aboutsummaryrefslogtreecommitdiff
path: root/tests/data/test554
AgeCommit message (Collapse)Author
2013-08-04formadd: wrong pointer for file name when CURLFORM_BUFFERPTR usedDaniel Stenberg
The internal function that's used to detect known file extensions for the default Content-Type got the the wrong pointer passed in when CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that strlen() would be used which could lead to an out-of-bounds read (and thus segfault). In most cases it would only lead to it not finding or using the correct default content-type. It also showed that test 554 and test 587 were testing for the previous/wrong behavior and now they're updated as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1262 Reported-by: Konstantin Isakov
2013-06-25formpost: better random boundariesDaniel Stenberg
When doing multi-part formposts, libcurl used a pseudo-random value that was seeded with time(). This turns out to be bad for users who formpost data that is provided with users who then can guess how the boundary string will look like and then they can forge a different formpost part and trick the receiver. My advice to such implementors is (still even after this change) to not rely on the boundary strings being cryptographically strong. Fix your code and logic to not depend on them that much! I moved the Curl_rand() function into the sslgen.c source file now to be able to take advantage of the SSL library's random function if it provides one. If not, try to use the RANDOM_FILE for seeding and as a last resort keep the old logic, just modified to also add microseconds which makes it harder to properly guess the exact seed. The formboundary() function in formdata.c is now using 64 bit entropy for the boundary and therefore the string of dashes was reduced by 4 letters and there are 16 hex digits following it. The total length is thus still the same. Bug: http://curl.haxx.se/bug/view.cgi?id=1251 Reported-by: "Floris"
2011-08-08CURLFORM_BUFFER: insert filename as documentedDaniel Stenberg
A regression where CURLFORM_BUFFER stopped to properly insert the file name part in the formpart. Bug introduced in commit f851f768578dc096. Added CURLFORM_BUFFER use to test 554 to verify this. Bug: http://curl.haxx.se/mail/lib-2011-07/0176.html Reported by: Henry Ludemann
2011-06-17CURLFORM_STREAM: acknowledge CURLFORM_FILENAMEDaniel Stenberg
The CURLFORM_STREAM is documented to only insert a file name (and thus look like a file upload) in the part if CURLFORM_FILENAME is set, but in reality it always inserted a filename="" and if CURLFORM_FILENAME wasn't set, it would insert insert rubbish (or possibly crash). This is now fixed to work as documented, and test 554 has been extended to verify this. Reported by: Sascha Swiercy Bug: http://curl.haxx.se/mail/lib-2011-06/0070.html
2008-03-31- Added CURLFORM_STREAM as a supported option to curl_formadd() to allow anDaniel Stenberg
application to provide data for a multipart with the read callback. Note that the size needs to be provided with CURLFORM_CONTENTSLENGTH when the stream option is used. This feature is verified by the new test case 554. This feature was sponsored by Xponaut.