Age | Commit message (Collapse) | Author |
|
Synced and prepared for 7.24.0 release. Two security problems, one bug fix,
two more contributors.
|
|
With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.
Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
|
|
Related to the security vulnerability: CVE-2012-0036
Bug: http://curl.haxx.se/docs/adv_20120124.html
|
|
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).
URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
|
|
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.
The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.
In order to keep the secure work-around workding, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.
Reported by: product-security at Apple
|
|
3 more bugfixes, 3 more contributors
|
|
|
|
|
|
Using a URL with embedded user name and password didn't work if the host
was given as a numerical IPv6 string, like ftp://user:password@[::1]/
Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
|
|
|
|
|
|
avoid checking preprocessor definition official value
|
|
in the makefile
|
|
As is pointed out in this bug report, there can indeed be situation
where --stderr has a point even when the "real" stderr can be
redirected. Remove the superfluous and wrong comment.
bug: http://curl.haxx.se/bug/view.cgi?id=3476020
|
|
http://curl.haxx.se/bug/view.cgi?id=3438362
|
|
|
|
Apparently ssl_get_ciphersuite() is needed to get the name of the used
cipher suite.
|
|
The value was turned negative when it shouldn't have been
|
|
... it is now named havege_random!
Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
|
|
5 more bug fixes, 1 more contributor
|
|
Add simple telnet tests which (ab)use the http server.
The second test checks for an input file handling bug.
|
|
Remove wrongly implemented optimisation of telnet upload, apparently
intended to allow the library to avoid manually polling for input.
|
|
Fix a bug where input was read from stdin even when a different FILE *
had been configured via CURLOPT_READDATA
|
|
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
|
|
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
|
|
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.
Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
|
|
|
|
Allows tests from the libtest subdir to generate log traces
similar to those of curl with --tracetime and --trace-ascii
options but with output going to stderr.
|
|
|
|
|
|
|
|
Just showing how to download the contents of a given URL into a local
file.
Based on a suggestion and example code by Georg Potthast
|
|
Just to show that IMAP is used just like other protocols
|
|
|
|
|
|
|
|
This newly speced HTTP status code already works as intended in the new
spec:
http://greenbytes.de/tech/webdav/draft-reschke-http-status-308-02.html
Test 1325 is added to verify that the method is kept after the redirect
|
|
|
|
|
|
|
|
5 bug fixes, 3 more contributors
|
|
Some functions using getaddrinfo and gethostbyname were still
mistakingly being used/linked even if c-ares was selected as resolver
backend.
Reported by: Arthur Murray
Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
|
|
|
|
Test 161 updated accordingly
|
|
|
|
|
|
|
|
|
|
In commit c834213ad52 we re-used some obsolete error codes, and here are
two defines that makes sure existing source codes that happen to use any
of these deprecated ones will still compile.
As usual, define CURL_NO_OLDIES to avoid getting these "precaution
defines".
|
|
Previously the code would create a dummy socket while resolving just to
have curl_multi_fdset() return something but the non-win32 version
doesn't do it this way and the creation and use of a socket that isn't
made with the common create-socket callback can be confusing to apps
using the multi_socket API etc.
This change removes the dummy socket and thus will cause
curl_multi_fdset() to return with maxfd == -1 more often.
|