aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2012-02-21pop3 test server: send terminating ".CRLF" onlyDaniel Stenberg
With commit 035ef06bda7 applied, the test pop3 server needs to send ".\r\n" as the body terminating sequence and there needs to be a final CRLF in the actual body in the test data file.
2012-02-19pop3.c: Fixed drop of final CRLF in EOB checkingSteve Holme
Curl_pop3_write() would drop the final CRLF of a message as it was considered part of the EOB as opposed to part of the message. Whilst the EOB sequence needs to be searched for by the function only the final 3 characters should be removed as per RFC-1939 section 3. Reported by: Rich Gray Bug: http://curl.haxx.se/mail/lib-2012-02/0051.html
2012-02-17smtp.c: Fixed an issue with the EOB checkingSteve Holme
Curl_smtp_escape_eob() would leave off final CRLFs from emails ending in multiple blank lines additionally leaving the smtpc->eob variable with the character count in, which would cause problems for additional emails when sent through multiple calls to curl_easy_perform() after a CURLOPT_CONNECT_ONLY.
2012-02-17CURLE_FTP_PRET_FAILED: listed twiceDaniel Stenberg
Make sure it is mentioned once and with the correct description
2012-02-16--mail-auth documentedDaniel Stenberg
2012-02-16SMTP: Code policing and tidy upSteve Holme
2012-02-16curl: Added support for --mail-authSteve Holme
Added an extra command-line argument to support the optional AUTH parameter in SMTPs MAIL FROM command.
2012-02-16docs: mention that NTLM works with NSS, tooKamil Dudka
2012-02-15DOCS: Added information for CURLOPT_MAIL_AUTH.Steve Holme
Added information relating to the new CURLOPT_MAIL_AUTH parameter and reworked CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT to be a clearer. Fixed inconsistencies of "vocalisation of the abbreviation" versus "vocalisation of the first word" for all abbreviations. Corrected a typo in CURLOPT_NOPROXY.
2012-02-15smtp.c: Fixed use of angled brackets in AUTH parameter.Steve Holme
Fixed the use of angled brackets "<>" in the optional AUTH parameter as per RFC-2554 section 5. The address should not include them but an empty address should be replaced by them.
2012-02-14smtp_mail: Added support to MAIL FROM for the optional AUTH parameterSteve Holme
Added a new CURLOPT_MAIL_AUTH option that allows the calling program to set the optional AUTH parameter in the MAIL FROM command. When this option is specified and an authentication mechanism is used to communicate with the mail server then the AUTH parameter will be included in the MAIL FROM command. This is particularly useful when the calling program is acting as a relay in a trusted environment and performing server to server communication, as it allows the relaying server to specify the address of the mailbox that was used to authenticate and send the original email.
2012-02-14cyassl: update to CyaSSL 2.0.x APItoddouska
Modify configure.ac to test for new CyaSSL Init function and remove default install path to system. Change to CyaSSL OpenSSL header and proper Init in code as well. Note that this no longer detects or works with CyaSSL before v2
2012-02-14LIBCURL_VERSION_NUM: 0x071900Daniel Stenberg
I accidentally left the lowest bits 01 before
2012-02-14SMTP: Fixed error when using CURLOPT_CONNECT_ONLYSteve Holme
Fixed incorrect behavior in smtp_done() which would cause the end of block data to be sent to the SMTP server if libcurl was operating in connect only mode. This would cause the server to return an error as data would not be expected which in turn caused libcurl to return CURLE_RECV_ERROR.
2012-02-13s/7.24.1/7.25.0Daniel Stenberg
We will go straight to 7.25.0 due to the new additions
2012-02-13curlver.h: bumped to 7.25.0Daniel Stenberg
and updated the end year in the generic copyright string
2012-02-13RELEASE-NOTES: synced with 2b26eb985Daniel Stenberg
9 bug fixes, 4 changes and numerous contributors Bumped release version and option counters
2012-02-13configure: add option disable --libcurl outputColin Hogben
2012-02-13curl tool: allow negative numbers as option valuesAlessandro Ghedini
Fix the str2num() function to not check if the input string starts with a digit, since strtol() supports numbers prepended with '-' (and '+') too. This makes the --max-redirs option work as documented.
2012-02-10parse_proxy: simply memory handlingDaniel Stenberg
... by making sure that the string is always freed after the invoke as parse_proxy will always copy the data and this way there's a single free() instead of multiple ones.
2012-02-10parse_proxy: bail out on zero-length proxy names!Daniel Stenberg
The proxy parser function strips off trailing slashes off the proxy name which could lead to a mistaken zero length proxy name which would be treated as no proxy at all by subsequent functions! This is now detected and an error is returned. Verified by the new test 1329. Reported by: Chandrakant Bagul Bug: http://curl.haxx.se/mail/lib-2012-02/0000.html
2012-02-09nss: add support for the CURLSSLOPT_ALLOW_BEAST optionKamil Dudka
... and fix some typos from the 62d15f1 commit.
