aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2012-01-24tests: test CRLF in URLsDaniel Stenberg
Related to the security vulnerability: CVE-2012-0036 Bug: http://curl.haxx.se/docs/adv_20120124.html
2012-01-24URL sanitize: reject URLs containing bad dataDaniel Stenberg
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
2012-01-24OpenSSL: don't disable security work-aroundDaniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
2012-01-22RELEASE-NOTES: synced with 6e2fd2c9eaDaniel Stenberg
3 more bugfixes, 3 more contributors
2012-01-22CURLOPT_ACCEPTTIMEOUT_MS: spellfixDaniel Stenberg
2012-01-20examples: updated README with two new example programsDan Fandrich
2012-01-20URL parse: user name with ipv6 numerical addressDaniel Stenberg
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/ Reported by: Brandon Wang Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20telnet.c: fix OOM triggered segfaultYang Tse
2012-01-19testtrace.c: fix compiler warningYang Tse
2012-01-19OpenSSL: follow-up for commit a20daf90e3Yang Tse
avoid checking preprocessor definition official value
2012-01-19- s, use, enable, for options name, avoiding conflicts with the names used ↵Pierre Joye
in the makefile
2012-01-19curl.1: improve --stderr wordingDaniel Stenberg
As is pointed out in this bug report, there can indeed be situation where --stderr has a point even when the "real" stderr can be redirected. Remove the superfluous and wrong comment. bug: http://curl.haxx.se/bug/view.cgi?id=3476020
2012-01-18KNOWN_BUGS: can't receive zero bytes file properlyDaniel Stenberg
http://curl.haxx.se/bug/view.cgi?id=3438362
2012-01-18ssl session caching: fix compiler warningsYang Tse
2012-01-18polarssl: show cipher suite name correctly with 1.1.0Daniel Stenberg
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.
2012-01-18polarssl: show error code correctlyDaniel Stenberg
The value was turned negative when it shouldn't have been
2012-01-18polarssl: havege_rand is not present in version 1.1.0Daniel Stenberg
... it is now named havege_random! Reported by: Robert Schumann Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18RELEASE-NOTES: synced with 5d70a61b94604Daniel Stenberg
5 more bug fixes, 1 more contributor
2012-01-18Add two tests for telnet: URLsColin Hogben
Add simple telnet tests which (ab)use the http server. The second test checks for an input file handling bug.
2012-01-18Remove bogus optimisation of telnet upload.Colin Hogben
Remove wrongly implemented optimisation of telnet upload, apparently intended to allow the library to avoid manually polling for input.
2012-01-18Use correct file descriptor for telnet upload.Colin Hogben
Fix a bug where input was read from stdin even when a different FILE * had been configured via CURLOPT_READDATA
2012-01-18OpenLDAP: fix LDAP connection phase memory leakYang Tse
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18OpenSSL: fix PKCS#12 certificate parsing related memory leakJohannes Bauer
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabledYang Tse
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-17tests: enable time tracing on tests 500, 573 and 585Yang Tse
2012-01-17tests: testtrace.[ch] provides debug callback for libtest usageYang Tse
Allows tests from the libtest subdir to generate log traces similar to those of curl with --tracetime and --trace-ascii options but with output going to stderr.
2012-01-17sws.c: fix proxy mode secondary connection monitoring conditionYang Tse
2012-01-16add LF termination to infof() trace stringYang Tse
2012-01-16sws.c: improve proxy mode torture testing support - followup to 18c6c8a5Yang Tse
2012-01-16url2file: new simple exampleDaniel Stenberg
Just showing how to download the contents of a given URL into a local file. Based on a suggestion and example code by Georg Potthast
2012-01-16imap.c: a dead simple imap exampleDaniel Stenberg
Just to show that IMAP is used just like other protocols
2012-01-16sws.c: improve proxy mode torture testing support - followup to c731fc58Yang Tse
2012-01-15sws.c: improve proxy mode torture testing support - followup to d4bf87dcYang Tse
2012-01-15Curl_proxyCONNECT() trace known bug #39Yang Tse
2012-01-14test: verify HTTP response code 308Daniel Stenberg
This newly speced HTTP status code already works as intended in the new spec: http://greenbytes.de/tech/webdav/draft-reschke-http-status-308-02.html Test 1325 is added to verify that the method is kept after the redirect
2012-01-13http_negotiate_sspi.c: fix compiler warningYang Tse
2012-01-13ssh.c: fix compiler warningYang Tse
2012-01-13sws.c: improve proxy mode torture testing supportYang Tse
2012-01-12RELEASE-NOTES: synced with 9f20379fe4Daniel Stenberg
5 bug fixes, 3 more contributors
2012-01-12hostip: avoid getaddrinfo when c-ares is usedDaniel Stenberg
Some functions using getaddrinfo and gethostbyname were still mistakingly being used/linked even if c-ares was selected as resolver backend. Reported by: Arthur Murray Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-09sws.c: replace sleep() usage with wait_ms()Yang Tse
2012-01-09FTP: CURLE_PARTIAL_FILE should not cause control connection to be closedgsengun
Test 161 updated accordingly
2012-01-08sws.c: some compiler warning fixesYang Tse
2012-01-08lib/setup.h: portable symbolic names for Winsock shutdown() mode flagsYang Tse
2012-01-06sws.c: 812fa73057 follow-upYang Tse
2012-01-05sws.c: some IPv6 proxy mode peparatory adjustmentsYang Tse
2012-01-05curl.h: provide backwards compatible symbolsDaniel Stenberg
In commit c834213ad52 we re-used some obsolete error codes, and here are two defines that makes sure existing source codes that happen to use any of these deprecated ones will still compile. As usual, define CURL_NO_OLDIES to avoid getting these "precaution defines".
2012-01-04win32-threaded-resolver: stop using a dummy socketDaniel Stenberg
Previously the code would create a dummy socket while resolving just to have curl_multi_fdset() return something but the non-win32 version doesn't do it this way and the creation and use of a socket that isn't made with the common create-socket callback can be confusing to apps using the multi_socket API etc. This change removes the dummy socket and thus will cause curl_multi_fdset() to return with maxfd == -1 more often.
2012-01-04OpenSSL: remove reference to openssl internal structPeter Sylvester
With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN cflag. This flag might become the default in some distant future.
2012-01-04test1320 test1321: avoid User-Agent comparisonYang Tse