[{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Thu 02 Jul 2026 13:23:46","branch":"master","category":"wget","codebase":"","comments":"Regression: Fix buffer overflow in html_quote_string()\nThe regression has been introduced in commit dd692d9 and\nis not part of any release.\n\nThe tests allow the address sanitizer to find the issue.\n\n* src/convert.c: Fix string size calculation.\n* tests/unit-tests.c: Added tests including tests for html_quote_string().\n* tests/unit-tests.h: Add definitions for the test functions.\n\nReported-by: Trung Nguyen <trungnh@cystack.net>","files":[{"name":"src/convert.c"},{"name":"tests/unit-tests.c"},{"name":"tests/unit-tests.h"}],"number":273698,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"f76978a51ba9365e7ecaed96c1cfb73197a38ca2","revision":"f76978a51ba9365e7ecaed96c1cfb73197a38ca2","revlink":"","when":1782991426,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"f76978a51ba9365e7ecaed96c1cfb73197a38ca2"},"submittedAt":1782986622},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Sun 05 Jul 2026 18:19:52","branch":"master","category":"wget","codebase":"","comments":"* .gitlab-ci.yml: Set 10m timeout for the MinGW job\nBecause the job randomly hangs, and default timeout is 1h.","files":[{"name":".gitlab-ci.yml"}],"number":274105,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"c4face2b2be86149602aca7fe14af86d41971327","revision":"c4face2b2be86149602aca7fe14af86d41971327","revlink":"","when":1783268392,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Sun 05 Jul 2026 18:20:07","branch":"master","category":"wget","codebase":"","comments":"cookies.c: reject cookie instead of discarding jar entry on domain mismatch\nWhen a Set-Cookie header specifies a domain attribute that fails\ncheck_domain_match() against the responding host, cookie_handle_set_cookie()\nset cookie->discard_requested = true but continued processing instead of\nrejecting the cookie outright. Since discard_requested causes\ndiscard_matching_cookie() to be invoked later using the attacker-supplied\n(victim) domain, name, path and port, a malicious server could delete an\narbitrary cookie belonging to any other domain from wget's cookie jar,\nsimply by sending a Set-Cookie header naming that domain along with a\nmatching path/name/port.\n\nFix this by immediately jumping to the cleanup path (as already done for\nthe analogous path-mismatch case a few lines below) when the domain check\nfails, so a cookie from an unauthorized domain never reaches the jar\ndiscard/store logic.\n\n* src/cookies.c (cookie_handle_set_cookie): Goto out.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/cookies.c"}],"number":274106,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"b9c6ee8a17c82d0546d27d2c6851d9d144899e05","revision":"b9c6ee8a17c82d0546d27d2c6851d9d144899e05","revlink":"","when":1783268407,"who":"Acts1631 <acts1631kjv@proton.me>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"b9c6ee8a17c82d0546d27d2c6851d9d144899e05"},"submittedAt":1783277025},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Wed 08 Jul 2026 14:16:47","branch":"master","category":"wget","codebase":"","comments":"* src/metalink.c (clean_metalink_string): Fix inverted trailing-space check\n37a40fcb added an `end > beg' bound guard to prevent a buffer\nunderflow, but accidentally flipped the condition from `isspace' to\n`!isspace'. The loop therefore walked back over non-space characters\ninstead of trailing whitespace, collapsing any string without a\ntrailing newline to \"\". Every Metalink/HTTP resource URL was wiped,\nso wget could not follow any mirror and\ntestenv/Test-metalink-http.py failed (\"Expected file test.meta not\nfound\"). Restore the `isspace' condition.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/metalink.c"}],"number":274348,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"7b1cdecc49bc77bde220fc575c8a00386c3f3bcf","revision":"7b1cdecc49bc77bde220fc575c8a00386c3f3bcf","revlink":"","when":1783513007,"who":"ChenYanpan <chenyanpan@xfusion.com>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"7b1cdecc49bc77bde220fc575c8a00386c3f3bcf"},"submittedAt":1783517122},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Thu 09 Jul 2026 15:04:20","branch":"master","category":"wget","codebase":"","comments":"* gitlab-ci.yml: Build and use