20384 Commits

Author SHA1 Message Date
Ludwig Nussel
7b55279d1d configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.

Closes #569
2016-02-08 14:45:58 +01:00
Daniel Stenberg
113f04e664 Proxy-Connection: stop sending this header by default
RFC 7230 says we should stop. Firefox already stopped.

Bug: https://github.com/curl/curl/issues/633
Reported-By: Brad Fitzpatrick

Closes #633
2016-02-08 11:09:40 +01:00
Daniel Stenberg
7f97fd5a83 bump: work toward the next release 2016-02-08 10:47:44 +01:00
Daniel Stenberg
c18e86cb4f THANKS: 2 contributors from the 7.47.1 release 2016-02-08 10:46:01 +01:00
Daniel Stenberg
108bc5d860 RELEASE-PROCEDURE: remove the github upload part
... as we're HTTPS on the main site now, there's no point in that
extra step
2016-02-08 10:35:35 +01:00
Daniel Stenberg
8f995e2e00 RELEASE-NOTES: curl 7.47.1 time! curl-7_47_1 2016-02-08 10:26:24 +01:00
Jay Satiro
d572d2664d tool_operhlp: Check for backslashes in get_url_file_name
Extract the filename from the last slash or backslash. Prior to this
change backslashes could be part of the filename.

This change needed for the curl tool built for Cygwin. Refer to the
CYGWIN addendum in advisory 20160127B.

Bug: https://curl.haxx.se/docs/adv_20160127B.html
2016-02-08 03:14:04 -05:00
Daniel Stenberg
b97307047c RELEASE-NOTES: synced with d6a8869ea34 2016-02-07 16:20:23 +01:00
Jay Satiro
d6a8869ea3 openssl: Fix signed/unsigned mismatch warning in X509V3_ext
sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.

Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem
2016-02-06 19:10:49 -05:00
Daniel Stenberg
1ca54daf3e TODO: 17.11 -w output to stderr 2016-02-07 00:27:36 +01:00
Michael Kaufmann
9e7fcd4291 idn_win32: Better error checking
.. also fix a conversion bug in the unused function
curl_win32_ascii_to_idn().

And remove wprintfs on error (Jay).

Bug: https://github.com/curl/curl/pull/637
2016-02-06 17:51:51 -05:00
Gisle Vanem
c71b6a2795 examples/asiohiper: Avoid function name collision on Windows
closesocket => close_socket
Winsock already has the former.

