1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
|
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
Changelog
Daniel (21 March 2006)
- Tor Arntsen fixed the AIX Toolbox RPM spec
Daniel (20 March 2006)
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
reacts properly according to the CURLOPT_FTP_SSL setting.
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
whose length was a multiple of 512 bytes could have random garbage
appended. Also, stop processing TFTP packets which are too short to be
legal.
- Ilja van Sprundel reported a possible crash in the curl tool when using
"curl hostwithoutslash -d data -G"
Version 7.15.3 (20 March 2006)
Daniel (20 March 2006)
- VULNERABILITY reported to us by Ulf Harnhammar.
libcurl uses the given file part of a TFTP URL in a manner that allows a
malicious user to overflow a heap-based memory buffer due to the lack of
boundary check.
This overflow happens if you pass in a URL with a TFTP protocol prefix
("tftp://"), using a valid host and a path part that is longer than 512
bytes.
The affected flaw can be triggered by a redirect, if curl/libcurl is told to
follow redirects and an HTTP server points the client to a tftp URL with the
characteristics described above.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2006-1061 to this issue.
Daniel (16 March 2006)
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
in the release archive.
Daniel (14 March 2006)
- David McCreedy fixed:
a bad SSL error message when OpenSSL certificates are verified fine.
a missing return code assignment in the FTP code
Daniel (7 March 2006)
- Markus Koetter filed debian bug report #355715 which identified a problem
with the multi interface and multi-part formposts. The fix from February
22nd could make the Curl_done() function get called twice on the same
connection and it was not designed for that and thus tried to call free() on
an already freed memory area!
- Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL
is used properly.
Daniel (6 March 2006)
- Lots of users on Windows have reported getting the "SSL: couldn't set
callback" error message so I've now made the setting of that callback not be
as critical as before. The function is only used for additional loggging/
trace anyway so a failure just means slightly less data. It should still be
able to proceed and connect fine to the server.
Daniel (4 March 2006)
- Thomas Klausner provided a patch written by Todd Vierling in bug report
#1442471 that fixes a build problem on Interix.
Daniel (2 March 2006)
- FTP upload without a file name part in the URL now causes
curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the
upload but named the file "(nil)" (without the quotes). Test case 524
verifies.
- Added a check for getprotobyname in configure so that it'll be used, thanks
to Gisle Vanem's change the other day.
Daniel (28 February 2006)
- Dan Fandrich prevented curl from getting stuck in an endless loop in case we
are out of file handles very early in curl's code where it makes sure that
0, 1 and 2 aren't gonna be used by the lib for transfers.
Daniel (27 February 2006)
- Marty Kuhrt pointed out that there were two VMS-specific files missing in
the release archive.
Version 7.15.2 (27 February 2006)
Daniel (22 February 2006)
- Lots of work and analysis by "xbx___" in bug #1431750
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
different but related bugs:
1) Removing an easy handle from a multi handle before the transfer is done
could leave a connection in the connection cache for that handle that is
in a state that isn't suitable for re-use. A subsequent re-use could then
read from a NULL pointer and segfault.
2) When an easy handle was removed from the multi handle, there could be an
outstanding c-ares DNS name resolve request. When the response arrived,
it caused havoc since the connection struct it "belonged" to could've
been freed already.
Now Curl_done() is called when an easy handle is removed from a multi handle
pre-maturely (that is, before the transfer was complteted). Curl_done() also
makes sure to cancel all (if any) outstanding c-ares requests.
Daniel (21 February 2006)
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
type to the already provided type CURLPROXY_SOCKS4.
I added a --socks4 option that works like the current --socks5 option but
instead use the socks4 protocol.
Daniel (20 February 2006)
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
content when libcurl didn't honor the internal ignorebody flag.
Daniel (18 February 2006)
- Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate
code. It should however not be the cause of any troubles. He also fixed a
few similar problems in the HTTP test server code.
Daniel (17 February 2006)
- Shmulik Regev provided a fix for the DNS cache when using short life times,
as previously it could be holding on to old cached entries longer than
requested.
Daniel (11 February 2006)
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
that an app can use to let libcurl only connect to a remote host and then
extract the socket from libcurl. libcurl will then not attempt to do any
transfer at all after the connect is done.
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
instead of LDFLAGS.
Daniel (8 February 2006)
- Philippe Vaucher provided a brilliant piece of test code that show a problem
with re-used FTP connections. If the second request on the same connection
was set not to fetch a "body", libcurl could get confused and consider it an
attempt to use a dead connection and would go acting mighty strange.
Daniel (2 February 2006)
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
change done in November 2005.
Daniel (30 January 2006)
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
curl tool with --local-port. Plain and simply set the range of ports to bind
the local end of connections to. Implemented on to popular demand.
- Based on an error report by Philippe Vaucher, we no longer count a retried
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
connection is re-setup and 2) it does make the max-redirs counter behave
wrong.
Daniel (24 January 2006)
- Michal Marek provided a patch for FTP that makes libcurl continue to try
PASV even after EPSV returned a positive response code, if libcurl failed to
connect to the port number the EPSV response said. Obviously some people are
going through protocol-sensitive firewalls (or similar) that don't
understand EPSV and then they don't allow the second connection unless PASV
was used. This also called for a minor fix of test case 238.
Daniel (20 January 2006)
- Duane Cathey was one of our friends who reported that curl -P [IP]
(CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
"native" IP while it works fine for ipv6-disabled builds!
In the process of fixing this, I removed the support for LPRT since I can't
think of many reasons to keep doing it and asking on the mailing list didn't
reveal anyone else that could either. The code that sends EPRT and PORT is
now also a lot simpler than before (IMHO).
Daniel (19 January 2006)
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
(built ipv4-only) didn't work.
Daniel (18 January 2006)
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
the configure script complained about a missing "missing" script if you ran
configure within a path whose name included one or more spaces. This is due
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
be used instead of the one automake ships with. This kludge needs to be
removed once we get an automake version with this problem corrected.
