Commit Graph

23923 Commits

Author SHA1 Message Date
Daniel Stenberg
350306e472
test2080: verify the fix for CVE-2018-16842 2018-10-30 07:47:50 +01:00
Daniel Stenberg
d530e92f59
voutf: fix bad arethmetic when outputting warnings to stderr
CVE-2018-16842
Reported-by: Brian Carpenter
Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
2018-10-30 07:47:25 +01:00
Tuomo Rinne
e97679a360
cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in
Closes #3123
2018-10-29 17:10:31 +01:00
Tuomo Rinne
dd98c1f34b
cmake: add find_dependency call for ZLIB to CMake config file 2018-10-29 17:10:27 +01:00
Tuomo Rinne
fc0672b447
cmake: add support for transitive ZLIB target 2018-10-29 17:10:24 +01:00
Daniel Stenberg
5728229a4f
unit1650: fix "null pointer passed as argument 1 to memcmp"
Detected by UndefinedBehaviorSanitizer

Closes #3187
2018-10-29 16:14:40 +01:00
Daniel Stenberg
0c9b09dff4
travis: add a "make tidy" build that runs clang-tidy
Closes #3182
2018-10-29 08:11:33 +01:00
Daniel Stenberg
0b58ffe0c9
unit1300: fix stack-use-after-scope AddressSanitizer warning
Closes #3186
2018-10-29 08:05:23 +01:00
Daniel Stenberg
f3a24d7916
Curl_auth_create_plain_message: fix too-large-input-check
CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
81d135d671
Curl_close: clear data->multi_easy on free to avoid use-after-free
Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-29 08:05:23 +01:00
randomswdev
9d8dad1a9d
system.h: use proper setting with Sun C++ as well
system.h selects the proper Sun settings when __SUNPRO_C is defined. The
Sun compiler does not define it when compiling C++ files.  I'm adding a
check also on __SUNPRO_CC to allow curl to work properly also when used
in a C++ project on Sun Solaris.

Closes #3181
2018-10-27 16:07:24 +02:00
Daniel Stenberg
75b94d77e8
rand: add comment to skip a clang-tidy false positive 2018-10-27 15:59:44 +02:00
Daniel Stenberg
a669e06946
test1651: unit test Curl_extract_certinfo()
The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.
2018-10-27 15:59:43 +02:00
Daniel Stenberg
feea1259e4
x509asn1: always check return code from getASN1Element() 2018-10-27 15:59:43 +02:00
Daniel Stenberg
be20814191
Makefile: add 'tidy' target that runs clang-tidy
Available in the root, src and lib dirs.

Closes #3163
2018-10-27 15:59:38 +02:00
Daniel Stenberg
803496fa10
RELEASE-PROCEDURE: adjust the release dates
See: https://curl.haxx.se/mail/lib-2018-10/0107.html
2018-10-27 15:14:51 +02:00
Patrick Monnerat
c335b7f1f7 x509asn1: suppress left shift on signed value
Use an unsigned variable: as the signed operation behavior is undefined,
this change silents clang-tidy about it.

Ref: https://github.com/curl/curl/pull/3163
Reported-By: Daniel Stenberg
2018-10-27 15:04:50 +02:00
Michael Kaufmann
3793761a37 multi: Fix error handling in the SENDPROTOCONNECT state
If Curl_protocol_connect() returns an error code,
handle the error instead of switching to the next state.

Closes #3170
2018-10-27 13:03:50 +02:00
Daniel Stenberg
4441d3c548
RELEASE-NOTES: synced 2018-10-27 11:14:13 +02:00
Daniel Stenberg
44a9e9f80f
openssl: output the correct cipher list on TLS 1.3 error
When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178
Closes #3180
2018-10-27 10:46:38 +02:00
Daniel Stenberg
067992baa7
docs/CIPHERS: fix the TLS 1.3 cipher names
... picked straight from the OpenSSL man page:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Reported-by: Ricky-Tigg on github
Bug: #3178
2018-10-27 10:46:36 +02:00
Marcel Raad
ac85e49d7a
travis: install gnutls-bin package
This is required for gnutls-serv, which enables a few more tests.

Closes https://github.com/curl/curl/pull/2958
2018-10-27 08:41:18 +02:00
Daniel Gustafsson
5c8c310edb ssh: free the session on init failures
Ensure to clear the session object in case the libssh2 initialization
fails.

It could be argued that the libssh2 error function should be called to
get a proper error message in this case. But since the only error path
in libssh2_knownhost_init() is memory a allocation failure it's safest
to avoid since the libssh2 error handling allocates memory.

