diff --git a/RELEASE-NOTES b/RELEASE-NOTES index e7d4f3c97..6bea290a4 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,4 +1,4 @@ -Curl and libcurl 7.24.0 +Curl and libcurl 7.24.1 Public curl releases: 127 Command line options: 149 
@@ -7,65 +7,17 @@ Curl and libcurl 7.24.0 Known libcurl bindings: 39 Contributors: 907 +This release includes the following security fixes: + + o + This release includes the following changes: - o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24] - o CURLOPT_DNS_SERVERS: set name servers if possible [23] - o Add support for using nettle instead of gcrypt as gnutls backend [22] - o CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes [21] - o Added CURLOPT_ACCEPTTIMEOUT_MS [30] - o configure: add symbols versioning option --enable-versioned-symbols [31] + o This release includes the following bugfixes: - o SSL session share: move the age counter to the share object [1] - o -J -O: use -O name if no Content-Disposition header comes! [2] - o protocol_connect: show verbose connect and set connect time [3] - o query-part: ignore the URI part for given protocols [4] - o gnutls: only translate winsock errors for old versions [5] - o POP3: fix end of body detection [6] - o POP3: detect when LIST returns no mails - o TELNET: improved treatment of options [7] - o configure: add support for pkg-config detection of libidn [8] - o CyaSSL 2.0+ library initialization adjustment [9] - o multi interface: only use non-NULL socker function pointer - o call opensocket callback properly for active FTP - o don't call close socket callback for sockets created with accept() [10] - o differentiate better between host/proxy errors [11] - o SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 [12] - o multi: handle timeouts on DNS servers by checking for new sockets [13] - o CURLOPT_DNS_SERVERS: fix return code - o POP3: fixed escaped dot not being stripped out [14] - o OpenSSL: check for the SSLv2 function in configure [15] - o MakefileBuild: fix the static build [16] - o create_conn: don't switch to HTTP protocol if tunneling is enabled [17] - o multi interface: fix block when CONNECT_ONLY option is used [18] - o Fix connection reuse for TLS upgraded connections 
[19] - o multiple file upload with -F and custom type [20] - o multi interface: active FTP connections are no longer blocking [25] - o Android build fix [26] - o timer: restore PRETRANSFER timing [27] - o libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM [28] - o appconnect time fixed for non-blocking connect ssl backends [29] - o do not include SSL handshake into time spent waiting for 100-continue [32] - o handle dns cache case insensitive - o use new host name casing for subsequent HTTP requests [33] - o CURLOPT_RESOLVE: avoid adding already present host names - o SFTP mkdir: use correct permission [34] - o resolve: don't leak pre-populated dns entries [35] - o --retry: Retry transfers on timeout and DNS errors - o negotiate with SSPI backend: use the correct buffer for input [36] - o SFTP dir: increase buffer size counter to avoid cut off file names [37] - o TFTP: fix resending (again) [38] - o c-ares: don't include getaddrinfo-using code [39] - o FTP: CURLE_PARTIAL_FILE will not close the control channel [40] - o win32-threaded-resolver: stop using a dummy socket - o OpenSSL: remove reference to openssl internal struct [41] - o OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled - o OpenSSL: fix PKCS#12 certificate parsing related memory leak - o OpenLDAP: fix LDAP connection phase memory leak [42] - o Telnet: Use correct file descriptor for telnet upload - o Telnet: Remove bogus optimisation of telnet upload + o This release includes the following known bugs: 
@@ -74,58 +26,10 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Alejandro Alvarez Ayllon, Jason Glasgow, Jonas Schnelli, Mark Brand, - Martin Storsjo, Yang Tse, Laurent Rabret, Jason Glasgow, Steve Holme, - Reza Arbab, Jason Liu, Gokhan Sengun, Rob Ward, Dan Fandrich, - Naveen Chandran, Ward Willats, Vladimir Grishchenko, Colin Hogben, - Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer, - Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin, - Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester, - Johannes Bauer + Thanks! (and sorry if I forgot to mention someone) References to bug reports and discussions on issues: - [1] = http://curl.haxx.se/mail/lib-2011-11/0116.html - [2] = http://curl.haxx.se/mail/archive-2011-11/0030.htm - [3] = http://curl.haxx.se/mail/archive-2011-11/0035.html - [4] = http://curl.haxx.se/mail/lib-2011-11/0218.html - [5] = http://curl.haxx.se/mail/lib-2011-11/0267.html - [6] = http://curl.haxx.se/mail/lib-2011-11/0279.html - [7] = http://curl.haxx.se/mail/lib-2011-11/0247.html - [8] = http://curl.haxx.se/mail/lib-2011-11/0294.html - [9] = http://curl.haxx.se/bug/view.cgi?id=3442068 - [10] = http://curl.haxx.se/mail/lib-2011-12/0018.html - [11] = http://curl.haxx.se/mail/archive-2011-12/0010.html - [12] = http://curl.haxx.se/bug/view.cgi?id=3451592 - [13] = http://curl.haxx.se/mail/lib-2011-11/0371.html - [14] = http://curl.haxx.se/mail/lib-2011-11/0368.html - [15] = http://curl.haxx.se/mail/archive-2011-12/0012.html - [16] = http://curl.haxx.se/mail/lib-2011-12/0063.html - [17] = http://curl.haxx.se/mail/lib-2011-12/0010.html - [18] = http://curl.haxx.se/mail/lib-2011-12/0070.html - [19] = http://curl.haxx.se/mail/lib-2011-11/0022.html - [20] = http://curl.haxx.se/mail/lib-2011-12/0121.html - [21] = http://curl.haxx.se/mail/lib-2011-12/0107.html - [22] = 
http://curl.haxx.se/mail/lib-2011-11/0164.html - [23] = http://curl.haxx.se/mail/lib-2011-11/0067.html - [24] = http://curl.haxx.se/mail/lib-2011-11/0205.html - [25] = http://curl.haxx.se/mail/lib-2011-12/0179.html - [26] = http://curl.haxx.se/mail/lib-2011-12/0215.html - [27] = http://curl.haxx.se/mail/archive-2011-12/0022.html - [28] = http://curl.haxx.se/mail/lib-2011-12/0218.html - [29] = http://curl.haxx.se/mail/lib-2011-12/0211.html - [30] = http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTACCEPTTIMOUTMS - [31] = http://curl.haxx.se/mail/lib-2011-12/0133.html - [32] = https://bugzilla.redhat.com/767490 - [33] = http://curl.haxx.se/mail/lib-2011-12/0314.html - [34] = http://curl.haxx.se/mail/lib-2011-12/0249.html - [35] = http://curl.haxx.se/bug/view.cgi?id=3463121 - [36] = http://curl.haxx.se/bug/view.cgi?id=3466497 - [37] = http://curl.haxx.se/mail/lib-2011-12/0249.html - [38] = http://curl.haxx.se/mail/lib-2012-01/0146.html - [39] = http://curl.haxx.se/mail/lib-2012-01/0160.html - [40] = http://curl.haxx.se/mail/lib-2012-01/0096.html - [41] = http://curl.haxx.se/mail/lib-2012-01/0049.html - [42] = http://curl.haxx.se/bug/view.cgi?id=3474308 + diff --git a/TODO-RELEASE b/TODO-RELEASE index 6c94376fc..386cccf57 100644 --- a/TODO-RELEASE +++ b/TODO-RELEASE @@ -1,4 +1,4 @@ -To be addressed in 7.22.1 +To be addressed in 7.24.1 ========================= 295 - "RTSP Authentication (#22)" https://github.com/bagder/curl/pull/22 @@ -8,4 +8,8 @@ To be addressed in 7.22.1 300 - "Polling on stray socket on sequential transfers." Andrew S http://curl.haxx.se/mail/lib-2011-07/0053.html -308 - +308 - Revisit option --enable-threaded-resolver at least allow selection among + pthreads and Windows threads when building a Windows target. + http://curl.haxx.se/mail/lib-2012-01/0291.html + +309 - diff --git a/docs/THANKS b/docs/THANKS index dd32c6a31..0b2fd3b4b 100644 --- a/docs/THANKS +++ b/docs/THANKS 
@@ -20,11 +20,13 @@ Albert Choy Ale Vesely Alejandro Alvarez Aleksandar Milivojevic +Alessandro Ghedini Alessandro Vesely Alex Bligh Alex Fishman Alex Neblett Alex Suykov +Alex Vinnik Alex aka WindEagle Alexander Beedie Alexander Kourakos @@ -74,6 +76,7 @@ Anton Kalmykov Arkadiusz Miskiewicz Armel Asselin Arnaud Ebalard +Arthur Murray Arve Knudsen Ates Goral Augustus Saunders @@ -91,6 +94,7 @@ Ben Winslow Benbuck Nason Benjamin Gerard Bernard Leak +Bernhard Reutner-Fischer Bertrand Demiddelaer Bill Egert Bill Hoffman @@ -105,6 +109,7 @@ Brad Burdick Brad Hards Brad King Bradford Bruce +Brandon Wang Brendan Jurd Brent Beardsley Brian Akins @@ -121,6 +126,7 @@ Camille Moncelier Caolan McNamara Carsten Lange Casey O'Donnell +Cedric Deltheil Chad Monroe Charles Kerr Chih-Chung Chang @@ -133,6 +139,7 @@ Chris Gaukroger Chris Maltby Chris Mumford Chris Smowton +Christian Grothoff Christian Hagele Christian Krause Christian Kurz @@ -382,6 +389,8 @@ Jan Kunder Jan Van Boghout Jared Lundell Jari Sundell +Jason Glasgow +Jason Liu Jason McDonald Jason S. Priebe Jay Austin @@ -418,6 +427,7 @@ Jofell Gallardo Johan Anderson Johan Nilsson Johan van Selst +Johannes Bauer John Bradshaw John Crow John Dennis @@ -437,6 +447,7 @@ Jon Sargeant Jon Travis Jon Turner Jonas Forsman +Jonas Schnelli Jonatan Lander Jonathan Hseu Jongki Suwandi @@ -524,6 +535,7 @@ Luke Call Luong Dinh Dung Maciej Karpiuk Maciej W. Rozycki +Mamoru Tasaka Mandy Wu Manfred Schwarb Manuel Massing @@ -614,6 +626,7 @@ Moonesamy Nathan Coulter Nathan O'Sullivan Nathanael Nerode +Naveen Chandran Naveen Noel Neil Dunbar Neil Spring @@ -631,6 +644,7 @@ Nikita Schmidt Nikitinskit Dmitriy Niklas Angebrand Nikolai Kondrashov +Nikos Mavrogiannopoulos Ning Dong Nir Soffer Nis Jorgensen @@ -647,6 +661,7 @@ Paolo Piacentini Pascal Terjan Pasha Kuznetsov Pat Ray +Patrice Guerin Patrick Bihan-Faou Patrick Monnerat Patrick Scott 
@@ -720,6 +735,7 @@ Renaud Duhaut Rene Bernhardt Rene Rebe Reuven Wachtfogel +Reza Arbab Ricardo Cadime Rich Gray Rich Rauenzahn @@ -736,11 +752,13 @@ Rick Richardson Rob Crittenden Rob Jones Rob Stanzel +Rob Ward Robert A. Monat Robert D. Young Robert Foreman Robert Iakobashvili Robert Olson +Robert Schumann Robert Weaver Robin Cornelius Robin Johnson @@ -809,6 +827,7 @@ Stephen Kick Stephen More Sterling Hughes Steve Green +Steve H Truong Steve Holme Steve Lhomme Steve Little @@ -864,6 +883,7 @@ Tomasz Lacki Tommie Gannert Tommy Tam Ton Voon +Toni Moreno Toon Verwaest Tor Arntsen Torsten Foertsch @@ -892,6 +912,7 @@ Vojtech Janota Vojtech Minarik Vsevolod Novikov Walter J. Mack +Ward Willats Wayne Haigh Werner Koch Wesley Laxton diff --git a/docs/examples/README b/docs/examples/README index da04d2886..270048a6c 100644 --- a/docs/examples/README +++ b/docs/examples/README @@ -55,6 +55,7 @@ htmltitle.cc - download a HTML file and extract the tag from a HTML http-post.c - HTTP POST httpput.c - HTTP PUT a local file https.c - simple HTTPS transfer +imap.c - simple IMAP transfer multi-app.c - a multi-interface app multi-debugcallback.c - a multi-interface app using the debug callback multi-double.c - a multi-interface app doing two simultaneous transfers @@ -75,4 +76,5 @@ simple.c - the most simple download a URL source simplepost.c - HTTP POST simplessl.c - HTTPS example with certificates many options set synctime.c - Sync local time by extracting date from remote HTTP servers +url2file.c - download a document and store it in a file 10-at-a-time.c - Download many files simultaneously, 10 at a time. diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 9dcce8770..d94a84b78 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 
@@ -266,7 +266,7 @@ If you forward the input arguments directly to "fseek" or "lseek", note that the data type for \fIoffset\fP is not the same as defined for curl_off_t on many systems! (Option added in 7.18.0) .IP CURLOPT_SEEKDATA -Data pointer to pass to the file read function. If you use the +Data pointer to pass to the file seek function. If you use the \fICURLOPT_SEEKFUNCTION\fP option, this is the pointer you'll get as input. If you don't specify a seek callback, NULL is passed. (Option added in 7.18.0) .IP CURLOPT_SOCKOPTFUNCTION @@ -322,7 +322,7 @@ to the \fICURLOPT_OPENSOCKETFUNCTION\fP option. Return 0 to signal success and 1 if there was an error. (Option added in 7.21.7) .IP CURLOPT_CLOSESOCKETDATA Pass a pointer that will be untouched by libcurl and passed as the first -argument in the opensocket callback set with +argument in the closesocket callback set with \fICURLOPT_CLOSESOCKETFUNCTION\fP. (Option added in 7.21.7) .IP CURLOPT_PROGRESSFUNCTION Function pointer that should match the \fIcurl_progress_callback\fP prototype @@ -2070,7 +2070,7 @@ This option requires that libcurl was built with a resolver backend that supports this operation. The c-ares backend is the only such one. (Added in 7.24.0) -.IP CURLOPT_ACCEPTTIMOUT_MS +.IP CURLOPT_ACCEPTTIMEOUT_MS Pass a long telling libcurl the maximum number of milliseconds to wait for a server to connect back to libcurl when an active FTP connection is used. If no timeout is set, the internal default of 60000 will be used. (Added in 7.24.0) diff --git a/include/curl/curlver.h b/include/curl/curlver.h index bc6ca64ca..0c0d9bd29 100644 --- a/include/curl/curlver.h +++ b/include/curl/curlver.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -30,13 +30,13 @@ /* This is the version number of the libcurl package from which this header file origins: */ -#define LIBCURL_VERSION "7.24.0-DEV" +#define LIBCURL_VERSION "7.24.1-DEV" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBCURL_VERSION_MAJOR 7 #define LIBCURL_VERSION_MINOR 24 -#define LIBCURL_VERSION_PATCH 0 +#define LIBCURL_VERSION_PATCH 1 /* This is the numeric version of the libcurl version number, meant for easier parsing and comparions by programs. The LIBCURL_VERSION_NUM define will @@ -53,7 +53,7 @@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. */ -#define LIBCURL_VERSION_NUM 0x071800 +#define LIBCURL_VERSION_NUM 0x071801 /* * This is the date and time when the full source package was created. The diff --git a/lib/escape.c b/lib/escape.c index b0922bc93..0dd5a1d0a 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -31,6 +31,7 @@ #include "urldata.h" #include "warnless.h" #include "non-ascii.h" +#include "escape.h" #define _MPRINTF_REPLACE /* use our functions only */ #include <curl/mprintf.h> @@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; - int strindex=0; + size_t strindex=0; size_t length; CURLcode res; 
@@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) } /* - * Unescapes the given URL escaped string of given length. Returns a - * pointer to a malloced string with length given in *olen. - * If length == 0, the length is assumed to be strlen(string). - * If olen == NULL, no output length is stored. + * Curl_urldecode() URL decodes the given string. + * + * Optionally detects control characters (byte codes lower than 32) in the + * data and rejects such data. + * + * Returns a pointer to a malloced string in *ostring with length given in + * *olen. If length == 0, the length is assumed to be strlen(string). + * */ -char *curl_easy_unescape(CURL *handle, const char *string, int length, - int *olen) +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_ctrl) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int strindex=0; + size_t strindex=0; unsigned long hex; CURLcode res; if(!ns) - return NULL; + return CURLE_OUT_OF_MEMORY; while(--alloc > 0) { in = *string; @@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - res = Curl_convert_from_network(handle, &in, 1); + res = Curl_convert_from_network(data, &in, 1); if(res) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); - return NULL; + return res; } string+=2; alloc-=2; } + if(reject_ctrl && (in < 0x20)) { + free(ns); + return CURLE_URL_MALFORMAT; + } ns[strindex++] = in; string++; 
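Review bot: Changing `alloc` from `int` to `size_t` in Curl_urldecode removes the protection that `while(--alloc > 0)` had when the counter went below zero. The `%XX` branch in the following hunk still does `alloc-=2;`, and its condition sits between the two hunks and is not shown. If that condition does not require at least three remaining bytes, an explicit `length` that ends inside an escape sequence makes `alloc` wrap to a huge value instead of going negative, and the loop keeps reading `string` and writing `ns` past their ends. The in-tree callers in this commit pass length 0, so this would only be reachable through curl_easy_unescape() with a caller-supplied length. Adding `(alloc > 2)` to that branch's condition keeps the arithmetic in range.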
@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, if(olen) /* store output size */ *olen = strindex; - return ns; + + if(ostring) + /* store output string */ + *ostring = ns; + + return CURLE_OK; +} + +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) +{ + char *str = NULL; + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + return str; } /* For operating systems/environments that use different malloc/free diff --git a/lib/escape.h b/lib/escape.h index 04b06a973..4c7f84133 100644 --- a/lib/escape.h +++ b/lib/escape.h @@ -1,5 +1,5 @@ -#ifndef __ESCAPE_H -#define __ESCAPE_H +#ifndef HEADER_CURL_ESCAPE_H +#define HEADER_CURL_ESCAPE_H /*************************************************************************** * _ _ ____ _ @@ -8,7 +8,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -25,5 +25,9 @@ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_crlf); #endif diff --git a/lib/gtls.c b/lib/gtls.c index f44fd7748..e24e7a81e 100644 --- a/lib/gtls.c +++ b/lib/gtls.c 
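Review bot: In the new curl_easy_unescape wrapper, `size_t inputlen = length;` turns a negative `int length` into a very large size_t before Curl_urldecode computes `alloc` as length plus one. For -1 that sum wraps to 0, malloc(0) may succeed, and `--alloc` then wraps so the decode loop is no longer bounded by the input. The wrapper should reject such input before the conversion with `if(length < 0) return NULL;`. Separately, Curl_urldecode stores `ns` only under `if(ostring)`, so a call with a NULL `ostring` returns CURLE_OK and leaks the buffer; either document `ostring` as mandatory or free `ns` in that case.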
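Review bot: The prototype added to lib/escape.h names the last parameter `reject_crlf`, but the definition in lib/escape.c calls it `reject_ctrl` and rejects every byte below 0x20, not only CR and LF. The header should declare `bool reject_ctrl` so callers are not misled about what is filtered. The comment kept above the prototype still says the functions "return a new allocated string or NULL", which does not describe Curl_urldecode: it returns a CURLcode and hands the string back through `*ostring`. The header also uses CURLcode, struct SessionHandle and bool without any include in the visible lines, so it presumably depends on the includer's order.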
@@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn, rc = gnutls_protocol_set_priority(session, protocol_priority); #else const char *err; - rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0", + /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not + vulnerable to attacks such as the BEAST, why this code now explicitly + asks for that + */ + rc = gnutls_priority_set_direct(session, + "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:" + "-CIPHER-ALL:+ARCFOUR-128", &err); #endif if(rc != GNUTLS_E_SUCCESS) diff --git a/lib/imap.c b/lib/imap.c index c39664d86..c6701417d 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -953,17 +953,12 @@ static CURLcode imap_parse_url_path(struct connectdata *conn) struct imap_conn *imapc = &conn->proto.imapc; struct SessionHandle *data = conn->data; const char *path = data->state.path; - int len; if(!*path) path = "INBOX"; /* url decode the path and use this mailbox */ - imapc->mailbox = curl_easy_unescape(data, path, 0, &len); - if(!imapc->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ diff --git a/lib/pop3.c b/lib/pop3.c index b7781109b..cc360b8b9 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -914,11 +914,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn) const char *path = data->state.path; /* url decode the path and use this mailbox */ - pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); - if(!pop3c->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ diff --git a/lib/smtp.c b/lib/smtp.c index 4cb25efca..553c697d0 100644 --- a/lib/smtp.c +++ b/lib/smtp.c 
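Review bot: The new priority string in gtls_connect_step1 removes every cipher and re-adds only `ARCFOUR-128`, so on this SSL 3.0 path the handshake depends entirely on the peer offering RC4 and on RC4 remaining acceptable. The comment justifies this by BEAST alone and mentions TLS 1.0, although the string enables only `+VERS-SSL3.0`. RC4 has known keystream biases of its own, so the comment should record the choice as a deliberate trade-off to be revisited, e.g. `/* RC4 avoids the CBC weakness behind BEAST; it is the only cipher offered on this SSL 3.0 path, so peers without it fail the handshake */`. The `#if` branch just above, which calls gnutls_protocol_set_priority(), gets no matching cipher restriction in the visible lines, so the two build variants appear to behave differently. The function starts and ends outside the hunk.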
@@ -1244,7 +1244,6 @@ static CURLcode smtp_connect(struct connectdata *conn, struct SessionHandle *data = conn->data; struct pingpong *pp = &smtpc->pp; const char *path = conn->data->state.path; - int len; char localhost[HOSTNAME_MAX + 1]; *done = FALSE; /* default to not done yet */ @@ -1316,9 +1315,9 @@ static CURLcode smtp_connect(struct connectdata *conn, } /* url decode the path and use it as domain with EHLO */ - smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len); - if(!smtpc->domain) - return CURLE_OUT_OF_MEMORY; + result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE); + if(result) + return result; /* When we connect, we start in the state where we await the server greeting */ diff --git a/lib/ssluse.c b/lib/ssluse.c index ec1a149c8..014d5b56a 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1545,6 +1545,13 @@ ossl_connect_step1(struct connectdata *conn, become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition. + + OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability + (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to + SSL_OP_ALL that _disables_ that work-around despite the fact that + SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to + keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit + must not be set. */ ctx_options = SSL_OP_ALL; 
@@ -1553,12 +1560,15 @@ ossl_connect_step1(struct connectdata *conn, ctx_options |= SSL_OP_NO_TICKET; #endif -#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \ - (SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L) +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG /* mitigate CVE-2010-4180 */ ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; #endif +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; +#endif + /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) ctx_options |= SSL_OP_NO_SSLv2; diff --git a/lib/telnet.c b/lib/telnet.c index e7cb295d8..0be795435 100644 --- a/lib/telnet.c +++ b/lib/telnet.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -1273,11 +1273,13 @@ static CURLcode telnet_done(struct connectdata *conn, (void)status; /* unused */ (void)premature; /* not used */ + if(!tn) + return CURLE_OK; + curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; - free(conn->data->state.proto.telnet); - conn->data->state.proto.telnet = NULL; + Curl_safefree(conn->data->state.proto.telnet); return CURLE_OK; } diff --git a/lib/url.c b/lib/url.c index fd46a7e03..466748bfc 100644 --- a/lib/url.c +++ b/lib/url.c @@ -137,7 +137,9 @@ static long ConnectionKillOne(struct SessionHandle *data); static void conn_free(struct connectdata *conn); static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke); static CURLcode do_init(struct connectdata *conn); - +static CURLcode parse_url_userpass(struct SessionHandle *data, + struct connectdata *conn, + char *user, char *passwd); /* * Protocol table. */ 
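Review bot: The new `#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` block in ossl_connect_step1 has no inline comment, while the block directly above it carries `/* mitigate CVE-2010-4180 */`; the rationale lives only in the long comment of the previous hunk. I would add `/* keep OpenSSL's empty-fragment countermeasure for the SSL 3.0/TLS 1.0 CBC issue, which SSL_OP_ALL would switch off */` right above the mask. The bit is cleared unconditionally, so peers that cannot handle the empty fragments would presumably now fail to connect, with no way for the application to opt out. That consequence is worth stating in the comment or in the release notes. The function starts and ends outside the hunk.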
@@ -3666,7 +3668,9 @@ static CURLcode findprotocol(struct SessionHandle *data, */ static CURLcode parseurlandfillconn(struct SessionHandle *data, struct connectdata *conn, - bool *prot_missing) + bool *prot_missing, + char *user, + char *passwd) { char *at; char *fragment; @@ -3675,6 +3679,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data, int rc; char protobuf[16]; const char *protop; + CURLcode result; *prot_missing = FALSE; @@ -3841,6 +3846,14 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data, path[0] = '/'; } + /************************************************************* + * Parse a user name and password in the URL and strip it out + * of the host name + *************************************************************/ + result = parse_url_userpass(data, conn, user, passwd); + if(result != CURLE_OK) + return result; + if(conn->host.name[0] == '[') { /* This looks like an IPv6 address literal. See if there is an address scope. */ @@ -4783,7 +4796,7 @@ static CURLcode create_conn(struct SessionHandle *data, conn->host.name = conn->host.rawalloc; conn->host.name[0] = 0; - result = parseurlandfillconn(data, conn, &prot_missing); + result = parseurlandfillconn(data, conn, &prot_missing, user, passwd); if(result != CURLE_OK) return result; @@ -4812,15 +4825,6 @@ static CURLcode create_conn(struct SessionHandle *data, data->change.url_alloc = TRUE; /* free this later */ } - /************************************************************* - * Parse a user name and password in the URL and strip it out - * of the host name - *************************************************************/ - result = parse_url_userpass(data, conn, user, passwd); - if(result != CURLE_OK) - return result; - - /************************************************************* * If the protocol can't handle url query strings, then cut * of the unhandable part diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 85a6e4b2f..610243c24 100644 
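Review bot: parseurlandfillconn now receives `user` and `passwd` as bare `char *` and passes them to parse_url_userpass (the @@ -3841 hunk) without any length. The bound on what is written there therefore depends on buffers that create_conn sets up outside the visible lines. The function's header comment, also outside these hunks, should state the contract, e.g. `user and passwd are output buffers owned by the caller; their sizes must match what parse_url_userpass assumes`. The credential parsing also moved ahead of the `conn->host.name[0] == '['` test, presumably so the userinfo is stripped before the IPv6-literal check. A one-line comment at the call saying the order is required would keep a later refactor from moving it back.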
--- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -82,7 +82,7 @@ test1220 \ test1300 test1301 test1302 test1303 test1304 test1305 \ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \ -test1325 test1326 test1327 \ +test1322 test1323 test1324 test1325 test1326 test1327 \ test2000 test2001 test2002 test2003 test2004 EXTRA_DIST = $(TESTCASES) DISABLED diff --git a/tests/data/test1322 b/tests/data/test1322 new file mode 100644 index 000000000..996727e94 --- /dev/null +++ b/tests/data/test1322 @@ -0,0 +1,29 @@ +<testcase> +<info> +<keywords> +POP3 +CRLF-in-URL +</keywords> +</info> + +# Client-side +<client> +<server> +pop3 +</server> + <name> +POP3 with URL-encoded CR LF in the URL + </name> + <command> +pop3://%HOSTIP:%POP3PORT/%0d%0a/1322 +</command> +</client> + +# +<verify> +# 3 - CURLE_URL_MALFORMAT +<errorcode> +3 +</errorcode> +</verify> +</testcase> diff --git a/tests/data/test1323 b/tests/data/test1323 new file mode 100644 index 000000000..90eb88b7d --- /dev/null +++ b/tests/data/test1323 @@ -0,0 +1,29 @@ +<testcase> +<info> +<keywords> +SMTP +CRLF-in-URL +</keywords> +</info> + +# Client-side +<client> +<server> +smtp +</server> + <name> +SMTP with URL-encoded CR LF in the URL + </name> + <command> +smtp://%HOSTIP:%SMTPPORT/%0d%0a/1323 +</command> +</client> + +# +<verify> +# 3 - CURLE_URL_MALFORMAT +<errorcode> +3 +</errorcode> +</verify> +</testcase> diff --git a/tests/data/test1324 b/tests/data/test1324 new file mode 100644 index 000000000..c9835efea --- /dev/null +++ b/tests/data/test1324 
@@ -0,0 +1,29 @@ +<testcase> +<info> +<keywords> +IMAP +CRLF-in-URL +</keywords> +</info> + +# Client-side +<client> +<server> +imap +</server> + <name> +IMAP with URL-encoded CR LF in the URL + </name> + <command> +imap://%HOSTIP:%IMAPPORT/%0d%0a/1322 +</command> +</client> + +# +<verify> +# 3 - CURLE_URL_MALFORMAT +<errorcode> +3 +</errorcode> +</verify> +</testcase> diff --git a/tests/libtest/testtrace.c b/tests/libtest/testtrace.c index 9c082394e..5cb5fec5e 100644 --- a/tests/libtest/testtrace.c +++ b/tests/libtest/testtrace.c @@ -111,7 +111,7 @@ int libtest_debug_cb(CURL *handle, curl_infotype type, switch (type) { case CURLINFO_TEXT: - fprintf(stderr, "%s== Info: %s", timebuf, data); + fprintf(stderr, "%s== Info: %s", &timebuf[0], data); default: /* in case a new one is introduced to shock us */ return 0; diff --git a/tests/stunnel.pem b/tests/stunnel.pem index 1b4d66993..6a3859b33 100644 --- a/tests/stunnel.pem +++ b/tests/stunnel.pem @@ -137,6 +137,7 @@ Ft896NmH4QFsDAetZcCFf24AM4DbUQo5jtG+dkanI/7IxxNYJ1PQ64/yscdQFvHW xhIX3Q6FqABjcN5nc80Rog+b6eS8QRX1BRnQqbGtocuptUgW5mWsSb+DR6pZbA== -----END CERTIFICATE----- -----BEGIN DH PARAMETERS----- -MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx -q3YvALe/enMbIq8F3OUmppq3UHwTAgEC +MIGHAoGBAMq/KFGh2oy16WzkFs1U71Uz7dIEKvSYfc+zo439pYyVzcD8MkcC15Zb +ayK3jPBYf07eKzc2TvI3/ZSducmECNP8gk2gAndP1P1rmpheN+owZJS7kQVfQmHl +UmT87U99NPaMHXMNOsFj/3mbAaANndKEnd8PM2r5fg16C4+2e5KzAgEC -----END DH PARAMETERS-----
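Review bot: The command URL in test1324 ends in `/1322` (`imap://%HOSTIP:%IMAPPORT/%0d%0a/1322`), whereas test1322 and test1323 use their own numbers. This looks like a copy-paste leftover and should read `/1324`. All three new tests exercise only `%0d%0a`. Since Curl_urldecode rejects every byte below 0x20 when `reject_ctrl` is set, one more case with a different encoded control byte expecting error 3 would pin the broader contract instead of just the CR LF pair.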