Commits · b5f947b8ac0e282c61c75b69cd5b9d37dafc6959 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP curl

Apr 21, 2015

cookie: cookie parser out of boundary memory access · b5f947b8

Daniel Stenberg authored Apr 16, 2015

The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck

b5f947b8

ConnectionExists: for NTLM re-use, require credentials to match · 31be461c
Daniel Stenberg authored Apr 16, 2015
```
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
```
31be461c
openssl: add OPENSSL_NO_SSL3_METHOD check · 6088fbce
byronhe authored Apr 21, 2015

6088fbce

Apr 20, 2015
- CURLOPT_HEADERFUNCTION.3: match parameter name in synopsis and desc · cf2d21d8
  Daniel Stenberg authored Apr 20, 2015
```
Bug: https://github.com/bagder/curl/issues/229
Reported-by: bsammon
```
  cf2d21d8
- configure --with-nss: remove unneeded libs from the fallback · 875a6d93
  Mostyn Bramley-Moore authored Apr 20, 2015
  
  875a6d93
- contributors.sh: fix help output, filter out (-prefix from names · 1b8f9c95
  Daniel Stenberg authored Apr 20, 2015
  
  1b8f9c95
- RELEASE-NOTES: synced with cc0e7ebc · 9d704b3d
  Daniel Stenberg authored Apr 20, 2015
  
  9d704b3d
Apr 19, 2015
- CURLMOPT_TIMERFUNCTION.3: Clarify, add an example · cc0e7ebc
  Michael Stapelberg authored Apr 11, 2015
  
  cc0e7ebc
- vtls/openssl: use https in URLs and a comment typo fixed · 3a87bdeb
  Viktor Szakats authored Dec 29, 2014
  
  3a87bdeb
Apr 18, 2015
- curl_version_info.3: fixed the 'protocols' variable type · 63c64e05
  Daniel Stenberg authored Apr 18, 2015
```
Reported-by: John Marshall
Bug: https://github.com/bagder/curl/issues/225
```
  63c64e05
- test1423: added missing "file" to server section · 1e6d0e06
  Dan Fandrich authored Apr 18, 2015
  
  1e6d0e06
Apr 17, 2015
- TheArtOfHttpScripting: Multiple URLs + Multiple HTTP methods · b6e47789
  Daniel Stenberg authored Apr 17, 2015
```
... and some minor edits
```
  b6e47789
- Revert "HTTP: don't abort connections with pending Negotiate authentication" · 2eb02480
  Daniel Stenberg authored Apr 17, 2015
```
This reverts commit 5dc68dd6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
```
  2eb02480
- cyassl: Fix include order · f7011252
  Jay Satiro authored Apr 17, 2015
```
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
```
  f7011252
- configure --with-nss: drop redundant if statement · 8dc3bbf0
  Kamil Dudka authored Apr 08, 2015
  
  8dc3bbf0
- configure --with-nss=PATH: query pkg-config if available · 67a8bbb5
  Kamil Dudka authored Apr 08, 2015
```
Bug: https://github.com/bagder/curl/pull/171
```
  67a8bbb5
- parsecfg: do not continue past a zero termination · 691a07da
  Daniel Stenberg authored Apr 17, 2015
```
When a config file line ends without newline, the parsing function could
continue reading beyond that point in memory.

Reported-by: Hanno Böck
```
  691a07da
Apr 16, 2015
- gitignore: Ignore Windows build output directories · 05e4137d
  Jay Satiro authored Apr 16, 2015
  
  05e4137d
Apr 15, 2015
- RELEASE-NOTES: synced with 1ba6e4c8 · 82805b56
  Daniel Stenberg authored Apr 15, 2015
  
  82805b56
- TODO: 17.9 Choose the name of file in braces for complex URLs · 1ba6e4c8
  Daniel Stenberg authored Apr 15, 2015
  