libmetalink","files":[{"name":".gitlab-ci.yml"}],"number":274392,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"f8c142cfd7998e09db36a04213c368bb651c6583","revision":"f8c142cfd7998e09db36a04213c368bb651c6583","revlink":"","when":1783602260,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 15:04:20","branch":"master","category":"wget","codebase":"","comments":"* src/metalink.c: Include ctype.h","files":[{"name":"src/metalink.c"}],"number":274393,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"82d945ff5dc9942b78b2bf736aac298c24fe00a1","revision":"82d945ff5dc9942b78b2bf736aac298c24fe00a1","revlink":"","when":1783602260,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"82d945ff5dc9942b78b2bf736aac298c24fe00a1"},"submittedAt":1783596834},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Thu 09 Jul 2026 19:27:20","branch":"master","category":"wget","codebase":"","comments":"http: reject chunk-size values that overflow wgint\n* src/http.c (skip_short_body): Check overflow.\n* src/retr.c (fd_read_body): Check overflow.\n\nBoth fd_read_body() (src/retr.c) and skip_short_body() (src/http.c)\nparse the hex chunk-size line of a chunked-encoded HTTP response with\nstrtol() and only check the result for being negative.  strtol()\nreturns 'long', which silently clamps to LONG_MAX and sets\nerrno = ERANGE when the input overflows; that errno was never checked.\n\nA malicious or compromised HTTP server can therefore send a chunk-size\nline such as \"FFFFFFFFFFFFFFFF\" and have wget treat it as a chunk of\nessentially unbounded size (up to LONG_MAX/INT64_MAX bytes) instead of\nrejecting it as a malformed response.  As long as the server keeps\ntrickling bytes (each successful read resets the read-timeout), wget\nwill keep reading indefinitely, which is a remote denial of service.\n\nSwitch both call sites to str_to_wgint() (strtoll(), matching the\n64-bit wgint type used to store the result on all platforms, including\nthose where long is 32-bit) and check errno for ERANGE in addition to\nthe existing negative-value check, clearing errno first so a stale\nvalue cannot cause a false positive.\n\nVerified with a fake HTTP server sending Transfer-Encoding: chunked\nwith a first chunk-size line of FFFFFFFFFFFFFFFF followed by a stream\nof data: before the fix wget accepts the bogus size and keeps reading\neverything sent to it as part of that single chunk; after the fix it\nimmediately aborts with Read error ... (Numerical result out of\nrange) instead of hanging.  Legitimate chunked responses continue to\nbe handled correctly, and the existing HTTP test suite (50 tests)\nstill passes.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/http.c"},{"name":"src/retr.c"}],"number":274407,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"6b17faf864162e16435c837cec25537b8fa4a61b","revision":"6b17faf864162e16435c837cec25537b8fa4a61b","revlink":"","when":1783618040,"who":"Acts1631 <acts1631kjv@proton.me>"},{"at":"Thu 09 Jul 2026 19:47:42","branch":"master","category":"wget","codebase":"","comments":"ftp: reject unsafe symlink targets in directory listings\n* src/ftp-ls.c: New function ftp_ls_unsafe_symlink_target(),\n  (ftp_parse_unix_ls): Reject unsafe symlink targets.\n\nftp_parse_unix_ls() copied the target of a symlink entry (the text\nafter \" -> \" in a LIST response) verbatim into f->linkto, which is\nlater passed straight to symlink() when recreating the remote\ndirectory tree locally (this only happens when the user has disabled\nthe safe default with --retr-symlinks=no; see CVE-2014-4877).  Because\nthe target was never validated, a malicious or compromised FTP server\ncould use an absolute path or a \"../\" sequence to make Wget create a\nsymlink pointing anywhere on the local filesystem.\n\nAdd ftp_ls_unsafe_symlink_target() and reject any symlink entry whose\ntarget is an absolute path or contains a \"..\" path component (as an\nexact path component, not merely the substring \"..\", so names like\n\"foo..bar\" are unaffected).  The rejected entry is skipped, same as\nany other malformed listing line.\n\nVerified with a fake FTP server returning a LIST response with a\nsymlink pointing to /tmp/opencode/evil_target and to\n../../../../etc/passwd while running with -r --retr-symlinks=no:\nbefore the fix Wget creates the symlink outside the download tree;\nafter the fix the entry is skipped with a debug message.  Legitimate\nrelative symlinks (e.g. \"somefile.txt\", \"foo..bar\") continue to be\ncreated as before.