aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2012-01-24gnutls: enforced use of SSLv3Daniel Stenberg
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-24URL sanitize: reject URLs containing bad dataDaniel Stenberg
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
2012-01-24OpenSSL: don't disable security work-aroundDaniel Stenberg
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around workding, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this. Reported by: product-security at Apple
2012-01-20URL parse: user name with ipv6 numerical addressDaniel Stenberg
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/ Reported by: Brandon Wang Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20telnet.c: fix OOM triggered segfaultYang Tse
2012-01-19OpenSSL: follow-up for commit a20daf90e3Yang Tse
avoid checking preprocessor definition official value
2012-01-18ssl session caching: fix compiler warningsYang Tse
2012-01-18polarssl: show cipher suite name correctly with 1.1.0Daniel Stenberg
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.
2012-01-18polarssl: show error code correctlyDaniel Stenberg
The value was turned negative when it shouldn't have been
2012-01-18polarssl: havege_rand is not present in version 1.1.0Daniel Stenberg
... it is now named havege_random! Reported by: Robert Schumann Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18Use correct file descriptor for telnet upload.Colin Hogben
Fix a bug where input was read from stdin even when a different FILE * had been configured via CURLOPT_READDATA
2012-01-18OpenLDAP: fix LDAP connection phase memory leakYang Tse
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18OpenSSL: fix PKCS#12 certificate parsing related memory leakJohannes Bauer
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabledYang Tse
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull interoperability with web server Netscape Enterprise Server 2.0.1 released back in 1996 more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-16add LF termination to infof() trace stringYang Tse
2012-01-15Curl_proxyCONNECT() trace known bug #39Yang Tse
2012-01-13http_negotiate_sspi.c: fix compiler warningYang Tse
2012-01-13ssh.c: fix compiler warningYang Tse
2012-01-12hostip: avoid getaddrinfo when c-ares is usedDaniel Stenberg
Some functions using getaddrinfo and gethostbyname were still mistakingly being used/linked even if c-ares was selected as resolver backend. Reported by: Arthur Murray Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-09FTP: CURLE_PARTIAL_FILE should not cause control connection to be closedgsengun
Test 161 updated accordingly
2012-01-08lib/setup.h: portable symbolic names for Winsock shutdown() mode flagsYang Tse
2012-01-04win32-threaded-resolver: stop using a dummy socketDaniel Stenberg
Previously the code would create a dummy socket while resolving just to have curl_multi_fdset() return something but the non-win32 version doesn't do it this way and the creation and use of a socket that isn't made with the common create-socket callback can be confusing to apps using the multi_socket API etc. This change removes the dummy socket and thus will cause curl_multi_fdset() to return with maxfd == -1 more often.
2012-01-04OpenSSL: remove reference to openssl internal structPeter Sylvester
With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN cflag. This flag might become the default in some distant future.
2012-01-04krb5.c: fix compiler warning: variable set but not usedYang Tse
2012-01-04Fixed use of CURLUSESSL_TRY for POP3 and IMAP based connections.Steve Holme
Fixed a problem in POP3 and IMAP where a connection would fail when CURLUSESSL_TRY was specified for a server that didn't support SSL/TLS connections rather than continuing.
2012-01-04Fixed incorrect error code being returned in STARTTLSSteve Holme
The STARTTLS response code in SMTP, POP3 and IMAP would return CURLE_LOGIN_DENIED rather than CURLE_USE_SSL_FAILED when SSL/TLS was not available on the server. Reported by: Gokhan Sengun Bug: http://curl.haxx.se/mail/lib-2012-01/0018.html
2012-01-02hostip.c: fix potential write past the end of string bufferYang Tse
2012-01-02hostip.c: fix Curl_loadhostpairs() OOM handlingYang Tse
2012-01-01Curl_input_negotiate: use the correct buffer for inputDaniel Stenberg
Unfortunately we have no test cases for this and I have no SSPI build or server to verify this with. The change seems simple enough though. Bug: http://curl.haxx.se/bug/view.cgi?id=3466497 Reported by: Patrice Guerin
2011-12-31just a stupid typoDaniel Stenberg
2011-12-31SFTP dir: increase buffer size counterDaniel Stenberg
When the buffer gets realloced to hold the file name in the SSH_SFTP_READDIR_LINK state, the counter was not bumped accordingly. Reported by: Armel Asselin Patch by: Armel Asselin Bug: http://curl.haxx.se/mail/lib-2011-12/0249.html
2011-12-31create_hostcache_id: use the key lower casedDaniel Stenberg
... to make sure the DNS cache is properly case insensitive
2011-12-31changed case: use new host name for subsequent HTTP requestsDaniel Stenberg
When a HTTP connection is re-used for a subsequent request without proxy, it would always re-use the Host: header of the first request. As host names are case insensitive it would make curl send another host name case that what the particular request used. Now it will instead always use the most recent host name to always use the desired casing. Added test case 1318 to verify. Bug: http://curl.haxx.se/mail/lib-2011-12/0314.html Reported by: Alex Vinnik
2011-12-31CURLOPT_RESOLVE: avoid adding already present host namesDaniel Stenberg
The load host names to DNS cache function was moved to hostip.c and it now makes sure to not add host names that already are present in the cache. It would previously lead to memory leaks when for example using the --resolve and multiple URLs on the command line.
