Age | Commit message | Author
2009-08-14 | I think it's worth clarifying that curl DOES NOT validate a given URL more than what's absolutely necessary: curl will do its best to use what you pass to it as a URL. It is not trying to validate it as a syntactically correct URL by any means but is instead VERY liberal with what it accepts. | Daniel Stenberg
2009-08-13 | - Changed NSS code to not ignore the value of ssl.verifyhost and produce more verbose error messages. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056 | Kamil Dudka
2009-08-13 | mention yesterday's changes | Daniel Stenberg
2009-08-12 | add missing file, as pointed out by Karl M | Daniel Stenberg
2009-08-12 | start over fresh again towards 7.19.7 | Daniel Stenberg
2009-08-12 | imported names from the 7.19.6 RELEASE-NOTES | Daniel Stenberg
2009-08-12 | Added a range of new fun date strings to try. This set of dates comes from a mail posted to the http-state mailing list, from Adam Barth, and is said to be the set of date formats the Chrome browser code is tested against: http://www.ietf.org/mail-archive/web/http-state/current/msg00129.html libcurl parses most of them identically, but not all of them. | Daniel Stenberg
2009-08-12 | 7.19.6 | Daniel Stenberg
2009-08-12 | - Carsten Lange reported a bug and provided a patch for TFTP upload and the sending of the TSIZE option. I don't like fixing bugs just hours before a release, but since it was broken and the patch fixes this for him I decided to get it in anyway. | Daniel Stenberg
2009-08-12 | use --insecure to allow non-matching known hosts for SSH-based protocols | Daniel Stenberg
2009-08-12 | pasted here (and renumbered) from the TODO-RELEASE since they are in fact bugs we know about that will appear in the next release (too) | Daniel Stenberg
2009-08-11 | - Peter Sylvester made the HTTPS test server use specific certificates for each test, so that the test suite can now be used to actually test the verification of cert names etc. This made an error show up in the OpenSSL-specific code where it would attempt to match the CN field even if a subjectAltName exists that doesn't match. This is now fixed and verified in test 311. | Daniel Stenberg
2009-08-11 | credit | Daniel Stenberg
2009-08-11 | - Benbuck Nason posted the bug report #2835196 (http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler warnings when mixing ints and bools. | Daniel Stenberg
2009-08-11 | Include the Android make file in the source package even though the config.h issue hasn't been completely solved. This will save some effort for someone desperate to use curl on Android. | Dan Fandrich
2009-08-11 | Fix definition of CURLOPT_SOCKS5_GSSAPI_SERVICE from LONG to OBJECTPOINT. Fix OS400 makefile for tests to use the new Makefile.inc in libtest. Update the OS400 wrappers and RPG binding according to the current CVS source state. | Patrick Monnerat
2009-08-11 | Added links to more details on most issues. Moved all these issues to 7.19.7 now since we won't manage to get them done for 7.19.6. | Daniel Stenberg
2009-08-11 | Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow. | Dan Fandrich
2009-08-09 | Fixed some memory leaks in the command-line tool that caused most of the torture tests to fail. | Dan Fandrich
2009-08-07 | fix cast for some systems which are broken due to absence of socklen_t, therefore now use curl_socklen_t. | Gunter Knauf
2009-08-06 | added a cast to silence compiler warning with 64bit systems. | Gunter Knauf
2009-08-06 | fixed cast added with last commit. | Gunter Knauf
2009-08-06 | cast to fix 64bit build warnings. From manpage: POSIX.1-2001. Note that RFC 2553 defines a prototype where the last parameter cnt is of type size_t. Many systems follow RFC 2553. Glibc 2.0 and 2.1 have size_t, but 2.2 has socklen_t. | Gunter Knauf
2009-08-04 | RFC1867 was updated by RFC2388 | Daniel Stenberg
2009-08-03 | avoid possible NULL dereference caused by my previous fix | Daniel Stenberg
2009-08-03 | Remove call to LoadLibrary(). (leftover from debugging). | Gisle Vanem
2009-08-03 | Fix bad sentence. | Gisle Vanem
2009-08-03 | - Timo Teras changed the reason code used in the resolve callback done when ares_cancel() is used, to be ARES_ECANCELLED instead of ARES_ETIMEOUT to better allow the callback to know what's happening. | Daniel Stenberg
2009-08-03 | 256 - "More questions about ares behavior" yet another issue not yet sorted out | Daniel Stenberg
2009-08-03 | indentation fixes only | Daniel Stenberg
2009-08-03 | - Joshua Kwan fixed the init routine to fill in the defaults for stuff that fails to get inited by other means. This fixes a case of when the c-ares init fails when internet access is gone. | Daniel Stenberg