Possibly we'll then need to convert this into a kludge depending on what
automake version that is used and that is gonna be painful and I don't even
want to think about that now...!
Daniel (17 January 2006)
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
the latest features and protocols that libcurl supports and has a minor fix
to better deal with the obscure case where someone has more than one libcurl
installed at the same time.
Daniel (16 January 2006)
- David Shaw finally removed all traces of Gopher and we are now officially
not supporting it. It hasn't been functioning for years anyway, so this is
just finally stating what already was true. And a cleanup at the same time.
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
into a counter, and thus you can now do multiple curl_global_init() and you
are then supposed to do the same amount of calls to curl_global_cleanup().
Bryan has also updated the docs accordingly.
Daniel (13 January 2006)
- Andrew Benham fixed a race condition in the test suite that could cause the
test script to kill all processes in the current process group!
Daniel (12 January 2006)
- Michael Jahn:
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
HTTP proxy.
Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would
previously overwrite internal memory and cause unpredicted behaviour!
Daniel (11 January 2006)
- I decided to document the "secret option" here now, as I've received *NO*
feedback at all on my mailing list requests from November 2005:
I'm looking for feedback and comments. I added some experimental code the
other day, that allows a libcurl user to select what method libcurl should
use to reach a file on a FTP(S) server.
This functionality is available in CVS code and in recent daily snapshots.
Let me explain...
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
the command line tool) and you set it to a long (there are currenly no
defines for the argument values, just plain numericals). You can set three
different "methods" that do this:
1 multicwd - like today, curl will do a single CWD operation for each path
part in the given URL. For deep hierarchies this means very many
commands. This is how RFC1738 says it should be done. This is the
default.
2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
a full path to the server.
3 singlecwd - make one CWD with the full target directory and then operate
on the file "normally".
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
one of "multicwd", "nocwd" or "singlecwd".)
What feedback I'm interested in:
1 - Do they work at all? Do you find servers where one of these don't work?
2 - What would proper names for the option and its arguments be, if we
consider this feature good enough to get included and documented in
upcoming releases?
3 - Should we make libcurl able to "walk through" these options in case of
(path related) failures, or should it fail and let the user redo any
possible retries?
(This option is not documented in any man page just yet since I'm not sure
these names will be used or if the functionality will end up exactly like
this. And for the same reasons we have no test cases for these yet.)
Daniel (10 January 2006)
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
given subdirs, libcurl would still "remember" the full path as if it is the
current directory libcurl is in so that the next curl_easy_perform() would
get really confused if it tried the same path again - as it would not issue
any CWD commands at all, assuming it is already in the "proper" dir.
Starting now, a failed CWD command sets a flag that prevents the path to be
"remembered" after returning.
Daniel (7 January 2006)
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
proxy actually used a new connection and not sent the second request on the
first socket!
Daniel (6 January 2006)
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
is present instead of trying to mimic that script in curl's buildconf
script.
Daniel (3 January 2006)
- Andres Garcia made the TFTP test server build with mingw.
Daniel (16 December 2005)
- Jean Jacques Drouin pointed out that you could only have a user name or
password of 127 bytes or less embedded in a URL, where actually the code
uses a 255 byte buffer for it! Modified now to use the full buffer size.
Daniel (12 December 2005)
- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly
Version 7.15.1 (7 December 2005)
Daniel (6 December 2005)
- Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by
Stefan Esser.
VULNERABILITY
libcurl's URL parser function can overflow a malloced buffer in two ways, if
given a too long URL.
These overflows happen if you
1 - pass in a URL with no protocol (like "http://") prefix, using no slash
and the string is 256 bytes or longer. This leads to a single zero byte
overflow of the malloced buffer.
2 - pass in a URL with only a question mark as separator (no slash) between
the host and the query part of the URL. This leads to a single zero byte
overflow of the malloced buffer.
Both overflows can be made with the same input string, leading to two single
zero byte overwrites.
The affected flaw cannot be triggered by a redirect, but the long URL must
be passed in "directly" to libcurl. It makes this a "local" problem. Of
course, lots of programs may still pass in user-provided URLs to libcurl
without doing much syntax checking of their own, allowing a user to exploit
this vulnerability.
There is no known exploit at the time of this writing.
Daniel (2 December 2005)
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
file descriptor if given a non-existing file.
Daniel (24 November 2005)
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
again using configure.
- Yang Tse provided a whole series of patches to clear up compiler warnings on
MSVC 6.
Daniel (17 November 2005)
- I extended a patch from David Shaw to make libcurl _always_ provide an error
string in the given error buffer to address the flaw mention on 21 sep 2005.
Daniel (16 November 2005)
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
installed on 'make install' time.
Daniel (14 November 2005)
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
properly for a case, and so we did. We raised it even for non-SSPI builds
but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715
- Jan Kunder's debian bug report
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
error message for when you try to upload a file and the requested directory
doesn't exist on the target server.
- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
lib/memdebug.h that showed up in his msvc builds.
Daniel (13 November 2005)
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
bad limit-rate units:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
error if a bad unit is used.
- Thanks to this nice summary of poll() implementations:
http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
connectin closure so we check for that case (too) and re-enable poll for
cygwin builds.
Daniel (12 November 2005)
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
poll() and use select() on cygwin too (we already do the same choice on Mac
OS X)
- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
Daniel (10 November 2005)
- David Lang fixed IPv6 support for TFTP!
- Introducing range stepping to the curl globbing support. Now you can specify
step counter by adding :[num] within the brackets when specifying a range:
[1-100:10]
[a-z:2]
If no step counter is set, it defaults to 1 as before:
[1-100]
[d-h]
Daniel (8 November 2005)
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
we really have no use for reverse lookups of the address.
I truly hope these are the last reverse lookups we had lingering in the
code!
- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
version of libcurl with different Windows versions. Current version of
libcurl imports SSPI functions from secur32.dll. However, under Windows NT
4.0 these functions are located in security.dll, under Windows 9x - in
secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
just forwards calls to secur32.dll).
Dmitry's patch loads proper library dynamically depending on Windows
version. Function InitSecurityInterface() is used to obtain pointers to all
of SSPI function in one structure.
Daniel (31 October 2005)
- Vilmos Nebehaj improved libcurl's LDAP abilities:
The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
attributes in LDAP objects. So, I made a quick patch to address these
problems.
The solution is simple: if we connect to an LDAP server, first try LDAPv3
(which is the preferred protocol as of now) and then fall back to LDAPv2.
In case of binary attributes, we first convert them to base64, just like the
openldap client does. It uses ldap_get_values_len() instead of
ldap_get_values() to be able to retrieve binary attributes correctly. I
defined the necessary LDAP macros in lib/ldap.c to be able to compile
libcurl without the presence of libldap
Daniel (27 October 2005)
- Nis Jorgensen filed bug report #1338648
(http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
feature request, but anyway. It pointed out that --max-redirs did not allow
it to be set to 0, which then would return an error code on the first
Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
set to 0, or -1 for infinity. Added test case 274 to verify.
- tommink[at]post.pl reported in bug report #1337723
(http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
binary data from stdin on Windows if the data contained control-Z (hex 1a)
since that is treated as end-of-file when read in text mode. Gisle Vanem
pointed out the fix, and I made both -T and --data-binary take advantage of
it.
- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
in the man page, curl would send an invalid HTTP Range: header. The correct
way would be to use "-r [number]-" or even "-r -[number]". Starting now,
curl will warn if this is discovered, and automatically append a dash to the
range before passing it to libcurl.
Daniel (25 October 2005)
- Amol Pattekar reported a bug with great detail and a fine example in bug
#1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
interface and connecting to a host with multiple IP addresses, and one of
the addresses fails to connect (the server must exist and respond, just not
accept connections) libcurl leaks a socket descriptor. Thanks to the fine
report, I could find and fix this.
Daniel (22 October 2005)
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
#1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
stream from a server and the server requests a "rehandshake", the current
code simply returns this as an error. I have no good way to test this, but
I've added a crude attempt of dealing with this situation slightly better -
it makes a blocking handshake if this happens. Done like this because fixing
this the "proper" way (that would handshake asynchronously) will require
quite some work and I really need a good way to test this to do such a
change.
Daniel (21 October 2005)
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
it, it could then accidentally actually crash. Presumably, this concerns FTP
connections. http://curl.haxx.se/bug/view.cgi?id=1330310
- Temprimus improved the MSVC makefile so that the static debug SSL libs are
linked to the executable and not to the libcurld.lib
http://curl.haxx.se/bug/view.cgi?id=1326676
- Bradford Bruce made the windows resolver code properly return
CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
errors (as documented).
Daniel (20 October 2005)
- Dave Dribin made libcurl understand and handle cases when the server
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.
- Temprimus improved the MSVC makefile: "makes a build option available so if
you set rtlibcfg=static for the make, then it would build with /MT. The
default behaviour is /MD (the original)."
http://curl.haxx.se/bug/view.cgi?id=1326665
Daniel (14 October 2005)
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
reported, the define is used by the configure script and is assumed to use
the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
release version.
Version 7.15.0 (13 October 2005)
Daniel (12 October 2005)
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
code that would overflow a buffer if given a too long user name or domain
name. This would happen if you enable NTLM authentication and either
A - pass in a user name and domain name to libcurl that together are longer
than 192 bytes
B - allow (lib)curl to follow HTTP "redirects" (Location: and the
appropriate HTTP 30x response code) and the new URL contains a URL with
a user name and domain name that together are longer than 192 bytes
See http://curl.haxx.se/docs/security.html for further details and updates
Daniel (5 October 2005)
- Darryl House reported a problem with using -z to download files from FTP.
It turned out that if the given time stamp was exact the same as the remote
time stamp, the file would still wrongly be downloaded. Added test case 272
to verify.
Daniel (4 October 2005)
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
from the configure script.
- Michael Wallner reported that the date parser had wrong offset stored for
the MEST and CEST time zones.
Daniel (27 September 2005)
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)
that identified a silly problem with Content-Range: headers with the 'bytes'
keyword written in a different case than all lowercase! It would cause a
segfault!
- TJ Saunders of the proftpd project identified and pointed out problems with
the modified FTPS negotiation change of August 19 2005. Thus, we revert the
change back to pre-7.14.1 status.
Daniel (21 September 2005)
- Fixed "cut off" sentence in the libcurl-tutorial man page:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305
- Clarified in the curl_easy_setopt man page what the default
CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311
- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
sometimes doesn't fill in the buffer even though it is supposed to:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313
- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
error string set.
Daniel (19 September 2005)
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.
Daniel (15 September 2005)
- Added a TFTP server to the test suite and made the test suite capable of
using it.
Daniel (7 September 2005)
- Ben Madsen's detailed reports that funnily enough only occurred with certain
glibc versions turned out to be curl using an already closed file handle
during certain conditions (like when saving FTP server "headers").
- Scott Davis helped me track down a problem in the test HTTP server that made
test case 56 wrongly fail at times. It turned out it was due to the server
finding the end of a chunked-encoded POST too early.
Daniel (6 September 2005)
- Now curl warns if an unknown variable is used in the -w/--writeout argument.
Daniel (4 September 2005)
- I applied Nicolas François' man page patch he posted to the Debian bug
tracker. It corrected two lines that started with apostrophes, which isn't
legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511
- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
connection's IP address when setting up the data connection instead of
extractting the IP address from the PASV response. It has turned out this
feature is frequently needed by people to circumvent silly servers and silly
firewalls, especially when FTPS is used and the PASV command-response is
sent encrtyped.