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/ftp-ls.c"}],"number":274408,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"6b5166521a95318648a64d09dbf23b27d979ac4e","revision":"6b5166521a95318648a64d09dbf23b27d979ac4e","revlink":"","when":1783619262,"who":"Acts1631 <acts1631kjv@proton.me>"},{"at":"Thu 09 Jul 2026 19:47:42","branch":"master","category":"wget","codebase":"","comments":"ftp: validate PASV/LPSV response address against control connection peer\n* src/ftp-basic.c (ftp_pasv): Reject if peer address doesn't match advertised\n  address,\n  (ftp_lpsv): Likewise.\n\nftp_pasv() and ftp_lpsv() copied the IP address and port advertised in\nthe server's 227 response without checking that it matched the peer\nof the control connection.  A malicious or compromised FTP server\ncould therefore direct wget's data connection to an arbitrary host and\nport of its choosing (e.g. an internal service unreachable from the\nattacker directly), which is a server-side request forgery.\n\nftp_epsv() was already safe since it only extracts a port and reuses\nthe pre-filled control-connection address.\n\nFix ftp_pasv() and ftp_lpsv() the same way: capture the control\nconnection's peer address via socket_ip_address() before parsing the\nresponse, and reject the response (FTPINVPASV) if the parsed address\ndoes not match.\n\nVerified with a fake FTP server that returns a PASV response pointing\nat a different loopback address (127.0.0.2 instead of the real peer\n127.0.0.1): before the fix wget connects to the spoofed address, after\nthe fix it rejects the response with \"Cannot parse PASV response.\"\nLegitimate transfers using a correctly-addressed PASV response\ncontinue to work.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/ftp-basic.c"}],"number":274409,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"4f85853f641863d5915786a8413e1a213726a62b","revision":"4f85853f641863d5915786a8413e1a213726a62b","revlink":"","when":1783619262,"who":"Acts1631 <acts1631kjv@proton.me>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"4f85853f641863d5915786a8413e1a213726a62b"},"submittedAt":1783613704},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Thu 09 Jul 2026 20:43:24","branch":"master","category":"wget","codebase":"","comments":"* src/wget.h (DO_REALLOC): Avoid -Wpointer-arith warnings","files":[{"name":"src/wget.h"}],"number":274420,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"17d5da075d3d04aa9d72e5e5eda48e824df13b29","revision":"17d5da075d3d04aa9d72e5e5eda48e824df13b29","revlink":"","when":1783622604,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 20:46:48","branch":"master","category":"wget","codebase":"","comments":"* src/main.c: Avoid -Wzero-as-null-pointer-constant","files":[{"name":"src/main.c"}],"number":274421,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"4cbdaa598e817c8e9eacf33b789d18de94ab5457","revision":"4cbdaa598e817c8e9eacf33b789d18de94ab5457","revlink":"","when":1783622808,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 20:50:03","branch":"master","category":"wget","codebase":"","comments":"* src/retr.c (retrieve_from_file): Remove unused variable","files":[{"name":"src/retr.c"}],"number":274422,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"67d1686ae83a17ff1d81de62ce7d7df78e0274d0","revision":"67d1686ae83a17ff1d81de62ce7d7df78e0274d0","revlink":"","when":1783623003,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 20:51:39","branch":"master","category":"wget","codebase":"","comments":"* src/http.c (establish_connection): Avoid -Wzero-as-null-pointer-constant","files":[{"name":"src/http.c"}],"number":274423,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"471f625e05db1de876e41c3a70f22918705b79ce","revision":"471f625e05db1de876e41c3a70f22918705b79ce","revlink":"","when":1783623099,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 21:02:57","branch":"master","category":"wget","codebase":"","comments":"* src/utils.c (xsleep): Avoid -Wfloat-conversion","files":[{"name":"src/utils.c"}],"number":274424,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"705e9e3a749f9f0430c1fad9892227c210c66dee","revision":"705e9e3a749f9f0430c1fad9892227c210c66dee","revlink":"","when":1783623777,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"705e9e3a749f9f0430c1fad9892227c210c66dee"},"submittedAt":1783619036},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Thu 09 Jul 2026 22:46:04","branch":"master","category":"wget","codebase":"","comments":"* src/init.h: Increase MAX_LONGOPTION to 27\nFixes:\nmain.c:330:14: warning: initializer-string for array of 'char' truncates NUL\n terminator but destination lacks 'nonstring' attribute (27 chars into 26\n available) [-Wunterminated-string-initialization]\n  330 |     IF_SSL ( \"ftps-clear-data-connection\", 0, OPT_BOOLEAN, \"ftpscleardataconnection\", -1 )\n      |              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~","files":[{"name":"src/init.h"}],"number":274429,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"46531d7d4efc8760ef527b563006bd7aab521aa2","revision":"46531d7d4efc8760ef527b563006bd7aab521aa2","revlink":"","when":1783629964,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 22:48:11","branch":"master","category":"wget","codebase":"","comments":"* src/init.c (cleanup): Avoid -Wunterminated-string-initialization","files":[{"name":"src/init.c"}],"number":274431,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"64fc592ad66a1fba5f968721f54c2a03749cd40a","revision":"64fc592ad66a1fba5f968721f54c2a03749cd40a","revlink":"","when":1783630091,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 22:58:03","branch":"master","category":"wget","codebase":"","comments":"Fix -Wmissing-variable-declarations\n* src/init.c: Remove extern timer and cleaned_up vars.\n* src/main.c: Declare hsts_store as extern.\n* src/wget.h: Declare cleaned_up, ares and timer vars as extern.","files":[{"name":"src/init.c"},{"name":"src/main.c"},{"name":"src/wget.h"}],"number":274432,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"600d8fe6bd7e0d4f6b573de529a9591383cfd343","revision":"600d8fe6bd7e0d4f6b573de529a9591383cfd343","revlink":"","when":1783630683,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 23:01:51","branch":"master","category":"wget","codebase":"","comments":"* src/ftp.c (has_insecure_name_p): Avoid -Wzero-as-null-pointer-constant","files":[{"name":"src/ftp.c"}],"number":274433,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"c241000c1a2c9e1a655d940581efd8d802092161","revision":"c241000c1a2c9e1a655d940581efd8d802092161","revlink":"","when":1783630911,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 23:23:57","branch":"master","category":"wget","codebase":"","comments":"* src/iri.c (do_conversion): Drop unused variable","files":[{"name":"src/iri.c"}],"number":274434,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"c76a8c588ad9102763f0e516d325402a5ab8e771","revision":"c76a8c588ad9102763f0e516d325402a5ab8e771","revlink":"","when":1783632237,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 23:26:06","branch":"master","category":"wget","codebase":"","comments":"* src/retr.c (fd_read_body): Avoid -Wzero-as-null-pointer-constant","files":[{"name":"src/retr.c"}],"number":274435,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"b081023a479579b1e34ef3878ab3fce652003f8f","revision":"b081023a479579b1e34ef3878ab3fce652003f8f","revlink":"","when":1783632366,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 23:30:26","branch":"master","category":"wget","codebase":"","comments":"* tests/unit-tests.c: Avoid -Wzero-as-null-pointer-constant","files":[{"name":"tests/unit-tests.c"}],"number":274436,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"9d5cf9131242db406f3af6a1dbfadc69d995b19d","revision":"9d5cf9131242db406f3af6a1dbfadc69d995b19d","revlink":"","when":1783632626,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Thu 09 Jul 2026 23:31:45","branch":"master","category":"wget","codebase":"","comments":"* tests/unit-tests.c: Remove redundant redeclarations","files":[{"name":"tests/unit-tests.c"}],"number":274437,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"d00b2f2761507ba4f0471c84b2c6932bb0853f71","revision":"d00b2f2761507ba4f0471c84b2c6932bb0853f71","revlink":"","when":1783632705,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"d00b2f2761507ba4f0471c84b2c6932bb0853f71"},"submittedAt":1783627519},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Sat 11 Jul 2026 17:51:43","branch":"master","category":"wget","codebase":"","comments":"http: scope cached Basic credentials to the origin\n* src/http.c: New function basic_auth_key(),\n  (maybe_send_basic_creds): Make use of basic_auth_key(),\n  (register_basic_auth_host): Likewise,\n  (register_basic_auth_host): Change param hostname to struct url,\n  (initialize_request): Amend calls to maybe_send_basic_creds() and\n  register_basic_auth_host().