path: root/lib
Age | Commit message | Author
2012-04-01 | OpenSSL: Made cert hostname check conform to RFC 6125 | Tatsuhiro Tsujikawa
This change replaces RFC 2818 based hostname check in OpenSSL build with RFC 6125 [1] based one. The hostname check in RFC 2818 is ambiguous and each project implements it in their own way and they are slightly different. I checked curl, gnutls, Firefox and Chrome and they are all different. I don't think there is a bug in current implementation of hostname check. But it is not as strict as the modern browsers do. Currently, curl allows multiple wildcard character '*' and it matches '.'. (as described in the comment in ssluse.c). Firefox implementation is also based on RFC 2818 but it only allows at most one wildcard character and it must be in the left-most label in the pattern and the wildcard must not be followed by any character in the label.[2] Chromium implementation is based on RFC 6125 as my patch does. Firefox and Chromium both require wildcard in the left-most label in the presented identifier. This patch is more strict than the current implementation, so there may be some cases where old curl works but new one does not. But at the same time I think it is good practice to follow what the modern browsers do and follow the newer RFC.
[1] http://tools.ietf.org/html/rfc6125#section-6.4.3
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=159483
2012-04-01 | HTTP: reset expected DL/UL sizes on redirects | Daniel Stenberg
With FOLLOWLOCATION enabled. When a 3xx page is downloaded and the download size was known (like with a Content-Length header), but the subsequent URL (transferred after the 3xx page) was chunked encoded, then the previous "known download size" would linger and cause the progress meter to get incorrect information, i.e. the former value would remain being sent in. This could easily result in downloads that were WAY larger than "expected" and would cause >100% outputs with the curl command line tool. Test case 599 was created and it was used to repeat the bug and then verify the fix. Bug: http://curl.haxx.se/bug/view.cgi?id=3510057 Reported by: Michael Wallner
2012-03-31 | smtp: Add support for DIGEST-MD5 authentication | Gökhan Şengün
2012-03-31 | smtp: Code tidy up of md5 digest length | Gökhan Şengün
Replaced the hard coded md5 digest length (16) with a preprocessor constant
2012-03-31 | md5: Add support for calculating the md5 sum of buffers incrementally | Gökhan Şengün
It is now possible to calculate the md5 sum as the stream of buffers becomes known whereas previously it was only possible to calculate the md5 sum of a pre-prepared buffer.
2012-03-31 | Revert "mk-ca-bundle.pl: use LWP::UserAgent for https" | Daniel Stenberg
This reverts commit 9f0e1689f169b83b8fbdae23e0024cc57dcbc770. It turned out that "improvement" instead made the fetching of the certificates unreliable. Bug: http://curl.haxx.se/mail/lib-2012-03/0238.html Reported by: Tim Heckman
2012-03-31 | pop3: Added support for additional pop3 commands | Steve Holme
This feature allows the user to specify and use additional POP3 commands such as UIDL and DELE via libcurl's CURLOPT_CUSTOMREQUEST or curl's -X command line option.
2012-03-25 | ssh.c: code cleanup, Curl_safefree() already nullifies pointer | Yang Tse
2012-03-25 | fix some compiler warnings | Yang Tse
2012-03-25 | pop3.c: Corrected problem with state() introduced in 01690ed2bce5 | Steve Holme
2012-03-25 | pop.c: Small code tidy up | Steve Holme
2012-03-25 | pop3: Removed the need for the single message LIST command handler | Steve Holme
Simplified the code to remove the need for a separate "LIST <msg id>" command handler and state machine and instead use the LIST command handler for both operations.
2012-03-24 | pop3.c: Code policing and tidy up | Steve Holme
Corrected character and line spacing and re-ordered list and retr functions based on the order of their state machines.
2012-03-24 | email: Moved server greeting responses into separate functions | Steve Holme
Moved the server greeting response handling code from the statemach_act functions to separate response functions. This makes the code simpler to follow and provides consistency with the other responses that are handled here.
2012-03-24 | pop3.c: Fixed body data being written when CURLOPT_NOBODY is specified | Steve Holme
Body data would be forwarded to the client application in both the RETR and LIST commands even if CURLOPT_NOBODY was specified.
