aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-08-20url: handle arbitrary-length username and password before '@'Jonathan Nieder
libcurl quietly truncates usernames, passwords, and options from before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters to fit in fixed-size buffers on the stack. Allocate a buffer large enough to fit the parsed fields on the fly instead to support longer passwords. After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH left, so stop defining that constant while at it. The hardcoded max username and password length constants, on the other hand, are still used in HTTP proxy credential handling (which this patch doesn't touch). Reported-by: Colby Ranger
2013-08-20url: handle exceptional cases first in parse_url_login()Jonathan Nieder
Instead of nesting "if(success)" blocks and leaving the reader in suspense about what happens in the !success case, deal with failure cases early, usually with a simple goto to clean up and return from the function. No functional change intended. The main effect is to decrease the indentation of this function slightly.
2013-08-20Curl_setopt: handle arbitrary-length username and passwordJonathan Nieder
libcurl truncates usernames, passwords, and options set with curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. This doesn't affect the return value from curl_easy_setopt(), so from the caller's point of view, there is no sign anything strange has happened, except that authentication fails. For example: # Prepare a long (300-char) password. s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; # Start a server. nc -l -p 8888 | tee out & pid=$! # Tell curl to pass the password to the server. curl --user me:$s http://localhost:8888 & sleep 1; kill $pid # Extract the password. userpass=$( awk '/Authorization: Basic/ {print $3}' <out | tr -d '\r' | base64 -d ) password=${userpass#me:} echo ${#password} Expected result: 300 Actual result: 255 The fix is simple: allocate appropriately sized buffers on the heap instead of trying to squeeze the provided values into fixed-size on-stack buffers. Bug: http://bugs.debian.org/719856 Reported-by: Colby Ranger
2013-08-20netrc: handle longer username and passwordJonathan Nieder
libcurl truncates usernames and passwords it reads from .netrc to LOGINSIZE and PASSWORDSIZE (64) characters without any indication to the user, to ensure the values returned from Curl_parsenetrc fit in a caller-provided buffer. Fix the interface by passing back dynamically allocated buffers allocated to fit the user's input. The parser still relies on a 256-character buffer to read each line, though. So now you can include an ~246-character password in your .netrc, instead of the previous limit of 63 characters. Reported-by: Colby Ranger
2013-08-20url: allocate username, password, and options on the heapJonathan Nieder
This makes it possible to increase the size of the buffers when needed in later patches. No functional change yet.
2013-08-20url: use goto in create_conn() for exception handlingJonathan Nieder
Instead of remembering before each "return" statement which temporary allocations, if any, need to be freed, take care to set pointers to NULL when no longer needed and use a goto to a common block to exit the function and free all temporaries. No functional change intended. Currently the only temporary buffer in this function is "proxy" which is already correctly freed when appropriate, but there will be more soon.
2013-08-20sasl: allow arbitrarily long username and passwordJonathan Nieder
Use appropriately sized buffers on the heap instead of fixed-size buffers on the stack, to allow for longer usernames and passwords. Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
2013-08-19imap: Fixed response check for SEARCH commandAlex McLellan
Adding this line allows libcurl to return the server response when performing a search command via a custom request.
