path: root/lib
Age | Commit message | Author
2013-04-11 | cookie: fix tailmatching to prevent cross-domain leakage | YAMADA Yasuharu
Cookies set for 'example.com' could accidentally also be sent by libcurl to the 'bexample.com' (i.e. with a prefix to the first domain name). This is a security vulnerability, CVE-2013-1944. Bug: http://curl.haxx.se/docs/adv_20130412.html
2013-04-11 | Enabled MinGW sync resolver builds. | Guenter Knauf
2013-04-10 | if2ip.c: fix compiler warning | Yang Tse
2013-04-10 | Fixed lost OpenSSL output with "-t" - followup. | Guenter Knauf
The previously applied patch didn't work on Windows; we can't rely on shell commands like 'echo' since they act differently on each platform and each shell. In order to keep this script platform-independent the code must only use pure Perl.
2013-04-09 | FTP: handle "rubbish" in front of directory name in 257 responses | Bill Middlecamp
When doing PWD, there's a 257 response which apparently some servers prefix with a comment before the path instead of after it as is otherwise the norm. Failing to parse this, several otherwise legitimate use cases break. Bug: http://curl.haxx.se/mail/lib-2013-04/0113.html
2013-04-09 | Fixed ares-enabled builds with static makefiles. | Guenter Knauf
2013-04-09 | Fixed lost OpenSSL output with "-t". | Guenter Knauf
The OpenSSL pipe wrote to the final CA bundle file, but the encoded PEM output wrote to a temporary file. Consequently, the OpenSSL output was lost when the temp file was renamed to the final file at script finish (overwriting the final file written earlier by openssl). Patch posted to the list by Richard Michael (rmichael edgeofthenet org).
2013-04-08 | darwinssl: disable insecure ciphers by default | Nick Zitzmann
I noticed that aria2's SecureTransport code disables insecure ciphers such as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later. That's a good idea, and now we do the same thing in order to prevent curl from accessing a "secure" site that only negotiates insecure ciphersuites.
2013-04-08 | tcpkeepalive: Support CURLOPT_TCP_KEEPIDLE on OSX | Robert Wruck
MacOS X doesn't have TCP_KEEPIDLE/TCP_KEEPINTVL but only a single TCP_KEEPALIVE (see http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/man4/tcp.4.html). Here is a patch for CURLOPT_TCP_KEEPIDLE on OSX platforms.
2013-04-08 | proxy: make ConnectionExists() check credential of proxyconnections too | Fabian Keil
Previously it only compared credentials if the requested needle connection wasn't using a proxy. This caused NTLM authentication failures when using proxies as the authentication code wasn't sent on the connection where the challenge arrived. Added test 1215 to verify: NTLM server authentication through a proxy (This is a modified copy of test 67)
2013-04-07 | if2ip.c: Fixed another warning: unused parameter 'remote_scope' | Marc Hoersken
2013-04-07 | cookie.c: Made cookie sort function more deterministic | Marc Hoersken
Since qsort implementations vary with regards to handling the order of similar elements, this change makes the internal sort function more deterministic by comparing path length first, then domain length and finally the cookie name. Spotted with testcase 62 on Windows.
