  1. Feb 05, 2016
    • tool_doswin: Improve sanitization processing · 4520534e
      Jay Satiro authored
      - Add unit test 1604 to test the sanitize_file_name function.
      
      - Use -DCURL_STATICLIB when building libcurltool for unit testing.
      
      - Better detection of reserved DOS device names.
      
      - New flags to modify sanitize behavior:
      
      SANITIZE_ALLOW_COLONS: Allow colons
      SANITIZE_ALLOW_PATH: Allow path separators and colons
      SANITIZE_ALLOW_RESERVED: Allow reserved device names
      SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename
      
      - Restore sanitization of banned characters from user-specified outfile.
      
      Prior to this commit sanitization of a user-specified outfile was
      temporarily disabled in 2b6dadc5 because there was no way to allow path
      separators and colons through while replacing other banned characters.
      Now in such a case we call the sanitize function with
      SANITIZE_ALLOW_PATH which allows path separators and colons to pass
      through.
      
      
      Closes https://github.com/curl/curl/issues/624
      Reported-by: Octavio Schroeder
  2. Feb 04, 2016
  3. Feb 03, 2016
  4. Feb 02, 2016
  5. Feb 01, 2016
  6. Jan 29, 2016
  7. Jan 28, 2016
  8. Jan 27, 2016
  9. Jan 26, 2016
  10. Jan 25, 2016
  11. Jan 24, 2016
  12. Jan 21, 2016
  13. Jan 18, 2016
    • mbedtls: Fix pinned key return value on fail · d58ba66e
      Jay Satiro authored
      - Switch from verifying a pinned public key in a callback during the
      certificate verification to inline after the certificate verification.
      
      The callback method had three problems:
      
      1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
      was not returned.
      
      2. If peer certificate verification was disabled the pinned key
      verification did not take place as it should.
      
      3. (related to #2) If there was no certificate of depth 0 the callback
      would not have checked the pinned public key.
      
      Though all those problems could have been fixed it would have made the
      code more complex. Instead we now verify inline after the certificate
      verification in mbedtls_connect_step2.
      
      Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
      Ref: https://github.com/bagder/curl/pull/601
    • tests: Add a test for pinnedpubkey fail even when insecure · d5663711
      Jay Satiro authored
      Because disabling the peer verification (--insecure) must not disable
      the public key pinning check (--pinnedpubkey).
  14. Jan 17, 2016
  15. Jan 15, 2016
  16. Jan 14, 2016