Age | Commit message | Author
2013-06-22 | Curl_urldecode: no peeking beyond end of input buffer | Daniel Stenberg
Security problem: CVE-2013-2174
If a program would give a string like "%FF" to curl_easy_unescape() but ask for it to decode only the first byte, it would still parse and decode the full hex sequence. The function then not only read beyond the allowed buffer but it would also deduct the *unsigned* counter variable for how many more bytes there's left to read in the buffer by two, making the counter wrap. Continuing this, the function would go on reading beyond the buffer and soon writing beyond the allocated target buffer...
Bug: http://curl.haxx.se/docs/adv_20130622.html
Reported-by: Timo Sirainen
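The bounds check this message calls for, as an added example that is not curl's code or the actual patch: a length-limited percent-decoder that refuses to read a "%XX" sequence crossing the end of the caller's window, plus the unsigned counter arithmetic that wraps. The names bounded_unescape, hexval and left_after_unchecked_hex are hypothetical, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(unsigned char c)
{
  return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Decode at most len bytes of in. "%XX" is decoded only when all three
   bytes lie inside the len-byte window; otherwise '%' is copied as-is. */
char *bounded_unescape(const char *in, size_t len, size_t *olen)
{
  const unsigned char *p = (const unsigned char *)in;
  char *out = malloc(len + 1);   /* output never exceeds input length */
  size_t i = 0, o = 0;
  if(!out) return NULL;
  while(i < len) {
    unsigned char c = p[i];
    if(c == '%' && len - i >= 3 &&
       isxdigit(p[i + 1]) && isxdigit(p[i + 2])) {
      c = (unsigned char)(hexval(p[i + 1]) * 16 + hexval(p[i + 2]));
      i += 3;
    }
    else
      i++;
    out[o++] = (char)c;
  }
  out[o] = '\0';
  *olen = o;
  return out;
}

/* Counter arithmetic of the flaw only (no memory is touched): taking two
   from an unsigned "bytes left" count of one wraps to the maximum value. */
size_t left_after_unchecked_hex(size_t left)
{
  return left - 2;
}

int main(void)
{
  size_t n = 0;
  char *r = bounded_unescape("%FF", 1, &n);   /* constructed input */
  printf("%zu byte(s) out; unchecked counter would be %zu\n",
         n, left_after_unchecked_hex(1));
  free(r);
  return 0;
}
```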
2013-06-20 | Use opened body.out file and write content to it. | Guenter Knauf
2013-06-20 | multi_socket: react on socket close immediately | Daniel Stenberg
As a remedy to the problem when a socket gets closed and a new one is opened with the same file descriptor number and as a result multi.c:singlesocket() doesn't detect the difference, the new function Curl_multi_closed() gets told when a socket is closed so that it can be removed from the socket hash. When the old one has been removed, a new socket should be detected fine by the singlesocket() on next invoke.
Bug: http://curl.haxx.se/bug/view.cgi?id=1248
Reported-by: Erik Johansson
2013-06-20 | RELEASE-NOTES: synced with e305f5ec715f | Daniel Stenberg
2013-06-18 | TODO: mention the DANE patch from March | Daniel Stenberg
2013-06-17 | CURLOPT_COOKIELIST: take cookie share lock | Daniel Stenberg
When performing COOKIELIST operations the cookie lock needs to be taken for the cases where the cookies are shared among multiple handles!
Verified by Benjamin Gilbert's updated test 506
Bug: http://curl.haxx.se/bug/view.cgi?id=1215
Reported-by: Benjamin Gilbert
2013-06-17 | test506: verify that CURLOPT_COOKIELIST takes share lock | Benjamin Gilbert
It doesn't right now: http://curl.haxx.se/bug/view.cgi?id=1215
2013-06-15 | TODO: HTTP2/SPDY support | Daniel Stenberg
2013-06-14 | curl_easy_setopt.3: clarify CURLOPT_PROGRESSFUNCTION frequency | Daniel Stenberg
Make it clearer that the CURLOPT_PROGRESSFUNCTION callback will be called more frequently than once per second when things are happening.
2013-06-13 | RELEASE-NOTES: synced with 9c3e098259b82 | Daniel Stenberg
Mention 7 recent bug fixes and their associated contributors
2013-06-13 | curl_multi_wait.3: clarify the numfds counter | Daniel Stenberg
2013-06-13 | curl_easy_perform: avoid busy-looping | Daniel Stenberg
When curl_multi_wait() finds no file descriptor to wait for, it returns instantly and this must be handled gracefully within curl_easy_perform() or cause a busy-loop. Starting now, repeated fast returns without any file descriptors are detected and a gradually increasing sleep will be used (up to a max of 1000 milliseconds) before continuing the loop.
Bug: http://curl.haxx.se/bug/view.cgi?id=1238
Reported-by: Miguel Angel
2013-06-12 | cookies: follow-up fix for path checking | YAMADA Yasuharu
The initial fix to only compare full path names was done in commit 04f52e9b4db0 but found out to be incomplete. This take should make the change more complete and there are now two additional tests to verify (test 31 and 62).
2013-06-12 | lib1900: use tutil_tvnow instead of gettimeofday | Sergei Nikulov
Makes it build on windows
2013-06-12 | axtls: now done non-blocking | Eric Hu
2013-06-12 | test2033: requires NTLM support | Eric Hu
2013-06-11 | KNOWN_BUGS: #82 failed build with Borland compiler | Daniel Stenberg
2013-06-11 | Curl_output_digest: support auth-int for empty entity body | Daniel Stenberg
By always returning the md5 for an empty body when auth-int is asked for, libcurl now at least sometimes does the right thing.
Bug: http://curl.haxx.se/bug/view.cgi?id=1235
Patched-by: Nach M. S.
2013-06-11 | multi_socket: reduce timeout inaccuracy margin | Daniel Stenberg
Allow less room for "triggered too early" mistakes by applications / timers on non-windows platforms. Starting now, we assume that a timeout call is never made earlier than 3 milliseconds before the actual timeout. This greatly improves timeout accuracy on Linux.
Bug: http://curl.haxx.se/bug/view.cgi?id=1228
Reported-by: Hang Su
2013-06-10 | cert_stuff: avoid double free in the PKCS12 code | Daniel Stenberg
In the pkcs12 code, we get a list of x509 records returned from PKCS12_parse but when iterating over the list and passing each to SSL_CTX_add_extra_chain_cert() we didn't also properly remove them from the "stack", which made them get freed twice (both in sk_X509_pop_free() and then later in SSL_CTX_free).
This isn't really documented anywhere...
Bug: http://curl.haxx.se/bug/view.cgi?id=1236
Reported-by: Nikaiw
2013-06-10 | cert_stuff: remove code duplication in the pkcs12 logic | Daniel Stenberg
2013-06-08 | axtls: honor disabled VERIFYHOST | Aleksey Tulinov
When VERIFYHOST == 0, libcurl should let invalid certificates pass.
2013-06-08 | curl_easy_setopt.3: HTTP header with no content | Peter Gal
Update the documentation on how to specify a HTTP header with no content.
2013-06-07 | RELEASE-NOTES: synced with 87cf677eca55 | Daniel Stenberg
Added 11 bugs and 7 contributors
2013-06-06 | lib1500: remove bad check | Daniel Stenberg
After curl_multi_wait() returns, this test checked that we got exactly one file descriptor told to read from, but we cannot be sure that is true. curl_multi_wait() will sometimes return earlier without any file descriptor to handle, just because it is a suitable time to call *perform().
This problem showed up with commit 29bf0598.
Bug: http://curl.haxx.se/mail/lib-2013-06/0029.html
Reported-by: Fabian Keil
2013-06-04 | tests/Makefile: typo in the perlcheck target | Daniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1239
Reported-by: Christian Weisgerber
2013-06-04 | test1230: verify CONNECT to a numerical ipv6-address | Daniel Stenberg
2013-06-04 | sws: support extracting test number from CONNECT ipv6-address! | Daniel Stenberg
If an ipv6-address is provided to CONNECT, the last hexadecimal group in the address will be used as the test number! For example the address "[1234::ff]" would be treated as test case 255.
2013-06-04 | curl_multi_wait: only use internal timer if not -1 | Daniel Stenberg
commit 29bf0598aad5 introduced a problem when the "internal" timeout is preferred to the given if shorter, as it didn't consider the case where -1 was returned. Now the internal timeout is only considered if not -1.
Reported-by: Tor Arntsen
Bug: http://curl.haxx.se/mail/lib-2013-06/0015.html
2013-06-03 | libcurl-tutorial.3: added a section on IPv6 | Dan Fandrich
Also added a (correctly-escaped) backslash to the autoexec.bat example file and a new Windows character device name with a colon as examples of other characters that are special and potentially dangerous (this reverts and reworks commit 7d8d2a54).
2013-06-03 | curl_multi_wait: reduce timeout if the multi handle wants to | Daniel Stenberg
If the multi handle's pending timeout is less than what is passed into this function, it will now opt to use the shorter time anyway since it is a very good hint that the handle wants to process something in a shorter time than what otherwise would happen.
curl_multi_wait.3 was updated accordingly to clarify
This is the reason for bug #1224
Bug: http://curl.haxx.se/bug/view.cgi?id=1224
Reported-by: Andrii Moiseiev
2013-06-03 | multi_runsingle: switch an if() condition for readability | Daniel Stenberg
... because there's an identical check right next to it so using the operators in the check in the same order increases readability.
2013-06-02 | curl_schannel.c: Removed variable unused since 35874298e4 | Marc Hoersken
2013-06-02 | curl_setup.h: Fixed redefinition warning using mingw-w64 | Marc Hoersken
2013-05-30 | multi_runsingle: add braces to clarify the code | Daniel Stenberg
2013-05-28 | libcurl-tutorial.3: remove incorrect backslash | Daniel Stenberg
A single backslash in the content is not legal nroff syntax.
Reported and fixed by: Eric S. Raymond
Bug: http://curl.haxx.se/bug/view.cgi?id=1234
2013-05-28 | curl_formadd.3: fixed wrong "end-marker" syntax | Daniel Stenberg
Reported and fixed by: Eric S. Raymond
Bug: http://curl.haxx.se/bug/view.cgi?id=1233
2013-05-28 | curl.1: clarify that --silent still outputs data | Daniel Stenberg
2013-05-27 | Digest auth: escape user names with \ or " in them | Daniel Stenberg
When sending the HTTP Authorization: header for digest, the user name needs to be escaped if it contains a double-quote or backslash.
Test 1229 was added to verify
Reported and fixed by: Nach M. S
Bug: http://curl.haxx.se/bug/view.cgi?id=1230
2013-05-22 | ossl_recv: SSL_read() returning 0 is an error too | Mike Giancola
SSL_read can return 0 for "not successful", according to the OpenSSL documentation: http://www.openssl.org/docs/ssl/SSL_read.html
2013-05-22 | ossl_send: SSL_write() returning 0 is an error too | Mike Giancola
We found that in specific cases if the connection is abruptly closed, the underlying socket is listed in a close_wait state. We continue to call the curl_multi_perform, curl_multi_fdset etc. None of these APIs report the socket closed / connection finished. Since we have cases where the multi connection is only used once, this can pose a problem for us. I've read that if another connection was to come in, curl would see the socket as bad and attempt to close it at that time - unfortunately, this does not work for us.
I found that in specific situations, if SSL_write returns 0, curl did not recognize the socket as closed (or errored out) and did not report it to the application. I believe we need to change the code slightly, to check if ssl_write returns 0. If so, treat it as an error - the same as a negative return code.
For OpenSSL - the ssl_write documentation is here: http://www.openssl.org/docs/ssl/SSL_write.html
2013-05-21 | KNOWN_BUGS: curl -OJC- fails to resume | Daniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1169
2013-05-21 | Curl_cookie_add: handle IPv6 hosts | Daniel Stenberg
1 - don't skip host names with a colon in them in an attempt to bail out on HTTP headers in the cookie file parser. It was only a shortcut anyway and trying to parse a file with HTTP headers will still be handled, only slightly slower.
2 - don't skip domain names based on number of dots. The original netscape cookie spec had this oddity mentioned and while our code decreased the check to only check for two, the existing cookie spec has no such dot counting required.
Bug: http://curl.haxx.se/bug/view.cgi?id=1221
Reported-by: Stefan Neis
2013-05-20 | curl_easy_setopt.3: expand the PROGRESSFUNCTION section | Daniel Stenberg
Explain the callback and its arguments better and with more descriptive text.
2013-05-19 | tests: add test1394 file to the tarball | Daniel Stenberg
2013-05-19 | tarball: include the xmlstream example | Daniel Stenberg
2013-05-19 | xmlstream: XML stream parsing example source code | David Strauss
Add an XML stream parsing example using Expat. Add missing ignore for the binary from an unrelated example.
2013-05-18 | cookies: only consider full path matches | YAMADA Yasuharu
I found a bug which cURL sends cookies to the path not to aim at. For example:
- cURL sends a request to http://example.fake/hoge/
- server returns cookie which with path=/hoge; the point is there is NOT the '/' end of path string.
- cURL sends a request to http://example.fake/hogege/ with the cookie.
The reason for this old "feature" is because that behavior is what is described in the original netscape cookie spec: http://curl.haxx.se/rfc/cookie_spec.html
The current cookie spec (RFC6265) clarifies the situation: http://tools.ietf.org/html/rfc6265#section-5.2.4
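The path comparison this message is about, as an added example that is not curl's code: the path-match rule from RFC 6265 section 5.1.4 beside a plain prefix comparison, which is an assumed model of how the described behaviour can arise. The function names are hypothetical; the paths are the ones from the message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the old behaviour: a plain string-prefix comparison. */
bool legacy_prefix_match(const char *cookie_path, const char *request_path)
{
  return strncmp(cookie_path, request_path, strlen(cookie_path)) == 0;
}

/* RFC 6265 section 5.1.4 path-match: the cookie path must be a prefix
   that ends on a path-segment boundary of the request path. */
bool rfc6265_path_match(const char *cookie_path, const char *request_path)
{
  size_t clen = strlen(cookie_path);
  size_t rlen = strlen(request_path);

  if(clen == 0 || clen > rlen || strncmp(cookie_path, request_path, clen))
    return false;                   /* not a prefix at all */
  if(clen == rlen)
    return true;                    /* identical paths */
  if(cookie_path[clen - 1] == '/')
    return true;                    /* cookie path ends with a slash */
  return request_path[clen] == '/'; /* next request char starts a segment */
}

int main(void)
{
  /* Paths taken from the example in the commit message. */
  const char *cookie = "/hoge";
  const char *req[] = { "/hoge/", "/hogege/" };
  for(size_t i = 0; i < 2; i++)
    printf("%-9s legacy=%d rfc6265=%d\n", req[i],
           legacy_prefix_match(cookie, req[i]),
           rfc6265_path_match(cookie, req[i]));
  return 0;
}
```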
2013-05-16 | axtls: prevent memleaks on SSL handshake failures | Eric Hu
2013-05-12 | Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage" | Daniel Stenberg
This reverts commit 8ec2cb5544b86306b702484ea785b6b9596562ab.
We don't have any code anywhere in libcurl (or the curl tool) that uses wcsdup so there's no such memory use to track. It seems to cause mild problems with the Borland compiler though that we may avoid by reverting this change again.
Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html