Oct 31, 2016

Daniel Stenberg authored

Daniel Stenberg authored
... that will ignore lines that are too long to fit in the buffer.
CVE-2016-8615
Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53

Daniel Stenberg authored
We had some confusion on when each function was used. We should not act differently on different locales anyway.

Daniel Stenberg authored
... to make it less likely that we forget that the function actually does case insensitive compares. Also replaced several invocations of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").

Daniel Stenberg authored
... otherwise example.com/PATH and example.com/path would be assumed to be the same and they usually aren't!

Daniel Stenberg authored

Daniel Stenberg authored
CVE-2016-8616
Bug: https://curl.haxx.se/docs/adv_20161102B.html
Reported-by: Cure53

Daniel Stenberg authored
CVE-2016-8617
Bug: https://curl.haxx.se/docs/adv_20161102C.html
Reported-by: Cure53

Daniel Stenberg authored
If the requested size is zero, bail out with error instead of doing a realloc() that would cause a double-free: realloc(0) acts as a free() and then there's a second free in the cleanup path.
CVE-2016-8619
Bug: https://curl.haxx.se/docs/adv_20161102E.html
Reported-by: Cure53

Daniel Stenberg authored
On 32-bit systems we could otherwise wrap around after 2GB and allocate 0 bytes and crash.
CVE-2016-8618
Bug: https://curl.haxx.se/docs/adv_20161102D.html
Reported-by: Cure53

Daniel Stenberg authored
... which previously would lead to out of boundary reads.
Reported-by: Luật Nguyễn

Daniel Stenberg authored

Daniel Stenberg authored
CVE-2016-8620
Bug: https://curl.haxx.se/docs/adv_20161102F.html
Reported-by: Luật Nguyễn

Daniel Stenberg authored
... and don't read outside of the given buffer!
CVE-2016-8621
Bug: https://curl.haxx.se/docs/adv_20161102G.html
Reported-by: Luật Nguyễn

Daniel Stenberg authored
Since the internal Curl_urldecode() function has a better API.

Daniel Stenberg authored
CVE-2016-8622
Bug: https://curl.haxx.se/docs/adv_20161102H.html
Reported-by: Cure53

Daniel Stenberg authored
Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface.
CVE-2016-8623
Bug: https://curl.haxx.se/docs/adv_20161102I.html
Reported-by: Cure53

Daniel Stenberg authored

Daniel Stenberg authored
CVE-2016-8625
Bug: https://curl.haxx.se/docs/adv_20161102K.html
Reported-by: Christian Heimes

Daniel Stenberg authored

Daniel Stenberg authored
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz

Jay Satiro authored
- Wrap more words with underscores in backticks.

Follow-up to 13f49133.

Oct 30, 2016

Daniel Stenberg authored
words with underscore need to be within `these`
Bug: https://github.com/curl/curl-www/issues/19
Reported-by: Jay Satiro

Jay Satiro authored
- Change initial message box to mention delay when downloading/parsing.

  Since there is no progress meter it was somewhat unexpected that after choosing a filename nothing appears to happen, when actually the cert data is in the process of being downloaded and parsed.

- Warn if OpenSSL is not present.

- Use a UTF-8 stream to make the ca-bundle data.

- Save the UTF-8 ca-bundle stream as binary so that no BOM is added.

---

This is a follow-up to d2c6d156 which switched mk-ca-bundle.vbs output to ANSI due to corrupt UTF-8 output, now fixed.

This change completes making the default certificate bundle output of mk-ca-bundle.vbs as close as possible to that of mk-ca-bundle.pl, which should make it easier to review any difference between their output.

Ref: https://github.com/curl/curl/pull/1012

Oct 28, 2016

Daniel Stenberg authored
To make it render better on the web site, at the price of it becoming slightly less readable as text.

Jay Satiro authored
- Clarify that this option is only for HTTP/1.1 pipelining.

Bug: https://github.com/curl/curl/issues/1059
Reported-by: Jeroen Ooms
Assisted-by: Daniel Stenberg

Oct 27, 2016

Daniel Stenberg authored
Closes #927

Michael Osipov authored
Some versions of test allow == for equality, but others (such as the HP-UX version) do not. Use a single = for correctness.

Error output:
checking for monotonic clock_gettime... ./configure[20445]: ==: A test command parameter is not valid.

Daniel Stenberg authored
- we allow the security push up to 48 hours before the release
- add a mention about possible pre-notifications
- lower case the 'curl-security' title

Andrei Sedoi authored
Closes #1088

Oct 26, 2016

Daniel Stenberg authored
Reported-by: wyattoday
Fixes #1087

Oct 25, 2016

Martin Frodl authored
... in case the handshake completes before entering CURLM_STATE_PROTOCONNECT
Bug: https://bugzilla.redhat.com/1388162

Jay Satiro authored
Bring the VBScript version more in line with the perl version:

- Change timestamp to UTC.
- Change URL retrieval to HTTPS-only by default.
- Comment out the options that disabled SSL cert checking by default.
- Assume OpenSSL is present, get SHA256. And add a flag to toggle it.
- Fix cert issuer name output.

  The cert issuer output is now ansi, converted from UTF-8. Prior to this it was corrupt UTF-8. It turns out that though we can work with UTF-8, the FSO object that writes ca-bundle can't write UTF-8, so there will have to be some alternative if UTF-8 is needed (like an ADODB.Stream).

- Disable the certificate text info feature.

  The certificate text info doesn't work properly with any recent OpenSSL.

Oct 24, 2016

Daniel Stenberg authored

Daniel Stenberg authored

Daniel Stenberg authored
See #1084

Daniel Stenberg authored
Brought in 1ad2bdcf. Now does HTTPS by default and needs -k to fall back to plain HTTP.

Jay Satiro authored
- Change all predefined Mozilla URLs to HTTPS (Gregory Szorc).

- New option -k to allow URLs other than HTTPS and enable HTTP fallback.

  Prior to this change the default URL retrieval mode was to fall back to HTTP if HTTPS didn't work.

Reported-by: Gregory Szorc
Closes #1012

Daniel Stenberg authored