1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 16:18:48 -05:00

Merge branch 'master' of github.com:bagder/curl

This commit is contained in:
Pierre Joye 2012-01-26 16:39:53 +01:00
commit 8ee2576b6f
21 changed files with 239 additions and 167 deletions

View File

@ -1,4 +1,4 @@
Curl and libcurl 7.24.0 Curl and libcurl 7.24.1
Public curl releases: 127 Public curl releases: 127
Command line options: 149 Command line options: 149
@ -7,65 +7,17 @@ Curl and libcurl 7.24.0
Known libcurl bindings: 39 Known libcurl bindings: 39
Contributors: 907 Contributors: 907
This release includes the following security fixes:
o
This release includes the following changes: This release includes the following changes:
o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24] o
o CURLOPT_DNS_SERVERS: set name servers if possible [23]
o Add support for using nettle instead of gcrypt as gnutls backend [22]
o CURLOPT_INTERFACE: avoid resolving interfaces names with magic prefixes [21]
o Added CURLOPT_ACCEPTTIMEOUT_MS [30]
o configure: add symbols versioning option --enable-versioned-symbols [31]
This release includes the following bugfixes: This release includes the following bugfixes:
o SSL session share: move the age counter to the share object [1] o
o -J -O: use -O name if no Content-Disposition header comes! [2]
o protocol_connect: show verbose connect and set connect time [3]
o query-part: ignore the URI part for given protocols [4]
o gnutls: only translate winsock errors for old versions [5]
o POP3: fix end of body detection [6]
o POP3: detect when LIST returns no mails
o TELNET: improved treatment of options [7]
o configure: add support for pkg-config detection of libidn [8]
o CyaSSL 2.0+ library initialization adjustment [9]
o multi interface: only use non-NULL socker function pointer
o call opensocket callback properly for active FTP
o don't call close socket callback for sockets created with accept() [10]
o differentiate better between host/proxy errors [11]
o SSH: fix CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and --hostpubmd5 [12]
o multi: handle timeouts on DNS servers by checking for new sockets [13]
o CURLOPT_DNS_SERVERS: fix return code
o POP3: fixed escaped dot not being stripped out [14]
o OpenSSL: check for the SSLv2 function in configure [15]
o MakefileBuild: fix the static build [16]
o create_conn: don't switch to HTTP protocol if tunneling is enabled [17]
o multi interface: fix block when CONNECT_ONLY option is used [18]
o Fix connection reuse for TLS upgraded connections [19]
o multiple file upload with -F and custom type [20]
o multi interface: active FTP connections are no longer blocking [25]
o Android build fix [26]
o timer: restore PRETRANSFER timing [27]
o libcurl.m4: Fix quoting arguments of AC_LANG_PROGRAM [28]
o appconnect time fixed for non-blocking connect ssl backends [29]
o do not include SSL handshake into time spent waiting for 100-continue [32]
o handle dns cache case insensitive
o use new host name casing for subsequent HTTP requests [33]
o CURLOPT_RESOLVE: avoid adding already present host names
o SFTP mkdir: use correct permission [34]
o resolve: don't leak pre-populated dns entries [35]
o --retry: Retry transfers on timeout and DNS errors
o negotiate with SSPI backend: use the correct buffer for input [36]
o SFTP dir: increase buffer size counter to avoid cut off file names [37]
o TFTP: fix resending (again) [38]
o c-ares: don't include getaddrinfo-using code [39]
o FTP: CURLE_PARTIAL_FILE will not close the control channel [40]
o win32-threaded-resolver: stop using a dummy socket
o OpenSSL: remove reference to openssl internal struct [41]
o OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option no longer enabled
o OpenSSL: fix PKCS#12 certificate parsing related memory leak
o OpenLDAP: fix LDAP connection phase memory leak [42]
o Telnet: Use correct file descriptor for telnet upload
o Telnet: Remove bogus optimisation of telnet upload
This release includes the following known bugs: This release includes the following known bugs:
@ -74,58 +26,10 @@ This release includes the following known bugs:
This release would not have looked like this without help, code, reports and This release would not have looked like this without help, code, reports and
advice from friends like these: advice from friends like these:
Alejandro Alvarez Ayllon, Jason Glasgow, Jonas Schnelli, Mark Brand,
Martin Storsjo, Yang Tse, Laurent Rabret, Jason Glasgow, Steve Holme,
Reza Arbab, Jason Liu, Gokhan Sengun, Rob Ward, Dan Fandrich,
Naveen Chandran, Ward Willats, Vladimir Grishchenko, Colin Hogben,
Alessandro Ghedini, Cedric Deltheil, Toni Moreno, Bernhard Reutner-Fischer,
Sven Wegener, Alex Vinnik, Kamil Dudka, Mamoru Tasaka, Patrice Guerin,
Armel Asselin, Arthur Murray, Steve H Truong, Peter Sylvester,
Johannes Bauer
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)
References to bug reports and discussions on issues: References to bug reports and discussions on issues:
[1] = http://curl.haxx.se/mail/lib-2011-11/0116.html
[2] = http://curl.haxx.se/mail/archive-2011-11/0030.htm
[3] = http://curl.haxx.se/mail/archive-2011-11/0035.html
[4] = http://curl.haxx.se/mail/lib-2011-11/0218.html
[5] = http://curl.haxx.se/mail/lib-2011-11/0267.html
[6] = http://curl.haxx.se/mail/lib-2011-11/0279.html
[7] = http://curl.haxx.se/mail/lib-2011-11/0247.html
[8] = http://curl.haxx.se/mail/lib-2011-11/0294.html
[9] = http://curl.haxx.se/bug/view.cgi?id=3442068
[10] = http://curl.haxx.se/mail/lib-2011-12/0018.html
[11] = http://curl.haxx.se/mail/archive-2011-12/0010.html
[12] = http://curl.haxx.se/bug/view.cgi?id=3451592
[13] = http://curl.haxx.se/mail/lib-2011-11/0371.html
[14] = http://curl.haxx.se/mail/lib-2011-11/0368.html
[15] = http://curl.haxx.se/mail/archive-2011-12/0012.html
[16] = http://curl.haxx.se/mail/lib-2011-12/0063.html
[17] = http://curl.haxx.se/mail/lib-2011-12/0010.html
[18] = http://curl.haxx.se/mail/lib-2011-12/0070.html
[19] = http://curl.haxx.se/mail/lib-2011-11/0022.html
[20] = http://curl.haxx.se/mail/lib-2011-12/0121.html
[21] = http://curl.haxx.se/mail/lib-2011-12/0107.html
[22] = http://curl.haxx.se/mail/lib-2011-11/0164.html
[23] = http://curl.haxx.se/mail/lib-2011-11/0067.html
[24] = http://curl.haxx.se/mail/lib-2011-11/0205.html
[25] = http://curl.haxx.se/mail/lib-2011-12/0179.html
[26] = http://curl.haxx.se/mail/lib-2011-12/0215.html
[27] = http://curl.haxx.se/mail/archive-2011-12/0022.html
[28] = http://curl.haxx.se/mail/lib-2011-12/0218.html
[29] = http://curl.haxx.se/mail/lib-2011-12/0211.html
[30] = http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTACCEPTTIMOUTMS
[31] = http://curl.haxx.se/mail/lib-2011-12/0133.html
[32] = https://bugzilla.redhat.com/767490
[33] = http://curl.haxx.se/mail/lib-2011-12/0314.html
[34] = http://curl.haxx.se/mail/lib-2011-12/0249.html
[35] = http://curl.haxx.se/bug/view.cgi?id=3463121
[36] = http://curl.haxx.se/bug/view.cgi?id=3466497
[37] = http://curl.haxx.se/mail/lib-2011-12/0249.html
[38] = http://curl.haxx.se/mail/lib-2012-01/0146.html
[39] = http://curl.haxx.se/mail/lib-2012-01/0160.html
[40] = http://curl.haxx.se/mail/lib-2012-01/0096.html
[41] = http://curl.haxx.se/mail/lib-2012-01/0049.html
[42] = http://curl.haxx.se/bug/view.cgi?id=3474308

