Age | Commit message | Author
2013-04-11 | test1218: another cookie tailmatch test | Daniel Stenberg
... and make 1216 also verify it with a file input
These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie domain tailmatch" vulnerability. See http://curl.haxx.se/docs/adv_20130412.html
2013-04-11 | cookie: fix tailmatching to prevent cross-domain leakage | YAMADA Yasuharu
Cookies set for 'example.com' could accidentally also be sent by libcurl to the 'bexample.com' (i.e. with a prefix to the first domain name). This is a security vulnerability, CVE-2013-1944. Bug: http://curl.haxx.se/docs/adv_20130412.html
2013-04-11 | Enabled MinGW sync resolver builds. | Guenter Knauf
2013-04-10 | if2ip.c: fix compiler warning | Yang Tse
2013-04-10 | Fixed lost OpenSSL output with "-t" - followup. | Guenter Knauf
The previously applied patch didn't work on Windows; we can't rely on shell commands like 'echo' since they act differently on each platform and each shell. In order to keep this script platform-independent the code must only use pure Perl.
2013-04-09 | test1217: verify parsing 257 responses with "rubbish" before path | Daniel Stenberg
Test 1217 verifies commit e0fb2d86c9f78, and without that change this test fails.
2013-04-09 | FTP: handle "rubbish" in front of directory name in 257 responses | Bill Middlecamp
When doing PWD, there's a 257 response which apparently some servers prefix with a comment before the path instead of after it as is otherwise the norm. Failing to parse this, several otherwise legitimate use cases break. Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html
2013-04-09 | Fixed ares-enabled builds with static makefiles. | Guenter Knauf
2013-04-09 | Fixed lost OpenSSL output with "-t". | Guenter Knauf
The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM output wrote to a temporary file. Consequently, the OpenSSL output was lost when the temp file was renamed to the final file at script finish (overwriting the final file written earlier by openssl). Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
2013-04-09 | test1216: test tailmatching cookie domains | Daniel Stenberg
This test is an attempt to repeat the problem YAMADA Yasuharu reported at http://curl.haxx.se/mail/lib-2013-04/0108.html
2013-04-09 | RELEASE-NOTES: synced with 29fdb2700f797 | Daniel Stenberg
added "tcpkeepalive on Mac OS X"
2013-04-08 | darwinssl: disable insecure ciphers by default | Nick Zitzmann
I noticed that aria2's SecureTransport code disables insecure ciphers such as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later. That's a good idea, and now we do the same thing in order to prevent curl from accessing a "secure" site that only negotiates insecure ciphersuites.
2013-04-08 | tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX | Robert Wruck
MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single TCP_KEEPALIVE (see http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html). Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms.
2013-04-08 | configure: remove CURL_CHECK_FUNC_RECVFROM | Daniel Stenberg
1 - We don't use the results from the test and we never did. recvfrom() is only used by the TFTP code and it has not caused any problems.
2 - the CURL_CHECK_FUNC_RECVFROM function is extremely slow
2013-04-08 | RELEASE-NOTES: Corrected duplicate NTLM memory leaks | Steve Holme
2013-04-08 | RELEASE-NOTES: Removed trailing full stop | Steve Holme
2013-04-08 | proxy: make ConnectionExists() check credential of proxy connections too | Fabian Keil
Previously it only compared credentials if the requested needle connection wasn't using a proxy. This caused NTLM authentication failures when using proxies as the authentication code wasn't sent on the connection where the challenge arrived. Added test 1215 to verify: NTLM server authentication through a proxy (This is a modified copy of test 67)
2013-04-08 | RELEASE-NOTES: sync with 704a5dfca9 | Daniel Stenberg
2013-04-08 | TODO-RELEASE: cleaned up, not really maintained lately | Daniel Stenberg
2013-04-07 | if2ip.c: Fixed another warning: unused parameter 'remote_scope' | Marc Hoersken
2013-04-07 | cookie.c: Made cookie sort function more deterministic | Marc Hoersken
Since qsort implementations vary with regards to handling the order of similar elements, this change makes the internal sort function more deterministic by comparing path length first, then domain length and finally the cookie name. Spotted with testcase 62 on Windows.
2013-04-07 | curl_schannel.c: Follow up on memory leak fix ae4558d | Marc Hoersken
2013-04-07 | Revert "getpart.pm: Strip carriage returns to fix Windows support" | Marc Hoersken
This reverts commit e51b23c925a2721cf7c29b2b376d3d8903cfb067. As discussed on the mailing list, this was not the correct approach.
2013-04-07 | http_negotiate.c: Fixed passing argument from incompatible pointer type | Marc Hoersken
2013-04-06 | ftp.c: Added missing brackets around ABOR command logic | Marc Hoersken
2013-04-06 | sockfilt.c: Fixed detection of client-side connection close | Marc Hoersken
WINSOCK only: Since FD_CLOSE is only signaled once, it may trigger at the same time as FD_READ. Data actually being available makes it impossible to detect that the connection was closed by checking that recv returns zero. Another recv attempt could block the connection if it was not closed. This workaround abuses exceptfds in conjunction with readfds to signal that the connection has actually closed.
