aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2009-08-24- Marc de Bruin pointed out that configure --with-gnutls=PATH didn't workDaniel Stenberg
properly and provided a fix. http://curl.haxx.se/bug/view.cgi?id=2843008
2009-08-24- Eric Wong introduced support for the new option -T. (dot) that makes curlDaniel Stenberg
read stdin in a non-blocking fashion. This also brings back -T- (minus) to the previous blocking behavior since it could break stuff for people at times.
2009-08-24clarify the code by initing newurl to NULLDaniel Stenberg
2009-08-21With CURLOPT_PROXY_TRANSFER_MODE, avoid sending invalid URLs likeMichal Marek
ftp://example.com;type=i if the user specified ftp://example.com without the slash.
2009-08-21- Andre Guibert de Bruet pointed out a missing return code check for aDaniel Stenberg
strdup() that could lead to segfault if it returned NULL. I extended his suggest patch to now have Curl_retry_request() return a regular return code and better check that.
2009-08-21- Lots of good work by Krister Johansen, mostly related to pipelining:Daniel Stenberg
Fix SIGSEGV on free'd easy_conn when pipe unexpectedly breaks Fix data corruption issue with re-connected transfers Fix use after free if we're completed but easy_conn not NULL
2009-08-195.3 Sort outgoing cookiesDaniel Stenberg
5.4 Rearrange request header order Things to play with when you're bored
2009-08-18the mozilla browser is called Firefox...Daniel Stenberg
2009-08-18Pull the certificate files from the source directory. Ensure that theDan Fandrich
certificate tests only run on a localhost-hosted test server since the host name is explicitly checked.
2009-08-16added missing curl_easy_pause to export list.Gunter Knauf
2009-08-14I think it's worth clarifying that curl DOES NOT validate a given URL moreDaniel Stenberg
than what's absolutely necessary: curl will do its best to use what you pass to it as a URL. It is not trying to validate it as a syntactically correct URL by any means but is instead VERY liberal with what it accepts.
2009-08-13- Changed NSS code to not ignore the value of ssl.verifyhost and produce moreKamil Dudka
verbose error messages. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056
2009-08-13mention yesterday's changesDaniel Stenberg
2009-08-12add missing file, as pointed out by Karl MDaniel Stenberg
2009-08-12start over fresh again towards 7.19.7Daniel Stenberg
2009-08-12imported names from the 7.19.6 RELEASE-NOTESDaniel Stenberg
2009-08-12Added a range of new fun date strings to try. This set of dates come from aDaniel Stenberg
mail posted to the http-state mailing list, from Adam Barth, and is said to be the set of date formats the Chrome browser code is tested against: http://www.ietf.org/mail-archive/web/http-state/current/msg00129.html libcurl parses most of them identically, but not all of them.
2009-08-127.19.6Daniel Stenberg
2009-08-12- Carsten Lange reported a bug and provided a patch for TFTP upload and theDaniel Stenberg
sending of the TSIZE option. I don't like fixing bugs just hours before a release, but since it was broken and the patch fixes this for him I decided to get it in anyway.
2009-08-12use --insecure to allow non-matching known hosts for SSH-based protocolsDaniel Stenberg
2009-08-12pasted here (and renumbered) from the TODO-RELEASE since they are in factDaniel Stenberg
bugs we know about that will appear in the next release (too)
2009-08-11- Peter Sylvester made the HTTPS test server use specific certificates forDaniel Stenberg
each test, so that the test suite can now be used to actually test the verification of cert names etc. This made an error show up in the OpenSSL- specific code where it would attempt to match the CN field even if a subjectAltName exists that doesn't match. This is now fixed and verified in test 311.
2009-08-11creditDaniel Stenberg
2009-08-11- Benbuck Nason posted the bug report #2835196Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2835196), fixing a few compiler warnings when mixing ints and bools.
2009-08-11Include the Android make file in the source package even though theDan Fandrich
config.h issue hasn't been completely solved. This will save some effort for someone desperate to use curl on Android.
