aboutsummaryrefslogtreecommitdiff
path: root/lib/smtp.c
AgeCommit message (Collapse)Author
2019-02-04smtp: avoid risk of buffer overflow in strtolDaniel Gustafsson
If the incoming len 5, but the buffer does not have a termination after 5 bytes, the strtol() call may keep reading through the line buffer until is exceeds its boundary. Fix by ensuring that we are using a bounded read with a temporary buffer on the stack. Bug: https://curl.haxx.se/docs/CVE-2019-3823.html Reported-by: Brian Carpenter (Geeknik Labs) CVE-2019-3823
2018-12-17pingpong: ignore regular timeout in disconnect phaseDaniel Stenberg
The timeout set with CURLOPT_TIMEOUT is no longer used when disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP, POP3). Reported-by: jasal82 on github Fixes #3264 Closes #3374
2018-09-22url: use the URL API internally as wellDaniel Stenberg
... to make it a truly unified URL parser. Closes #3017
2018-09-06CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer sizeDaniel Stenberg
This is step 3 of #2888. Fixes #2888 Closes #2896
2018-07-09smtp: use the upload buffer size for scratch buffer mallocDaniel Stenberg
... not the read buffer size, as that can be set smaller and thus cause a buffer overflow! CVE-2018-0500 Reported-by: Peter Wu Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
2018-06-11cppcheck: fix warningsMarian Klymov
- Get rid of variable that was generating false positive warning (unitialized) - Fix issues in tests - Reduce scope of several variables all over etc Closes #2631
2018-02-12smtp: fix processing of initial dot in dataPatrick Monnerat
RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command should be taken into account when chasing the <CRLF>.<CRLF> end marker. Thus a leading dot character in data is also subject to escaping. Tests 911 and test server are adapted to this situation. New tests 951 and 952 check proper handling of initial dot in data. Closes #2304
2018-01-15smtp/pop3/imap_get_message: decrease the data length too...Daniel Stenberg
Follow-up commit to 615edc1f73 which was incomplete. Assisted-by: Max Dymond Detected by OSS-fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
2017-12-05sasl_getmesssage: make sure we have a long enough string to passDaniel Stenberg
For pop3/imap/smtp, added test 891 to somewhat verify the pop3 case. For this, I enhanced the pingpong test server to be able to send back responses with LF-only instead of always using CRLF. Closes #2150
2017-10-25time: rename Curl_tvnow to Curl_nowDaniel Stenberg
... since the 'tv' stood for timeval and this function does not return a timeval struct anymore. Also, cleaned up the Curl_timediff*() functions to avoid typecasts and clean up the descriptive comments. Closes #2011
2017-10-10smtp_done: free data before returning (on send failure)Daniel Stenberg
... as otherwise it could leak that memory. Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3600 Assisted-by: Max Dymond Closes #1977
2017-09-20smtp: fix memory leak in OOMDaniel Stenberg
Regression since ce0881edee Coverity CID 1418139 and CID 1418136 found it, but it was also seen in torture testing.
2017-09-02mime: new MIME API.Patrick Monnerat
Available in HTTP, SMTP and IMAP. Deprecates the FORM API. See CURLOPT_MIMEPOST. Lib code and associated documentation.
2017-06-30handler: refactor connection checkingMax Dymond
Add a new type of callback to Curl_handler which performs checks on the connection. Alter RTSP so that it uses this callback to do its own check on connection health.
2017-06-15http-proxy: only attempt FTP over HTTP proxyDaniel Stenberg
... all other non-HTTP protocol schemes are now defaulting to "tunnel trough" mode if a HTTP proxy is specified. In reality there are no HTTP proxies out there that allow those other schemes. Assisted-by: Ray Satiro, Michael Kaufmann Closes #1505
2017-05-01buffer: use data->set.buffer_size instead of BUFSIZEDaniel Stenberg
... to properly use the dynamically set buffer size!
2017-02-10URL: only accept ";options" in SMTP/POP3/IMAP URL schemesDaniel Stenberg
Fixes #1252
2017-01-12smtp: Fix STARTTLS denied error messageJay Satiro
- Format the numeric denial code as an integer instead of a character.
2016-11-24checksrc: white space edits to comply to stricter checksrcDaniel Stenberg
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-10-31strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-09-07errors: new alias CURLE_WEIRD_SERVER_REPLY (8)Jay Satiro
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as more of a generic "failed to parse" introduce an alias without FTP in the name. Closes https://github.com/curl/curl/pull/975
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-05-23smtp: minor ident (white space) fixesDaniel Stenberg
2016-04-29lib: include curl_printf.h as one of the last headersDaniel Stenberg
curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
2016-03-30multi: turn Curl_done into file local multi_doneDaniel Stenberg
... as it now is used by multi.c only.
