Yang Tse [Wed, 24 Jul 2013 15:06:28 +0000 (17:06 +0200)]
string formatting: fix too many arguments for format
Yang Tse [Wed, 24 Jul 2013 15:05:02 +0000 (17:05 +0200)]
string formatting: fix zero-length printf format string
Yang Tse [Wed, 24 Jul 2013 14:45:30 +0000 (16:45 +0200)]
easy.c: curl_easy_getinfo() fix va_start/va_end matching
Yang Tse [Wed, 24 Jul 2013 14:44:37 +0000 (16:44 +0200)]
imap.c: imap_sendf() fix va_start/va_end matching
Yang Tse [Wed, 24 Jul 2013 14:43:13 +0000 (16:43 +0200)]
string formatting: fix 15+ printf-style format strings
Patrick Monnerat [Wed, 24 Jul 2013 14:12:35 +0000 (16:12 +0200)]
OS400: sync ILE/RPG binding with current curl.h
Yang Tse [Tue, 23 Jul 2013 13:59:07 +0000 (15:59 +0200)]
string formatting: fix 25+ printf-style format strings
Daniel Stenberg [Tue, 23 Jul 2013 19:51:12 +0000 (21:51 +0200)]
Makefile.am: use LDFLAGS as well when linking libcurl
Linking on Solaris 10 x86 with Sun Studio 12 failed when we upgraded
automake for the release builds.
Bug: http://curl.haxx.se/bug/view.cgi?id=1217
Reported-by: Dagobert Michelsen
Fabian Keil [Sat, 13 Jul 2013 12:12:18 +0000 (14:12 +0200)]
url.c: Fix dot file path cleanup when using an HTTP proxy
Previously the path was cleaned, but the URL wasn't properly updated.
Fabian Keil [Sat, 13 Jul 2013 12:15:27 +0000 (14:15 +0200)]
tests: test1232 verifies dotdot removal from path with proxy
Fabian Keil [Sat, 13 Jul 2013 11:20:11 +0000 (13:20 +0200)]
dotdot.c: Fix a RFC section number in a comment for Curl_dedotdotify()
John E. Malmberg [Mon, 22 Jul 2013 20:28:38 +0000 (22:28 +0200)]
build_vms.com: fix debug and float options
In the reorganization of the build_vms.com the debug and float options
were not fixed up correctly.
John E. Malmberg [Mon, 22 Jul 2013 20:15:27 +0000 (22:15 +0200)]
curl: fix upload of a zip file in OpenVMS
Two fixes:
1. Force output file format to be stream-lf so that partial downloads
can be continued.
This should have minor impact as if the file does not exist, it was
created with stream-lf format. The only time this was an issue is if
there was already an existing file with a different format.
2. Fix file uploads are now fixed.
a. VMS binary files such as ZIP archives are now uploaded
correctly.
b. VMS text files are read once to get the correct size
and then converted to line-feed terminated records as
they are read into curl.
The default VMS text formats do not contain either line-feed or
carriage-return terminated records. Those delimiters are added by the
operating system file read calls if the application requests them.
Bug: http://curl.haxx.se/bug/view.cgi?id=496
Yang Tse [Mon, 22 Jul 2013 19:07:06 +0000 (21:07 +0200)]
libtest: fix data type of some *_setopt() 'long' arguments
Yang Tse [Mon, 22 Jul 2013 18:03:27 +0000 (20:03 +0200)]
curl: fix symbolic names for CURL_NETRC_* enum in --libcurl output
Yang Tse [Mon, 22 Jul 2013 17:43:08 +0000 (19:43 +0200)]
curl: fix symbolic names for CURLUSESSL_* enum in --libcurl output
Yang Tse [Mon, 22 Jul 2013 16:08:23 +0000 (18:08 +0200)]
tool_operate.c: fix passing curl_easy_setopt long arg on some x64 ABIs
We no longer pass our 'bool' data type variables nor constants as
an argument to my_setopt(), instead we use proper 1L or 0L values.