2009-08-11Fix definition of CURLOPT_SOCKS5_GSSAPI_SERVICE from LONG to OBJECTPOINTPatrick Monnerat
Fix OS400 makefile for tests to use the new Makefile.inc in libtest Update the OS400 wrappers and RPG binding according to the current CVS source state
2009-08-11Added links to more details on most issues. Moved all these issues to 7.19.7Daniel Stenberg
now since we won't manage to get them done for 7.19.6.
2009-08-11Fixed a memory leak in the FTP code and an off-by-one heap buffer overflow.Dan Fandrich
2009-08-09Fixed some memory leaks in the command-line tool that caused most of theDan Fandrich
torture tests to fail.
2009-08-07fix cast for some systems which are broken due to absense of socklen_t, ↵Gunter Knauf
therefore now use curl_socklen_t.
2009-08-06added a cast to silent compiler warning with 64bit systems.Gunter Knauf
2009-08-06fixed cast added with last commit.Gunter Knauf
2009-08-06cast to fix 64bit build warnings. From manpage:Gunter Knauf
POSIX.1-2001. Note that RFC 2553 defines a prototype where the last parameter cnt is of type size_t. Many systems follow RFC 2553. Glibc 2.0 and 2.1 have size_t, but 2.2 has socklen_t.
2009-08-04RFC1867 was updated by RFC2388Daniel Stenberg
2009-08-03avoid possible NULL dereference caused by my previous fixDaniel Stenberg
2009-08-03Remove call to LoadLibrary(). (leftover from debugging).Gisle Vanem
2009-08-03Fix bad sentence.Gisle Vanem
2009-08-03- Timo Teras changed the reason code used in the resolve callback done whenDaniel Stenberg
ares_cancel() is used, to be ARES_ECANCELLED instead of ARES_ETIMEOUT to better allow the callback to know what's happening.
2009-08-03256 - "More questions about ares behavior"Daniel Stenberg
yet another issue not yet sorted out
2009-08-03indentation fixes onlyDaniel Stenberg
2009-08-03- Joshua Kwan fixed the init routine to fill in the defaults for stuff thatDaniel Stenberg
fails to get inited by other means. This fixes a case of when the c-ares init fails when internet access is fone.
2009-08-03respect error code from ftruncate(), mentioned by Peter SylvesterDaniel Stenberg
2009-08-03Reverted the zero-byte-in-name check to instead rely on the fact that strlenDaniel Stenberg
and the name length differ in those cases and thus leave the matching function unmodified from before, as the matching functions never have to bother with the zero bytes in legitimate cases. Peter Sylvester helped me realize that this fix is slightly better as it leaves more code unmodified and makes the detection a bit more obvious in the code.
2009-08-02clarified configure detection of GnuTLSDaniel Stenberg
2009-08-02Extended my embedded-zero-in-cert-name fix based on a comment from ScottDaniel Stenberg
Cantor. My previous attempt was half-baked and didn't cover the normal CN case.
2009-08-02mention two crashing bugs we'd like fixedDaniel Stenberg
2009-08-01clarify the description of the null byte in cert name fixDaniel Stenberg
2009-08-01- Curt Bogmine reported a problem with SNI enabled on a particular server. WeDaniel Stenberg
should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
2009-08-01- Scott Cantor posted the bug report #2829955Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert verification flaw found and exploited by Moxie Marlinspike. The presentation he did at Black Hat is available here: https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike Apparently at least one CA allowed a subjectAltName or CN that contain a zero byte, and thus clients that assumed they would never have zero bytes were exploited to OK a certificate that didn't actually match the site. Like if the name in the cert was "example.com\0theatualsite.com", libcurl would happily verify that cert for example.com. libcurl now better use the length of the extracted name, not assuming it is zero terminated.
2009-08-01- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (presentDaniel Stenberg
only in some OpenSSL installs - like on Windows) isn't thread-safe and we agreed that moving it to the global_init() function is a decent way to deal with this situation.