Sponsored by CU*Answers
Daniel (1 September 2005)
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
list of protocols whereever those are mentioned.
Version 7.14.1 (1 September 2005)
Daniel (29 August 2005)
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.
- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
for Windows, that could lead to an Access Violation when the multi interface
was used due to an issue with how the resolver thread was and was not
terminated.
- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
instead of MIT/Heimdal for GSS capabilities.
Daniel (24 August 2005)
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
from the command line tool with --ignore-content-length. This will make it
easier to download files from Apache 1.x (and similar) servers that are
still having problems serving files larger than 2 or 4 GB. When this option
is enabled, curl will simply have to wait for the server to close the
connection to signal end of transfer. I wrote test case 269 that runs a
simple test to verify that this works.
- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
the --logfile command line option to --log-file, and thus the test script
valgrind autodetection now has yet another version check to do and then it
alters the valgrind command line accordingly.
- Fixed CA cert verification using GnuTLS with the default bundle, which
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
Ralph Mitchell reported.
Daniel (19 August 2005)
- Norbert Novotny had problems with FTPS and he helped me work out a patch
that made curl run fine in his end. The key was to make sure we do the
SSL/TLS negotiation immediately after the TCP connect is done and not after
a few other commands have been sent like we did previously. I don't consider
this change necessary to obey the standards, I think this server is pickier
than what the specs allow it to be, but I can't see how this modified
libcurl code can add any problems to those who are interpreting the
standards more liberally.
Daniel (17 August 2005)
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
write the result to a given cookie jar and then never actually call
curl_easy_perform() - the given file(s) to read was never read but the
output file was written and thus it caused a "funny" result.
- While doing some tests for the bug above, I noticed that Firefox generates
large numbers (for the expire time) in the cookies.txt file and libcurl
didn't treat them properly. Now it does.
Daniel (15 August 2005)
- Added more verbose "warning" messages to the curl client for cases where it
fails to open/read files etc to help users diagnose why it doesn't do what
you'd expect it to. Converted lots of old messages to use the new generic
function I wrote for this purpose.
Daniel (13 August 2005)
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
site responds with bad HTTP response that doesn't contain any header at all,
only a response body, and the write callback returns 0 to abort the
transfer, it didn't have any real effect but the write callback would be
called once more anyway.
Daniel (12 August 2005)
- Based on Richard Clayton's reports, I found out that using curl -d @filename
when 'filename' was not possible to access made curl use a GET request
instead.
- The time condition illegal syntax warning is now inhibited if -s is used.
Daniel (10 August 2005)
- Mario Schroeder found out that one of the debug callbacks calls that regards
SSL data with the CURLINFO_TEXT type claimed that the data was one byte
larger than it actually is, thus falsely telling the application that the
terminating zero was part of the data.
Daniel (9 August 2005)
- Christopher R. Palmer fixed the offsets used for date parsings when the time
zone name of a daylight savings time was used. For example, PDT vs PDS. This
flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
Fortunately, no web server or cookie string etc should be using such time
zone names thus limiting the effect of this bug.
Daniel (8 August 2005)
- Jon Grubbs filed bug report #1249962
(http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem
with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
switches to pure HTTP internally when an HTTP proxy is used, even for FTP
URLs. The problem would also occur with other multi-pass auth methods.
Daniel (7 August 2005)
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
--features was used.
Daniel (28 July 2005)
- If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is
set to 1, CURLOPT_NOBODY will now automatically be set to 0.
Daniel (27 July 2005)
- Dan Fandrich changes over the last week: fixed numerous minor configure
option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
and --without-krb4. Spellfixed several error messages.
- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
simple interface to extracting and setting cookies in libcurl's internal
"cookie jar". See the new cookie_interface.c example code.
Daniel (13 July 2005)
- Diego Casorran provided patches to make curl build fine on Amiga again.
Daniel (12 July 2005)
- Adrian Schuur added trailer support in the chunked encoding stream. The
trailer is then sent to the normal header callback/stream. I wrote up test
case 266 to verify the basic functionality. Do note that test case 34
contains a flawed chunked encoding stream that still works the same.
Daniel (5 July 2005)
- Gisle Vanem came up with a nice little work-around for bug #1230118
(http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC)
libc time functions may return data one hour off if TZ is not set and
automatic DST adjustment is enabled. This made curl_getdate() return wrong
value, and it also concerned internal cookie expirations etc.
Daniel (4 July 2005)
- Andrew Bushnell provided enough info for me to tell that we badly needed to
fix the CONNECT authentication code with multi-pass auth methods (such as
NTLM) as it didn't previously properly ignore response-bodies - in fact it
stopped reading after all response headers had been received. This could
lead to libcurl sending the next request and reading the body from the first
request as response to the second request. (I also renamed the function,
which wasn't strictly necessary but...)
The best fix would to once and for all make the CONNECT code use the
ordinary request sending/receiving code, treating it as any ordinary request
instead of the special-purpose function we have now. It should make it
better for multi-interface too. And possibly lead to less code...
Added test case 265 for this. It doesn't work as a _really_ good test case
since the test proxy is too stupid, but the test case helps when running the
debugger to verify.
Daniel (30 June 2005)
- Dan Fandrich improved the configure script's ability to figure out what kind
of strerror_r() API that is used when cross-compiling. If __GLIB__ is
defined, it assumes the glibc API. If not, it issues a notice as before that
the user needs to manually edit lib/config.h for this.
Daniel (23 June 2005)
- David Shaw's fix that unifies proxy string treatment so that a proxy given
with CURLOPT_PROXY can use a http:// prefix and user + password. The user
and password fields are now also URL decoded properly. Test case 264 added
to verify.