This also fixes macro used to pass string argument for CURLOPT_SSLCERT,
CURLOPT_SSLKEY and CURLOPT_EGDSOCKET using my_setopt_str() instead of
my_setopt().
This also casts enum or int argument data types to long when passed to
my_setopt_enum().
Daniel Stenberg [Thu, 18 Jul 2013 21:36:59 +0000 (23:36 +0200)]
curl_multi_wait: fix revents
Commit
6d30f8ebed34e7276 didn't work properly. First, it used the wrong
array index, but this fix also:
1 - only does the copying if indeed there was any activity
2 - makes sure to properly translate between internal and external
bitfields, which are not guaranteed to match
Reported-by: Evgeny Turnaev
Daniel Stenberg [Fri, 19 Jul 2013 21:38:01 +0000 (23:38 +0200)]
RELEASE-NOTES: synced with
d529f3882b9bca
Daniel Stenberg [Sun, 14 Jul 2013 15:33:24 +0000 (17:33 +0200)]
curl_easy_perform: gradually increase the delay time
Instead of going 50,100,150 etc millisecond delay time when nothing has
been found to do or wait for, we now start lower and double each loop as
in 4,8,16,32 etc.
This lowers the minimum wait without sacrifizing the longer wait too
much with unnecessary CPU cycles burnt.
Bug: http://curl.haxx.se/mail/lib-2013-07/0103.html
Reported-by: Andreas Malzahn
Daniel Stenberg [Fri, 19 Jul 2013 21:02:30 +0000 (23:02 +0200)]
ftp_do_more: consider DO_MORE complete when server connects back
In the case of an active connection when ftp_do_more() detects that the
server has connected back, it must make sure to mark it as complete so
that the multi_runsingle() function will detect this and move on to the
next state.
Bug: http://curl.haxx.se/mail/lib-2013-07/0115.html
Reported-by: Clemens Gruber
Yang Tse [Fri, 19 Jul 2013 10:05:22 +0000 (12:05 +0200)]
Makefile.b32: Borland makefile adjustments. Tested with BCC 5.5.1
Yang Tse [Fri, 19 Jul 2013 04:44:46 +0000 (06:44 +0200)]
WIN32 MemoryTracking: require UNICODE for wide strdup code support
Daniel Stenberg [Sat, 15 Jun 2013 12:57:01 +0000 (14:57 +0200)]
CURLOPT_XFERINFOFUNCTION: introducing a new progress callback
CURLOPT_XFERINFOFUNCTION is now the preferred progress callback function
and CURLOPT_PROGRESSFUNCTION is considered deprecated.
This new callback uses pure 'curl_off_t' arguments to pass on full
resolution sizes. It otherwise retains the same characteristics: the
same call rate, the same meanings for the arguments and the return code
is used the same way.
The progressfunc.c example is updated to show how to use the new
callback for newer libcurls while supporting the older one if built with
an older libcurl or even built with a newer libcurl while running with
an older.
Yang Tse [Thu, 18 Jul 2013 18:04:02 +0000 (20:04 +0200)]
Reinstate "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage".
This reverts commit 7ed25cc, reinstating commit 8ec2cb5.
As of 18-jul-2013 we still do have code in libcurl that makes use of these
memory functions. Commit 8ec2cb5 comment still applies and is yet valid.
These memory functions are solely used in Windows builds, so all related
code is protected with '#ifdef WIN32' preprocessor conditional compilation
directives.
Specifically, wcsdup() _wcsdup() are used when building a Windows target with
UNICODE and USE_WINDOWS_SSPI preprocessor symbols defined. This is the case
when building a Windows UNICODE target with Windows native SSL/TLS support
enabled.
