- Jun 22, 2016
-
-
Jay Satiro authored
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
-
- Jun 21, 2016
-
-
Michael Kaufmann authored
Closes #887
-
- Jun 19, 2016
-
-
Daniel Stenberg authored
-
- Jun 16, 2016
-
-
Daniel Stenberg authored
Regression introduced in 5f5b6263 (released in 7.48.0) Reported-by: Fabian Ruff Fixes #875
-
Dan Fandrich authored
-
Dan Fandrich authored
-
- Jun 08, 2016
-
-
Luo Jinghua authored
- Enable protocol family logic for IPv6 resolves even when support for synthesized addresses is enabled. This is a follow up to the parent commit that added support for synthesized IPv6 addresses from IPv4 on iOS/OS X. The protocol family logic needed for IPv6 was inadvertently excluded if support for synthesized addresses was enabled. Bug: https://github.com/curl/curl/issues/863 Ref: https://github.com/curl/curl/pull/866 Ref: https://github.com/curl/curl/pull/867
-
- Jun 07, 2016
-
-
Luo Jinghua authored
Use getaddrinfo() to resolve the IPv4 address literal on iOS/Mac OS X if the current network interface doesn’t support IPv4, but supports IPv6, NAT64, and DNS64. Closes #866 Fixes #863
-
- Jun 06, 2016
-
-
Steve Holme authored
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL fails on Windows < 8.1 so we need to disable ALPN on these OS versions. Inspiration provided by: Daniel Seither Closes #848 Fixes #840
-
Jay Satiro authored
LoadLibrary was supplanted by Curl_load_library for security reasons in 6df916d7.
-
- Jun 05, 2016
-
-
Jay Satiro authored
- Change the parser to not require a minor version for HTTP/2. HTTP/2 connection reuse broke when we changed from HTTP/2.0 to HTTP/2 in 8243a958 because the parser still expected a minor version. Bug: https://github.com/curl/curl/issues/855 Reported-by: Andrew Robbins, Frank Gevaerts
-
- Jun 04, 2016
-
-
Steve Holme authored
connect.c:952:5: warning: suggest explicit braces to avoid ambiguous 'else'
-
Steve Holme authored
Closes #845
-
Steve Holme authored
-
Steve Holme authored
-
- Jun 01, 2016
-
-
Viktor Szakats authored
Dependency added by 6cabd785 Closes #849
-
Ivan Avdeev authored
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption.
This commit:
  - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope.
  - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places.
  - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race.
Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
-
Andrew Kurushin authored
Closes #822
-
- May 31, 2016
-
-
Daniel Stenberg authored
... to make it not look like an OpenSSL function
-
Michael Kaufmann authored
Closes #844
-
- May 30, 2016
-
-
Daniel Stenberg authored
Mostly in order to support broken web sites that redirect to broken URLs that are accepted by browsers. Browsers are typically even more lenient than this as the WHATWG URL spec they should allow an _infinite_ amount. I tested 8000 slashes with Firefox and it just worked. Added test case 1141, 1142 and 1143 to verify the new parser. Closes #791
-
Renaud Lehoux authored
Closes #837
-
Renaud Lehoux authored
Closes #838
-
Frank Gevaerts authored
Adds access to the effectively used http version to both libcurl and curl. Closes #799
-
Marcel Raad authored
With OPENSSL_NO_COMP defined, there is no function SSL_COMP_free_compression_methods Closes #836
-
Gisle Vanem authored
Fixes #828
-
Steve Holme authored
Inspiration provided by: Daniel Stenberg and Ray Satiro Bug: https://curl.haxx.se/docs/adv_20160530.html Ref: Windows DLL hijacking with curl, CVE-2016-4802
-
Daniel Stenberg authored
-
- May 28, 2016
-
-
Daniel Stenberg authored
The statvfs functionality was added to libssh2 in that version, so we switch off that functionality when built with older libraries. Fixes #831
-
- May 24, 2016
-
-
Daniel Stenberg authored
Regression from the previous *printf() rearrangements, this file missed to include the correct header to make sure snprintf() works universally. Reported-by: Moti Avrahami Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
-
- May 23, 2016
-
-
Steve Holme authored
Added support for checking the tchar, unicode and mbcs variants of strcat() and strncat() in the banned function list.
-
Daniel Stenberg authored
-
- May 20, 2016
-
-
Jay Satiro authored
- Free compression methods if OpenSSL 1.0.2 to avoid a memory leak. Bug: https://github.com/curl/curl/issues/817 Reported-by: <jveazey@users.noreply.github.com>
-
Gisle Vanem authored
While compiling lib/curl_multibyte.c with '-DUSE_WIN32_IDN' etc. I was getting:
  f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2054: expected '(' to follow 'CURL_EXTERN'
  f:\mingw32\src\inet\curl\lib\memdebug.h(38): error C2085: 'curl_domalloc': not in formal parameter list
-
- May 19, 2016
-
-
Daniel Stenberg authored
See OpenSSL commit 21e001747d4a
-
Daniel Stenberg authored
... when generating them, not "2.0" as the protocol is called just HTTP/2 and nothing else.
-
- May 18, 2016
-
-
Marcel Raad authored
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK 7.1 is used. In this case, _USING_V110_SDK71_ is defined. Closes #812
-
- May 17, 2016
-
-
Daniel Stenberg authored
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
-
Daniel Stenberg authored
CID 1361815: Explicit null dereferenced (FORWARD_NULL)
-
Daniel Stenberg authored
CID 1361811: Explicit null dereferenced (FORWARD_NULL)
-