aboutsummaryrefslogtreecommitdiff
path: root/CHANGES
blob: d26719bcc4f9d402d90e219e26a015aba1e9da57 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                                  Changelog


Daniel (4 April 2005)
- Hardeep Singh reported a problem doing HTTP POST with Digest. (It was
  actually also affecting NTLM and Negotiate.) It turned out that if the
  server responded with 100 Continue before the initial 401 response, libcurl
  didn't take care of the response properly. Test case 245 and 246 added to
  verify this.

Daniel (30 March 2005)
- Andres Garcia modified the configure script to check for libgdi32 before
  libcrypto, to make the SSL check work fine on msys/mingw.

Daniel (29 March 2005)
- Tom Moers identified a flaw when you sent a POST with Digest authentication,
  as in the first request when curl sends a POST with Content-Length: 0, it
  still forcibly closed the connection before doing the next step in the auth
  negotiation.

- Jesper Jensen found out that FTP-SSL didn't work since my FTP
  rewrite. Fixing that was easy, but it also revealed a much worse problem:
  the FTP server response reader function didn't properly deal with reading
  responses in multiple tiny chunks properly! I modified the FTP server to
  allow it to produce such split-up responses to make sure curl deals with
  them as it should.

- Based on Augustus Saunders' comments and findings, the HTTP output auth
  function was fixed to use the proper proxy authentication when multiple ones
  are accepted. test 239 and test 243 were added to repeat the problems and
  verify the fixes.

  --proxy-anyauth was added to the curl tool

Daniel (16 March 2005)
- Tru64 and some IRIX boxes seem to not like test 237 as it is. Their
  inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted
  address which makes a different failure... Now I've modified the ipv4
  resolve code to use inet_pton() instead in an attempt to make these systems
  better detect this as a bad IP address rather than creating a toally bogus
  address that is then passed on and used.

Daniel (15 March 2005)
- Dan Fandrich made the code properly use the uClibc's version of
  inet_ntoa_r() when built with it.

- Added test 237 and 238: test EPSV and PASV response handling when they get
  well- formated data back but using illegal values. In 237 PASV gets an IP
  address that is way bad. In 238 EPSV gets a port that is way out of range.

Daniel (14 March 2005)
- Added a few missing features to the curl-config --features list

- Modified testcurl.pl to now offer
  1 - command line options for all info it previously only read from
      file: --name, --email, --desc and --configure
  2 - --nocvsup makes it not attempt to do cvs update
  3 - --crosscompile informs it and makes it not attempt things it can't do

- Fixed numerous win32 compiler warnings.

- Removed the lib/security.h file since it shadowed the mingw/win32 header
  with the same name which is needed for SSPI builds. The contents of the
  former security.h is now i krb4.h

- configure --enable-sspi now enables SSPI in the build. It only works for
  windows builds (including cross-compiles for windows).

Daniel (12 March 2005)
- David Houlder added --form-string that adds that string to a multipart
  formpost part, without special characters having special meanings etc like
  --form features.

Daniel (11 March 2005)
- curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was
  built with SSPI support.

- Christopher R. Palmer made it possible to build libcurl with the
  USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
  native way to do NTLM. SSPI also allows libcurl to pass on the current user
  and its password in the request.

Daniel (9 March 2005)
- Dan F improved the SSL lib setup in configure.

- Nodak Sodak reported a crash when using a SOCKS4 proxy.

- Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the
  multi interface code.

- Adjusted the man page for the curl_getdate() return value for dates after
  year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it
  returns either the correct value or even -1 on some systems that still seem
  to not deal with this properly. Tor Arntsen found a 64bit AIX system for us
  that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on
  this problem in the first place.

Daniel (8 March 2005)
- Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP
  file got a Last-Modified: header written to the data stream, corrupting the
  actual data. This was because some conditions from the previous FTP code was
  not properly brought into the new FTP code. I fixed and I added test case
  520 to verify. (This bug was introduced in 7.13.1)

- Dan Fandrich fixed the configure --with-zlib option to always consider the
  given path before any standard paths.

Daniel (6 March 2005)
- Randy McMurchy was the first to report that valgrind.pm was missing from the
  release archive and thus 'make test' fails.

Daniel (5 March 2005)
- Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files.

- Added test case 235 that makes a resumed upload of a file that isn't present
  on the remote side. This then converts the operation to an ordinary STOR
  upload. This was requested/pointed out by Ignacio Vazquez-Abrams.

  It also proved (and I fixed) a bug in the newly rewritten ftp code (and
  present in the 7.13.1 release) when trying to resume an upload and the
  servers returns an error to the SIZE command. libcurl then loops and sends
  SIZE commands infinitely.

- Dan Fandrich fixed a SSL problem introduced on February 9th that made
  libcurl attempt to load the whole random file to seed the PRNG. This is
  really bad since this turns out to be using /dev/urandom at times...

Version 7.13.1 (4 March 2005)

Daniel (4 March 2005)
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
  the cookie "engine" without having to provide an empty or non-existing file.