2013-04-06 | curl_schannel.c: Fixed memory leak if connection was not successful | Marc Hoersken
2013-04-06 | if2ip.c: Fixed warning: unused parameter 'remote_scope' | Marc Hoersken
2013-04-06 | runtests.pl: Fixed --verbose parameter passed to http_pipe.py | Marc Hoersken
2013-04-06 | sockfilt.c: Reduce CPU load while running under a Windows PIPE | Marc Hoersken
2013-04-06 | tftpd.c: Apply sread timeout to the whole data transfer session | Marc Hoersken
2013-04-06 | getpart.pm: Strip carriage returns to fix Windows support | Marc Hoersken
2013-04-06 | ftp tests: libcurl returns CURLE_FTP_ACCEPT_FAILED better now | Daniel Stenberg
Since commit 57aeabcc1a20f, it handles errors on the control connection while waiting for the data connection better. Test 591 and 592 are updated accordingly.
2013-04-06 | FTP: wait on both connections during active STOR state | Daniel Stenberg
When doing PORT and upload (STOR), this function needs to extract the file descriptor for both connections so that it will respond immediately when the server eventually connects back. This flaw caused active connections to become unnecessarily slow but they would still often work due to the normal polling on a timeout. The bug also would not occur if the server connected back very fast, like when testing on local networks. Bug: http://curl.haxx.se/bug/view.cgi?id=1183 Reported by: Daniel Theron
2013-04-06 | tftpd.c: Follow up cleanup and restore of previous sockopt | Marc Hoersken
2013-04-06 | connect: treat an interface bindlocal() problem as a non-fatal error | Kim Vandry
I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force transfers to use a particular interface but the transfer fails with CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the interface I specify has no IPv6 address. The cause is as follows:
The remote hostname resolves successfully and has an IPv6 address and an IPv4 address.
cURL attempts to connect to the IPv6 address first.
bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an IPv6 address on the interface.
This is a fatal error in singleipconnect()
This change will make cURL try the next IP address in the list.
Also included are two changes related to IPv6 address scope:
- Filter the choice of address in Curl_if2ip to only consider addresses with the same scope ID as the connection address (mismatched scope for local and remote address does not result in a working connection).
- bindlocal was ignoring the scope ID of addresses returned by Curl_if2ip. Now it uses them.
Bug: http://curl.haxx.se/bug/view.cgi?id=1189
2013-04-06 | tftpd.c: Fixed sread timeout on Windows by setting it manually | Marc Hoersken
2013-04-06 | ftp.pm: Added tskill to support Windows XP Home | Marc Hoersken
2013-04-06 | runtests.pl: Modularization of MinGW/Msys compatibility functions | Marc Hoersken
2013-04-06 | ftp.pm: Made Perl testsuite able to handle Windows processes | Marc Hoersken
2013-04-06 | util.c: Revert workaround eeefcdf, 6eb56e7 and e3787e8 | Marc Hoersken
2013-04-06 | ftp.pm: Made Perl testsuite able to kill Windows processes | Marc Hoersken
2013-04-06 | util.c: Follow up cleanup on eeefcdf | Marc Hoersken
2013-04-06 | cpp: use #ifdef __MINGW32__ to avoid compiler complaints | Daniel Stenberg
... instead of just #if
2013-04-06 | util.c: Made write_pidfile write the correct PID on MinGW/Msys | Marc Hoersken
This workaround fixes an issue on MinGW/Msys regarding the Perl testsuite scripts not being able to signal or control the server processes. The MinGW Perl runtime only sees the Msys processes and their corresponding PIDs, but sockfilt (and other servers) wrote the Windows PID into their PID-files. Since this PID is useless to the testsuite, the write_pidfile function was changed to search for the Msys PID and write that into the PID-file.
2013-04-05 | RELEASE-NOTES: synced with 5e722b2d09087 | Daniel Stenberg
3 more bug fixes, 6 more contributors
2013-04-05 | sockfilt.c: Fixed handling of multiple fds being signaled | Marc Hoersken
2013-04-05 | curl_global_init.3: improve description of CURL_GLOBAL_ALL | Kamil Dudka
Reported by: Tomas Mlcoch
2013-04-05 | examples/multi-single.c: fix the order of destructions | Kamil Dudka
... so that it adheres to the API documentation. Reported by: Tomas Mlcoch
2013-04-05 | Curl_open: restore default MAXCONNECTS to 5 | Daniel Stenberg
At some point recently we lost the default value for the easy handle's connection cache, and this change puts it back to 5 - which is the former default value and it is documented in the curl_easy_setopt.3 man page.