2016-03-19ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabledSteve Holme
warning C4706: assignment within conditional expression
2016-03-08imap/pop3/smtp: Fixed connections upgraded with TLS are not reusedSteve Holme
Regression since commit 710f14edba. Bug: https://github.com/curl/curl/issues/422 Reported-by: Justin Ehlert
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-03-16free: instead of Curl_safefree()Daniel Stenberg
Since we just started make use of free(NULL) in order to simplify code, this change takes it a step further and: - converts lots of Curl_safefree() calls to good old free() - makes Curl_safefree() not check the pointer before free() The (new) rule of thumb is: if you really want a function call that frees a pointer and then assigns it to NULL, then use Curl_safefree(). But we will prefer just using free() from now on.
2015-03-03mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg
... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
2015-01-27sasl: implement EXTERNAL authentication mechanism.Patrick Monnerat
Its use is only enabled by explicit requirement in URL (;AUTH=EXTERNAL) and by not setting the password.
2015-01-20SASL: common state engine for imap/pop3/smtpPatrick Monnerat
2015-01-20SASL: common URL option and auth capabilities decoders for all protocolsPatrick Monnerat
2015-01-20IMAP/POP3/SMTP: use a per-connection sub-structure for SASL parameters.Patrick Monnerat
2014-12-16IPV6: address scope != scope idPatrick Monnerat
There was a confusion between these: this commit tries to disambiguate them. - Scope can be computed from the address itself. - Scope id is scope dependent: it is currently defined as 1-based local interface index for link-local scoped addresses, and as a site index(?) for (obsolete) site-local addresses. Linux only supports it for link-local addresses. The URL parser properly parses a scope id as an interface index, but stores it in a field named "scope": confusion. The field has been renamed into "scope_id". Curl_if2ip() used the scope id as it was a scope. This caused failures to bind to an interface. Scope is now computed from the addresses and Curl_if2ip() matches them. If redundantly specified in the URL, scope id is check for mismatch with the interface index. This commit should fix SF bug #1451.
2014-12-12smtp.c: Fixed compilation warningsSteve Holme
smtp.c:2357 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string smtp.c:2375 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string smtp.c:2386 warning: adding 'size_t' (aka 'unsigned long') to a string does not append to the string Used array index notation instead.
2014-12-12smtp.c: Fixed line longer than 79 columnsSteve Holme
2014-12-12smtp: Fixed inappropriate free of the scratch bufferSteve Holme
If the scratch buffer was allocated in a previous call to Curl_smtp_escape_eob(), a new buffer not allocated in the subsequent call and no action taken by that call, then an attempt would be made to try and free the buffer which, by now, would be part of the data->state structure. This bug was introduced in commit 4bd860a001.
2014-12-12smtp: Fixed dot stuffing when EOL characters were at end of input buffersSteve Holme
Fixed a problem with the CRLF. detection when multiple buffers were used to upload an email to libcurl and the line ending character(s) appeared at the end of each buffer. This meant any lines which started with . would not be escaped into .. and could be interpreted as the end of transmission string instead. This only affected libcurl based applications that used a read function and wasn't reproducible with the curl command-line tool. Bug: http://curl.haxx.se/bug/view.cgi?id=1456 Assisted-by: Patrick Monnerat
2014-11-26smtp: Fixed const'ness of nread parameter in Curl_smtp_escape_eob()Steve Holme
...and some comment typos!
2014-11-26smtp: Added support for the conversion of Unix newlines during mail sendSteve Holme
Added support for the automatic conversion of Unix newlines to CRLF during mail uploads. Feature: http://curl.haxx.se/bug/view.cgi?id=1456
2014-11-16kerberos: Use symbol qualified with _KERBEROS5Michael Osipov
For consistency renamed USE_KRB5 to USE_KERBEROS5.
2014-11-02sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is usedSteve Holme
Typically the USE_WINDOWS_SSPI definition would not be used when the CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication data structures and functions would incorrectly be used when they shouldn't be. Introduced a new USE_KRB5 definition that takes into account the use of CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
2014-09-30smtp: Fixed intermittent "SSL3_WRITE_PENDING: bad write retry" errorBill Nagel
This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL appears to require the same pointer on a write that follows a retry (CURLE_AGAIN) as discussed here: http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
2014-09-07Ensure progress.size_dl/progress.size_ul are always >= 0Brandon Casey
Historically the default "unknown" value for progress.size_dl and progress.size_ul has been zero, since these values are initialized implicitly by the calloc that allocates the curl handle that these variables are a part of. Users of curl that install progress callbacks may expect these values to always be >= 0. Currently it is possible for progress.size_dl and progress.size_ul to by set to a value of -1, if Curl_pgrsSetDownloadSize() or Curl_pgrsSetUploadSize() are passed a "size" of -1 (which a few places currently do, and a following patch will add more). So lets update Curl_pgrsSetDownloadSize() and Curl_pgrsSetUploadSize() so they make sure that these variables always contain a value that is >= 0. Updates test579 and test599. Signed-off-by: Brandon Casey <drafnel@gmail.com>
2014-08-15smtp: Added support for GSSAPI (Kerberos V5) authentication via Windows SSPISteve Holme