  1ba6e4c8
- TODO: a little caution that maybe not all ideas are still good · 8f78794f
  Daniel Stenberg authored Apr 15, 2015
  
  8f78794f
- TODO: 17.8 offer color-coded HTTP header output · 0cbbbbdc
  Daniel Stenberg authored Apr 15, 2015
  
  0cbbbbdc
- TODO: 17.7 warning when sending binary output to terminal · 78843afb
  Daniel Stenberg authored Apr 15, 2015
  
  78843afb
- KNOWN_BUGS: #90 IMAP "SEARCH ALL" truncates output on large boxes · ad48b177
  Daniel Stenberg authored Apr 15, 2015
  
  ad48b177
Apr 14, 2015
- cyassl: Add support for TLS extension SNI · 9430dd58
  Jay Satiro authored Apr 13, 2015
  
  9430dd58
Apr 13, 2015
- gitignore: ignore test-driver file · 8df4b5af
  Matthew Hall authored Mar 24, 2015
  
  8df4b5af
- vtls_openssl: improve PKCS#12 load failure error message · a471a9f3
  Matthew Hall authored Mar 24, 2015
  
  a471a9f3
- vtls_openssl: fix minor typo in PKCS#12 load routine · 27ac6434
  Matthew Hall authored Mar 24, 2015
  
  27ac6434
- vtls_openssl: improve client certificate load failure error messages · b3175a76
  Matthew Hall authored Mar 24, 2015
  
  b3175a76
- vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant · 58b0a8b0
  Matthew Hall authored Mar 24, 2015
  
  58b0a8b0
- BUGS: refer to the github issue tracker now as primary · 9e7125a1
  Daniel Stenberg authored Apr 13, 2015
  
  9e7125a1
- firefox-db2pem: fix wildcard to find Firefox default profile · 7fe172d3
  Daniel Stenberg authored Apr 13, 2015
```
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.

Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
```
  7fe172d3
Apr 12, 2015
- cyassl: Include the CyaSSL build config · 72bea7cc
  Jay Satiro authored Apr 11, 2015
```
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
```
  72bea7cc
Apr 11, 2015

build: Generate source prerequisites for Visual Studio in generate.bat · 139141f8

Jay Satiro authored Apr 08, 2015

Prior to this change Visual Studio builds could fail due to missing
prerequisites src/tool_hugehelp.c and include/curl/curlbuild.h.

http://curl.haxx.se/mail/lib-2015-04/0034.html

139141f8

Apr 09, 2015

lib/makefile.m32: add missing libs to build libcurl.dll · e4415515

Viktor Szakats authored Apr 09, 2015

Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.

e4415515

Apr 08, 2015
- test142[23]: verify that an empty file is stored on success · 992a7311
  Kamil Dudka authored Apr 07, 2015
  
  992a7311
- src/tool_operate: create output file on successful download · 261a0fed
  Kamil Dudka authored Mar 30, 2015
```
... of an empty file

Bug: https://github.com/bagder/curl/issues/183
```
  261a0fed
- src/tool_cb_wrt: separate fnc for output file creation · f251417d
  Kamil Dudka authored Mar 30, 2015
  
  f251417d
Apr 07, 2015

lib/transfer.c: Remove factor of 8 from sleep time calculation · a9e46749

Da-Yoon Chung authored Apr 06, 2015

The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
rate_bps are both in bytes. When using the rate limiting option, curl
waits 8 times too long, and then transfers very quickly until the
average rate reaches the limit. The average rate follows the limit over
time, but the actual traffic is bursty.

Thanks-to: Benjamin Gilbert

a9e46749

Apr 06, 2015

x509asn1: Silence x64 loss-of-data warning on RSA key length assignment · c3101ae2

Jay Satiro authored Apr 05, 2015

The key length in bits will always fit in an unsigned long so the
loss-of-data warning assigning the result of x64 pointer arithmetic to
an unsigned long is unnecessary.

c3101ae2