2012-02-09configure: don't modify LD_LIBRARY_PATH for cross compilesRob Ward
2012-02-09--ssl-allow-beast addedDaniel Stenberg
This new option tells curl to not work around a security flaw in the SSL3 and TLS1.0 protocols. It uses the new libcurl option CURLOPT_SSL_OPTIONS with the CURLSSLOPT_ALLOW_BEAST bit set.
2012-02-09CURLOPT_SSL_OPTIONS: addedDaniel Stenberg
Allow an appliction to set libcurl specific SSL options. The first and only options supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl to disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
2012-02-09curl: use new library-side TCP_KEEPALIVE optionsDave Reisner
Use the new library CURLOPT_TCP_KEEPALIVE rather than disabling this via the sockopt callback. If --keepalive-time is used, apply the value to CURLOPT_TCP_KEEPIDLE and CURLOPT_TCP_KEEPINTVL.
2012-02-09add library support for tuning TCP_KEEPALIVEDave Reisner
This adds three new options to control the behavior of TCP keepalives: - CURLOPT_TCP_KEEPALIVE: enable/disable probes - CURLOPT_TCP_KEEPIDLE: idle time before sending first probe - CURLOPT_TCP_KEEPINTVL: delay between successive probes While not all operating systems support the TCP_KEEPIDLE and TCP_KEEPINTVL knobs, the library will still allow these options to be set by clients, silently ignoring the values.
2012-02-07curl_easy_reset: reset the referer stringDaniel Stenberg
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly clear it. Verified with the new test 598 Bug: http://curl.haxx.se/bug/view.cgi?id=3481551 Reported by: Michael Day
2012-02-07curl tool: allow glob-loops to abort again upon critical errorsYang Tse
This prevents clobbering of non recoverable error return codes while retaining intended functionality of commit 65103efe
2012-02-06curl tool: don't abort glob-loop due to failuresDaniel Stenberg
We want to continue to the next URL to try even on failures returned from libcurl. This makes -f with ranges still get subsequent URLs even if occasional ones return error. This was a regression as it used to work and broke in the 7.23.0 release. Added test case 1328 to verify the fix. Bug: http://curl.haxx.se/bug/view.cgi?id=3481223 Reported by: Juan Barreto
2012-01-31CONNECT: send correct Host: with IPv6 numerical addressDaniel Stenberg
When the target host was given as a IPv6 numerical address, it was not properly put within square brackets for the Host: header in the CONNECT request. The "normal" request did fine. Reported by: "zooloo" Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
2012-01-28Explicitly link to the nettle/gcrypt librariesMartin Storsjo
When support for nettle was added in 64f328c787ab, I overlooked the fact that AC_CHECK_LIB doesn't add the tested lib to LIBS if the check succeeded, if a custom success code block was present. (The previous version of the check had an empty block for successful checks, adding the lib to LIBS implicitly.) Therefore, explicitly add either nettle or gcrypt to LIBS, after deciding which one to use. Even if they can be linked in transitively, it is safer to actually link explicitly to them. This fixes building with gnutls with linkers that don't allow linking transitively, such as for windows.
2012-01-28more resilient connection times among IP addressesPierre Ynard
When connecting to a domain with multiple IP addresses, allow different, decreasing connection timeout values. This should guarantee some connections attempts with sufficiently long timeouts, while still providing fallback.
2012-01-28remove write-only variablePierre Ynard
2012-01-26Merge branch 'master' of github.com:bagder/curlPierre Joye
2012-01-26- fix IPV6 and IDN optionsPierre Joye
2012-01-25TODO-RELEASE: added item #308Yang Tse
2012-01-25THANKS: imported contributors from 7.24.0 RELEASE-NOTESDaniel Stenberg
2012-01-25test harness: update stunnel.pem Diffie-Hellman parameters from 512 to 1024 bitYang Tse
2012-01-25version: start working on 7.24.1-DEVYang Tse
2012-01-24curl_easy_setopt.3: Fixed SEEKDATA & CLOSESOCKETDATA descriptionsDan Fandrich
2012-01-24RELEASE-NOTES: synced with 70f71bb99f7ed9Daniel Stenberg
Synced and prepared for 7.24.0 release. Two security problems, one bug fix, two more contributors.
2012-01-24gnutls: enforced use of SSLv3Daniel Stenberg
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-24tests: test CRLF in URLsDaniel Stenberg
Related to the security vulnerability: CVE-2012-0036 Bug: http://curl.haxx.se/docs/adv_20120124.html
2012-01-24URL sanitize: reject URLs containing bad dataDaniel Stenberg
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
2012-01-24OpenSSL: don't disable security work-aroundDaniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
2012-01-22RELEASE-NOTES: synced with 6e2fd2c9eaDaniel Stenberg
3 more bugfixes, 3 more contributors
2012-01-22CURLOPT_ACCEPTTIMEOUT_MS: spellfixDaniel Stenberg
2012-01-20examples: updated README with two new example programsDan Fandrich
2012-01-20URL parse: user name with ipv6 numerical addressDaniel Stenberg
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/ Reported by: Brandon Wang Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html