aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2009-03-05Fix NTLM authentication memory leak on SSPI enabled Windows buildsYang Tse
2009-03-03- David James brought a patch that make libcurl close (all) dead connectionsDaniel Stenberg
whenever you attempt to open a new connection.
2009-03-02- David Kierznowski notified us about a security flawDaniel Stenberg
(http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in which previous libcurl versions (by design) can be tricked to access an arbitrary local/different file instead of a remote one when CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release together this the addition of two new setopt options for controlling this new behavior: o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option excludes the FILE and SCP protocols and thus you nee to explicitly allow them in your app if you really want that behavior. o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch using the primary URL option. This is useful if you want to allow a user or other outsiders control what URL to pass to libcurl and yet not allow all protocols libcurl may have been built to support.
2009-02-28for portability reasons: s/inet_pton/Curl_inet_pton/Yang Tse
2009-02-28fix compiler warningYang Tse
2009-02-27- Senthil Raja Velu reported a problem when CURLOPT_INTERFACE andDaniel Stenberg
CURLOPT_LOCALPORT were used together (the local port bind failed), and Markus Koetter provided the fix!
2009-02-27Indentation fixes, untabify and related whitespace-cleanup. No code changed.Daniel Stenberg
2009-02-25corrected and clarified the top commentDaniel Stenberg
2009-02-25- As Daniel Fandrich figured out, we must do the GnuTLS initing in theDaniel Stenberg
curl_global_init() function to properly maintain the performing functions thread-safe. We've previously (28 April 2007) moved the init to a later time just to avoid it to fail very early when libgcrypt dislikes the situation, but that move was bad and the fix should rather be in libgcrypt or elsewhere.
2009-02-24- Brian J. Murrell found out that Negotiate proxy authentication didn't work.Daniel Stenberg
It happened because the code used the struct for server-based auth all the time for both proxy and server auth which of course was wrong.
2009-02-23- After a bug reported by James Cheng I've made curl_easy_getinfo() forDaniel Stenberg
CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return -1 if the sizes aren't know. Previously these returned 0, make it impossible to detect the difference between actually zero and unknown.
2009-02-23adjustment for new Mac OS X framework build scriptYang Tse
2009-02-23Daniel Johnson provided a shell script that will perform all the steps neededYang Tse
to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
2009-02-23- I renamed everything in the windows builds files that used the name 'curllib'Daniel Stenberg
to the proper 'libcurl' as clearly this caused confusion.
2009-02-23use the internal snprintf() functionYang Tse
2009-02-20Do not halt compilation when using VS2008 to build a Windows 2000 targetYang Tse
2009-02-20- Linus Nielsen Feltzing reported and helped me repeat and fix a problem withDaniel Stenberg
FTP with the multi interface: when a transfer fails, like when aborted by a write callback, the control connection was wrongly closed and thus not re-used properly. This change is also an attempt to cleanup the code somewhat in this area, as now the FTP code attempts to keep (better) track on pending responses necessary to get read in ftp_done().
2009-02-19- Patrik Thunstrom reported a problem and helped me repeat it. It turned outDaniel Stenberg
libcurl did a superfluous 1000ms wait when doing SFTP downloads! We read data with libssh2 while doing the "DO" operation for SFTP and then when we were about to start getting data for the actual file part, the "TRANSFER" part, we waited for socket action (in 1000ms) before doing a libssh2-read. But in this case libssh2 had already read and buffered the data so we ended up always just waiting 1000ms before we get working on the data!
2009-02-18spell-fixed comments and other minor non-code editsDaniel Stenberg
2009-02-18FTP downloads (i.e.: RETR) ending with code 550 now return error ↵Patrick Monnerat
CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE.
2009-02-17- Kamil Dudka made NSS-powered builds compile and run again!Daniel Stenberg
2009-02-17- A second follow-up change by Andre Guibert de Bruet to fix a related memoryDaniel Stenberg
leak like that fixed on the 14th. When zlib returns failure, we need to cleanup properly before returning error.
2009-02-17- CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 forDaniel Stenberg
plain FTP connections, and it will then allow MKD to fail once and retry the CWD afterwards. This is especially useful if you're doing many simultanoes connections against the same server and they all have this option enabled, as then CWD may first fail but then another connection does MKD before this connection and thus MKD fails but trying CWD works! The numbers can (should?) now be set with the convenience enums now called CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY. Tests has proven that if you're making an application that uploads a set of files to an ftp server, you will get a noticable gain in speed if you're using multiple connections and this option will be then be very useful.