- Rene Rebe fixed a -# crash when more data than expected was retrieved.

Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
  http://www.securityfocus.com/archive/1/391042 and the CAN report here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490

  If these security guys were serious, we'd been notified in advance and we
  could've saved a few of you a little surprise, but now we weren't.

Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
  requested data from a host and then followed a redirect to another
  host. libcurl then didn't use the proxy-auth properly in the second request,
  due to the host-only check for original host name wrongly being extended to
  the proxy auth as well. Added test case 233 to verify the flaw and that the
  fix removed the problem.

Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
  BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
  configure when mingw is used.

Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
  didn't close the socket properly when returning error due to failing
  localbind

Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
  that picks NTLM. Thanks to David Byron letting me test NTLM against his
  servers, I could quickly repeat and fix the problem. It turned out to be:

  When libcurl POSTs without knowing/using an authentication and it gets back
  a list of types from which it picks NTLM, it needs to either continue
  sending its data if it keeps the connection alive, or not send the data but
  close the connection. Then do the first step in the NTLM auth. libcurl
  didn't send the data nor close the connection but simply read the
  response-body and then sent the first negotiation step. Which then failed
  miserably of course. The fixed version forces a connection if there is more
  than 2000 bytes left to send.

Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
  was never used.

Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
  week day names and month names and servers don't like that.

Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
  libcurl is built shared. Otherwise valgrind only tests the shell that runs
  the wrapper-script named 'curl' that is a front-end to curl in this case.
  This should also fix the huge amount of reports of false positives when
  valgrind has identified leaks in (ba)sh and not in curl and people report
  that as curl bugs. Bug report #1116672 is one example.

  Also, the valgrind report parser has been adapted to check that at least one
  of the sources in a stack strace is one of (lib)curl's source files or
  otherwise it will not consider the problem to concern (lib)curl.

- Marty Kuhrt streamlined the VMS build.

Daniel (9 February 2005)
- David Byron fixed his SSL problems, initially mentioned here:
  http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
  SSL_pending() as we should.

- Converted lots of FTP code to a statemachine, so that the multi interface
  doesn't block while communicating commands-responses with an FTP server.

  I've added a comment like BLOCKING in the code on all spots I could find
  where we still have blocking operations. When we change curl_easy_perform()
  to use the multi interface, we'll also be able to simplify the code since
  there will only be one "internal interface".

  While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
  new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
  like changing directory or retrieving a file, while the second means that we
  were denied login.

  The CVS tag 'before_ftp_statemachine' was set just before this went in, in
  case of future need.

- Gisle made the DICT code send CRLF and not just LF as the spec says so.

Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
  sure the proper error code is returned for those occations.

Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
  contents.

Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
  PORT on ipv6-enabled hosts.

- David Byron pointed out we could use BUFSIZE to read data (in
  lib/transfer.c) instead of using BUFSIZE -1.

Version 7.13.0 (1 February 2005)

Daniel (31 January 2005)
- Added Lars Nilsson's htmltitle.cc example

Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
  failed (as in test case 205).

- Fixed a valgrind warning for file:// operations.

- Fixed a valgrind report in the url globbing code for the curl command line
  tool.

- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
  I noticed that it previously didn't detect and report the "Conditional jump
  or move depends on uninitialised value(s)" error. When I fixed this, I
  caught a few curl bugs with it. And then I had to spend time to make the
  test suite IGNORE these errors when OpenSSL is used since it produce massive
  amounts of valgrind warnings (but only of the "Conditional..." kind it
  seems). So, if a test that requires SSL is run, it ignores the
  "Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
  of "valgrind OK".

Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
  gets closed just after the request has been sent failed and did not re-issue
  a request on a fresh reconnect like the easy interface did. Now it does!

- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
  my new curl_easy_perform() that uses the multi interface to run the
  request. It is a great testbed for the multi interface and I believe we
  shall do it this way for real in the future when we have a successor to
  curl_multi_fdset(). I've used this approach to detect and fix several of the
  recent multi-interfaces issues.

- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
  bad assumptions.

- multi interface: when a request is denied due to "Maximum redirects
  followed" libcurl leaked the last Location: URL.

- Connect failures with the multi interface was often returned as "connect()
  timed out" even though the reason was different.

Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
  curl_easy_perform() invokes. It was previously unlocked at disconnect, which
  could mean that it remained locked between multiple transfers. The DNS cache
  may not live as long as the connection cache does, as they are separate.

  To deal with the lack of DNS (host address) data availability in re-used
  connections, libcurl now keeps a copy of the IP adress as a string, to be
  able to show it even on subsequent requests on the same connection.

  The problem could be made to appear with this stunt:

  1. create a multi handle
  2. add an easy handle
  3. fetch a URL that is persistent (leaves the connection alive)
  4. remove the easy handle from the multi
  5. kill the multi handle
  6. create a multi handle
  7. add the same easy handle to the new multi handle
  8. fetch a URL from the same server as before (re-using the connection)

- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
  when built ipv6-enabled. I've now made a fix for it. Writing test cases for
  custom port hosts turned too tricky so unfortunately there's none.