2012-03-22 | http_proxy.h: fix builds with proxy or http disabled | Yang Tse
2012-03-22 | parsedate.c: fix a numeric overflow | Yang Tse
2012-03-22 | cookies: strip the numerical ipv6 host properly | Andrei Cipu
The commit e650dbde86d4 that stripped off [brackets] from ipv6-only host headers for the sake of cookie parsing wrongly incremented the host pointer which would cause a bad free() call later on.
2012-03-22 | fix several compiler warnings | Yang Tse
2012-03-22 | CONNECT: fix multi interface regression | Daniel Stenberg
The refactoring of HTTP CONNECT handling in commit 41b0237834232 that made it protocol independent broke it for the multi interface. This fix now introduces a better state handling and moved some logic to the http_proxy.c source file. Reported by: Yang Tse Bug: http://curl.haxx.se/mail/lib-2012-03/0162.html
2012-03-20 | fix several compiler warnings | Yang Tse
2012-03-17 | lwip: basic checks and macros for compatibility | Daniel Stenberg
2012-03-16 | http_proxy.c: fix OOM handling | Yang Tse
2012-03-16 | fix some compiler warnings | Yang Tse
2012-03-13 | resolve with c-ares: don't resolve IPv6 when not working | Maxim Prohorov
If the Curl_ipv6works() function says no, there is no reason to try AAAA names even if libcurl was built with IPv6 support enabled. Bug: http://curl.haxx.se/mail/lib-2012-03/0045.html
2012-03-10 | smtp.c: Changed the curl error code for EHLO and HELO responses | Steve Holme
Changed the returned curl error codes for EHLO and HELO responses from CURLE_LOGIN_DENIED to CURLE_REMOTE_ACCESS_DENIED as a negative response from these commands represents no service as opposed to a login error.
2012-03-10 | Curl_http: strip off [brackets] from ipv6-only host headers | Andrei Cipu
Since the host name is passed in to the cookie engine it will not work correctly if the brackets are left in the name. Bug: http://curl.haxx.se/mail/lib-2012-03/0036.html
2012-03-10 | mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior. | John Joseph Bachir
An alternative would be:
1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE
2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being used
This question and answer explain: http://stackoverflow.com/questions/74358/
2012-03-10 | access the CA source file using HTTPS | John Joseph Bachir
2012-03-09 | includes: remove inclusion of unused file http_proxy.h | Daniel Stenberg
2012-03-08 | CONNECT: made generically not per-protocol | Daniel Stenberg
Curl_protocol_connect() now does the tunneling through the HTTP proxy if requested instead of letting each protocol specific connection function do it.
2012-03-08 | ssh_connect: tunnel through HTTP proxy if requested | Daniel Stenberg
2012-03-08 | LWIP: don't consider HAVE_ERRNO_H to be winsock | Daniel Stenberg
The check for Winsock definition was a bit too broad. Bug: http://curl.haxx.se/mail/lib-2012-03/0046.html
2012-02-24 | CONNECT: fix ipv6 address in the Request-Line | Daniel Stenberg
Commit 466150bc64d fixed the Host: header with CONNECT, but I then forgot the preceding request-line. Now this too uses [brackets] properly if an ipv6 numerical address was given. Bug: http://curl.haxx.se/bug/view.cgi?id=3493129 Reported by: "Blacat"
2012-02-23 | SMTP: Added support for returning SMTP response codes | Steve Holme
Set the conn->data->info.httpcode variable in smtp_statemach_act() to allow Curl_getinfo() to return the SMTP response code via the CURLINFO_RESPONSE_CODE action.
2012-02-21 | smtp.c: Fixed an issue with writing postdata | Steve Holme
Fixed a problem in smtp_done() when writing out the postdata as Curl_write() would periodically return zero bytes written.
2012-02-19 | pop3.c: Fixed drop of final CRLF in EOB checking | Steve Holme
Curl_pop3_write() would drop the final CRLF of a message as it was considered part of the EOB as opposed to part of the message. Whilst the EOB sequence needs to be searched for by the function only the final 3 characters should be removed as per RFC-1939 section 3. Reported by: Rich Gray Bug: http://curl.haxx.se/mail/lib-2012-02/0051.html
2012-02-17 | smtp.c: Fixed an issue with the EOB checking | Steve Holme
Curl_smtp_escape_eob() would leave off final CRLFs from emails ending in multiple blank lines additionally leaving the smtpc->eob variable with the character count in, which would cause problems for additional emails when sent through multiple calls to curl_easy_perform() after a CURLOPT_CONNECT_ONLY.