Realizing that wcsdup() _wcsdup() are used is a bit tricky given that usage
of these is hidden behind _tcsdup() which is MS way of dealing with code
that must tolerate UNICODE and non-UNICODE compilation. Additionally, MS
header files and those compatible from other compilers use this preprocessor
conditional compilation directive in order to select at compilation time
whether 'wide' or 'ansi' MS API functions are used.
Without this code, Windows build targets with Windows native SSL/TLS support
enabled and MemoryTracking support enabled misbehave in tracking memory usage,
regardless of being a UNICODE enabled build or not.
Yang Tse [Thu, 18 Jul 2013 14:03:15 +0000 (16:03 +0200)]
xc-am-iface.m4: comments refinement
Yang Tse [Wed, 17 Jul 2013 07:50:22 +0000 (09:50 +0200)]
configure: fix 'subdir-objects' distclean related issue
See XC_AMEND_DISTCLEAN comments for details.
Evgeny Turnaev [Wed, 17 Jul 2013 22:06:09 +0000 (00:06 +0200)]
curl_multi_wait: set revents for extra fds
Pass back the revents that happened for the user-provided file
descriptors.
Ben Greear [Mon, 8 Apr 2013 22:24:49 +0000 (15:24 -0700)]
asyn-ares: Don't blank ares servers if none configured.
Best to just let c-ares use it's defaults if none are configured
in (lib)curl.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Sergei Nikulov [Tue, 9 Jul 2013 15:20:41 +0000 (19:20 +0400)]
cmake: Fix for MSVC2010 project generation
Fixed issue with static build for MSVC2010.
After some investigation I've discovered known issue
http://public.kitware.com/Bug/view.php?id=11240 When .rc file is linked
to static lib it fails with following linker error
LINK : warning LNK4068: /MACHINE not specified; defaulting to X86
file.obj : fatal error LNK1112: module machine type 'x64' conflicts with
target machine type 'X86'
Fix add target property /MACHINE: for MSVC generation.
Also removed old workarounds - it caused errors during msvc build.
Bug: http://curl.haxx.se/mail/lib-2013-07/0046.html
Daniel Stenberg [Tue, 16 Jul 2013 22:05:29 +0000 (00:05 +0200)]
mk-ca-bundle.1: point out certdata.txt format docs
Yang Tse [Tue, 16 Jul 2013 21:56:33 +0000 (23:56 +0200)]
slist.c: Curl_slist_append_nodup() OOM handling fix
Daniel Stenberg [Mon, 15 Jul 2013 17:33:37 +0000 (19:33 +0200)]
test1414: FTP PORT download without SIZE support
Yang Tse [Tue, 16 Jul 2013 20:51:35 +0000 (22:51 +0200)]
tests/Makefile.am: add configurehelp.pm to DISTCLEANFILES
Patrick Monnerat [Mon, 15 Jul 2013 17:49:30 +0000 (19:49 +0200)]
curl_slist_append(): fix error detection
Patrick Monnerat [Mon, 15 Jul 2013 17:46:19 +0000 (19:46 +0200)]
slist.c: fix indentation
Patrick Monnerat [Mon, 15 Jul 2013 17:00:36 +0000 (19:00 +0200)]
OS400: new SSL backend GSKit
Patrick Monnerat [Mon, 15 Jul 2013 16:48:02 +0000 (18:48 +0200)]
OS400: add slist and certinfo EBCDIC support
Patrick Monnerat [Mon, 15 Jul 2013 16:38:17 +0000 (18:38 +0200)]
config-os400.h: enable system strdup(), strcmpi(), etc.
Patrick Monnerat [Mon, 15 Jul 2013 16:16:13 +0000 (18:16 +0200)]
x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extract
Use from qssl backend
Patrick Monnerat [Mon, 15 Jul 2013 15:26:59 +0000 (17:26 +0200)]
ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
Patrick Monnerat [Mon, 15 Jul 2013 14:55:30 +0000 (16:55 +0200)]
Merge branch 'master' of github.com:bagder/curl
Merge for resync
Patrick Monnerat [Mon, 15 Jul 2013 14:53:43 +0000 (16:53 +0200)]
slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()
Yang Tse [Mon, 15 Jul 2013 13:54:28 +0000 (15:54 +0200)]
sslgen.c: fix Curl_rand() compiler warning
Use simple seeding method upon RANDOM_FILE seeding method failure.