\n\nWget records completed Basic challenges in basic_authed_hosts using only the\nhostname. A subsequent request to the same hostname on another port\nautomatically sends Basic credentials, even though the redirect logic\ncorrectly treats a port change as a different origin.\n\nAn operator of a separately controlled service on an alternate port can obtain\ncredentials intended for the first origin when an authenticated flow follows a\nURL to that port.\n\nThis patch keys the Basic challenge cache by scheme, host, and port, ensuring\ncredentials are not reused across origin boundaries.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/http.c"}],"number":274528,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"bf87865276d3db0b917424dc47f797b7caf8aa36","revision":"bf87865276d3db0b917424dc47f797b7caf8aa36","revlink":"","when":1783785103,"who":"Acts1631 <acts1611kjv@proton.me>"},{"at":"Sat 11 Jul 2026 17:53:01","branch":"master","category":"wget","codebase":"","comments":"http: keep NTLM authorization on its original host\n* src/http.c (persistent_available_p): Check for different hosts on same\n  authorized connection.\n\nFor cleartext HTTP, Wget's persistent-connection optimization reuses a socket\nfor a different hostname when that name resolves to the existing peer address.\nAfter NTLM authentication succeeds, Wget marks the socket authorized because\nNTLM is connection-bound. A request for the alternate virtual host can\ntherefore run on the victim host's authenticated connection.\n\nThis patch refuses a different-hostname reuse when the persistent connection\nis NTLM-authorized, forcing a new TCP connection.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/http.c"}],"number":274529,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"d82590289cfa1bc1b772ec5963d869c784189211","revision":"d82590289cfa1bc1b772ec5963d869c784189211","revlink":"","when":1783785181,"who":"Acts1631 <acts1611kjv@proton.me>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"d82590289cfa1bc1b772ec5963d869c784189211"},"submittedAt":1783780464},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Sun 12 Jul 2026 11:00:01","branch":"master","category":"wget","codebase":"","comments":"* .gitlab-ci.yml (Tarball-Build): Remove second artifacts section","files":[{"name":".gitlab-ci.yml"}],"number":274567,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"77b5ad4d25cd33fb24430275c1a8eab7d3c26706","revision":"77b5ad4d25cd33fb24430275c1a8eab7d3c26706","revlink":"","when":1783846801,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"77b5ad4d25cd33fb24430275c1a8eab7d3c26706"},"submittedAt":1783841015},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Sun 12 Jul 2026 11:03:50","branch":"master","category":"wget","codebase":"","comments":"http: reject symlink replacement before retry writes\n* src/http.c (open_output_stream): Safely reopen download targets\n  after a partial transfer.\n* src/ftp.c (getftp): Likewise.\n* src/utils.c (fopen_nofollow): New function.\n* src/utils.h: Declare it.\n\nAfter a partial HTTP or FTP transfer, Wget reopens the local target by\npathname. An attacker who can modify the download directory can replace the\npartially written file with a symlink before that reopen, causing Wget to\nappend to or overwrite the symlink target with its own privileges.\n\nUse an inode-checked reopen helper for existing regular files. It uses\nO_NOFOLLOW where available and validates the opened descriptor before writing\nor truncating it. A replacement symlink is rejected, and later pathname\nchanges cannot redirect the already-open descriptor.\n\nWhen --start-pos requests a non-existent target, create it exclusively so the\nnormal download path continues to work.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/ftp.c"},{"name":"src/http.c"},{"name":"src/utils.c"},{"name":"src/utils.h"}],"number":274574,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"5a31b8481cf9144acdec71159ade7bba1fa97ee7","revision":"5a31b8481cf9144acdec71159ade7bba1fa97ee7","revlink":"","when":1783847030,"who":"Acts1631 <acts1611kjv@proton.me>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"5a31b8481cf9144acdec71159ade7bba1fa97ee7"},"submittedAt":1783843435},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Mon 13 Jul 2026 02:15:39","branch":"master","category":"wget","codebase":"","comments":"hsts: normalize trailing-dot hostnames\n* src/hsts.c (hsts_canonical_host): New function.\n  (hsts_find_entry, hsts_new_entry_internal, hsts_store_entry): Use\n  canonical HSTS host keys.