aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2012-03-10Curl_http: strip off [brackets] from ipv6-only host headersAndrei Cipu
Since the host name is passed in to the cookie engine it will not work correctly if the brackets are left in the name. Bug:http://curl.haxx.se/mail/lib-2012-03/0036.html
2012-03-10mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior.John Joseph Bachir
An alternative would be: 1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE 2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being used This question and answer explain: http://stackoverflow.com/questions/74358/
2012-03-10access the CA source file using HTTPSJohn Joseph Bachir
2012-03-09includes: remove inclusion of unused file http_proxy.hDaniel Stenberg
2012-03-08CONNECT: made generically not per-protocolDaniel Stenberg
Curl_protocol_connect() now does the tunneling through the HTTP proxy if requested instead of letting each protocol specific connection function do it.
2012-03-08ssh_connect: tunnel through HTTP proxy if requestedDaniel Stenberg
2012-03-08LWIP: don't consider HAVE_ERRNO_H to be winsockDaniel Stenberg
The check for Winsock definition was a bit too broad Bug: http://curl.haxx.se/mail/lib-2012-03/0046.html
2012-02-24CONNECT: fix ipv6 address in the Request-LineDaniel Stenberg
Commit 466150bc64d fixed the Host: header with CONNECT, but I then forgot the preceeding request-line. Now this too uses [brackets] properly if a ipv6 numerical address was given. Bug: http://curl.haxx.se/bug/view.cgi?id=3493129 Reported by: "Blacat"
2012-02-23SMTP: Added support for returning SMTP response codesSteve Holme
Set the conn->data->info.httpcode variable in smtp_statemach_act() to allow Curl_getinfo() to return the SMTP response code via the CURLINFO_RESPONSE_CODE action.
2012-02-21smtp.c: Fixed an issue with writing postdataSteve Holme
Fixed a problem in smtp_done() when writing out the postdata as Curl_write() would periodically return zero bytes written.
2012-02-19pop3.c: Fixed drop of final CRLF in EOB checkingSteve Holme
Curl_pop3_write() would drop the final CRLF of a message as it was considered part of the EOB as opposed to part of the message. Whilst the EOB sequence needs to be searched for by the function only the final 3 characters should be removed as per RFC-1939 section 3. Reported by: Rich Gray Bug: http://curl.haxx.se/mail/lib-2012-02/0051.html
2012-02-17smtp.c: Fixed an issue with the EOB checkingSteve Holme
Curl_smtp_escape_eob() would leave off final CRLFs from emails ending in multiple blank lines additionally leaving the smtpc->eob variable with the character count in, which would cause problems for additional emails when sent through multiple calls to curl_easy_perform() after a CURLOPT_CONNECT_ONLY.
2012-02-16SMTP: Code policing and tidy upSteve Holme
2012-02-15smtp.c: Fixed use of angled brackets in AUTH parameter.Steve Holme
Fixed the use of angled brackets "<>" in the optional AUTH parameter as per RFC-2554 section 5. The address should not include them but an empty address should be replaced by them.
2012-02-14smtp_mail: Added support to MAIL FROM for the optional AUTH parameterSteve Holme
Added a new CURLOPT_MAIL_AUTH option that allows the calling program to set the optional AUTH parameter in the MAIL FROM command. When this option is specified and an authentication mechanism is used to communicate with the mail server then the AUTH parameter will be included in the MAIL FROM command. This is particularly useful when the calling program is acting as a relay in a trusted environment and performing server to server communication, as it allows the relaying server to specify the address of the mailbox that was used to authenticate and send the original email.
2012-02-14cyassl: update to CyaSSL 2.0.x APItoddouska
Modify configure.ac to test for new CyaSSL Init function and remove default install path to system. Change to CyaSSL OpenSSL header and proper Init in code as well. Note that this no longer detects or works with CyaSSL before v2
2012-02-14SMTP: Fixed error when using CURLOPT_CONNECT_ONLYSteve Holme
Fixed incorrect behavior in smtp_done() which would cause the end of block data to be sent to the SMTP server if libcurl was operating in connect only mode. This would cause the server to return an error as data would not be expected which in turn caused libcurl to return CURLE_RECV_ERROR.
2012-02-10parse_proxy: simply memory handlingDaniel Stenberg
... by making sure that the string is always freed after the invoke as parse_proxy will always copy the data and this way there's a single free() instead of multiple ones.