Yang Tse [Mon, 15 Jul 2013 11:20:44 +0000 (13:20 +0200)]
sslgen.c: fix unreleased Curl_rand() infinite recursion
Dave Reisner [Tue, 30 Apr 2013 14:23:39 +0000 (14:23 +0000)]
src/tool: allow timeouts to accept decimal values
Implement wrappers around strtod to convert the user argument to a
double with sane error checking. Use this to allow --max-time and
--connect-timeout to accept decimal values instead of strictly integers.
The manpage is updated to make mention of this feature and,
additionally, forewarn that the actual timeout of the operation can
vary in its precision (particularly as the value increases in its
decimal precision).
Dave Reisner [Sun, 14 Jul 2013 16:33:46 +0000 (18:33 +0200)]
curl.1: fix long line, found by checksrc.pl
Dave Reisner [Sun, 14 Jul 2013 16:33:44 +0000 (18:33 +0200)]
src/tool_paramhlp: try harder to catch negatives
strto* functions happily chomp off leading whitespace, so simply
checking for str[0] can lead to false negatives. Do the full parse and
check the out value instead.
John E. Malmberg [Sun, 14 Jul 2013 15:37:49 +0000 (17:37 +0200)]
build_vms.com: detect and use zlib shared image
Update the build_vms.com to detect and use zlib shared image installed
by the ZLIB kit produced by Jean-Francois Pieronne, and the also the
future ZLIB 1.2.8 kit in addition to the older ZLIB kits.
Also fix the indentation to match one of the common standards used for
VMS DCL command files and removed the hard tab characters.
Tested on OpenVMS 8.4 Alpha and IA64, and OpenVMS 7.3 VAX.
Yang Tse [Sun, 14 Jul 2013 10:19:57 +0000 (12:19 +0200)]
url.c: fix parse_url_login() OOM handling
Yang Tse [Fri, 12 Jul 2013 17:32:13 +0000 (19:32 +0200)]
http_digest.c: SIGSEGV and OOM handling fixes
Yang Tse [Fri, 12 Jul 2013 10:16:48 +0000 (12:16 +0200)]
url.c: fix parse_login_details() OOM handling
John E. Malmberg [Fri, 12 Jul 2013 10:07:02 +0000 (12:07 +0200)]
setup-vms.h: sk_pop symbol tweak
Newer versions of curl are referencing a sk_pop symbol while the HP
OpenSSL library has the symbol in uppercase only.
Yang Tse [Thu, 11 Jul 2013 15:03:14 +0000 (17:03 +0200)]
getinfo.c: fix enumerated type mixed with another type
Yang Tse [Thu, 11 Jul 2013 15:01:02 +0000 (17:01 +0200)]
test 1511: fix enumerated type mixed with another type
Yang Tse [Thu, 11 Jul 2013 11:29:48 +0000 (13:29 +0200)]
url.c: fix SIGSEGV
Yang Tse [Thu, 11 Jul 2013 11:29:20 +0000 (13:29 +0200)]
dotdot.c: fix global declaration shadowing
Yang Tse [Thu, 11 Jul 2013 11:28:47 +0000 (13:28 +0200)]
easy.c: fix global declaration shadowing
Kamil Dudka [Tue, 9 Jul 2013 13:45:36 +0000 (15:45 +0200)]
Revert "curl.1: document the --time-cond option in the man page"
This reverts commit
3a0e931fc715a80004958794a96b12cf90503f99 because
the documentation of --time-cond was duplicated by mistake.
