- Feb 01, 2016
-
-
Sergei Nikulov authored
Closes #621
-
Jay Satiro authored
Due to path separators being incorrectly sanitized in --output pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a8 until I write a proper fix. The remote-name will continue to be sanitized, but if the user specified an --output with string replacement (#1, #2, etc) that data is unsanitized until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder
-
- Jan 29, 2016
-
-
Jay Satiro authored
.. also warn about letting the server pick the filename.
-
Gisle Vanem authored
-
- Jan 28, 2016
-
-
Daniel Stenberg authored
-
Sergei Nikulov authored
Closes #617
-
Sergei Nikulov authored
Closes https://github.com/bagder/curl/pull/618
-
Viktor Szakats authored
tool_doswin.c:185:14: warning: 'msdosify' defined but not used [-Wunused-function]

Closes https://github.com/bagder/curl/pull/616
-
- Jan 27, 2016
-
-
Daniel Stenberg authored
Reported-by: Bernard Spil
-
Daniel Stenberg authored
-
- Jan 26, 2016
-
-
Daniel Stenberg authored
-
Isaac Boukris authored
Proxy NTLM authentication should compare credentials when re-using a connection similar to host authentication, as it authenticates the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755
Bug: http://curl.haxx.se/docs/adv_20160127A.html
-
Ray Satiro authored
curl does not sanitize colons in a remote file name that is used as the local file name. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows/DOS is the only OS where this vulnerability applies.

CVE-2016-0754
Bug: http://curl.haxx.se/docs/adv_20160127B.html
-
Daniel Stenberg authored
-
- Jan 25, 2016
-
-
Daniel Stenberg authored
-
- Jan 24, 2016
-
-
paulehoffman authored
Current FAQ didn't make it clear where the main repo is. Closes #612
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
- Jan 21, 2016
-
-
Steve Holme authored
-
- Jan 18, 2016
-
-
Jay Satiro authored
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned.
2. If peer certificate verification was disabled the pinned key verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
-
Jay Satiro authored
Because disabling the peer verification (--insecure) must not disable the public key pinning check (--pinnedpubkey).
-
- Jan 17, 2016
-
-
Daniel Schauenberg authored
-
- Jan 15, 2016
-
-
Kamil Dudka authored
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f.

This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE.

Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
-
- Jan 14, 2016
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another certificate fail so this required a fix and this is the better way to catch this error anyway.
-
Daniel Stenberg authored
-
- Jan 13, 2016
-
-
Daniel Stenberg authored
-
- Jan 12, 2016
-
-
Daniel Stenberg authored
The configure test uses AC_TRY_RUN to figure out if an ipv6 socket works, and testing like that doesn't work for cross-compiles. These days IPv6 support is widespread so a blind guess is probably more likely to be 'yes' than 'no' now.

Further: anyone who cross-compiles can use configure's --disable-ipv6 to explicitly disable IPv6 and that also works for cross-compiles.

Made happen after discussions in issue #594
-
- Jan 11, 2016
-
-
Daniel Stenberg authored
Closes #514
-
Daniel Stenberg authored
When an HTTP/2 upgrade request fails (no protocol switch), it would previously detect that as still possible to pipeline on (which is acorrect) and do that when PIPEWAIT was enabled even if pipelining was not explicitly enabled.

It should only be pipelined if explicitly asked to.

Closes #584
-
Mohammad AlSaleh authored
Before this patch, if a URL does not start with the protocol name/scheme, effective URLs would be prefixed with upper-case protocol names/schemes. This behavior might not be expected by library users or end users.

For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https" and the URL is "hostname/path", the effective URL would be "HTTPS://hostname/path" instead of "https://hostname/path".

After this patch, effective URLs would be prefixed with a lower-case protocol name/scheme.

Closes #597
Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-
Alessandro Ghedini authored
-
Alessandro Ghedini authored
The script should use the just-built curl, not the system one. This fixes zsh completion generation when no system curl is installed.
-
Alessandro Ghedini authored
Instead of generating a broken completion file.
-
- Jan 10, 2016
-
-
Michael Kaufmann authored
Closes #596
-
Jay Satiro authored
.. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
-
- Jan 09, 2016
-
-
Thomas Glanzmann authored
-
Tatsuhiro Tsujikawa authored
-
- Jan 08, 2016
-
-
Tatsuhiro Tsujikawa authored
Previously, when HTTP/2 is enabled and used, and stream has content length known, Curl_read was not called when there were no bytes left to read. Because of this, we could not make sure that http2_handle_stream_close was called for every stream. Since we use http2_handle_stream_close to emit trailer fields, they were effectively ignored. This commit changes the code so that Curl_read is called even if no bytes are left to read, to ensure that http2_handle_stream_close is called for every stream.

Discussed in https://github.com/bagder/curl/pull/564
-