- Jan 26, 2016
-
-
Isaac Boukris authored
Proxy NTLM authentication should compare credentials when re-using a connection similar to host authentication, as it authenticates the connection. Example: curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm] CVE-2016-0755 Bug: http://curl.haxx.se/docs/adv_20160127A.html
-
Ray Satiro authored
curl does not sanitize colons in a remote file name that is used as the local file name. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows/DOS is the only OS where this vulnerability applies. CVE-2016-0754 Bug: http://curl.haxx.se/docs/adv_20160127B.html
-
Daniel Stenberg authored
-
- Jan 25, 2016
-
-
Daniel Stenberg authored
-
- Jan 24, 2016
-
-
paulehoffman authored
Current FAQ didn't make it clear where the main repo is. Closes #612
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
- Jan 21, 2016
-
-
Steve Holme authored
-
- Jan 18, 2016
-
-
Jay Satiro authored
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned.
2. If peer certificate verification was disabled the pinned key verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
-
Jay Satiro authored
Because disabling the peer verification (--insecure) must not disable the public key pinning check (--pinnedpubkey).
-
- Jan 17, 2016
-
-
Daniel Schauenberg authored
-
- Jan 15, 2016
-
-
Kamil Dudka authored
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE. Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
-
- Jan 14, 2016
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another certificate fail so this required a fix and this is the better way to catch this error anyway.
-
Daniel Stenberg authored
-
- Jan 13, 2016
-
-
Daniel Stenberg authored
-
- Jan 12, 2016
-
-
Daniel Stenberg authored
The configure test uses AC_TRY_RUN to figure out if an ipv6 socket works, and testing like that doesn't work for cross-compiles. These days IPv6 support is widespread so a blind guess is probably more likely to be 'yes' than 'no' now. Further: anyone who cross-compiles can use configure's --disable-ipv6 to explicitly disable IPv6 and that also works for cross-compiles. Made happen after discussions in issue #594
-
- Jan 11, 2016
-
-
Daniel Stenberg authored
Closes #514
-
Daniel Stenberg authored
When an HTTP/2 upgrade request fails (no protocol switch), it would previously detect that as still possible to pipeline on (which is acorrect) and do that when PIPEWAIT was enabled even if pipelining was not explicitly enabled. It should only pipeline if explicitly asked to. Closes #584
-
Mohammad AlSaleh authored
Before this patch, if a URL does not start with the protocol name/scheme, effective URLs would be prefixed with upper-case protocol names/schemes. This behavior might not be expected by library users or end users. For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the URL is "hostname/path". The effective URL would be "HTTPS://hostname/path" instead of "https://hostname/path". After this patch, effective URLs would be prefixed with a lower-case protocol name/scheme. Closes #597 Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
-
Alessandro Ghedini authored
-
Alessandro Ghedini authored
The script should use the just-built curl, not the system one. This fixes zsh completion generation when no system curl is installed.
-
Alessandro Ghedini authored
Instead of generating a broken completion file.
-
- Jan 10, 2016
-
-
Michael Kaufmann authored
Closes #596
-
Jay Satiro authored
.. and enable SSLpinning tests for mbedTLS, BoringSSL and LibreSSL.
-
- Jan 09, 2016
-
-
Thomas Glanzmann authored
-
Tatsuhiro Tsujikawa authored
-
- Jan 08, 2016
-
-
Tatsuhiro Tsujikawa authored
Previously, when HTTP/2 is enabled and used, and stream has content length known, Curl_read was not called when there were no bytes left to read. Because of this, we could not make sure that http2_handle_stream_close was called for every stream. Since we use http2_handle_stream_close to emit trailer fields, they were effectively ignored. This commit changes the code so that Curl_read is called even if no bytes left to read, to ensure that http2_handle_stream_close is called for every stream. Discussed in https://github.com/bagder/curl/pull/564
-
Daniel Stenberg authored
This regression landed in 5778e6f5 and made libcurl not act on received settings and instead stayed with its internal defaults. Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html Reported-by: Bankde
-
Daniel Stenberg authored
This reverts commit 46cb70e9. Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
-
Tatsuhiro Tsujikawa authored
Discussed in https://github.com/bagder/curl/pull/564
-
- Jan 07, 2016
-
-
Michael Kaufmann authored
Use the ACE form of IDN hostnames as key in the connection cache. Add new tests. Closes #592
-
Daniel Stenberg authored
-
Jay Satiro authored
- Fix ALPN reply detection.
- Wrap nghttp2 code in ifdef USE_NGHTTP2.
Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
-
Jay Satiro authored
Check that the trailer buffer exists before attempting a client write for trailers on stream close. Refer to comments in https://github.com/bagder/curl/pull/564
-
- Jan 06, 2016
-
-
Daniel Stenberg authored
-
- Jan 05, 2016
-
-
Daniel Stenberg authored
Mistake from commit a464f338
-
Daniel Stenberg authored
To make sure curl doesn't allow multiplexing before a connection is upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the connection uses HTTP/2 as well and not only check what's wanted. Closes #584 Patch-by: c0ff
-
- Jan 04, 2016
-
-
Jay Satiro authored
- Add to both curl_global_init.3 and libcurl.3 the caveat for Windows that initializing libcurl via a DLL's DllMain or static initializer could cause a deadlock. Bug: https://github.com/bagder/curl/issues/586 Reported-by: <marc-groundctl@users.noreply.github.com>
-