Reported by: Dave Reisner
Kamil Dudka [Tue, 9 Jul 2013 12:59:01 +0000 (14:59 +0200)]
curl.1: document the --sasl-ir option in the man page
Kamil Dudka [Tue, 9 Jul 2013 12:59:01 +0000 (14:59 +0200)]
curl.1: document the --post303 option in the man page
Kamil Dudka [Tue, 9 Jul 2013 12:59:01 +0000 (14:59 +0200)]
curl.1: document the --time-cond option in the man page
Yang Tse [Mon, 8 Jul 2013 22:10:38 +0000 (00:10 +0200)]
configure: automake 1.14 compatibility tweak (use XC_AUTOMAKE)
Yang Tse [Mon, 8 Jul 2013 22:07:26 +0000 (00:07 +0200)]
xc-am-iface.m4: provide XC_AUTOMAKE macro
Guenter Knauf [Mon, 8 Jul 2013 15:46:15 +0000 (17:46 +0200)]
Added winssl-zlib target to VC builds.
Guenter Knauf [Mon, 8 Jul 2013 13:05:10 +0000 (15:05 +0200)]
Synced Makefile.vc6 with recent changes.
Issue posted to the list by malinowsky AT FTW DOT at.
Guenter Knauf [Thu, 4 Jul 2013 02:35:22 +0000 (04:35 +0200)]
Added libmetalink URL; added Android versions.
Dan Fandrich [Wed, 3 Jul 2013 19:09:50 +0000 (21:09 +0200)]
examples: Moved usercertinmem.c to COMPLICATED_EXAMPLES
This prevents it from being built during a "make check" since it
depends on OpenSSL.
Nick Zitzmann [Wed, 3 Jul 2013 01:40:14 +0000 (19:40 -0600)]
Merge branch 'master' of https://github.com/bagder/curl
Nick Zitzmann [Wed, 3 Jul 2013 01:34:54 +0000 (19:34 -0600)]
darwinssl: SSLv2 connections are aborted if unsupported by the OS
I just noticed that OS X no longer supports SSLv2. Other TLS engines return
an error if the requested protocol isn't supported by the underlying
engine, so we do that now for SSLv2 if the framework returns an error
when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is
only enabled in curl when starting the app with the -2 argument; it's off
by default. SSLv2 is really old and insecure.)
Marc Hoersken [Mon, 1 Jul 2013 19:42:15 +0000 (21:42 +0200)]
lib506.c: Fixed possible use of uninitialized variables
Kamil Dudka [Sun, 30 Jun 2013 17:51:16 +0000 (19:51 +0200)]
url: restore the functionality of 'curl -u :'
This commit fixes a regression introduced in
fddb7b44a79d78e05043e1c97e069308b6b85f79.
Reported by: Markus Moeller
Bug: http://curl.haxx.se/mail/archive-2013-06/0052.html
Daniel Stenberg [Tue, 25 Jun 2013 09:37:27 +0000 (11:37 +0200)]
digest: append the timer to the random for the nonce
Daniel Stenberg [Tue, 25 Jun 2013 09:28:22 +0000 (11:28 +0200)]
digest: improve nonce generation
Use the new improved Curl_rand() to generate better random nonce for
Digest auth.
Daniel Stenberg [Tue, 25 Jun 2013 08:41:16 +0000 (10:41 +0200)]
curl.1: fix typo in --xattr description
Bug: http://curl.haxx.se/bug/view.cgi?id=1252
Reported-by: Jean-Noël Rouvignac
Daniel Stenberg [Tue, 25 Jun 2013 08:35:21 +0000 (10:35 +0200)]
RELEASE-NOTES: synced with
365c5ba39591
The 10 first bug fixes for the pending release...
Daniel Stenberg [Mon, 24 Jun 2013 20:24:35 +0000 (22:24 +0200)]
formpost: better random boundaries
When doing multi-part formposts, libcurl used a pseudo-random value that
was seeded with time(). This turns out to be bad for users who formpost
data that is provided with users who then can guess how the boundary
string will look like and then they can forge a different formpost part
and trick the receiver.