2009-08-03 | respect error code from ftruncate(), mentioned by Peter Sylvester | Daniel Stenberg
2009-08-03 | Reverted the zero-byte-in-name check to instead rely on the fact that strlen and the name length differ in those cases and thus leave the matching function unmodified from before, as the matching functions never have to bother with the zero bytes in legitimate cases. Peter Sylvester helped me realize that this fix is slightly better as it leaves more code unmodified and makes the detection a bit more obvious in the code. | Daniel Stenberg
2009-08-02 | clarified configure detection of GnuTLS | Daniel Stenberg
2009-08-02 | Extended my embedded-zero-in-cert-name fix based on a comment from Scott Cantor. My previous attempt was half-baked and didn't cover the normal CN case. | Daniel Stenberg
2009-08-02 | mention two crashing bugs we'd like fixed | Daniel Stenberg
2009-08-01 | clarify the description of the null byte in cert name fix | Daniel Stenberg
2009-08-01 | - Curt Bogmine reported a problem with SNI enabled on a particular server. We should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it? | Daniel Stenberg
2009-08-01 | - Scott Cantor posted the bug report #2829955 (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert verification flaw found and exploited by Moxie Marlinspike. The presentation he did at Black Hat is available here: https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike Apparently at least one CA allowed a subjectAltName or CN that contains a zero byte, and thus clients that assumed they would never have zero bytes were exploited to OK a certificate that didn't actually match the site. Like if the name in the cert was "example.com\0theatualsite.com", libcurl would happily verify that cert for example.com. libcurl now better uses the length of the extracted name, not assuming it is zero terminated. | Daniel Stenberg
2009-08-01 | - Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present only in some OpenSSL installs - like on Windows) isn't thread-safe and we agreed that moving it to the global_init() function is a decent way to deal with this situation. | Daniel Stenberg
2009-08-01 | - Alexander Beedie provided the patch for a noproxy problem: If I have set CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually could still end up using a proxy if a proxy environment variable was set. | Daniel Stenberg
2009-08-01 | updated with recent issues | Daniel Stenberg
2009-07-31 | 67. When creating multipart formposts. The file name part can be encoded with something beyond ascii but currently libcurl will only pass in the verbatim string the app provides. There are several browsers that already do this encoding. The key seems to be the updated draft to RFC2231: http://tools.ietf.org/html/draft-reschke-rfc2231-in-http-02 | Daniel Stenberg
2009-07-31 | Copy the libcurl header files into the right location for Android. | Dan Fandrich
2009-07-28 | use --insecure for the SFTP and SCP tests | Daniel Stenberg
2009-07-27 | moved the changes that aren't strictly bugfixes until after 7.19.6 since I can't seem to catch up. 243 - ftp QUOTE commands that are allowed to fail but not close the connection is done | Daniel Stenberg
2009-07-27 | - All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and CURLOPT_PREQUOTE) now accept a preceding asterisk before the command to send when using FTP, as a sign that libcurl shall simply ignore the response from the server instead of treating it as an error. Not treating a 400+ FTP response code as an error means that failed commands will not abort the chain of commands, nor will they cause the connection to get disconnected. | Daniel Stenberg
2009-07-27 | From: Johan van Selst "you replaced the old SSLeay_add_ssl_algorithms() call with OpenSSL_add_all_algorithms(), however unlike the name suggests, the second function is not a superset of the first. When using SSL both these functions will need to be called in order to offer complete functionality" | Daniel Stenberg
2009-07-26 | - Bug report #2825989 (http://curl.haxx.se/bug/view.cgi?id=2825989) pointed out that OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and provided the solution too: to use OpenSSL_add_all_algorithms() instead of the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in OpenSSL 0.9.5 | Daniel Stenberg
2009-07-25 | properly free data returned by aprintf(), and bring back the code to be independent of libssh2 version as the client code isn't really meant to adapt to such build-time constraints. | Daniel Stenberg