- Jun 22, 2013
-
-
Nick Zitzmann authored
Something (a recent security update maybe?) changed in Lion, and now it has changed SSLCopyPeerTrust such that it may return noErr but also give us a null trust, which caught us off guard and caused an eventual crash.
-
Nick Zitzmann authored
This doesn't need to be in the release notes. I cleaned up a lot of the #if lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like __MAC_10_6 or whatever were defined, because for some SDKs Apple has released they were defined out of place.
-
Alessandro Ghedini authored
-
Daniel Stenberg authored
RFC3986 details how a path part passed in as part of a URI should be "cleaned" from dot sequences before getting used. The described algorithm is now implemented in lib/dotdot.c with the accompanied test case in test 1395. Bug: http://curl.haxx.se/bug/view.cgi?id=1200 Reported-by: Alex Vinnik
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
Daniel Stenberg authored
Security problem: CVE-2013-2174 If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer... Bug: http://curl.haxx.se/docs/adv_20130622.html Reported-by: Timo Sirainen
-
- Jun 20, 2013
-
-
Guenter Knauf authored
-
Daniel Stenberg authored
As a remedy to the problem when a socket gets closed and a new one is opened with the same file descriptor number and as a result multi.c:singlesocket() doesn't detect the difference, the new function Curl_multi_closed() gets told when a socket is closed so that it can be removed from the socket hash. When the old one has been removed, a new socket should be detected fine by the singlesocket() on next invoke. Bug: http://curl.haxx.se/bug/view.cgi?id=1248 Reported-by: Erik Johansson
-
Daniel Stenberg authored
-
- Jun 18, 2013
-
-
Daniel Stenberg authored
-
- Jun 17, 2013
-
-
Daniel Stenberg authored
When performing COOKIELIST operations the cookie lock needs to be taken for the cases where the cookies are shared among multiple handles! Verified by Benjamin Gilbert's updated test 506 Bug: http://curl.haxx.se/bug/view.cgi?id=1215 Reported-by: Benjamin Gilbert
-
Benjamin Gilbert authored
It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215
-
- Jun 15, 2013
-
-
Daniel Stenberg authored
-
- Jun 14, 2013
-
-
Daniel Stenberg authored
Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be called more frequently than once per second when things are happening.
-
- Jun 13, 2013
-
-
Daniel Stenberg authored
Mention 7 recent bug fixes and their associated contributors
-
Daniel Stenberg authored
-
Daniel Stenberg authored
When curl_multi_wait() finds no file descriptor to wait for, it returns instantly and this must be handled gracefully within curl_easy_perform() or cause a busy-loop. Starting now, repeated fast returns without any file descriptors is detected and a gradually increasing sleep will be used (up to a max of 1000 milliseconds) before continuing the loop. Bug: http://curl.haxx.se/bug/view.cgi?id=1238 Reported-by: Miguel Angel
-
- Jun 12, 2013
-
-
Yamada Yasuharu authored
The initial fix to only compare full path names were done in commit 04f52e9b but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62).
-
Sergei Nikulov authored
Makes it build on windows
-
Eric Hu authored
-
Eric Hu authored
-
- Jun 10, 2013
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
By always returning the md5 for an empty body when auth-int is asked for, libcurl now at least sometimes does the right thing. Bug: http://curl.haxx.se/bug/view.cgi?id=1235 Patched-by: Nach M. S.
-
Daniel Stenberg authored
Allow less room for "triggered too early" mistakes by applications / timers on non-windows platforms. Starting now, we assume that a timeout call is never made earlier than 3 milliseconds before the actual timeout. This greatly improves timeout accuracy on Linux. Bug: http://curl.haxx.se/bug/view.cgi?id=1228 Reported-by: Hang Su
-
Daniel Stenberg authored
In the pkcs12 code, we get a list of x509 records returned from PKCS12_parse but when iterating over the list and passing each to SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from the "stack", which made them get freed twice (both in sk_X509_pop_free() and then later in SSL_CTX_free). This isn't really documented anywhere... Bug: http://curl.haxx.se/bug/view.cgi?id=1236 Reported-by: Nikaiw
-
Daniel Stenberg authored
-
- Jun 07, 2013
-
-
Aleksey Tulinov authored
When VERIFYHOST == 0, libcurl should let invalid certificates to pass.
-
Peter Gal authored
Update the documentation on how to specify a HTTP header with no content.
-
Daniel Stenberg authored
Added 11 bugs and 7 contributors
-
- Jun 06, 2013
-
-
Daniel Stenberg authored
After curl_multi_wait() returns, this test checked that we got exactly one file descriptor told to read from, but we cannot be sure that is true. curl_multi_wait() will sometimes return earlier without any file descriptor to handle, just just because it is a suitable time to call *perform(). This problem showed up with commit 29bf0598. Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html Reported-by: Fabian Keil
-
- Jun 04, 2013
-
-
Daniel Stenberg authored
Bug: http://curl.haxx.se/bug/view.cgi?id=1239 Reported-by: Christian Weisgerber
-
Daniel Stenberg authored
-
Daniel Stenberg authored
If an ipv6-address is provided to CONNECT, the last hexadecimal group in the address will be used as the test number! For example the address "[1234::ff]" would be treated as test case 255.
-
Daniel Stenberg authored
commit 29bf0598 introduced a problem when the "internal" timeout is prefered to the given if shorter, as it didn't consider the case where -1 was returned. Now the internal timeout is only considered if not -1. Reported-by: Tor Arntsen Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html
-
- Jun 03, 2013
-
-
Dan Fandrich authored
Also added a (correctly-escaped) backslash to the autoexec.bat example file and a new Windows character device name with a colon as examples of other characters that are special and potentially dangerous (this reverts and reworks commit 7d8d2a54).
-
Daniel Stenberg authored
If the multi handle's pending timeout is less than what is passed into this function, it will now opt to use the shorter time anyway since it is a very good hint that the handle wants to process something in a shorter time than what otherwise would happen. curl_multi_wait.3 was updated accordingly to clarify This is the reason for bug #1224 Bug: http://curl.haxx.se/bug/view.cgi?id=1224 Reported-by: Andrii Moiseiev
-
Daniel Stenberg authored
... because there's an identical check right next to it so using the operators in the check in the same order increases readability.
-