Граф коммитов

22394 Коммитов

Автор SHA1 Сообщение Дата
Adam Sampson 45a560390c
curl: do bounds check using a double comparison
The fix for this in 8661a0aacc01492e0436275ff36a21734f2541bb wasn't
complete: if the parsed number in num is larger than will fit in a long,
the conversion is undefined behaviour (causing test1427 to fail for me
on IA32 with GCC 7.1, although it passes on AMD64 and ARMv7).  Getting
rid of the cast means the comparison will be done using doubles.

It might make more sense for the max argument to also be a double...

Fixes #1750
Closes #1749
2017-08-09 19:24:16 +02:00
Daniel Stenberg a7bbbb7c36
make install: add 8 missing man pages to the installation 2017-08-09 11:31:10 +02:00
Daniel Stenberg f864bd8c88
build: fix 'make install' with configure, install docs/libcurl/* too
Broken since d24838d4da

Reported-by: Bernard Spil
2017-08-09 10:29:49 +02:00
Daniel Stenberg 2679562dc7
RELEASE-NOTES: curl 7.55.0 2017-08-09 07:50:35 +02:00
Daniel Stenberg 7417029e19
THANKS: 20 new contributors in 7.55.0 2017-08-09 07:50:35 +02:00
Viktor Szakats 13ef623a81
docs/comments: Update to secure URL versions
Closes #1741
2017-08-08 21:41:07 +02:00
Daniel Stenberg 58845f2e2e
configure: fix recv/send/select detection on Android
... since they now provide several functions as
__attribute__((overloadable)), the argument detection logic need
updates.

Patched-by: destman at github

Fixes #1738
Closes #1739
2017-08-08 21:40:16 +02:00
Marcel Raad 18eac3df1b
ax_code_coverage.m4: update to latest version
This updates the script to aad5ad5fedb306b39f901a899b7bd305b66c418d
from August 01, 2017. Notably, this removes the lconv version whitelist.

Closes https://github.com/curl/curl/pull/1716
2017-08-08 08:43:26 +02:00
Daniel Stenberg 581011a3d2 test1427: verify command line parser integer overflow detection 2017-08-07 09:38:57 +02:00
Daniel Stenberg 5c7455fe76 curl: detect and bail out early on parameter integer overflows
Make the number parser aware of the maximum limit curl accepts for a
value and return an error immediately if larger, instead of running an
integer overflow later.

Fixes #1730
Closes #1736
2017-08-07 09:38:45 +02:00
Daniel Stenberg 453e7a7a03 glob: do not continue parsing after a strtoul() overflow range
Added test 1289 to verify.

CVE-2017-1000101

Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
2017-08-07 09:24:30 +02:00
Daniel Stenberg 358b2b131a tftp: reject file name lengths that don't fit
... and thereby avoid telling send() to send off more bytes than the
size of the buffer!

CVE-2017-1000100

Bug: https://curl.haxx.se/docs/adv_20170809B.html
Reported-by: Even Rouault

Credit to OSS-Fuzz for the discovery
2017-08-07 09:24:30 +02:00
Even Rouault c9332fa5e8 file: output the correct buffer to the user
Regression brought by 7c312f84ea (April 2017)

CVE-2017-1000099

Bug: https://curl.haxx.se/docs/adv_20170809C.html

Credit to OSS-Fuzz for the discovery
2017-08-07 09:24:30 +02:00
Daniel Stenberg fa48987356
easy_events: make event data static
First: this function is only used in debug-builds and not in
release/real builds. It is used to drive tests using the event-based
API.

A pointer to the local struct is passed to CURLMOPT_TIMERDATA, but the
CURLMOPT_TIMERFUNCTION calback can in fact be called even after this
funtion returns, namely when curl_multi_remove_handle() is called.

Reported-by: Brian Carpenter
2017-08-06 23:42:50 +02:00
Daniel Stenberg d6c8def82a getparameter: avoid returning uninitialized 'usedarg'
Fixes #1728
2017-08-05 11:52:27 +02:00
Isaac Boukris 0b11660234
gssapi: fix memory leak of output token in multi round context
When multiple rounds are needed to establish a security context
(usually ntlm), we overwrite old token with a new one without free.
Found by proposed gss tests using stub a gss implementation (by
valgrind error), though I have confirmed the leak with a real
gssapi implementation as well.