My advice to such implementors is (still even after this change) to not
rely on the boundary strings being cryptographically strong. Fix your
code and logic to not depend on them that much!
I moved the Curl_rand() function into the sslgen.c source file now to be
able to take advantage of the SSL library's random function if it
provides one. If not, try to use the RANDOM_FILE for seeding and as a
last resort keep the old logic, just modified to also add microseconds
which makes it harder to properly guess the exact seed.
The formboundary() function in formdata.c is now using 64 bit entropy
for the boundary and therefore the string of dashes was reduced by 4
letters and there are 16 hex digits following it. The total length is
thus still the same.
Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"
Daniel Stenberg [Tue, 25 Jun 2013 07:52:06 +0000 (09:52 +0200)]
printf: make sure %x are treated unsigned
When using %x, the number must be treated as unsigned as otherwise it
would get sign-extended on for example 64bit machines and do wrong
output. This problem showed when doing printf("%08x", 0xffeeddcc) on a
64bit host.
Daniel Stenberg [Mon, 24 Jun 2013 07:25:58 +0000 (09:25 +0200)]
tests: add test1395 to the tarball
Daniel Stenberg [Mon, 24 Jun 2013 07:02:19 +0000 (09:02 +0200)]
SIGPIPE: don't use 'data' in sigpipe restore
Follow-up fix from
7d80ed64e43515.
The SessionHandle may not be around to use when we restore the sigpipe
sighandler so we store the no_signal boolean in the local struct to know
if/how to restore.
Daniel Stenberg [Sun, 23 Jun 2013 20:48:39 +0000 (22:48 +0200)]
TODO: 1.8 Modified buffer size approach
Thoughts around buffer sizes and what might be possible to do...
Daniel Stenberg [Sun, 23 Jun 2013 18:25:38 +0000 (20:25 +0200)]
c-ares: improve error message on failed resolve
When the c-ares based resolver backend failed to resolve a name, it
tried to show the name that failed from existing structs. This caused
the wrong output and shown hostname when for example --interface
[hostname] was used and that name resolving failed.
Now we use the hostname used in the actual resolve attempt in the error
message as well.
Bug: http://curl.haxx.se/bug/view.cgi?id=1191
Reported-by: Kim Vandry
Daniel Stenberg [Sun, 23 Jun 2013 08:31:04 +0000 (10:31 +0200)]
ossl_recv: check for an OpenSSL error, don't assume
When we recently started to treat a zero return code from SSL_read() as
an error we also got false positives - which primarily looks to be
because the OpenSSL documentation is wrong and a zero return code is not
at all an error case in many situations.
Now ossl_recv() will check with ERR_get_error() to see if there is a
stored error and only then consider it to be a true error if SSL_read()
returned zero.
Bug: http://curl.haxx.se/bug/view.cgi?id=1249
Reported-by: Nach M. S.
Patch-by: Nach M. S.
Nick Zitzmann [Sat, 22 Jun 2013 21:16:05 +0000 (15:16 -0600)]
Merge branch 'master' of https://github.com/bagder/curl
Nick Zitzmann [Sat, 22 Jun 2013 21:13:36 +0000 (15:13 -0600)]
darwinssl: fix crash that started happening in Lion
Something (a recent security update maybe?) changed in Lion, and now it
has changed SSLCopyPeerTrust such that it may return noErr but also give
us a null trust, which caught us off guard and caused an eventual crash.
Daniel Stenberg [Sun, 10 Mar 2013 23:39:52 +0000 (00:39 +0100)]
SIGPIPE: ignored while inside the library
... and restore the ordinary handling again when it returns. This is
done for curl_easy_perform() and curl_easy_cleanup() only for now - and
only when built to use OpenSSL as backend as this is the known culprit
for the spurious SIGPIPEs people have received.