2012-02-16 | SMTP: Code policing and tidy up | Steve Holme
2012-02-15 | smtp.c: Fixed use of angled brackets in AUTH parameter. | Steve Holme
Fixed the use of angled brackets "<>" in the optional AUTH parameter as per RFC-2554 section 5. The address should not include them but an empty address should be replaced by them.
2012-02-14 | smtp_mail: Added support to MAIL FROM for the optional AUTH parameter | Steve Holme
Added a new CURLOPT_MAIL_AUTH option that allows the calling program to set the optional AUTH parameter in the MAIL FROM command. When this option is specified and an authentication mechanism is used to communicate with the mail server then the AUTH parameter will be included in the MAIL FROM command. This is particularly useful when the calling program is acting as a relay in a trusted environment and performing server to server communication, as it allows the relaying server to specify the address of the mailbox that was used to authenticate and send the original email.
2012-02-14 | cyassl: update to CyaSSL 2.0.x API | toddouska
Modify configure.ac to test for new CyaSSL Init function and remove default install path to system. Change to CyaSSL OpenSSL header and proper Init in code as well. Note that this no longer detects or works with CyaSSL before v2
2012-02-14 | SMTP: Fixed error when using CURLOPT_CONNECT_ONLY | Steve Holme
Fixed incorrect behavior in smtp_done() which would cause the end of block data to be sent to the SMTP server if libcurl was operating in connect only mode. This would cause the server to return an error as data would not be expected which in turn caused libcurl to return CURLE_RECV_ERROR.
2012-02-10 | parse_proxy: simply memory handling | Daniel Stenberg
... by making sure that the string is always freed after the invoke as parse_proxy will always copy the data and this way there's a single free() instead of multiple ones.
2012-02-10 | parse_proxy: bail out on zero-length proxy names! | Daniel Stenberg
The proxy parser function strips off trailing slashes off the proxy name which could lead to a mistaken zero length proxy name which would be treated as no proxy at all by subsequent functions! This is now detected and an error is returned. Verified by the new test 1329. Reported by: Chandrakant Bagul Bug: http://curl.haxx.se/mail/lib-2012-02/0000.html
2012-02-09 | nss: add support for the CURLSSLOPT_ALLOW_BEAST option | Kamil Dudka
... and fix some typos from the 62d15f1 commit.
2012-02-09 | CURLOPT_SSL_OPTIONS: added | Daniel Stenberg
Allow an application to set libcurl specific SSL options. The first and only option supported right now is CURLSSLOPT_ALLOW_BEAST. It will make libcurl disable any work-arounds the underlying SSL library may have to address a known security flaw in the SSL3 and TLS1.0 protocol versions. This is a reaction to us unconditionally removing that behavior after this security advisory: http://curl.haxx.se/docs/adv_20120124B.html ... it did however cause a lot of programs to fail because of old servers not liking this work-around. Now programs can opt to decrease the security in order to interoperate with old servers better.
2012-02-09 | add library support for tuning TCP_KEEPALIVE | Dave Reisner
This adds three new options to control the behavior of TCP keepalives:
- CURLOPT_TCP_KEEPALIVE: enable/disable probes
- CURLOPT_TCP_KEEPIDLE: idle time before sending first probe
- CURLOPT_TCP_KEEPINTVL: delay between successive probes
While not all operating systems support the TCP_KEEPIDLE and TCP_KEEPINTVL knobs, the library will still allow these options to be set by clients, silently ignoring the values.
2012-02-07 | curl_easy_reset: reset the referer string | Daniel Stenberg
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly clear it. Verified with the new test 598. Bug: http://curl.haxx.se/bug/view.cgi?id=3481551 Reported by: Michael Day
2012-01-31 | CONNECT: send correct Host: with IPv6 numerical address | Daniel Stenberg
When the target host was given as an IPv6 numerical address, it was not properly put within square brackets for the Host: header in the CONNECT request. The "normal" request did fine. Reported by: "zooloo" Bug: http://curl.haxx.se/bug/view.cgi?id=3482093