2009-02-14In MSVC9 'time_t' is a 64-bit quantity. This causes a truncation warningGisle Vanem
when an 'int' is assigned to a 'time_t' variable. Hence redefine 'retry_time' and 'retry_max' to 'time_t'.
2009-02-14nah, use the simpler year - year range syntax only, no matter what emacs'Daniel Stenberg
copyright-update script thinks
2009-02-14- Andre Guibert de Bruet found and fixed a memory leak in the content encodingDaniel Stenberg
code, which could happen on libz errors.
2009-02-12Added support for Digest and NTLM authentication using GnuTLS.Dan Fandrich
2009-02-11- CURLINFO_CONDITION_UNMET was added to allow an application to get to know ifDaniel Stenberg
the condition in the previous request was unmet. This is typically a time condition set with CURLOPT_TIMECONDITION and was previously not possible to reliably figure out. From bug report #2565128 (http://curl.haxx.se/bug/view.cgi?id=2565128)
2009-02-07Moved Curl_strntoupper() to the rawstr.c file where the other raw stringDaniel Stenberg
functions are.
2009-02-03- Hidemoto Nakada provided a small fix that makes it possible to get theDaniel Stenberg
CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with CURLOPT_NOBODY set true.
2009-02-02- Patrick Scott found a rather large memory leak when using the multiDaniel Stenberg
interface and setting CURLMOPT_MAXCONNECTS to something less than the number of handles you add to the multi handle. All the connections that didn't fit in the cache would not be properly disconnected nor freed!
2009-02-02minor comment fixDaniel Stenberg
2009-02-02- Craig A West brought us: libcurl now defaults to do CONNECT with HTTPDaniel Stenberg
version 1.1 instead of 1.0 like before. This change also introduces the new proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0 option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0. I updated all test cases cases that use CONNECT and I tried to do some using --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
2009-01-31- When building with c-ares 1.6.1 (not yet released) or later and IPv6 supportDaniel Stenberg
enabled, we can now take advantage of its brand new AF_UNSPEC support in ares_gethostbyname(). This makes test case 241 finally run fine for me wtih this setup since it now parses the "::1 ip6-localhost" line fine in my /etc/hosts file!
2009-01-30Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for reportingDan Fandrich
the problem.
2009-01-30ensure that we use the ANSI version functionsYang Tse
2009-01-30fix typo in commentYang Tse
2009-01-30Provide another definition missing in MinGW's headersYang Tse
2009-01-29Provide some definitions missing in MinGW's headersYang Tse
2009-01-29Introduced curl_sspi.c and curl_sspi.h for the implementation of functionsYang Tse
Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c Also adjusted socks_sspi.c to remove the link-time dependency on the Windows SSPI library using it now in the same way as it was done in http_ntlm.c.
2009-01-29added some more messages to SSPI error functionYang Tse
2009-01-29Avoid inclusion of ntsecapi.h and directly provide the KERB_WRAP_NO_ENCRYPTYang Tse
definition to avoid a 'STRING' duplicate definition from OpenSSL's safestack.h
2009-01-29fix compiler warningsYang Tse
2009-01-28- Markus Moeller introduced two new options to libcurl:Daniel Stenberg
CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl to do GSS-style authentication with SOCKS5 proxies. The curl tool got the options called --socks5-gssapi-service and --socks5-gssapi-nec to enable these.
2009-01-28fix compiler warning: conversion from 'int' to 'bool', possible loss of dataYang Tse
2009-01-28fix compiler warning: enumerated type mixed with another typeYang Tse
2009-01-26- Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an appDaniel Stenberg
to set desired block size to use for TFTP transfers instead of the default 512 bytes.
2009-01-26- The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag toDaniel Stenberg
disable "rfc4507bis session ticket support". rfc4507bis was later turned into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077 The enabled extension concerns the session management. I wonder how often libcurl stops a connection and then resumes a TLS session. also, sending the session data is some overhead. .I suggest that you just use your proposed patch (which explicitly disables TICKET). If someone writes an application with libcurl and openssl who wants to enable the feature, one can do this in the SSL callback. Sharad Gupta brought this to my attention. Peter Sylvester helped me decide on the proper action.
2009-01-26- Alexey Borzov filed bug report #2535504Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with quoted quotation marks in HTTP Digest headers didn't work. I've now added test case 1095 that verifies my fix.
2009-01-25- Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.Daniel Stenberg
They basically offer the same thing the NO_PROXY environment variable only offered previously: list a set of host names that shall not use the proxy even if one is specified.