2013-04-07 | curl_schannel.c: Follow up on memory leak fix ae4558d | Marc Hoersken
2013-04-07 | http_negotiate.c: Fixed passing argument from incompatible pointer type | Marc Hoersken
2013-04-06 | ftp.c: Added missing brackets around ABOR command logic | Marc Hoersken
2013-04-06 | curl_schannel.c: Fixed memory leak if connection was not successful | Marc Hoersken
2013-04-06 | if2ip.c: Fixed warning: unused parameter 'remote_scope' | Marc Hoersken
2013-04-06 | FTP: wait on both connections during active STOR state | Daniel Stenberg
When doing PORT and upload (STOR), this function needs to extract the file descriptor for both connections so that it will respond immediately when the server eventually connects back. This flaw caused active connections to become unnecessarily slow but they would still often work due to the normal polling on a timeout. The bug also would not occur if the server connected back very fast, like when testing on local networks. Bug: http://curl.haxx.se/bug/view.cgi?id=1183 Reported by: Daniel Theron
2013-04-06 | connect: treat an interface bindlocal() problem as a non-fatal error | Kim Vandry
I am using curl_easy_setopt(CURLOPT_INTERFACE, "if!something") to force transfers to use a particular interface but the transfer fails with CURLE_INTERFACE_FAILED, "Failed binding local connection end" if the interface I specify has no IPv6 address. The cause is as follows: The remote hostname resolves successfully and has an IPv6 address and an IPv4 address. cURL attempts to connect to the IPv6 address first. bindlocal (in lib/connect.c) fails because Curl_if2ip cannot find an IPv6 address on the interface. This is a fatal error in singleipconnect(). This change will make cURL try the next IP address in the list. Also included are two changes related to IPv6 address scope:
- Filter the choice of address in Curl_if2ip to only consider addresses with the same scope ID as the connection address (mismatched scope for local and remote address does not result in a working connection).
- bindlocal was ignoring the scope ID of addresses returned by Curl_if2ip. Now it uses them.
Bug: http://curl.haxx.se/bug/view.cgi?id=1189
2013-04-05 | Curl_open: restore default MAXCONNECTS to 5 | Daniel Stenberg
At some point recently we lost the default value for the easy handle's connection cache, and this change puts it back to 5 - which is the former default value and it is documented in the curl_easy_setopt.3 man page.
2013-04-04 | easy.c: fix compiler warning | Yang Tse
2013-04-04 | http_negotiate.c: follow-up for commit 3dcc1a9c | Yang Tse
2013-04-04 | easy: Fix the broken CURLOPT_MAXCONNECTS option | Linus Nielsen Feltzing
Copy the CURLOPT_MAXCONNECTS option to CURLMOPT_MAXCONNECTS in curl_easy_perform(). Bug: http://curl.haxx.se/bug/view.cgi?id=1212 Reported-by: Steven Gu
2013-04-04 | Updated copyright date. | Guenter Knauf
2013-04-04 | Another small output fix for --help and --version. | Guenter Knauf
2013-04-04 | http_negotiate.c: fix several SPNEGO memory handling issues | Yang Tse
2013-04-04 | Added a cont to specify base64 line wrap. | Guenter Knauf
2013-04-04 | Fixed version output. | Guenter Knauf
2013-04-04 | Added support for --help and --version options. | Guenter Knauf
2013-04-04 | Added option to specify length of base64 output. | Guenter Knauf
Based on a patch posted to the list by Richard Michael.
2013-04-02 | Curl_cookie_add: only increase numcookies for new cookies | Yasuharu Yamada
Count up numcookies in Curl_cookie_add() only when cookie is new one
2013-04-02 | SO_SNDBUF: don't set SNDBUF for win32 versions vista or later | Daniel Stenberg
The Microsoft knowledge-base article http://support.microsoft.com/kb/823764 describes how to use SNDBUF to overcome a performance shortcoming in winsock, but it doesn't apply to Windows Vista and later versions. If the described SNDBUF magic is applied when running on those more recent Windows versions, it seems to instead have the reversed effect in many cases and thus make libcurl perform less good on those systems. This fix thus adds a run-time version-check that does the SNDBUF magic conditionally depending if it is deemed necessary or not. Bug: http://curl.haxx.se/bug/view.cgi?id=1188 Reported by: Andrew Kurushin Tested by: Christian Hägele
2013-04-01 | darwinssl: additional descriptive messages of SSL handshake errors | Nick Zitzmann
(This doesn't need to appear in the release notes.)