Closes https://github.com/curl/curl/pull/1733
2017-08-05 00:23:24 +02:00
Marcel Raad 61046e7bd5
darwinssl: fix compiler warning
clang complains:
vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
[-Werror,-Wextra-tokens]

This breaks the darwinssl build on Travis. Fix it by making this token
a comment.

Closes https://github.com/curl/curl/pull/1734
2017-08-05 00:11:01 +02:00
Marcel Raad 54aef857b3
CMake: fix CURL_WERROR for MSVC
When using CURL_WERROR in MSVC builds, the debug flags were overridden
by the release flags and /WX got added twice in debug mode.

Closes https://github.com/curl/curl/pull/1715
2017-08-04 12:01:24 +02:00
Daniel Stenberg 26e02eae4b
RELEASE-NOTES: synced with 561e9217c 2017-08-04 10:32:38 +02:00
Daniel Stenberg 561e9217c7 test1010: verify that #1718 is fixed
... by doing two transfers in nocwd mode and check that there's no
superfluous CWD command.
2017-08-04 10:01:23 +02:00
Daniel Stenberg 2ccd65af3b FTP: skip unnecessary CWD when in nocwd mode
... when reusing a connection. If it didn't do any CWD previously.

Fixes #1718
2017-08-04 10:01:23 +02:00
Marcel Raad b7386c0ac9
travis: explicitly specify dist
This makes the builds more reproducible as travis is currently rolling
out trusty as default dist [1]. Specifically, this avoids coverage
check failures when trusty is used as seen in [2] until we figure out
what's wrong.

[1] https://blog.travis-ci.com/2017-07-11-trusty-as-default-linux-is-coming
[2] https://github.com/curl/curl/pull/1692

Closes https://github.com/curl/curl/pull/1725
2017-08-04 09:59:42 +02:00
Daniel Stenberg fdb163c73a travis: BUILD_TYPE => T
(to make the full line appear nicer on travis web UI)
2017-08-04 00:07:08 +02:00
Daniel Stenberg 2b7ce3f56d travis: add osx build with darwinssl
Closes #1706
2017-08-04 00:07:08 +02:00
Daniel Stenberg af271ce9b9 darwin: silence compiler warnings
With a clang pragma and three type fixes

Fixes #1722
2017-08-04 00:07:02 +02:00
Daniel Stenberg 6f6cfc90be
BUILD.WINDOWS: mention buildconf.bat for builds off git 2017-08-03 13:50:44 +02:00
Daniel Stenberg fa2f134cbd darwinssl: fix curlssl_sha256sum() compiler warnings on first argument 2017-08-03 10:24:06 +02:00
Daniel Stenberg 58752b78c7 test130: verify comments in .netrc 2017-08-03 10:04:16 +02:00
Gisle Vanem a8e1c2e466 netrc: skip lines starting with '#'
Bug: https://curl.haxx.se/mail/lib-2017-08/0008.html
2017-08-03 10:04:16 +02:00
Marcel Raad 866e02935d
CMake: set MSVC warning level to 4
The MSVC warning level defaults to 3 in CMake. Change it to 4, which is
consistent with the Visual Studio and NMake builds. Disable level 4
warning C4127 for the library and additionally C4306 for the test
servers to get a clean CURL_WERROR build as that warning is raised in
some macros in older Visual Studio versions.