2013-08-16glob: error out on range overflowDaniel Stenberg
The new multiply() function detects range value overflows. 32bit machines will overflow on a 32bit boundary while 64bit hosts support ranges up to the full 64 bit range. Added test 1236 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1267 Reported-by: Will Dietz
2013-08-16urlglob: better detect unclosed braces, empty lists and overflowsDaniel Stenberg
A rather big overhaul and cleanup. 1 - curl wouldn't properly detect and reject globbing that ended with an open brace if there were brackets or braces before it. Like "{}{" or "[0-1]{" 2 - curl wouldn't properly reject empty lists so that "{}{}" would result in curl getting (nil) strings in the output. 3 - By using strtoul() instead of sscanf() the code will now detected over and underflows. It now also better parses the step argument to only accept positive numbers and only step counters that is smaller than the delta between the maximum and minimum numbers. 4 - By switching to unsigned longs instead of signed ints for the counters, the max values for []-ranges are now very large (on 64bit machines). 5 - Bumped the maximum number of globs in a single URL to 100 (from 10) 6 - Simplified the code somewhat and now it stores fixed strings as single- entry lists. That's also one of the reasons why I did (5) as now all strings between "globs" will take a slot in the array. Added test 1234 and 1235 to verify. Updated test 87. This commit fixes three separate bug reports. Bug: http://curl.haxx.se/bug/view.cgi?id=1264 Bug: http://curl.haxx.se/bug/view.cgi?id=1265 Bug: http://curl.haxx.se/bug/view.cgi?id=1266 Reported-by: Will Dietz
2013-08-15VMS: Add RELEASE-NOTES to vms documentJohn Malmberg
Add the curl release notes to the release note document generated for VMS packages. Add the different filenames generated by a daily build to the cleanup procedures.
2013-08-15tests 2032, 2033: Don't hardcode port in expected outputTor Arntsen
2013-08-14ftp: convert state names to a global arrayDaniel Stenberg
... just to make them easier to print in debug ouputs while debugging. They are still within #ifdef [debugbuild].
2013-08-14--help: fix the --sasl-ir in the help outputDaniel Stenberg
2013-08-14ftp_domore_getsock: when passive mode, the second conn is already thereDaniel Stenberg
This makes the socket callback get called with the proper bitmask as otherwise the application could be left hanging waiting for reading on an upload connection! Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html Reported-by: Bill Doyle
2013-08-14curl: make --no-[option] work properly for several optionsDaniel Stenberg
--create-dirs, --crlf, --socks5-gssapi-nec and --sasl-ir
2013-08-12nss: make sure that NSS is initializedKamil Dudka
... prior to calling PK11_GenerateRandom()
2013-08-12multi: s/easy/dataDaniel Stenberg
With everything being struct SessionHandle pointers now, this rename makes multi.c use the library-wide practise of calling that pointer 'data' instead of the previously used 'easy'.
2013-08-12cleanup: removed one function, made one staticDaniel Stenberg
Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to easy_addmulti and made it static. Removed Curl_easy_initHandleData() and uses of it since it was emptied in commit cdda92ab67b47d74a.
2013-08-12SessionHandle: the protocol specific pointer is now a void *Daniel Stenberg
All protocol handler structs are now opaque (void *) in the SessionHandle struct and moved in the request-specific sub-struct 'SingleRequest'. The intension is to keep the protocol specific knowledge in their own dedicated source files [protocol].c etc. There's some "leakage" where this policy is violated, to be addressed at a later point in time.
2013-08-12urldata: clean up the use of the protocol specific structsDaniel Stenberg
1 - always allocate the struct in protocol->setup_connection. Some protocol handlers had to get this function added. 2 - always free at the end of a request. This is also an attempt to keep less memory in the handle after it is completed.
2013-08-12version number: bump to 7.32.1 for nowDaniel Stenberg
Start working on the next version and up some counters.
2013-08-11THANKS: added contributors from the 7.32.0 release notesDaniel Stenberg
2013-08-11test1228: add 'HTTP proxy' to the keywordsFabian Keil
2013-08-11tests: add keywords for a couple of FILE testsFabian Keil
2013-08-11tests: add 'FAILURE' keywords to tests 1409 and 1410Fabian Keil
2013-08-11tests: add keywords for a couple of HTTP testsFabian Keil
2013-08-11tests: add keywords for a couple of FTP testsFabian Keil
2013-08-11test1511: consistently terminate headers with CRLFFabian Keil
2013-08-10DISABLED: shut of test 1512 for nowDaniel Stenberg
It shows intermittent failures and I haven't been able to track them down yet. Disable this test for now.
