Commits · 79b9d5f1a42578f807a6c94914bc65cbaa304b6d · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

Apr 21, 2015

http_done: close Negotiate connections when done · 79b9d5f1

Daniel Stenberg authored Apr 18, 2015

When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

79b9d5f1

fix_hostname: zero length host name caused -1 index offset · 0583e87a

Daniel Stenberg authored Apr 16, 2015

If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck

0583e87a

cookie: cookie parser out of boundary memory access · b5f947b8

Daniel Stenberg authored Apr 16, 2015

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck

b5f947b8

ConnectionExists: for NTLM re-use, require credentials to match · 31be461c
Daniel Stenberg authored Apr 16, 2015
```
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
```
31be461c
openssl: add OPENSSL_NO_SSL3_METHOD check · 6088fbce
byronhe authored Apr 21, 2015

6088fbce

Apr 20, 2015
- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc · cf2d21d8
  Daniel Stenberg authored Apr 20, 2015
```
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
```
  cf2d21d8
- configure --with-nss: remove unneeded libs from the fallback · 875a6d93
  Mostyn Bramley-Moore authored Apr 20, 2015
  
  875a6d93
- contributors.sh: fix help output, filter out (-prefix from names · 1b8f9c95
  Daniel Stenberg authored Apr 20, 2015
  
  1b8f9c95
- RELEASE-NOTES: synced with cc0e7ebc · 9d704b3d
  Daniel Stenberg authored Apr 20, 2015
  
  9d704b3d
Apr 19, 2015
- CURLMOPT_TIMERFUNCTION.3: Clarify, add an example · cc0e7ebc
  Michael Stapelberg authored Apr 11, 2015
  
  cc0e7ebc
- vtls/openssl: use https in URLs and a comment typo fixed · 3a87bdeb
  Viktor Szakats authored Dec 29, 2014
  
  3a87bdeb
Apr 18, 2015
- curl_version_info.3: fixed the 'protocols' variable type · 63c64e05
  Daniel Stenberg authored Apr 18, 2015
```
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
```
  63c64e05
- test1423: added missing "file" to server section · 1e6d0e06
  Dan Fandrich authored Apr 18, 2015
  
  1e6d0e06
Apr 17, 2015
- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods · b6e47789
  Daniel Stenberg authored Apr 17, 2015
```
... and some minor edits
```
  b6e47789
- Revert "HTTP: don't abort connections with pending Negotiate authentication" · 2eb02480
  Daniel Stenberg authored Apr 17, 2015
```
This reverts commit 5dc68dd6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
```
  2eb02480
- cyassl: Fix include order · f7011252
  Jay Satiro authored Apr 17, 2015
```
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
```
  f7011252
- configure --with-nss: drop redundant if statement · 8dc3bbf0
  Kamil Dudka authored Apr 08, 2015
  
  8dc3bbf0
- configure --with-nss=PATH: query pkg-config if available · 67a8bbb5
  Kamil Dudka authored Apr 08, 2015
```
Bug: https://github.com/bagder/curl/pull/171
```
  67a8bbb5
- parsecfg: do not continue past a zero termination · 691a07da
  Daniel Stenberg authored Apr 17, 2015
```
When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.

Reported-by: Hanno Böck
```
  691a07da
Apr 16, 2015
- gitignore: Ignore Windows build output directories · 05e4137d
  Jay Satiro authored Apr 16, 2015
  
  05e4137d
Apr 15, 2015
- RELEASE-NOTES: synced with 1ba6e4c8 · 82805b56
  Daniel Stenberg authored Apr 15, 2015
  
  82805b56
- TODO: 17.9 Choose the name of file in braces for complex URLs · 1ba6e4c8
  Daniel Stenberg authored Apr 15, 2015
  
  1ba6e4c8
- TODO: a little caution that maybe not all ideas are still good · 8f78794f
  Daniel Stenberg authored Apr 15, 2015
  
  8f78794f
- TODO: 17.8 offer color-coded HTTP header output · 0cbbbbdc
  Daniel Stenberg authored Apr 15, 2015
  
  0cbbbbdc
- TODO: 17.7 warning when sending binary output to terminal · 78843afb
  Daniel Stenberg authored Apr 15, 2015
  
  78843afb
- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes · ad48b177
  Daniel Stenberg authored Apr 15, 2015
  
  ad48b177
Apr 14, 2015
- cyassl: Add support for TLS extension SNI · 9430dd58
  Jay Satiro authored Apr 13, 2015
  
  9430dd58
Apr 13, 2015
- gitignore: ignore test-driver file · 8df4b5af
  Matthew Hall authored Mar 24, 2015
  
  8df4b5af
- vtls_openssl: improve PKCS#12 load failure error message · a471a9f3
  Matthew Hall authored Mar 24, 2015
  
  a471a9f3
- vtls_openssl: fix minor typo in PKCS#12 load routine · 27ac6434
  Matthew Hall authored Mar 24, 2015
  
  27ac6434
- vtls_openssl: improve client certificate load failure error messages · b3175a76
  Matthew Hall authored Mar 24, 2015
  
  b3175a76
- vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant · 58b0a8b0
  Matthew Hall authored Mar 24, 2015
  
  58b0a8b0
- BUGS: refer to the github issue tracker now as primary · 9e7125a1
  Daniel Stenberg authored Apr 13, 2015
  
  9e7125a1
- firefox-db2pem: fix wildcard to find Firefox default profile · 7fe172d3
  Daniel Stenberg authored Apr 13, 2015
```
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.

Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
```
  7fe172d3
Apr 12, 2015
- cyassl: Include the CyaSSL build config · 72bea7cc
  Jay Satiro authored Apr 11, 2015
```
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
```
  72bea7cc
Apr 11, 2015

build: Generate source prerequisites for Visual Studio in generate.bat · 139141f8

Jay Satiro authored Apr 08, 2015

Prior to this change Visual Studio builds could fail due to missing
prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.

http://curl.haxx.se/mail/lib-2015-04/0034.html

139141f8

Apr 09, 2015

lib/makefile.m32: add missing libs to build libcurl.dll · e4415515

Viktor Szakats authored Apr 09, 2015

Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.

e4415515

Apr 08, 2015
- test142[23]: verify that an empty file is stored on success · 992a7311
  Kamil Dudka authored Apr 07, 2015
  
  992a7311
- src/tool_operate: create output file on successful download · 261a0fed
  Kamil Dudka authored Mar 30, 2015
```
... of an empty file

Bug: https://github.com/bagder/curl/issues/183
```
  261a0fed
- src/tool_cb_wrt: separate fnc for output file creation · f251417d
  Kamil Dudka authored Mar 30, 2015
  
  f251417d