\n  (test_hsts_url_rewrite_superdomain,\n  test_hsts_url_rewrite_congruent): Test trailing-dot hostnames.\n\nTreat terminal DNS root labels as aliases when applying HSTS policies.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/hsts.c"}],"number":274792,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"a579e8617882a85e5920835c32ca7645c9181a61","revision":"a579e8617882a85e5920835c32ca7645c9181a61","revlink":"","when":1783901739,"who":"Acts1631 <acts1611kjv@proton.me>"},{"at":"Mon 13 Jul 2026 02:15:39","branch":"master","category":"wget","codebase":"","comments":"hsts: apply port-zero policies to alternate ports\n* src/hsts.c (hsts_match): Fall back to a port-zero HSTS policy\n  after a port-specific lookup fails.\n  (test_hsts_url_rewrite_superdomain,\n  test_hsts_url_rewrite_congruent): Test alternate-port rewrites.\n\nApply host-wide HSTS policies to HTTP URLs on non-default ports.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/hsts.c"}],"number":274796,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"66757f66e6ebc25d3e9ea4b79b97c7ac324b0b32","revision":"66757f66e6ebc25d3e9ea4b79b97c7ac324b0b32","revlink":"","when":1783901739,"who":"Acts1631 <acts1611kjv@proton.me>"},{"at":"Mon 13 Jul 2026 21:22:41","branch":"master","category":"wget","codebase":"","comments":"http: filter Proxy-Authorization on cross-host redirects\n* src/http.c (unredirectable_headerline): Filter Proxy-Authorization headers.\n\nA user-provided Proxy-Authorization header is forwarded after a redirect to a\ndifferent hostname or port.  A redirect destination can then obtain a value\nthat was intended for the original site.\n\nDrop this header along with Authorization and Cookie on such redirects.\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/http.c"}],"number":274799,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"402095ad274b0e052ee1932f12844d4dc1a056be","revision":"402095ad274b0e052ee1932f12844d4dc1a056be","revlink":"","when":1783970561,"who":"Acts1631 <acts1611kjv@proton.me>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"402095ad274b0e052ee1932f12844d4dc1a056be"},"submittedAt":1783993515},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Tue 14 Jul 2026 21:43:32","branch":"master","category":"wget","codebase":"","comments":"Moving async signal unsafe functions out of signal handler\nThere is a very rare race condition in function redirect_output_signal().\nIf SIGHUP is received while wget is in malloc() function and a new\nlogfile is opened with fopen, another malloc() is called. malloc() is\nnot an async signal safe function and should not be called from within a\nsignal handler.\n\n* src/main.c (redirect_output_signal): do not call redirect_output(),\nadd an atomic flag.\n* src/log.c (check_redirect_output): move redirect_output() here since this\nis not in a signal handler\n\nCopyright-paperwork-exempt: Yes","files":[{"name":"src/log.c"},{"name":"src/main.c"}],"number":274908,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"e1f2559efad5e2733ded804f9f1ba8acd8c4de61","revision":"e1f2559efad5e2733ded804f9f1ba8acd8c4de61","revlink":"","when":1784058212,"who":"Michal Ruprich <michalruprich@gmail.com>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"e1f2559efad5e2733ded804f9f1ba8acd8c4de61"},"submittedAt":1784055831},{"builderName":"wget-solaris10-i386","builds":[],"properties":[["scheduler","schedule-wget-solaris10-i386","Scheduler"]],"source":{"branch":"master","changes":[{"at":"Tue 14 Jul 2026 23:12:55","branch":"master","category":"wget","codebase":"","comments":"* src/http-ntlm.c: Compile with Nettle 4+","files":[{"name":"src/http-ntlm.c"}],"number":274916,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"fd4487b629edea789fc22baac8a6b641e942bb49","revision":"fd4487b629edea789fc22baac8a6b641e942bb49","revlink":"","when":1784063575,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"},{"at":"Tue 14 Jul 2026 23:15:57","branch":"master","category":"wget","codebase":"","comments":"* .gitlab-ci.yml (ArchLinux): Enable NTLM","files":[{"name":".gitlab-ci.yml"}],"number":274918,"project":"wget","properties":[],"repository":"https://gitlab.com/gnuwget/wget.git","rev":"896fcbfcd577c29956a059b9e6ea7c01a109eefc","revision":"896fcbfcd577c29956a059b9e6ea7c01a109eefc","revlink":"","when":1784063757,"who":"Tim R\u00fchsen <tim.ruehsen@gmx.de>"}],"codebase":"","hasPatch":false,"project":"wget","repository":"https://gitlab.com/gnuwget/wget.git","revision":"896fcbfcd577c29956a059b9e6ea7c01a109eefc"},"submittedAt":1784058237}]