2011-12-30removed trailing whitespaceYang Tse
2011-12-25transfer: avoid unnecessary timeout event when waiting for 100-continueKamil Dudka
The commit 9dd85bc unintentionally changed the way we compute the time spent waiting for 100-continue. In particular, when using a SSL client certificate, the time spent by SSL handshake was included and could cause the CURL_TIMEOUT_EXPECT_100 timeout to be mistakenly fired up. Bug: https://bugzilla.redhat.com/767490 Reported by: Mamoru Tasaka
2011-12-25transfer.c: move a logging statement placementYang Tse
2011-12-25hash.c: fix OOM triggered segfaultYang Tse
2011-12-24ftp_do_more: don't return success until all is doneDaniel Stenberg
ftp_do_more() returns after accepting the server connect however it needs to fall through and set "*complete" to TRUE before exit from the function. Bug: http://curl.haxx.se/mail/lib-2011-12/0250.html Reported by: Gokhan Sengun
2011-12-24Curl_do_more: fix typo logicDaniel Stenberg
In the recent do_more fix the new logic was mistakenly checking the pointer instead of what it points to. Reported by: Gokhan Sengun Bug: http://curl.haxx.se/mail/lib-2011-12/0250.html
2011-12-24SFTP mkdir: use correct permissionDaniel Stenberg
When sending quote command to a SFTP server and 'mkdir' was used, it would send fixed permissions and not use the CURLOPT_NEW_DIRECTORY_PERMS as it should. Reported by: Armel Patch by: Armel Bug: http://curl.haxx.se/mail/lib-2011-12/0249.html
2011-12-23resolve: don't leak pre-populated dns entriesDaniel Stenberg
CURLOPT_RESOLVE populates the DNS cache with entries that are marked as eternally in use. Those entries need to be taken care of when the cache is killed off. Bug: http://curl.haxx.se/bug/view.cgi?id=3463121 Reported by: "tw84452852"
2011-12-21formdata.c: OOM handling fixesYang Tse
2011-12-20Curl_socket_check: enlarge poll struct array to 3Daniel Stenberg
This function was introduced in commit 5527417afae0 and as pointed out by Gokhan Sengun, the array with poll structs must large enough to hold 3 sockets since that is what the function can accept. It could be noted that he had this fixed in his patch as posted in http://curl.haxx.se/mail/lib-2011-12/0179.html Bug: http://curl.haxx.se/mail/lib-2011-12/0228.html Reported by: Gokhan Sengun
2011-12-20timeleft_accept: ack global timeout, moved to ftp.cDaniel Stenberg
First off the timeout for accepting a server connect back must of course respect a global timeout. Then the timeleft function is only used by ftp code so it was moved to ftp.c and made static.
2011-12-20FTP: move FTP-specific struct field to ftpc_connDaniel Stenberg
"wait_data_conn" was added to the connectionbits in commit c834213ad5 for handling active FTP connections but as it is purely FTP specific and now only ever accessed by ftp.c I moved it into the FTP connection struct.
2011-12-20non-blocking active FTP: cleanup multi state usageDaniel Stenberg
Backpedaled out the funny double-change of state in the multi state machine by adding a new argument to the do_more() function to signal completion. This way it can remain in the DO_MORE state properly until done. Long term, the entire DO_MORE logic should be moved into the FTP code and be hidden from the multi code as the logic is only used for FTP.
2011-12-20FTP: perform active connections non-blockingGokhan Sengun
1- Two new error codes are introduced. CURLE_FTP_ACCEPT_FAILED to be set whenever ACCEPTing fails because of FTP server connected. CURLE_FTP_ACCEPT_TIMEOUT to be set whenever ACCEPTing timeouts. Neither of these errors are considered fatal and control connection remains OK because it could just be a firewall blocking server to connect to the client. 2- One new setopt option was introduced. CURLOPT_ACCEPTTIMEOUT_MS It sets the maximum amount of time FTP client is going to wait for a server to connect. Internal default accept timeout is 60 seconds.
2011-12-20sockets: new Curl_socket_check() can wait for 3 socketsDaniel Stenberg
This offers an alternative to the existing Curl_socket_ready() API which only checks one socket for read and one for write.
2011-12-20Curl_pgrsTime: store now in an auto variableDaniel Stenberg
It makes it easier to introduce debug outputs in this function, and everything in the function is using the value anyway so it might even be more efficient.