2012-02-10parse_proxy: bail out on zero-length proxy names!Daniel Stenberg
The proxy parser function strips off trailing slashes off the proxy name which could lead to a mistaken zero length proxy name which would be treated as no proxy at all by subsequent functions! This is now detected and an error is returned. Verified by the new test 1329. Reported by: Chandrakant Bagul Bug: http://curl.haxx.se/mail/lib-2012-02/0000.html
2012-02-09nss: add support for the CURLSSLOPT_ALLOW_BEAST optionKamil Dudka
... and fix some typos from the 62d15f1 commit.
2012-02-09CURLOPT_SSL_OPTIONS: addedDaniel Stenberg
Allow an appliction to set libcurl specific SSL options. The first and only options supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl to disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
2012-02-09add library support for tuning TCP_KEEPALIVEDave Reisner
This adds three new options to control the behavior of TCP keepalives: - CURLOPT_TCP_KEEPALIVE: enable/disable probes - CURLOPT_TCP_KEEPIDLE: idle time before sending first probe - CURLOPT_TCP_KEEPINTVL: delay between successive probes While not all operating systems support the TCP_KEEPIDLE and TCP_KEEPINTVL knobs, the library will still allow these options to be set by clients, silently ignoring the values.
2012-02-07curl_easy_reset: reset the referer stringDaniel Stenberg
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly clear it. Verified with the new test 598 Bug: http://curl.haxx.se/bug/view.cgi?id=3481551 Reported by: Michael Day
2012-01-31CONNECT: send correct Host: with IPv6 numerical addressDaniel Stenberg
When the target host was given as a IPv6 numerical address, it was not properly put within square brackets for the Host: header in the CONNECT request. The "normal" request did fine. Reported by: "zooloo" Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
2012-01-28more resilient connection times among IP addressesPierre Ynard
When connecting to a domain with multiple IP addresses, allow different, decreasing connection timeout values. This should guarantee some connections attempts with sufficiently long timeouts, while still providing fallback.
2012-01-28remove write-only variablePierre Ynard
2012-01-24gnutls: enforced use of SSLv3Daniel Stenberg
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-24URL sanitize: reject URLs containing bad dataDaniel Stenberg
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
2012-01-24OpenSSL: don't disable security work-aroundDaniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
2012-01-20URL parse: user name with ipv6 numerical addressDaniel Stenberg
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/ Reported by: Brandon Wang Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20telnet.c: fix OOM triggered segfaultYang Tse
2012-01-19OpenSSL: follow-up for commit a20daf90e3Yang Tse
avoid checking preprocessor definition official value
2012-01-18ssl session caching: fix compiler warningsYang Tse
2012-01-18polarssl: show cipher suite name correctly with 1.1.0Daniel Stenberg
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.
2012-01-18polarssl: show error code correctlyDaniel Stenberg
The value was turned negative when it shouldn't have been
2012-01-18polarssl: havege_rand is not present in version 1.1.0Daniel Stenberg
... it is now named havege_random! Reported by: Robert Schumann Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18Use correct file descriptor for telnet upload.Colin Hogben
Fix a bug where input was read from stdin even when a different FILE * had been configured via CURLOPT_READDATA
2012-01-18OpenLDAP: fix LDAP connection phase memory leakYang Tse
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18OpenSSL: fix PKCS#12 certificate parsing related memory leakJohannes Bauer
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabledYang Tse
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-16add LF termination to infof() trace stringYang Tse
2012-01-15Curl_proxyCONNECT() trace known bug #39Yang Tse
2012-01-13http_negotiate_sspi.c: fix compiler warningYang Tse
2012-01-13ssh.c: fix compiler warningYang Tse
2012-01-12hostip: avoid getaddrinfo when c-ares is usedDaniel Stenberg
Some functions using getaddrinfo and gethostbyname were still mistakingly being used/linked even if c-ares was selected as resolver backend. Reported by: Arthur Murray Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-09FTP: CURLE_PARTIAL_FILE should not cause control connection to be closedgsengun
Test 161 updated accordingly
2012-01-08lib/setup.h: portable symbolic names for Winsock shutdown() mode flagsYang Tse
2012-01-04win32-threaded-resolver: stop using a dummy socketDaniel Stenberg
Previously the code would create a dummy socket while resolving just to have curl_multi_fdset() return something but the non-win32 version doesn't do it this way and the creation and use of a socket that isn't made with the common create-socket callback can be confusing to apps using the multi_socket API etc. This change removes the dummy socket and thus will cause curl_multi_fdset() to return with maxfd == -1 more often.
2012-01-04OpenSSL: remove reference to openssl internal structPeter Sylvester
With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN cflag. This flag might become the default in some distant future.
2012-01-04krb5.c: fix compiler warning: variable set but not usedYang Tse