Closes #3179
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26 15:39:15 +02:00
Daniel Stenberg
a0c2779d61
docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date
... I'm moving it up one week due to travels. The rest stays.
2018-10-26 14:12:44 +02:00
Daniel Gustafsson
68348461dc
openssl: make 'done' a proper boolean
Closes #3176
2018-10-26 13:51:25 +02:00
Daniel Stenberg
ebfe02f73c
gtls: Values stored to but never read
Detected by clang-tidy

Closes #3176
2018-10-26 13:51:07 +02:00
Alexey Eremikhin
bbce45fb00
curl.1: --ipv6 mutexes ipv4 (fixed typo)
Fixes #3171
Closes #3172
2018-10-26 08:45:08 +02:00
Daniel Stenberg
ae925ddcc3
tool_main: make TerminalSettings static
Reported-by: Gisle Vanem
Bug: becfe1233f (commitcomment-31008819)
Closes #3161
2018-10-26 00:59:50 +02:00
Daniel Stenberg
abfdf6a0b7
curl-config.in: remove dependency on bc
Reported-by: Dima Pasechnik
Fixes #3143
Closes #3174
2018-10-26 00:06:19 +02:00
Gisle Vanem
639d052e44
rtmp: fix for compiling with lwIP
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
  curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
    setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
    ^
  curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
  #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                 ^
Closes #3155
2018-10-26 00:04:02 +02:00
Daniel Stenberg
25d287d1e5
configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
Follow-up to #3166 which did the cmake part of this. This type/define is
not used.

Closes #3168
2018-10-25 13:18:23 +02:00
Ruslan Baratov
b04e624038
cmake: remove unused variables
Remove variables:
* HAVE_SOCKLEN_T
* CURL_SIZEOF_CURL_SOCKLEN_T
* CURL_TYPEOF_CURL_SOCKLEN_T

Closes #3166
2018-10-25 13:18:23 +02:00
Michael Kaufmann
daabc91581 urldata: Fix comment in header
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25 13:04:03 +02:00
Michael Kaufmann
d48e6b7f95 netrc: free temporary strings if memory allocation fails
- Change the inout parameters after all needed memory has been
  allocated. Do not change them if something goes wrong.
- Free the allocated temporary strings if strdup() fails.

Closes #3122
2018-10-25 12:54:55 +02:00
Ruslan Baratov
4f2541f975
config: Remove unused SIZEOF_VOIDP
Closes #3162
2018-10-24 11:20:57 +02:00
Daniel Stenberg
eecfe974b7
RELEASE-NOTES: synced 2018-10-24 09:22:18 +02:00
Gisle Vanem
eda0998894
Fix for compiling with lwIP (3)
lwIP on Windows does not have a WSAIoctl() function. 
But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23 12:55:07 +02:00
Daniel Stenberg
6535b9303d
Curl_follow: return better errors on URL problems
... by making the converter function global and accessible.

Closes #3153
2018-10-23 11:43:41 +02:00
Daniel Stenberg
ca10fae6fc
Curl_follow: remove remaining free(newurl)
Follow-up to 05564e750e. This function no longer frees the passed-in
URL.

Reported-by: Michael Kaufmann
Bug: 05564e750e (commitcomm)
ent-30985666
2018-10-23 11:43:41 +02:00
Daniel Gustafsson
06d8f16b87 headers: end all headers with guard comment
Most headerfiles end with a /* <headerguard> */ comment, but it was
missing from some. The comment isn't the most important part of our
code documentation but consistency has an intrinsic value in itself.
This adds header guard comments to the files that were lacking it.

Closes #3158
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-23 10:02:24 +02:00
Jay Satiro
a023dfa19a CIPHERS.md: Mention the options used to set TLS 1.3 ciphers
Closes https://github.com/curl/curl/pull/3159
2018-10-23 03:37:37 -04:00
Daniel Stenberg
db1338474c
docs/BUG-BOUNTY: the sponsors actually decide the amount
Retract the previous approach as the sponsors will be the ones to set the
final amounts.

Closes #3152
[ci skip]
2018-10-20 12:07:52 +02:00
Daniel Stenberg
05564e750e
multi: avoid double-free
Curl_follow() no longer frees the string. Make sure it happens in the
caller function, like we normally handle allocations.

This bug was introduced with the use of the URL API internally, it has
never been in a release version

Reported-by: Dario Weißer
Closes #3149
2018-10-19 15:29:31 +02:00
Daniel Stenberg
8a49f91d32
multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
Otherwise, closing that handle can still cause surprises!

Reported-by: Martin Ankerl
Fixes #3138
Closes #3147
2018-10-19 11:03:17 +02:00
Marcel Raad
e693a15722
VS projects: add USE_IPV6
The Visual Studio builds didn't use IPv6. Add it to all projects since
Visual Studio 2008, which is verified to build via AppVeyor.

Closes https://github.com/curl/curl/pull/3137
2018-10-19 09:23:15 +02:00
Marcel Raad
abebb2b893
config_win32: enable LDAPS
As done in the autotools and CMake builds by default.

Closes https://github.com/curl/curl/pull/3137
2018-10-19 09:23:14 +02:00
Daniel Stenberg
ad547fcf7b
travis: add build for "configure --disable-verbose"
Closes #3144
2018-10-18 14:51:49 +02:00
Kamil Dudka
6b6ba1dc29 tool_cb_hdr: handle failure of rename()
Detected by Coverity.

Closes #3140
Reviewed-by: Jay Satiro
2018-10-17 09:15:05 +02:00
Daniel Stenberg
21ac06888f
RELEASE-NOTES: synced 2018-10-17 08:17:04 +02:00
Daniel Stenberg
1a0cf36fbf
docs/SECURITY-PROCESS: the hackerone IBB program drops curl
... now there's only BountyGraph.
2018-10-17 08:02:37 +02:00