Package: curl / 7.64.0-4+deb10u2

Metadata

Package: curl
Version: 7.64.0-4+deb10u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
04_workaround_as_needed_bug.patch | (download)

ltmain.sh | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 work around libtool --as-needed reordering bug
06_always disable valgrind.patch | (download)

tests/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 always disable valgrind tests
07_do not disable debug symbols.patch | (download)

m4/curl-compilers.m4 | 11 0 + 11 - 0 !
1 file changed, 11 deletions(-)

 do not disable debug symbols without --enable-debug
08_enable zsh.patch | (download)

Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 enable zsh completion generation
11_omit directories from config.patch | (download)

curl-config.in | 15 3 + 12 - 0 !
1 file changed, 3 insertions(+), 12 deletions(-)

 in order to (partially) multi-arch-ify curl-config, remove all
 mention of @includedir@ and @libdir@ from the script.  On Debian, the actual
 header and library directories are architecture-dependent, but will always be
 in the C compiler's default search path, so -I and -L options are not
 necessary (and may be harmful in multi-arch environments.)
12_zsh.patch | (download)

scripts/zsh.pl | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 fixes for zsh completion generator
13_singlesocket fix the sincebefore placement.patch | (download)

lib/multi.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] singlesocket: fix the 'sincebefore' placement

The variable wasn't properly reset within the loop and thus could remain
set for sockets that hadn't been set before and miss notifying the app.

This is a follow-up to 4c35574 (shipped in curl 7.64.0)

Reported-by: buzo-ffm on github
Detected-by: Jan Alexander Steffens
Fixes #3585
Closes #3589

14_connection_check set data to the transfer doing the .patch | (download)

lib/url.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] connection_check: set ->data to the transfer doing the check

The http2 code for connection checking needs a transfer to use. Make
sure a working one is set before handler->connection_check() is called.

Reported-by: jnbr on github
Fixes #3541
Closes #3547

15_connection_check restore original conn data after th.patch | (download)

lib/url.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] connection_check: restore original conn->data after the check

- Save the original conn->data before it's changed to the specified
  data transfer for the connection check and then restore it afterwards.

This is a follow-up to 38d8e1b 2019-02-11.

History:

It was discovered a month ago that before checking whether to extract a
dead connection that that connection should be associated with a "live"
transfer for the check (ie original conn->data ignored and set to the
passed in data). A fix was landed in 54b201b which did that and also
cleared conn->data after the check. The original conn->data was not
restored, so presumably it was thought that a valid conn->data was no
longer needed.

Several days later it was discovered that a valid conn->data was needed
after the check and a follow-up fix was landed in bbae24c which partially
reverted the original fix and attempted to limit the scope of when
conn->data was changed to only when pruning dead connections. In that
case conn->data was not cleared and the original conn->data not
restored.

A month later it was discovered that the original fix was somewhat
correct; a "live" transfer is needed for the check in all cases
because original conn->data could be null which could cause a bad deref
at arbitrary points in the check. A fix was landed in 38d8e1b which
expanded the scope to all cases. conn->data was not cleared and the
original conn->data not restored.

A day later it was discovered that not restoring the original conn->data
may lead to busy loops in applications that use the event interface, and
given this observation it's a pretty safe assumption that there is some
code path that still needs the original conn->data. This commit is the
follow-up fix for that, it restores the original conn->data after the
connection check.

Assisted-by: tholin@users.noreply.github.com
Reported-by: tholin@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/3542
Closes #3559

16_tftp use the current blksize for recvfrom.patch | (download)

lib/tftp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] tftp: use the current blksize for recvfrom()

bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436

17_CURL_MAX_INPUT_LENGTH largest acceptable string inpu.patch | (download)

lib/setopt.c | 7 7 + 0 - 0 !
lib/urlapi.c | 8 8 + 0 - 0 !
lib/urldata.h | 4 4 + 0 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test1559 | 44 44 + 0 - 0 !
tests/libtest/Makefile.inc | 6 4 + 2 - 0 !
tests/libtest/lib1559.c | 78 78 + 0 - 0 !
7 files changed, 146 insertions(+), 3 deletions(-)

 [patch] curl_max_input_length: largest acceptable string input size

This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrarily picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

Closes #3805

18_CVE 2019 5481.patch | (download)

lib/security.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 [patch] security:read_data fix bad realloc()

... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html

19_CVE 2019 5482.patch | (download)

lib/tftp.c | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 [patch] tftp: alloc maximum blksize, and use default unless oack is
 received

Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482

20_CVE 2020 8169.patch | (download)

lib/url.c | 6 4 + 2 - 0 !
tests/data/test1168 | 78 78 + 0 - 0 !
2 files changed, 82 insertions(+), 2 deletions(-)