Daniel (25 January 2005)
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
  is present in RFC959... so now (lib)curl supports it as well. --ftp-account
  and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
  account string after PASS have been sent away. The client responds
  with "ACCT [account string]".) Added test case 228 and 229 to verify the
  functionality. Updated the test FTP server to support ACCT somewhat.

- David Shaw contributed a fairly complete and detailed autoconf test you can
  use to detect libcurl and setup variables for the protocols the installed
  libcurl supports: docs/libcurl/libcurl.m4

Daniel (21 January 2005)
- Major FTP third party transfer overhaul.

  These four options are now obsolete: CURLOPT_SOURCE_HOST,
  CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
  and CURLOPT_PASV_HOST.

  These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.

  The target-side didn't use the proper path with RETR, and thus this only
  worked correctly in the login path (i.e without doing any CWD). The source-
  side still uses a wrong path, but the fix for this will need to wait. Verify
  the flaw by using a source URL with included %XX-codes.

  Made CURLOPT_FTPPORT control weather the target operation should use PORT
  (or not). The other side thus uses passive (PASV) mode.

  Updated the ftp3rdparty.c example source to use the updated options.

  Added support for a second FTP server in the test suite. Named... ftp2.
  Added test cases 230, 231 and 232 as a few first basic tests of very simple
  3rd party transfers.

  Changed the debug output to include 'target' and 'source' when a 3rd party
  is being made, to make it clearer what commands/responses came on what
  connection.

  Added three new command line options: --3p-url, --3p-user and --3p-quote.

  Documented the command line options and the curl_easy_setopt options related
  to third party transfers.

  (Temporarily) disabled the ability to re-use an existing connection for the
  source connection. This is because it needs to force a new in case the
  source and target is the same host, and the host name check is trickier now
  when the source is identified with a full URL instead of a plain host name
  like before.

  TODO (short-term) for 3rd party transfers: quote support. The options are
  there, we need to add test cases to verify their functionality.

  TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
  and SSL/TSL support.

Daniel (20 January 2005)
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
  code was written for it. I fixed and added test case 227 to verify it.
  The curl.1 man page didn't mention the '+' so I added it.

Daniel (19 January 2005)
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
  contains %0a or %0d in the user, password or CWD parts. (A future fix would
  include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
  225 and 226 were added to verify this

- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:

  1) the proxy environment variables are still read and used to set HTTP proxy

  2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
     disabled). This is important since apps may want to disable HTTP proxy
     without actually knowing if libcurl was built to disable HTTP or not.

  Based on Stephan's patch, both these issues should now be fixed.

Daniel (18 January 2005)
- Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was
  applied.

Daniel (16 January 2005)
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
  assumed this used the DICT protocol. While guessing protocols will remain
  fuzzy, I've now made sure that the host names must start with "[protocol]."
  for them to be a valid guessable name. I also removed "https" as a prefix
  that indicates HTTPS, since we hardly ever see any host names using that.

Daniel (13 January 2005)
- Inspired by Martijn Koster's patch and example source at
  http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
  select() and poll() calls properly loop if they return -1 and errno is
  EINTR. glibc docs for this is found here:
  http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html

  This last link says BSD doesn't have this "effect". Will there be a problem
  if we do this unconditionally?

Daniel (11 January 2005)
- Dan Torop cleaned up a few no longer used variables from David Phillips'
  select() overhaul fix.

- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
  using a custom Host: header and curl fails to send a request on a re-used
  persistent connection and thus creates a new connection and resends it. It
  then sent two Host: headers. Cyrill's analysis was posted here:
  http://curl.haxx.se/mail/archive-2005-01/0022.html

- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
  problem with the version byte and the check for bad versions. Bruce has lots
  of clues on this, and based on his suggestion I've now removed the check of
  that byte since it seems to be able to contain 1 or 5.

Daniel (10 January 2005)
- Pavel Orehov reported memory problems with the multi interface in bug report
  #1098843. In short, a shared DNS cache was setup for a multi handle and when
  the shared cache was deleted before the individual easy handles, the latter
  cleanups caused read/writes to already freed memory.

- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
  remote certificate name when it didn't match the used host name.

Gisle (8 January 2005)
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.

Daniel (7 January 2005)
- Improved the test script's valgrind log parser to actually work! Also added
  the ability to disable the log scanner for specific test cases. Test case
  509 results in numerous problems and leaks in OpenSSL and has to get it
  disabled.

Daniel (6 January 2005)
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
  (i.e not in the library).

- Bug report #1097019 identified a problem when doing -d "data" with -G and
  sending it to two URLs with {}. Added test 199 to verify the fix.

Daniel (4 January 2005)
- Marty Kuhrt adjusted a VMS build script slightly

- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
  Win2000.

Daniel (2 January 2005)
- Alex Neblett updated the MSVC makefiles slightly.