2013-04-01 | code-policed | Daniel Stenberg
2013-03-31 | tcpkeepalive: support TCP_KEEPIDLE/TCP_KEEPINTVL on win32 | Daniel Stenberg
Patch by: Robert Wruck Bug: http://curl.haxx.se/bug/view.cgi?id=1209
2013-03-29 | ftp_sendquote: use PPSENDF, not FTPSENDF | Daniel Stenberg
The last remaining code piece that still used FTPSENDF now uses PPSENDF. In the problematic case, a PREQUOTE series was done on a re-used connection when Curl_pp_init() hadn't been called so it had messed up pointers. The init call is done properly from Curl_pp_sendf() so this change fixes this particular crash. Bug: http://curl.haxx.se/mail/lib-2013-03/0319.html Reported by: Sam Deane
2013-03-25 | NTLM: fix several NTLM code paths memory leaks | Yang Tse
2013-03-25 | WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage | Yang Tse
As of 25-mar-2013 wcsdup() _wcsdup() and _tcsdup() are only used in WIN32 specific code, so tracking of these has not been extended for other build targets. Without this fix, memory tracking system on WIN32 builds, when using these functions, would provide misleading results. In order to properly extend this support for all targets curl.h would have to define curl_wcsdup_callback prototype and consequently wchar_t should be visible before that in curl.h. IOW curl_wchar_t defined in curlbuild.h and this pulling whatever system header is required to get wchar_t definition. Additionally a new curl_global_init_mem() function that also receives user defined wcsdup() callback would be required.
2013-03-25 | curl_ntlm_msgs.c: revert commit 463082bea4 | Yang Tse
reverts unreleased invalid memory leak fix
2013-03-23 | Curl_proxyCONNECT: count received headers | Martin Jansen
Proxy servers tend to add their own headers at the beginning of responses. The size of these headers was not taken into account by CURLINFO_HEADER_SIZE before this change. Bug: http://curl.haxx.se/bug/view.cgi?id=1204
2013-03-21 | sasl: Corrected a few violations of the curl coding standards | Steve Holme
Corrected some incorrectly positioned pointer variable declarations to be "char *" rather than "char* ".
2013-03-21 | multi.c: Corrected a couple of violations of the curl coding standards | Steve Holme
Corrected some incorrectly positioned pointer variable declarations to be "type *" rather than "type* ".
2013-03-21 | multi.c: Fix compilation warning | Steve Holme
warning: an enumerated type is mixed with another type
2013-03-20 | multi.c: fix compilation error | Steve Holme
warning: conversion from enumeration type to different enumeration type
2013-03-19 | darwinssl: disable ECC ciphers under Mountain Lion by default | Nick Zitzmann
I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are turned off until the next point release of OS X.
2013-03-18 | Curl_proxyCONNECT: clear 'rewindaftersend' on success | Oliver Schindler
After having done a POST over a CONNECT request, the 'rewindaftersend' boolean could be holding the previous value which could lead to badness. This should be tested for in a new test case! Bug: https://groups.google.com/d/msg/msysgit/B31LNftR4BI/KhRTz0iuGmUJ
2013-03-17 | imap: Fixed incorrect initial response generation for SASL AUTHENTICATE | Steve Holme
Fixed incorrect initial response generation for the NTLM and LOGIN SASL authentication mechanisms when the SASL-IR was detected. Introduced in commit: 6da7dc026c14.
2013-03-15 | HTTP proxy: insert slash in URL if missing | Daniel Stenberg
curl has been accepting URLs using slightly wrong syntax for a long time, such as when completely missing a slash "http://example.org" or missing a slash when a query part is given "http://example.org?q=foobar". curl would translate these into a legitimate HTTP request to servers, although as was shown in bug #1206 it was not adjusted properly in the cases where a HTTP proxy was used. Test 1213 and 1214 were added to the test suite to verify this fix. The test HTTP server was adjusted to allow us to specify test number in the host name only without using any slashes in a given URL. Bug: http://curl.haxx.se/bug/view.cgi?id=1206 Reported by: ScottJi
2013-03-14 | curl_memory.h: introduce CURLX_NO_MEMORY_CALLBACKS usage possibility | Yang Tse
This commit alone does not fix anything nor modifies existing interfaces or behaviors, although it is a prerequisite for other fixes.
2013-03-14 | Makefile.vc6: add missing files | Yang Tse