 [patch] url: make the updated credentials url-encoded in the url

Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400

21_CVE 2020 8177.patch | (download)

src/tool_cb_hdr.c | 22 4 + 18 - 0 !
src/tool_getparam.c | 5 5 + 0 - 0 !
2 files changed, 9 insertions(+), 18 deletions(-)

 [patch] tool_getparam: -i is not ok if -j is used

Reported-by: sn on hackerone
Bug: https://curl.haxx.se/docs/CVE-2020-8177.html

22_CVE 2020 8231.patch | (download)

lib/connect.c | 19 10 + 9 - 0 !
lib/easy.c | 3 1 + 2 - 0 !
lib/multi.c | 5 3 + 2 - 0 !
lib/url.c | 2 1 + 1 - 0 !
lib/urldata.h | 2 1 + 1 - 0 !
5 files changed, 16 insertions(+), 15 deletions(-)

 [patch] curl_easy: remember last connection by id, not by pointer

CVE-2020-8231

Bug: https://curl.haxx.se/docs/CVE-2020-8231.html

Reported-by: Marc Aldorasi
Closes #5824

23_CVE 2020 8284.patch | (download)

docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 2 + 0 - 0 !
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 5 + 3 - 0 !
lib/url.c | 1 1 + 0 - 0 !
src/tool_cfgable.c | 1 1 + 0 - 0 !
tests/data/test1400 | 1 1 + 0 - 0 !
tests/data/test1401 | 1 1 + 0 - 0 !
tests/data/test1402 | 1 1 + 0 - 0 !
tests/data/test1403 | 1 1 + 0 - 0 !
tests/data/test1404 | 1 1 + 0 - 0 !
tests/data/test1405 | 1 1 + 0 - 0 !
tests/data/test1406 | 1 1 + 0 - 0 !
tests/data/test1407 | 1 1 + 0 - 0 !
tests/data/test1420 | 1 1 + 0 - 0 !
13 files changed, 18 insertions(+), 3 deletions(-)

 [patch] ftp: curlopt_ftp_skip_pasv_ip by default

The command line tool also independently sets --ftp-skip-pasv-ip by
default.

Ten test cases updated to adapt the modified --libcurl output.

Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284

Reported-by: Varnavas Papaioannou

24_CVE 2020 8285.patch | (download)

lib/ftp.c | 211 107 + 104 - 0 !
1 file changed, 107 insertions(+), 104 deletions(-)

 [patch] ftp: make wc_statemach loop instead of recurse

CVE-2020-8285

Fixes #6255
Bug: https://curl.se/docs/CVE-2020-8285.html
Reported-by: xnynx on github

25_CVE 2020 8286.patch | (download)

lib/vtls/openssl.c | 94 60 + 34 - 0 !
1 file changed, 60 insertions(+), 34 deletions(-)

 [patch] openssl: make the ocsp verification verify the certificate id

CVE-2020-8286

Reported by anonymous

Bug: https://curl.se/docs/CVE-2020-8286.html

26_CVE 2021 22876.patch | (download)

lib/transfer.c | 25 23 + 2 - 0 !
tests/data/Makefile.inc | 2 1 + 1 - 0 !
tests/data/test2081 | 66 66 + 0 - 0 !
3 files changed, 90 insertions(+), 3 deletions(-)

 [patch] transfer: strip credentials from the auto-referer header
 field

Added test 2081 to verify.

CVE-2021-22876

Bug: https://curl.se/docs/CVE-2021-22876.html

27_CVE 2021 22890.patch | (download)

lib/vtls/gtls.c | 13 9 + 4 - 0 !
lib/vtls/mbedtls.c | 11 8 + 3 - 0 !
lib/vtls/mesalink.c | 11 7 + 4 - 0 !
lib/vtls/openssl.c | 49 36 + 13 - 0 !
lib/vtls/schannel.c | 11 7 + 4 - 0 !
lib/vtls/vtls.c | 7 5 + 2 - 0 !
lib/vtls/vtls.h | 2 2 + 0 - 0 !
7 files changed, 74 insertions(+), 30 deletions(-)

 [patch] vtls: add 'isproxy' argument to curl_ssl_get/addsessionid()

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890

90_gnutls.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
lib/libcurl.vers.in | 2 1 + 1 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
5 files changed, 25 insertions(+), 25 deletions(-)

 build with gnutls.
99_nss.patch | (download)

docs/examples/Makefile.am | 4 2 + 2 - 0 !
lib/Makefile.am | 32 16 + 16 - 0 !
src/Makefile.am | 4 2 + 2 - 0 !
tests/libtest/Makefile.am | 8 4 + 4 - 0 !
4 files changed, 24 insertions(+), 24 deletions(-)

 build with nss.