Skip to content
  1. Jun 18, 2015
  2. Jun 17, 2015
    • Daniel Stenberg's avatar
      libcurl-errors.3: fix typo · cf6ef2dc
      Daniel Stenberg authored
      cf6ef2dc
    • Daniel Stenberg's avatar
      3b93f1a3
    • Daniel Stenberg's avatar
      openssl: fix build with BoringSSL · 46d0eba2
      Daniel Stenberg authored
      OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression
      from cae43a10
      46d0eba2
    • Paul Howarth's avatar
      openssl: Fix build with openssl < ~ 0.9.8f · 4a239862
      Paul Howarth authored
      The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at
      around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks
      builds with older openssls (certainly with 0.9.8b, which is the latest
      older version I have to try with).
      4a239862
    • Daniel Stenberg's avatar
      FTP: do the HTTP CONNECT for data connection blocking · b88f980a
      Daniel Stenberg authored
      ** WORK-AROUND **
      
      The introduced non-blocking general behaviour for Curl_proxyCONNECT()
      didn't work for the data connection establishment unless it was very
      fast. The newly introduced function argument makes it operate in a more
      blocking manner, more like it used to work in the past. This blocking
      approach is only used when the FTP data connecting through HTTP proxy.
      
      Blocking like this is bad. A better fix would make it work more
      asynchronously.
      
      Bug: https://github.com/bagder/curl/issues/278
      b88f980a
    • Daniel Stenberg's avatar
      bump: start the journey toward 7.44.0 · 85739723
      Daniel Stenberg authored
      85739723
    • Jay Satiro's avatar
      f72b30e6
    • Jay Satiro's avatar
      CURLOPT_ERRORBUFFER.3: Improve example · 52d83cb0
      Jay Satiro authored
      52d83cb0
    • Daniel Stenberg's avatar
      RELEASE-NOTES: 7.43.0 release · 38e07886
      Daniel Stenberg authored
      curl-7_43_0
      38e07886
    • Daniel Stenberg's avatar
      THANKS: updated with 7.43.0 names · bdf89d80
      Daniel Stenberg authored
      bdf89d80
    • Kamil Dudka's avatar
      http: do not leak basic auth credentials on re-used connections · 24a8359b
      Kamil Dudka authored
      CVE-2015-3236
      
      This partially reverts commit curl-7_39_0-237-g87c4abb
      
      Reported-by: Tomas Tomecek, Kamil Dudka
      Bug: http://curl.haxx.se/docs/adv_20150617A.html
      24a8359b
    • Kamil Dudka's avatar
      24f0b6eb
    • Daniel Stenberg's avatar
      SMB: rangecheck values read off incoming packet · 50c7f17e
      Daniel Stenberg authored
      CVE-2015-3237
      
      Detected by Coverity. CID 1299430.
      
      Bug: http://curl.haxx.se/docs/adv_20150617B.html
      50c7f17e
    • Jay Satiro's avatar
      schannel: schannel_recv overhaul · 3e7ec1e8
      Jay Satiro authored
      This commit is several drafts squashed together. The changes from each
      draft are noted below. If any changes are similar and possibly
      contradictory the change in the latest draft takes precedence.
      
      Bug: https://github.com/bagder/curl/issues/244
      Reported-by: Chris Araman
      
      %%
      %% Draft 1
      %%
      - return 0 if len == 0. that will have to be documented.
      - continue on and process the caches regardless of raw recv
      - if decrypted data will be returned then set the error code to CURLE_OK
      and return its count
      - if decrypted data will not be returned and the connection has closed
      (eg nread == 0) then return 0 and CURLE_OK
      - if decrypted data will not be returned and the connection *hasn't*
      closed then set the error code to CURLE_AGAIN --only if an error code
      isn't already set-- and return -1
      - narrow the Win2k workaround to only Win2k
      
      %%
      %% Draft 2
      %%
      - Trying out a change in flow to handle corner cases.
      
      %%
      %% Draft 3
      %%
      - Back out the lazier decryption change made in draft2.
      
      %%
      %% Draft 4
      %%
      - Some formatting and branching changes
      - Decrypt all encrypted cached data when len == 0
      - Save connection closed state
      - Change special Win2k check to use connection closed state
      
      %%
      %% Draft 5
      %%
      - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
      connection isn't closed.
      
      %%
      %% Draft 6
      %%
      - Save the last error only if it is an unrecoverable error.
      
      Prior to this I saved the last error state in all cases; unfortunately
      the logic to cover that in all cases would lead to some muddle and I'm
      concerned that could then lead to a bug in the future so I've replaced
      it by only recording an unrecoverable error and that state will persist.
      
      - Do not recurse on renegotiation.
      
      Instead we'll continue on to process any trailing encrypted data
      received during the renegotiation only.
      
      - Move the err checks in cleanup after the check for decrypted data.
      
      In either case decrypted data is always returned but I think it's easier
      to understand when those err checks come after the decrypted data check.
      
      %%
      %% Draft 7
      %%
      - Regardless of len value go directly to cleanup if there is an
      unrecoverable error or a close_notify was already received. Prior to
      this change we only acknowledged those two states if len != 0.
      
      - Fix a bug in connection closed behavior: Set the error state in the
      cleanup, because we don't know for sure it's an error until that time.
      
      - (Related to above) In the case the connection is closed go "greedy"
      with the decryption to make sure all remaining encrypted data has been
      decrypted even if it is not needed at that time by the caller. This is
      necessary because we can only tell if the connection closed gracefully
      (close_notify) once all encrypted data has been decrypted.
      
      - Do not renegotiate when an unrecoverable error is pending.
      
      %%
      %% Draft 8
      %%
      - Don't show 'server closed the connection' info message twice.
      
      - Show an info message if server closed abruptly (missing close_notify).
      3e7ec1e8
  3. Jun 16, 2015
  4. Jun 15, 2015
  5. Jun 14, 2015
  6. Jun 13, 2015
  7. Jun 11, 2015