Daniel (22 June 2005)
- David Shaw updated libcurl.m4
Daniel (14 June 2005)
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
(http://curl.haxx.se/bug/view.cgi?id=1216500). Comment in
http://curl.haxx.se/mail/lib-2005-06/0059.html
Daniel (13 June 2005)
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
reverted patch).
Daniel (9 June 2005)
- Incorporated Tupone's findtool fix in buildconf (slightly edited)
- Incorporated Tupone's head -n fix in buildconf.
Daniel (8 June 2005)
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
in pieces, one by one and see what we need to adjust to work all over.
Daniel (6 June 2005)
- Tupone Alfredo fixed three problems in buildconf:
1) findtool does look per tool in PATH and think ./perl is the perl
executable, while is just a local directory (I have . in the PATH)
2) I got several warning for head -1 deprecated in favour of head -n 1
3) ares directory is missing some file (missing is missing :-) ) because
automake and friends is not run.
Daniel (3 June 2005)
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes
- Andres Garcia provided yet another text mode patch for several test cases so
that they do text comparisions better on Windows (newline-wise).
Daniel (1 June 2005)
- The configure check for c-ares now adds the cares lib before the other libs,
to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
and patch: http://curl.haxx.se/bug/view.cgi?id=1212940
Daniel (31 May 2005)
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
address was not possible to use. It is now, but requires it written
RFC2732-style, within brackets - which incidently is how you enter numerical
IPv6 addresses in URLs. Test case 263 added to verify.
Daniel (30 May 2005)
- Eric Cooper reported about a problem with HTTP servers that responds with
binary zeroes within the headers. They confused libcurl to do wrong so the
downloaded headers become incomplete. The fix is now verified with test case
262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948
Daniel (25 May 2005)
- Fixed problems with the test suite, and in particular the FTP test cases
since it previously was failing every now and then in a nonsense manner.
- --trace-time now outputs the full microsecond, all 6 digits.
Daniel (24 May 2005)
- Andres Garcia provided a text mode patch for several test cases so that they
do text comparisions better on Windows (newline-wise).
- Any 2xx response (and not just 200) is now considered a fine response to
TYPE, as some servers obviously sends a 226 there. Added test case 261 to
verify. Based on a question/report by Georg Wicherski.
Daniel (20 May 2005)
- Improved runtests.pl to allow stdout tests to be mode=text as well, just
as file comparisons already supports. Added this info to the FILEFORMAT
docs.
Daniel (18 May 2005)
- John McGowan identified a problem in bug report #1204435
(http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like
"http://somehost?data" as it added a slash too much in the request ("GET
/?data/"...). Added test case 260 to verify.
- The configure check for strerror_r() failed to detect the proper API at
times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
version if the posix define wasn't set (since it _had_ found a strerror_r).
Daniel (16 May 2005)
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
due to this. There's now a configure check that attempts to detect the bad
function and not use it on such systems.
Version 7.14.0 (16 May 2005)
Daniel (13 May 2005)
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
doesn't work as good as if built without poll(). I've adjusted the configure
to always skip the fine-poll() test on Mac OS X (darwin).
Daniel (12 May 2005)
- When doing a second request (after a disconnect) using the same easy handle,
over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
properly (the auth method was accidentally reset to the same as had been set
for host auth, which defaults to Basic). Bug report #1200661
(http://curl.haxx.se/bug/view.cgi?id=1200661) identified the the problem and
the fix.
- If -z/--time-cond is used with an invalid date syntax, this is no longer
silently discarded. Instead a proper warning message is diplayed that
informs about it. But it still continues without the condition.
Version 7.14.0-pre2 (11 May 2005)
Daniel (11 May 2005)
- Starting now, libcurl sends a little different set of headers in its default
HTTP requests:
A) Normal non-proxy HTTP:
- no more "Pragma: no-cache" (this only makes sense to proxies)
B) Non-CONNECT HTTP request over proxy:
- "Pragma: no-cache" is used (like before)
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
C) CONNECT HTTP request over proxy:
- "Host: [name]:[port]"
- "Proxy-Connection: Keep-alive"
The A) case is mostly to reduce the default header size and remove a
pointless header.
The B) is to address (rare) problems with HTTP 1.0 proxies
The C) headers are both to address (rare) problems with some proxies. The
code in libcurl that deals with CONNECT requests need a rewrite, but it
feels like a too big a job for me to do now. Details are added in the code
comments for now.
Updated a large amount of test cases to reflect the news.
Daniel (10 May 2005)
- Half-baked attempt to bail out if select() returns _only_ errorfds when the
transfer is in progress. An attempt to fix Allan's problem. See
http://curl.haxx.se/mail/lib-2005-05/0073.html and the rest of that thread
for details.
I'm still not sure this is the right fix, but...
Version 7.14.0-pre1 (9 May 2005)
Daniel (2 May 2005)
- Sort of "fixed" KNOWN_BUGS #4: curl now builds IPv6 enabled on AIX 4.3. At
least it should no longer cause a compiler error. However, it does not have
AI_NUMERICHOST so we cannot getaddrinfo() any numerical addresses with it
(we use that for FTP PORT/EPRT)! So, I modified the configure check that
checks if the getaddrinfo() is working, to use AI_NUMERICHOST since then
it'll fail on AIX 4.3 and it will automatically build with IPv6 support
disabled.
- Added --trace-time that when used adds a time stamp to each trace line that
--trace, --trace-ascii and --verbose output. I also made the '>' display
separate each line on the linefeed so that HTTP requests etc look nicer in
the -v output.
- Made curl recognize the environment variables Lynx (and others?) support for
pointing out the CA cert path/file: SSL_CERT_DIR and SSL_CERT_FILE. If
CURL_CA_BUNDLE is not set, they are checked afterwards.
