Age | Commit message | Author
2013-12-16 | gtls: respect *VERIFYHOST independently of *VERIFYPEER | Daniel Stenberg
Security flaw CVE-2013-6422
This is conceptually the same problem and fix that 3c3622b6 brought to the OpenSSL backend and that resulted in CVE-2013-4545.
This version of the problem was independently introduced to the GnuTLS backend with commit 59cf93cc, present in the code since the libcurl 7.21.4 release.
Advisory: http://curl.haxx.se/docs/adv_20131217.html
Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html
Reported-by: Marc Deslauriers
2013-12-15 | curl.1 document -J doesn't %-decode | Daniel Stenberg
...also added as KNOWN_BUG #87 with reference to bug #1294
2013-12-15 | multi: add timer inaccuracy margin to timeout/connecttimeout | Daniel Stenberg
Since all systems have inaccuracy in the timeout handling it is imperative that we add an inaccuracy margin to the general timeout and connecttimeout handling with the multi interface. This way, when the timeout fires we should be fairly sure that it has passed the timeout value and will be suitably detected.
For cases where the timeout fires before the actual timeout, we would otherwise consume the timeout action and still not run the timeout code since the condition wasn't met.
Reported-by: He Qin
Bug: http://curl.haxx.se/bug/view.cgi?id=1298
2013-12-14 | RELEASE-NOTES: synced with dd4d9ea542 | Daniel Stenberg
2013-12-14 | curl_easy_setopt: clarify some USERPWD and PROXYUSERPWD details | Daniel Stenberg
2013-12-14 | login options: remove the ;[options] support from CURLOPT_USERPWD | Daniel Stenberg
To avoid the regression when users pass in passwords containing semi-colons, we now drop the ability to set the login options with the same options. Support for login options in CURLOPT_USERPWD was added in 7.31.0.
Test case 83 was modified to verify that colons and semi-colons can be used as part of the password when using -u (CURLOPT_USERPWD).
Bug: http://curl.haxx.se/bug/view.cgi?id=1311
Reported-by: Petr Bahula
Assisted-by: Steve Holme
Signed-off-by: Daniel Stenberg <daniel@haxx.se>
2013-12-14 | imap: Fixed exclude of clear text when using auth=* in commit 75cd7fd66762bb | Steve Holme
It is not 100% clear whether * should include clear text LOGIN or not from RFC-5092, however, including it is then consistent with current POP3 behaviour where clear text, APOP or SASL may be chosen.
2013-12-13 | imap: Fixed incorrect fallback to clear text authentication | Steve Holme
If a specific SASL authentication mechanism was requested by the user as part of the login options but wasn't supported by the server then curl would fall back to clear text, when it shouldn't, rather than reporting "No known authentication mechanisms supported" as the POP3 and SMTP protocols do.
2013-12-11 | parsedate: avoid integer overflow | Eric Lubin
In C, signed integer overflow is undefined behavior. Thus, the compiler is allowed to assume that it will not occur. In the check for an overflow, the developer assumes that the signed integer of type time_t will wrap around if it overflows. However, this behavior is undefined in the C standard. Thus, when the compiler sees this, it simplifies t + delta < t to delta < 0. Since delta > 0 and delta < 0 can't both be true, the entire if statement is optimized out under certain optimization levels. Thus, the parsedate function would return PARSEDATE_OK with an undefined value in the time, instead of returning -1 = PARSEDATE_FAIL.
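The overflow check described in the parsedate commit above, shown as an added example that is not code from the curl repository. The function names, the `long` delta type and the `TIME_T_MAX`/`TIME_T_MIN` macros are assumptions, and time_t is assumed to be a signed integer type; the example also goes beyond the commit message by covering negative deltas.

```c
#include <limits.h>
#include <stdio.h>
#include <time.h>

#define PARSEDATE_OK    0
#define PARSEDATE_FAIL -1

/* Assumption: time_t is a signed integer type without padding bits. */
#define TIME_T_MAX \
  ((time_t)((1ULL << (sizeof(time_t) * CHAR_BIT - 1)) - 1))
#define TIME_T_MIN (-TIME_T_MAX - 1)

/* BEFORE (hypothetical name): relies on t + delta wrapping around. Signed
   overflow is undefined, so an optimizer may reduce "t + delta < t" to
   "delta < 0" and delete the whole branch. Shown for comparison only. */
int add_delta_wraparound(time_t t, long delta, time_t *out)
{
  if(delta > 0 && t + delta < t)
    return PARSEDATE_FAIL;
  *out = t + delta;
  return PARSEDATE_OK;
}

/* AFTER (hypothetical name): compares against the limits before adding, so
   no expression in the check can overflow and nothing can be optimized out. */
int add_delta_checked(time_t t, long delta, time_t *out)
{
  if(delta > 0 && t > TIME_T_MAX - delta)
    return PARSEDATE_FAIL;
  if(delta < 0 && t < TIME_T_MIN - delta)
    return PARSEDATE_FAIL;
  *out = t + delta;
  return PARSEDATE_OK;
}

int main(void)
{
  time_t out = 0;
  int rc = add_delta_checked(TIME_T_MAX - 10, 3600, &out);
  printf("near-max + 3600 -> %d\n", rc);
  rc = add_delta_checked(1000, 3600, &out);
  printf("1000 + 3600 -> %d (%lld)\n", rc, (long long)out);
  return 0;
}
```

Building the "before" function at different optimization levels and inspecting the generated code is a quick way to confirm whether a given compiler removes the check.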
2013-12-09 | parseconfig: warn if unquoted white spaces are detected | Daniel Stenberg
Commit 0db811b6 made some existing config files pass on unexpected values to libcurl that made it somewhat hard to track down what was really going on. This code detects unquoted white spaces in the parameter when parsing a config file as that would be one symptom and it is generally a bad syntax anyway.
2013-12-09 | RELEASE-NOTES: recount contributors and libcurl options | Daniel Stenberg
2013-12-07 | RELEASE-NOTES: synced with c4f46e97ca6c | Daniel Stenberg
2013-12-07 | TFTP: let tftp_multi_statemach()'s return codes through | James Dury
It would otherwise always clobber the return code with new function calls and it couldn't return timeout etc.
Bug: http://curl.haxx.se/bug/view.cgi?id=1310
2013-12-07 | darwinssl: Fix #if 10.6.0 for SecKeychainSearch | Melissa Mears
The comment here says that SecKeychainSearch causes a deprecation warning when used with a minimum Mac OS X SDK version of 10.7.0, which is correct. However, the #if guard did not match. It was intended to only use the code if 10.6.0 support was enabled, but it had 10.7.0 instead. This caused a warning if the minimum was exactly 10.7.0.
2013-12-06 | curl.h: <sys/select.h> for OpenBSD | Christian Weisgerber
curl.h should also include <sys/select.h> on OpenBSD to reliably pull in select(). Typically, including <sys/time.h> will be enough, but not if strict standards-compliance is requested (e.g. by defining _XOPEN_SOURCE).
2013-12-04 | digest: fix CURLAUTH_DIGEST_IE | Daniel Stenberg
The URI that is passed in as part of the Authorization: header needs to be cut off at '?' if CURLAUTH_DIGEST_IE is set. Previously the code only did so when calculating the MD5sum.
Bug: http://curl.haxx.se/bug/view.cgi?id=1308
Patched-by: Sergey Tatarincev
2013-12-04 | Curl_is_connected: use proxy name in error message when proxy is used | Daniel Stenberg
(bug introduced in 255826c4, never present in a release)
Reported-by: Dima Tisnek
Bug: http://curl.haxx.se/mail/lib-2013-12/0006.html
2013-12-04 | imap/pop3: Post graceful cancellation consistency changes | Steve Holme
2013-12-04 | pop3: Fix POP3_TYPE_ANY signed compilation warning | Melissa Mears
POP3_TYPE_ANY, or ~0, is written to pop3c->preftype in lib/pop3c.c, an unsigned int variable. The result of ~0 is -1, which caused a warning due to writing a negative number to an unsigned variable. To fix this, make the expression ~0U so that its value is considered the unsigned number UINT_MAX which is what SASL_AUTH_ANY does in curl_sasl.h.
2013-12-02 | tool_metalink: do not use HAVE_NSS_INITCONTEXT | Kamil Dudka
... no longer provided by the configure script
2013-12-02 | nss: make sure that 'sslver' is always initialized | Kamil Dudka
2013-12-02 | nss: unconditionally require NSS_InitContext() | Kamil Dudka
... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway
2013-12-02 | nss: allow to use TLS > 1.0 if built against recent NSS | Kamil Dudka
Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html
2013-12-02 | nss: put SSL version selection into separate fnc | Kamil Dudka
2013-12-02 | nss: use a better API for controlling SSL version | Kamil Dudka
This change introduces a dependency on NSS 3.14+.
2013-12-02 | OS400: sync wrappers and RPG binding. | Patrick Monnerat
2013-12-01 | multi.c: Fixed compilation warning | Steve Holme
warning: declaration of 'pipe' shadows a global declaration
2013-12-01 | RELEASE-NOTES: Synced with ad3836448efbb7 | Steve Holme
2013-12-01 | base64: Corrected typo from commit f3ee587775c88a | Steve Holme
2013-12-01 | base64: Post extended validation tidy up | Steve Holme
Reduced the separate processing of the last quantum to be performed in the main decoding loop and renamed some variables for consistency.
2013-12-01 | base64: Extended validation to look for invalid characters | Steve Holme
Extended the basic validation in commit e17c1b25bc33eb to return a failure when invalid base64 characters are included.
2013-11-30 | base64: Post basic validation tidy up | Steve Holme
Due to the length checks introduced in commit e17c1b25bc33eb there is no need to allow for extra space in the output buffer for a non-padded last quantum.
2013-11-30 | curl_easy_getinfo: Post CURLINFO_TLS_SESSION tidy up | Steve Holme
1) Renamed curl_tlsinfo to curl_tlssessioninfo as discussed on the mailing list.
2) Renamed curl_ssl_backend to curl_sslbackend so it doesn't follow our function naming convention.
3) Updated sessioninfo.c example accordingly.
2013-11-29 | parseconfig: dash options can't be specified with colon or equals | Daniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1297
Reported-by: Michael Osipov
2013-11-29 | curl.1: -G also takes --data-urlencode data | Daniel Stenberg
2013-11-28 | globbing: curl glob counter mismatch with {} list use | Daniel Stenberg
The "fixed string" function wrongly bumped the "urlnum" counter which made curl output the total number of URLs wrong when using {one,two,three} lists in globs.
Reported-by: Michael-O
Bug: http://curl.haxx.se/bug/view.cgi?id=1305
2013-11-28 | sessioninfo.c: Added sample code for CURLINFO_TLS_SESSION | Christian Grothoff
Added a simple example to show how one can use CURLINFO_TLS_SESSION for obtaining extensive TLS certificate information.
2013-11-27 | multi.c: Fixed compilation error introduced in commit a900d45489fc14 | Steve Holme
Systems that define SIGPIPE_VARIABLE as a noop would not compile as restore_pipe was defined afterwards.
2013-11-27 | curl_easy_getopt: Handle API violation gracefully | Christian Grothoff
This fixes a NULL dereference in the case where the client asks for CURLINFO_TLS_SESSION data after the (TLS) session has already been destroyed (i.e. curl_easy_perform has already completed for this handle). Instead of crashing, we now return a CURLSSLBACKEND_NONE error.
2013-11-27 | KNOWN_BUGS: #86: Disconnect commands may not be sent by IMAP, POP3 and SMTP | Steve Holme
2013-11-27 | curl_multi_cleanup: ignore SIGPIPE | Jeff King
This is an extension to the fix in 7d80ed64e43515. We may call Curl_disconnect() while cleaning up the multi handle, which could lead to openssl sending packets, which could get a SIGPIPE.
Signed-off-by: Jeff King <peff@peff.net>
2013-11-27 | sigpipe: factor out sigpipe_reset from easy.c | Jeff King
Commit 7d80ed64e43515 introduced some helpers to handle sigpipe in easy.c. However, that fix was incomplete, and we need to add more callers in other files. The first step is making the helpers globally accessible. Since the functions are small and should generally end up inlined anyway, we simply define them in the header as static functions.
Signed-off-by: Jeff King <peff@peff.net>
2013-11-27 | connect: Try next ip directly after immediate connect fail | Björn Stenberg
This fixes a rare Happy Eyeballs bug where if the first IP family runs out of addresses before the second-family-timer fires, and the second IP family's first connect fails immediately, no further IPs of the second family are attempted.
2013-11-25 | hostip: don't prune DNS cache entries that are in use | Daniel Stenberg
When adding entries to the DNS cache with CURLOPT_RESOLVE, they are marked 'inuse' forever to prevent them from ever being removed in normal operations. Still, the code that pruned out-of-date DNS entries didn't care for the 'inuse' struct field and pruned it anyway!
Reported-by: Romulo A. Ceccon
Bug: http://curl.haxx.se/bug/view.cgi?id=1303
2013-11-24 | RELEASE-NOTES: Synced with 35e476a3f6cdd5 | Steve Holme
2013-11-24 | tests: Re-ordered test arguments to match other IMAP tests | Steve Holme
2013-11-24 | tests: Corrected login "username" authentication responses | Steve Holme
2013-11-24 | tests: Added error code explanation comments | Steve Holme
2013-11-24 | tests: Removed expected QUIT response from graceful cancellation tests | Steve Holme
A failure during authentication, which is performed as part of the CONNECT phrase (for IMAP, POP3 and SMTP) is considered by the multi-interface as being closed prematurely (aka a dead connection). As such these protocols cannot issue the relevant QUIT or LOGOUT command.
Temporarily fixed the test cases until we can fix this properly.
2013-11-24 | tests: Added SMTP graceful authentication cancellation tests | Steve Holme