Ref: https://github.com/curl/curl/pull/1667#issuecomment-314082794
Closes https://github.com/curl/curl/pull/1711
2017-08-03 08:39:23 +02:00
Daniel Stenberg 70934885d0 CURLOPT_NETRC.3: fix typo in 7e48aa3861
Reported-by: Viktor Szakats
2017-08-02 15:29:27 +02:00
Daniel Stenberg 7e48aa3861 CURLOPT_NETRC.3: mention the file name on windows
... and CURLOPT_NETRC_FILE(3).
2017-08-02 14:34:26 +02:00
Daniel Stenberg 1767adf439 travis: build osx with libressl too 2017-08-02 12:50:30 +02:00
Daniel Stenberg 23b4a05210 travis: build osx with openssl too 2017-08-02 12:50:30 +02:00
Daniel Stenberg 920f777fc8 tests/server/util: fix curltime mistake from 4dee50b9c8 2017-08-02 11:53:27 +02:00
Marcel Raad 0139545607
curl_threads: fix MSVC compiler warning
Use LongToHandle to convert from long to HANDLE in the Win32
implementation.
This should fix the following warning when compiling with
MSVC 11 (2012) in 64-bit mode:
lib\curl_threads.c(113): warning C4306:
'type cast' : conversion from 'long' to 'HANDLE' of greater size

Closes https://github.com/curl/curl/pull/1717
2017-08-01 17:22:30 +02:00
Daniel Stenberg 62495ff31a BUGS: improved phrasing about security bugs
Reported-by: Max Dymond
2017-08-01 15:06:08 +02:00
Daniel Stenberg 821a0854f6 BUGS: clarify how to report security related bugs 2017-08-01 14:39:13 +02:00
Brad Spencer 164a09368d multi: fix request timer management
There are some bugs in how timers are managed for a single easy handle
that causes the wrong "next timeout" value to be reported to the
application when a new minimum needs to be recomputed and that new
minimum should be an existing timer that isn't currently set for the
easy handle.  When the application drives a set of easy handles via the
`curl_multi_socket_action()` API (for example), it gets told to wait the
wrong amount of time before the next call, which causes requests to
linger for a long time (or, it is my guess, possibly forever).

Bug: https://curl.haxx.se/mail/lib-2017-07/0033.html
2017-08-01 13:39:38 +02:00
Jay Satiro 53d137d94a curl_setup: Define CURL_NO_OLDIES for building libcurl
.. to catch accidental use of deprecated error codes.

Ref: https://github.com/curl/curl/issues/1688#issuecomment-316764237
2017-08-01 02:56:48 -04:00
Jeremy Tan f262b3586c configure: fix the check for IdnToUnicode
Fixes #1669
Closes #1713
2017-08-01 01:04:45 +02:00
Daniel Stenberg 909283ae5a http: fix response code parser to avoid integer overflow
test 1429 and 1433 were updated to work with the stricter HTTP status line
parser.

Closes #1714
Reported-by: Brian Carpenter
2017-07-31 18:37:43 +02:00
Dwarakanath Yadavalli 512f8c774a libcurl: Stop using error codes defined under CURL_NO_OLDIES
Fixes https://github.com/curl/curl/issues/1688
Closes https://github.com/curl/curl/pull/1712
2017-07-31 02:59:05 -04:00
Jay Satiro 436cd490fc include.d: clarify --include is only for response headers
Follow-up to 171f8de and de6de94.

Bug: https://github.com/curl/curl/commit/de6de94#commitcomment-23370851
Reported-by: Daniel Stenberg
2017-07-30 02:29:36 -04:00
jasjuang 27e2a4733c cmake: support make uninstall
Closes #1674
2017-07-30 01:56:14 +02:00
Daniel Stenberg e88f133298 RELEASE-NOTES: synced with 001701c47 2017-07-30 01:25:57 +02:00
Marcel Raad 001701c47e
AppVeyor: now really use CURL_WERROR
It was misspelled as CURL_ERROR in commit
2d86e8d128.

Closes https://github.com/curl/curl/pull/1686
2017-07-29 18:47:18 +02:00
Jay Satiro de6de94c9a tool_help: clarify --include is only for response headers
Follow-up to 171f8de.

Ref: https://github.com/curl/curl/issues/1704
2017-07-29 01:33:25 -04:00
Jay Satiro f8614af527 splay: fix signed/unsigned mismatch warning
Follow-up to 4dee50b.

Ref: https://github.com/curl/curl/pull/1693
2017-07-29 01:13:42 -04:00
Daniel Stenberg 171f8ded26 include.d: clarify that it concerns the response headers
Reported-by: olesteban at github
Fixes #1704
2017-07-28 18:22:50 +02:00