, 2019
-
-
Gisle Vanem authored
A backslash should be escaped in Roff / Troff.
-
Jay Satiro authored
By default WinSSL selects and sends a client certificate automatically, but for privacy and consistency we should offer an option to disable the default auto-send behavior. Reported-by: Jeroen Ooms Closes https://github.com/curl/curl/issues/2262
-
- Jan 28, 2019
-
-
Jeremie Rapin authored
mbedTLS doesn't have a sigpipe management. If a write/read occurs when the remote closes the socket, the signal is raised and kills the application. Use the curl mechanisms to fix this behavior. Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com> Closes #3502
-
Daniel Stenberg authored
-
Michael Kujawa authored
Compiling with msvc /analyze and a recent Windows SDK warns against using GetTickCount (Suggests to use GetTickCount64 instead.) Since GetTickCount is only being used when GetTickCount64 isn't available, I am disabling that warning. Fixes https://github.com/curl/curl/issues/3437 Closes https://github.com/curl/curl/pull/3440
-
- Jan 25, 2019
-
-
Daniel Stenberg authored
The previously used ax_code_coverage.m4 is not license compatible and must not be used. Reported-by: William A. Rowe Jr Fixes #3497 Closes #3499
-
- Jan 24, 2019
-
-
Felix Hädicke authored
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for libssh as well. So accepting these options only when compiling with libssh2 is wrong here. Fixes #3493 Closes #3494
-
Felix Hädicke authored
By default, libssh creates a new socket, instead of using the socket created by curl for SSH connections. Pass the socket created by curl to libssh using ssh_options_set() with SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket instead of creating a new one. This approach is very similar to what is done in the libssh2 code, where the socket created by curl is passed to libssh2 when libssh2_session_startup() is called. Fixes #3491 Closes #3495
-
- Jan 21, 2019
-
-
Daniel Stenberg authored
-
Archangel_SDY authored
Fixes #3480 Closes #3487
-
Daniel Stenberg authored
Closes #3289 [skip ci]
-
- Jan 20, 2019
-
-
Daniel Gustafsson authored
There is no real gain in performing memcmp() comparisons on single characters, so change these to array subscript inspections which saves a call and makes the code clearer. Closes #3486 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
-
- Jan 19, 2019
-
-
Daniel Stenberg authored
[skip ci]
-
hhb authored
This reverts commit d4f25201fb7da03fc88f90d51101beb3d0026db9. The overloadable attribute is removed again starting from NDK17. Actually they only exist in two NDK versions (15 and 16). With overloadable, the first condition tried will succeed. Results in wrong detection result. Closes #3484
-
georgeok authored
Windows extended protection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses. Fixes #3280 Closes #3321
-
- Jan 18, 2019
-
-
Daniel Stenberg authored
Reported-by: Marcel Raad Fixes #3412 Closes #3483
-
- Jan 17, 2019
-
-
Joel Depooter authored
When a ssh session startup fails, it is useful to know why it has failed. This commit changes the message from: "Failure establishing ssh session" to something like this, for example: "Failure establishing ssh session: -5, Unable to exchange encryption keys" Closes #3481
-
- Jan 16, 2019
-
-
Alessandro Ghedini authored
-
Daniel Stenberg authored
-
Sergei Nikulov authored
-
Daniel Stenberg authored
Follow-up to 2fa0d57e. The __xlc__ symbol is only defined there if a particular flag is used for legacy macros. Fixes #3474 Closes #3479
-
Daniel Stenberg authored
.... to not pass in a const in the second argument as that's not how it is supposed to be used and might cause compiler warnings. Reported-by: Pavel Pavlov Fixes #3477 Closes #3478
-
- Jan 15, 2019
-
-
Daniel Stenberg authored
Since it isn't totally clang compatible, we detect this IBM clang front-end and if detected, avoid some clang specific magic. Reported-by: Kees Dekker Fixes #3474 Closes #3476
-
Daniel Stenberg authored
[skip ci]
-
Daniel Stenberg authored
extract_if_dead() is called from two functions, and only one of them should get conn->data updated and now neither call path clears it. scan-build found a case where conn->data would be NULL dereferenced in ConnectionExists() otherwise. Closes #3473
-
Daniel Stenberg authored
Found by scan-build. Follow-up to 4c35574b. Closes #3471
-
Daniel Stenberg authored
Since they're used purely for testing purposes, I think they should rather be stored there. Closes #3470
-
Sergei Nikulov authored
-
- Jan 14, 2019
-
-
Frank Gevaerts authored
Closes #3469
-
Marcel Raad authored
zlibwapi.lib (dynamic library) and zlibstat.lib (static library) have the ZLIB_WINAPI define set by default. Using them requires that define too. Ref: https://zlib.net/DLL_FAQ.txt Fixes https://github.com/curl/curl/issues/3133 Closes https://github.com/curl/curl/pull/3460
-
Daniel Stenberg authored
-
- Jan 13, 2019
-
-
Daniel Stenberg authored
Make sure that this function sets a proper "live" transfer for the connection before calling the protocol-specific connection check function, and then clear it again afterward as a non-used connection has no current transfer. Reported-by: Jeroen Ooms Reviewed-by: Marcel Raad Reviewed-by: Daniel Gustafsson Fixes #3463 Closes #3464
-