Bug: https://curl.haxx.se/mail/lib-2016-02/0016.html
2016-02-06 17:04:38 -05:00
Gisle Vanem
6f702ebaa2 examples/htmltitle: Use _stricmp on Windows
Bug: https://curl.haxx.se/mail/lib-2016-02/0017.html
2016-02-06 17:02:55 -05:00
Daniel Stenberg
86d3d62f5a COPYING: clarify that Daniel is not the sole author
... done on request and as it is a fair point.
2016-02-06 18:40:27 +01:00
Jay Satiro
a6208704e7 unit1604: Fix unit setup return code 2016-02-05 13:37:39 -05:00
Jay Satiro
9b6598ed08 tool_doswin: Use type SANITIZEcode in sanitize_file_name 2016-02-05 02:22:24 -05:00
Jay Satiro
4520534e6d tool_doswin: Improve sanitization processing
- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes https://github.com/curl/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-05 01:44:27 -05:00
Viktor Szakats
d49881cb19 URLs: change more http to https 2016-02-04 18:46:54 -05:00
Jay Satiro
742deff4dd sasl_sspi: Fix memory leak in domain populate
Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635
Reported-by: silveja1@users.noreply.github.com
2016-02-04 18:11:07 -05:00
Viktor Szakats
20dcd19501 URLs: follow GitHub project rename (also Travis CI)
Closes #632
2016-02-04 23:01:38 +01:00
Daniel Stenberg
0515e49b6b CHANGES.o: fix references to curl.haxx.nu
I removed the scheme prefix from the URLs references this host name, as
we don't own/run that anymore but the name is kept for historic reasons.
2016-02-03 15:33:47 +01:00
Daniel Stenberg
42f725fb9b HISTORY: add some info about when we used which host names 2016-02-03 15:33:30 +01:00
Viktor Szakats
b4f595bde4 URLs: change more http to https 2016-02-02 22:29:47 -05:00
Dan Fandrich
093f9cd38d URLs: Change more haxx.se URLs from http: to https: 2016-02-03 01:45:21 +01:00
Daniel Stenberg
493f54c6c0 RELEASE-NOTES: synced with 4af40b364 2016-02-03 00:32:07 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
d33dd0b195 configure: update the copyright year range in output 2016-02-02 22:49:05 +01:00
Daniel Stenberg
41ae9f717a dotdot: allow an empty input string too
It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.
2016-02-02 22:43:54 +01:00
Daniel Stenberg
6b485c7407 HTTPS: update a bunch of URLs from HTTP to HTTPS 2016-02-02 00:24:30 +01:00
Sergei Nikulov
7a8a7ca7b0 AppVeyor: updated to handle OpenSSL/WinSSL builds
Closes #621
2016-02-01 23:55:08 +01:00
Jay Satiro
2b6dadc52d tool_operate: Don't sanitize --output path (Windows)
Due to path separators being incorrectly sanitized in --output
pathnames, eg -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: https://github.com/bagder/curl/issues/624
Reported-by: Octavio Schroeder
2016-02-01 04:11:46 -05:00
Jay Satiro
96596334c8 curl.1: Explain remote-name behavior if file already exists
.. also warn about letting the server pick the filename.
2016-01-29 03:28:48 -05:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Daniel Stenberg
300718382f bump: towards the next (7.47.1 ?) 2016-01-28 16:36:29 +01:00
Sergei Nikulov
a8135f0768 cmake: fixed when OpenSSL enabled on Windows and schannel detected
Closes #617
2016-01-28 16:34:01 +01:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Viktor Szakats
1597af51b1 tool_doswin: silence unused function warning
tool_doswin.c:185:14: warning: 'msdosify' defined but not used
[-Wunused-function]

Closes https://github.com/bagder/curl/pull/616
2016-01-28 02:45:36 -05:00
Daniel Stenberg
e400a89b18 getredirect.c: fix variable name
Reported-by: Bernard Spil
2016-01-27 09:35:55 +01:00
Daniel Stenberg
06bf874bbc examples/Makefile.inc: specify programs without .c! curl-7_47_0 2016-01-27 08:30:04 +01:00
Daniel Stenberg
87a5d3d13e THANKS: 6 new contributors from 7.47.0 release notes 2016-01-26 23:45:02 +01:00
Isaac Boukris
d41dcba4e9 NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26 23:42:55 +01:00
Ray Satiro
3017d8a8d8 curl: avoid local drive traversal when saving file (Windows)
curl does not sanitize colons in a remote file name that is used as the
local file name. This may lead to a vulnerability on systems where the
colon is a special path character. Currently Windows/DOS is the only OS
where this vulnerability applies.

CVE-2016-0754

Bug: http://curl.haxx.se/docs/adv_20160127B.html
2016-01-26 23:42:55 +01:00
Daniel Stenberg
cea1fd7a94 RELEASE-NOTES: 7.47.0 2016-01-26 23:42:55 +01:00
Daniel Stenberg
14f92f2d2c FAQ: language fix in 4.19 2016-01-25 11:11:29 +01:00
paulehoffman
53d1e42c41 FAQ: Update to point to GitHub
Current FAQ didn't make it clear where the main repo is.

Closes #612
2016-01-24 23:29:01 +01:00
Daniel Stenberg
b9da2cfed1 maketgz: generate date stamp with LC_TIME=C
bug: http://curl.haxx.se/mail/lib-2016-01/0123.html
2016-01-24 20:31:30 +01:00
Daniel Stenberg
5a28126b22 curl_multi_socket_action.3: line wrap 2016-01-24 20:31:30 +01:00
Daniel Stenberg
1783070801 RELEASE-NOTES: synced with d58ba66eeceb 2016-01-24 20:31:30 +01:00
Steve Holme
b03f01742d TODO: "Create remote directories" for SMB 2016-01-21 21:05:55 +00:00
Jay Satiro
d58ba66eec mbedtls: Fix pinned key return value on fail
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
2016-01-18 03:48:10 -05:00