Like before: on windows if none of these are set, it checks for the ca cert
file like this:
1. application's directory
2. current working directory
3. Windows System directory (e.g. C:\windows\system32)
4. Windows Directory (e.g. C:\windows)
5. all directories along %PATH%
Daniel (1 May 2005)
- The runtests.pl script now starts test servers by doing fork() and exec()
instead of the previous approach. This is less complicated and should
hopefully lead to less "leaked" servers (servers that aren't stopped
properly when the tests are stopped).
- Alexander Zhuravlev found a case when you did "curl -I [URL]" and it
complained on the chunked encoding, even though a HEAD should never return a
body and thus it cannot be a chunked-encoding problem!
Daniel (30 April 2005)
- Alexander Zhuravlev found out that (lib)curl SIGSEGVed when using
--interface on an address that can't be bound.
Daniel (28 April 2005)
- Working on fixing up test cases to mark sections as 'mode=text' for things
that curl writes as text files, since then they can get different line
endings depending on OS. Andrés García helps me work this out.
Did lots of other minor tweaks on the test scripts to work better and more
reliably find test servers and also kill test servers.
- Dan Fandrich pointed out how the runtests.pl script killed the HTTP server
instead of the HTTPS server when closing it down.
Daniel (27 April 2005)
- Paul Moore made curl check for the .curlrc file (_curlrc on windows) on two
more places. First, CURL_HOME is a new environment variable that is used
instead of HOME if it is set, to point out where the default config file
lives. If there's no config file in the dir pointed out by one of the
environment variables, the Windows version will instead check the same
directory the executable curl is located in.
Daniel (26 April 2005)
- Cory Nelson's work on nuking compiler warnings when building on x64 with
VS2005.
Daniel (25 April 2005)
- Fred New reported a bug where we used Basic auth and user name and password
in .netrc, and when following a Location: the subsequent requests didn't
properly use the auth as found in the netrc file. Added test case 257 to
verify my fix.
- Based on feedback from Cory Nelson, I added some preprocessor magic in
*/setup.h and */config-win32.h to build fine with VS2005 on x64.
Daniel (23 April 2005)
- Alex Suykov made the curl tool now assume that uploads using HTTP:// or
HTTPS:// are the only ones that show output and thus motivates a switched
off progress meter if the output is sent to the terminal. This makes FTP
uploads without '>', -o or -O show the progress meter.
Daniel (22 April 2005)
- Dave Dribin's MSVC makefile fix: set CURL_STATICLIB when it builds static
library variants.
- Andres Garcia fixed configure to set the proper define when building static
libcurl on windows.
- --retry-delay didn't work.
Daniel (18 April 2005)
- Olivier reported that even though he used CURLOPT_PORT, libcurl clearly
still used the default port. He was right. I fixed the problem and added the
test cases 521, 522 and 523 to verify the fix.
- Toshiyuki Maezawa reported that when doing a POST with a read callback,
libcurl didn't properly send an Expect: 100-continue header. It does now.
- I committed by mig change in the test suite's FTP server that moves out all
socket/TCP code to a separate C program named sockfilt. And added 4 new
test cases for FTP over IPv6.
Daniel (8 April 2005)
- Cory Nelson reported a problem with a HTTP server that responded with a 304
response containing an "illegal" Content-Length: header, which was not
properly ignored by libcurl. Now it is. Test case 249 verifies.
Daniel (7 April 2005)
- Added ability to build and run with GnuTLS as an alternative to OpenSSL for
the secure layer. configure --with-gnutls enables with. Note that the
previous OpenSSL check still has preference and if it first detects OpenSSL,
it will not check for GnuTLS. You may need to explictly diable OpenSSL with
--without-ssl.
This work has been sponsored by The Written Word.
Daniel (5 April 2005)
- Christophe Legry fixed the post-upload check for FTP to not complain if the
upload was skipped due to a time-condition as set with
CURLOPT_TIMECONDITION. I added test case 247 and 248 to verify.
Version 7.13.2 (5 April 2005)
Daniel (4 April 2005)
- Marcelo Juchem fixed the MSVC makefile for libcurl
- Gisle Vanem fixed a crash in libcurl, that could happen if the easy handle
was killed before the threading resolver (windows only) still hadn't
completed.
- Hardeep Singh reported a problem doing HTTP POST with Digest. (It was
actually also affecting NTLM and Negotiate.) It turned out that if the
server responded with 100 Continue before the initial 401 response, libcurl
didn't take care of the response properly. Test case 245 and 246 added to
verify this.
Daniel (30 March 2005)
- Andres Garcia modified the configure script to check for libgdi32 before
libcrypto, to make the SSL check work fine on msys/mingw.
Daniel (29 March 2005)
- Tom Moers identified a flaw when you sent a POST with Digest authentication,
as in the first request when curl sends a POST with Content-Length: 0, it
still forcibly closed the connection before doing the next step in the auth
negotiation.
- Jesper Jensen found out that FTP-SSL didn't work since my FTP
rewrite. Fixing that was easy, but it also revealed a much worse problem:
the FTP server response reader function didn't properly deal with reading
responses in multiple tiny chunks properly! I modified the FTP server to
allow it to produce such split-up responses to make sure curl deals with
them as it should.
- Based on Augustus Saunders' comments and findings, the HTTP output auth
function was fixed to use the proper proxy authentication when multiple ones
are accepted. test 239 and test 243 were added to repeat the problems and
verify the fixes.
--proxy-anyauth was added to the curl tool
Daniel (16 March 2005)
- Tru64 and some IRIX boxes seem to not like test 237 as it is. Their
inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted
address which makes a different failure... Now I've modified the ipv4
resolve code to use inet_pton() instead in an attempt to make these systems
better detect this as a bad IP address rather than creating a toally bogus
address that is then passed on and used.
Daniel (15 March 2005)
- Dan Fandrich made the code properly use the uClibc's version of
inet_ntoa_r() when built with it.
- Added test 237 and 238: test EPSV and PASV response handling when they get
well- formated data back but using illegal values. In 237 PASV gets an IP
address that is way bad. In 238 EPSV gets a port that is way out of range.