Bug: http://curl.haxx.se/bug/view.cgi?id=1180
Reported by: Lluís Batlle i Rossell
Daniel Stenberg [Sat, 22 Jun 2013 20:24:36 +0000 (22:24 +0200)]
KNOWN_BUGS: #83 unable to load non-default openssl engines
Daniel Stenberg [Sat, 22 Jun 2013 20:20:31 +0000 (22:20 +0200)]
test1396: invoke the correct test tool!
This erroneously run unit test 1310 instead of 1396!
Kamil Dudka [Sat, 22 Jun 2013 20:12:49 +0000 (22:12 +0200)]
test1230: avoid using hard-wired port number
... to prevent failure when a non-default -b option is given
Kamil Dudka [Sat, 22 Jun 2013 20:08:42 +0000 (22:08 +0200)]
curl-config.in: replace tabs by spaces
Nick Zitzmann [Sat, 22 Jun 2013 18:23:26 +0000 (12:23 -0600)]
darwinssl: reform OS-specific #defines
This doesn't need to be in the release notes. I cleaned up a lot of the #if
lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and
MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like
__MAC_10_6 or whatever were defined, because for some SDKs Apple has released
they were defined out of place.
Alessandro Ghedini [Sat, 22 Jun 2013 13:21:19 +0000 (15:21 +0200)]
docs: fix typo in curl_easy_getinfo manpage
Daniel Stenberg [Sat, 15 Jun 2013 21:47:02 +0000 (23:47 +0200)]
dotdot: introducing dot file path cleanup
RFC3986 details how a path part passed in as part of a URI should be
"cleaned" from dot sequences before getting used. The described
algorithm is now implemented in lib/dotdot.c with the accompanied test
case in test 1395.
Bug: http://curl.haxx.se/bug/view.cgi?id=1200
Reported-by: Alex Vinnik
Daniel Stenberg [Sat, 22 Jun 2013 12:13:28 +0000 (14:13 +0200)]
bump: start working towards what most likely will become 7.32.0
Daniel Stenberg [Sat, 22 Jun 2013 11:52:27 +0000 (13:52 +0200)]
THANKS: added 24 new contributors from the 7.31.0 release
Daniel Stenberg [Sat, 22 Jun 2013 09:30:31 +0000 (11:30 +0200)]
RELEASE-NOTES: synced with
0de7249bb39a2 - 7.31.0
Daniel Stenberg [Sun, 19 May 2013 21:30:06 +0000 (23:30 +0200)]
unit1396: unit tests to verify curl_easy_(un)escape
Daniel Stenberg [Sun, 19 May 2013 21:24:29 +0000 (23:24 +0200)]
Curl_urldecode: no peeking beyond end of input buffer
Security problem: CVE-2013-2174
If a program would give a string like "%FF" to curl_easy_unescape() but
ask for it to decode only the first byte, it would still parse and
decode the full hex sequence. The function then not only read beyond the
allowed buffer but it would also deduct the *unsigned* counter variable
for how many more bytes there's left to read in the buffer by two,
making the counter wrap. Continuing this, the function would go on
reading beyond the buffer and soon writing beyond the allocated target
buffer...
Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
Guenter Knauf [Thu, 20 Jun 2013 20:53:37 +0000 (22:53 +0200)]
Use opened body.out file and write content to it.
Daniel Stenberg [Wed, 19 Jun 2013 21:54:28 +0000 (23:54 +0200)]
multi_socket: react on socket close immediately
As a remedy to the problem when a socket gets closed and a new one is
opened with the same file descriptor number and as a result
multi.c:singlesocket() doesn't detect the difference, the new function
Curl_multi_closed() gets told when a socket is closed so that it can be
removed from the socket hash. When the old one has been removed, a new
socket should be detected fine by the singlesocket() on next invoke.
Bug: http://curl.haxx.se/bug/view.cgi?id=1248
Reported-by: Erik Johansson