2013-08-09curl_multi_add_handle.3: ... that timer callback is for event-basedDaniel Stenberg
2013-08-09comments: remove old and wrong multi/easy interface statementsDaniel Stenberg
2013-08-09curl_multi_add_handle.3: mention the CURLMOPT_TIMERFUNCTION useDaniel Stenberg
2013-08-08KNOWN_BUGS: 22 and 57 have been fixed and committedJohn E. Malmberg
2013-08-08RELEASE-NOTES: synced with d20def20462e7Daniel Stenberg
2013-08-08global dns cache: fix memory leakDaniel Stenberg
The take down of the global dns cache didn't take CURLOPT_RESOLVE names into account.
2013-08-08global dns cache: didn't work [regression]Daniel Stenberg
CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been broken since the libcurl 7.29.0 release). While this option has been documented as deprecated for almost a decade and nobody even reported this bug, it should remain functional. Added test case 1512 to verify
2013-08-08packages/vms: update VMS build filesJohn Malmberg
VMS modified files either missing from a previous commit and changes to remove references to CVS repositories.
2013-08-08FTP: renamed several local functionsDaniel Stenberg
The previous naming scheme ftp_state_post_XXXX() wasn't really helpful as it wasn't always immediately after 'xxxx' and it wasn't easy to understand what it does based on such a name. This new one is instead ftp_state_yyyy() where yyyy describes what it does or sends.
2013-08-08mk-ca-bundle.1: don't install on make installDaniel Stenberg
Since the mk-ca-bundle tool itself isn't installed with make install, there's no point in installing its documentation. Bug: http://curl.haxx.se/mail/lib-2013-08/0057.html Reported-by: Guenter Knauf
2013-08-07packages/vms/Makefile.am: add latest file additions to EXTRA_DISTYang Tse
2013-08-07Building_vms_pcsi_kitJohn Malmberg
These are the files needed to build VMS distribution packages known as PCSI kits. Also minor update to the existing files, mainly to the documentation and file clean up code.
2013-08-06LIBCURL-STRUCTS: new documentDaniel Stenberg
This is the first version of this new document, detailing the seven perhaps most important internal structs in libcurl source code: 1.1 SessionHandle 1.2 connectdata 1.3 Curl_multi 1.4 Curl_handler 1.5 conncache 1.6 Curl_share 1.7 CookieInfo
2013-08-06CONTRIBUTE: minor language polishDaniel Stenberg
2013-08-06FTP: when EPSV gets a 229 but fails to connect, retry with PASVDaniel Stenberg
This is a regression as this logic used to work. It isn't clear when it broke, but I'm assuming in 7.28.0 when we went all-multi internally. This likely never worked with the multi interface. As the failed connection is detected once the multi state has reached DO_MORE, the Curl_do_more() function was now expanded somewhat so that the ftp_do_more() function can request to go "back" to the previous state when it makes another attempt - using PASV. Added test case 1233 to verify this fix. It has the little issue that it assumes no service is listening/accepting connections on port 1... Reported-by: byte_bucket in the #curl IRC channel
2013-08-05md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of LeopardNick Zitzmann
For some reason, OS X 10.5's GCC suddenly stopped working correctly with macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I worked around this by removing use of the macros and inserting static functions that just call CommonCrypto's implementations of the functions instead.
2013-08-05Simplify check for trusted certificates.Guenter Knauf
This changes the previous check for untrusted certs to a check for certs explicitely marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80).
2013-08-05configure: warn on bad env variable use, don't errorDaniel Stenberg
Use XC_CHECK_BUILD_FLAGS instead XC_CHECK_USER_FLAGS.
2013-08-05Revert "configure: don't error out on variable confusions, just warn"Daniel Stenberg
This reverts commit 6b27703b5f525eccdc0a8409f51de8595c75132a.
2013-08-04formadd: wrong pointer for file name when CURLFORM_BUFFERPTR usedDaniel Stenberg
The internal function that's used to detect known file extensions for the default Content-Type got the the wrong pointer passed in when CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that strlen() would be used which could lead to an out-of-bounds read (and thus segfault). In most cases it would only lead to it not finding or using the correct default content-type. It also showed that test 554 and test 587 were testing for the previous/wrong behavior and now they're updated as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1262 Reported-by: Konstantin Isakov