Daniel (14 March 2005)
- Added a few missing features to the curl-config --features list
- Modified testcurl.pl to now offer
1 - command line options for all info it previously only read from
file: --name, --email, --desc and --configure
2 - --nocvsup makes it not attempt to do cvs update
3 - --crosscompile informs it and makes it not attempt things it can't do
- Fixed numerous win32 compiler warnings.
- Removed the lib/security.h file since it shadowed the mingw/win32 header
with the same name which is needed for SSPI builds. The contents of the
former security.h is now i krb4.h
- configure --enable-sspi now enables SSPI in the build. It only works for
windows builds (including cross-compiles for windows).
Daniel (12 March 2005)
- David Houlder added --form-string that adds that string to a multipart
formpost part, without special characters having special meanings etc like
--form features.
Daniel (11 March 2005)
- curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was
built with SSPI support.
- Christopher R. Palmer made it possible to build libcurl with the
USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
native way to do NTLM. SSPI also allows libcurl to pass on the current user
and its password in the request.
Daniel (9 March 2005)
- Dan F improved the SSL lib setup in configure.
- Nodak Sodak reported a crash when using a SOCKS4 proxy.
- Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the
multi interface code.
- Adjusted the man page for the curl_getdate() return value for dates after
year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it
returns either the correct value or even -1 on some systems that still seem
to not deal with this properly. Tor Arntsen found a 64bit AIX system for us
that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on
this problem in the first place.
Daniel (8 March 2005)
- Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP
file got a Last-Modified: header written to the data stream, corrupting the
actual data. This was because some conditions from the previous FTP code was
not properly brought into the new FTP code. I fixed and I added test case
520 to verify. (This bug was introduced in 7.13.1)
- Dan Fandrich fixed the configure --with-zlib option to always consider the
given path before any standard paths.
Daniel (6 March 2005)
- Randy McMurchy was the first to report that valgrind.pm was missing from the
release archive and thus 'make test' fails.
Daniel (5 March 2005)
- Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files.
- Added test case 235 that makes a resumed upload of a file that isn't present
on the remote side. This then converts the operation to an ordinary STOR
upload. This was requested/pointed out by Ignacio Vazquez-Abrams.
It also proved (and I fixed) a bug in the newly rewritten ftp code (and
present in the 7.13.1 release) when trying to resume an upload and the
servers returns an error to the SIZE command. libcurl then loops and sends
SIZE commands infinitely.
- Dan Fandrich fixed a SSL problem introduced on February 9th that made
libcurl attempt to load the whole random file to seed the PRNG. This is
really bad since this turns out to be using /dev/urandom at times...
Version 7.13.1 (4 March 2005)
Daniel (4 March 2005)
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
the cookie "engine" without having to provide an empty or non-existing file.
- Rene Rebe fixed a -# crash when more data than expected was retrieved.
Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
http://www.securityfocus.com/archive/1/391042 and the CAN report here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
If these security guys were serious, we'd been notified in advance and we
could've saved a few of you a little surprise, but now we weren't.
Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.
Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
configure when mingw is used.
Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
didn't close the socket properly when returning error due to failing
localbind
Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
that picks NTLM. Thanks to David Byron letting me test NTLM against his
servers, I could quickly repeat and fix the problem. It turned out to be:
When libcurl POSTs without knowing/using an authentication and it gets back
a list of types from which it picks NTLM, it needs to either continue
sending its data if it keeps the connection alive, or not send the data but
close the connection. Then do the first step in the NTLM auth. libcurl
didn't send the data nor close the connection but simply read the
response-body and then sent the first negotiation step. Which then failed
miserably of course. The fixed version forces a connection if there is more
than 2000 bytes left to send.
Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
was never used.
Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
week day names and month names and servers don't like that.
Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
libcurl is built shared. Otherwise valgrind only tests the shell that runs
the wrapper-script named 'curl' that is a front-end to curl in this case.
This should also fix the huge amount of reports of false positives when
valgrind has identified leaks in (ba)sh and not in curl and people report
that as curl bugs. Bug report #1116672 is one example.
Also, the valgrind report parser has been adapted to check that at least one
of the sources in a stack strace is one of (lib)curl's source files or
otherwise it will not consider the problem to concern (lib)curl.
- Marty Kuhrt streamlined the VMS build.
Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here:
http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
SSL_pending() as we should.
- Converted lots of FTP code to a statemachine, so that the multi interface
doesn't block while communicating commands-responses with an FTP server.
I've added a comment like BLOCKING in the code on all spots I could find
where we still have blocking operations. When we change curl_easy_perform()
to use the multi interface, we'll also be able to simplify the code since
there will only be one "internal interface".
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
like changing directory or retrieving a file, while the second means that we
were denied login.
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
case of future need.
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
sure the proper error code is returned for those occations.
Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
contents.
Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
PORT on ipv6-enabled hosts.
- David Byron pointed out we could use BUFSIZE to read data (in
lib/transfer.c) instead of using BUFSIZE -1.
Version 7.13.0 (1 February 2005)
Daniel (31 January 2005)
- Added Lars Nilsson's htmltitle.cc example
Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
failed (as in test case 205).
- Fixed a valgrind warning for file:// operations.
- Fixed a valgrind report in the url globbing code for the curl command line
tool.
- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
I noticed that it previously didn't detect and report the "Conditional jump
or move depends on uninitialised value(s)" error. When I fixed this, I
caught a few curl bugs with it. And then I had to spend time to make the
test suite IGNORE these errors when OpenSSL is used since it produce massive
amounts of valgrind warnings (but only of the "Conditional..." kind it
seems). So, if a test that requires SSL is run, it ignores the
"Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
of "valgrind OK".
Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
gets closed just after the request has been sent failed and did not re-issue
a request on a fresh reconnect like the easy interface did. Now it does!
- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
my new curl_easy_perform() that uses the multi interface to run the
request. It is a great testbed for the multi interface and I believe we
shall do it this way for real in the future when we have a successor to
curl_multi_fdset(). I've used this approach to detect and fix several of the
recent multi-interfaces issues.
- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
bad assumptions.
- multi interface: when a request is denied due to "Maximum redirects
followed" libcurl leaked the last Location: URL.
- Connect failures with the multi interface was often returned as "connect()
timed out" even though the reason was different.
Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
curl_easy_perform() invokes. It was previously unlocked at disconnect, which
could mean that it remained locked between multiple transfers. The DNS cache
may not live as long as the connection cache does, as they are separate.
To deal with the lack of DNS (host address) data availability in re-used
connections, libcurl now keeps a copy of the IP adress as a string, to be
able to show it even on subsequent requests on the same connection.
The problem could be made to appear with this stunt:
1. create a multi handle
2. add an easy handle
3. fetch a URL that is persistent (leaves the connection alive)
4. remove the easy handle from the multi
5. kill the multi handle
6. create a multi handle
7. add the same easy handle to the new multi handle
8. fetch a URL from the same server as before (re-using the connection)
- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
when built ipv6-enabled. I've now made a fix for it. Writing test cases for
custom port hosts turned too tricky so unfortunately there's none.
Daniel (25 January 2005)
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
is present in RFC959... so now (lib)curl supports it as well. --ftp-account
and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
account string after PASS have been sent away. The client responds
with "ACCT [account string]".) Added test case 228 and 229 to verify the
functionality. Updated the test FTP server to support ACCT somewhat.
- David Shaw contributed a fairly complete and detailed autoconf test you can
use to detect libcurl and setup variables for the protocols the installed
libcurl supports: docs/libcurl/libcurl.m4
Daniel (21 January 2005)
- Major FTP third party transfer overhaul.
These four options are now obsolete: CURLOPT_SOURCE_HOST,
CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
and CURLOPT_PASV_HOST.
These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.
The target-side didn't use the proper path with RETR, and thus this only
worked correctly in the login path (i.e without doing any CWD). The source-
side still uses a wrong path, but the fix for this will need to wait. Verify
the flaw by using a source URL with included %XX-codes.
Made CURLOPT_FTPPORT control weather the target operation should use PORT
(or not). The other side thus uses passive (PASV) mode.
Updated the ftp3rdparty.c example source to use the updated options.
Added support for a second FTP server in the test suite. Named... ftp2.
Added test cases 230, 231 and 232 as a few first basic tests of very simple
3rd party transfers.
Changed the debug output to include 'target' and 'source' when a 3rd party
is being made, to make it clearer what commands/responses came on what
connection.
Added three new command line options: --3p-url, --3p-user and --3p-quote.
Documented the command line options and the curl_easy_setopt options related
to third party transfers.
(Temporarily) disabled the ability to re-use an existing connection for the
source connection. This is because it needs to force a new in case the
source and target is the same host, and the host name check is trickier now
when the source is identified with a full URL instead of a plain host name
like before.
TODO (short-term) for 3rd party transfers: quote support. The options are
there, we need to add test cases to verify their functionality.
TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
and SSL/TSL support.
Daniel (20 January 2005)
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
code was written for it. I fixed and added test case 227 to verify it.
The curl.1 man page didn't mention the '+' so I added it.
Daniel (19 January 2005)
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
contains %0a or %0d in the user, password or CWD parts. (A future fix would
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
225 and 226 were added to verify this
- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:
1) the proxy environment variables are still read and used to set HTTP proxy
2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
disabled). This is important since apps may want to disable HTTP proxy
without actually knowing if libcurl was built to disable HTTP or not.
Based on Stephan's patch, both these issues should now be fixed.
Daniel (18 January 2005)
- Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was
applied.
Daniel (16 January 2005)
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
assumed this used the DICT protocol. While guessing protocols will remain
fuzzy, I've now made sure that the host names must start with "[protocol]."
for them to be a valid guessable name. I also removed "https" as a prefix
that indicates HTTPS, since we hardly ever see any host names using that.
Daniel (13 January 2005)
- Inspired by Martijn Koster's patch and example source at
http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
select() and poll() calls properly loop if they return -1 and errno is
EINTR. glibc docs for this is found here:
http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
This last link says BSD doesn't have this "effect". Will there be a problem
if we do this unconditionally?
Daniel (11 January 2005)
- Dan Torop cleaned up a few no longer used variables from David Phillips'
select() overhaul fix.
- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
using a custom Host: header and curl fails to send a request on a re-used
persistent connection and thus creates a new connection and resends it. It
then sent two Host: headers. Cyrill's analysis was posted here:
http://curl.haxx.se/mail/archive-2005-01/0022.html
- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
problem with the version byte and the check for bad versions. Bruce has lots
of clues on this, and based on his suggestion I've now removed the check of
that byte since it seems to be able to contain 1 or 5.
Daniel (10 January 2005)
- Pavel Orehov reported memory problems with the multi interface in bug report
#1098843. In short, a shared DNS cache was setup for a multi handle and when
the shared cache was deleted before the individual easy handles, the latter
cleanups caused read/writes to already freed memory.
- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
remote certificate name when it didn't match the used host name.
Gisle (8 January 2005)
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
Daniel (7 January 2005)
- Improved the test script's valgrind log parser to actually work! Also added
the ability to disable the log scanner for specific test cases. Test case
509 results in numerous problems and leaks in OpenSSL and has to get it
disabled.
Daniel (6 January 2005)
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
(i.e not in the library).
- Bug report #1097019 identified a problem when doing -d "data" with -G and
sending it to two URLs with {}. Added test 199 to verify the fix.
Daniel (4 January 2005)
- Marty Kuhrt adjusted a VMS build script slightly
- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
Win2000.
Daniel (2 January 2005)
- Alex Neblett updated the MSVC makefiles slightly.
|