View File

@ -1,4 +1,4 @@
To be addressed in 7.22.1 To be addressed in 7.24.1
========================= =========================
295 - "RTSP Authentication (#22)" https://github.com/bagder/curl/pull/22 295 - "RTSP Authentication (#22)" https://github.com/bagder/curl/pull/22
@ -8,4 +8,8 @@ To be addressed in 7.22.1
300 - "Polling on stray socket on sequential transfers." Andrew S 300 - "Polling on stray socket on sequential transfers." Andrew S
http://curl.haxx.se/mail/lib-2011-07/0053.html http://curl.haxx.se/mail/lib-2011-07/0053.html
308 - 308 - Revisit option --enable-threaded-resolver at least allow selection among
pthreads and Windows threads when building a Windows target.
http://curl.haxx.se/mail/lib-2012-01/0291.html
309 -

View File

@ -20,11 +20,13 @@ Albert Choy
Ale Vesely Ale Vesely
Alejandro Alvarez Alejandro Alvarez
Aleksandar Milivojevic Aleksandar Milivojevic
Alessandro Ghedini
Alessandro Vesely Alessandro Vesely
Alex Bligh Alex Bligh
Alex Fishman Alex Fishman
Alex Neblett Alex Neblett
Alex Suykov Alex Suykov
Alex Vinnik
Alex aka WindEagle Alex aka WindEagle
Alexander Beedie Alexander Beedie
Alexander Kourakos Alexander Kourakos
@ -74,6 +76,7 @@ Anton Kalmykov
Arkadiusz Miskiewicz Arkadiusz Miskiewicz
Armel Asselin Armel Asselin
Arnaud Ebalard Arnaud Ebalard
Arthur Murray
Arve Knudsen Arve Knudsen
Ates Goral Ates Goral
Augustus Saunders Augustus Saunders
@ -91,6 +94,7 @@ Ben Winslow
Benbuck Nason Benbuck Nason
Benjamin Gerard Benjamin Gerard
Bernard Leak Bernard Leak
Bernhard Reutner-Fischer
Bertrand Demiddelaer Bertrand Demiddelaer
Bill Egert Bill Egert
Bill Hoffman Bill Hoffman
@ -105,6 +109,7 @@ Brad Burdick
Brad Hards Brad Hards
Brad King Brad King
Bradford Bruce Bradford Bruce
Brandon Wang
Brendan Jurd Brendan Jurd
Brent Beardsley Brent Beardsley
Brian Akins Brian Akins
@ -121,6 +126,7 @@ Camille Moncelier
Caolan McNamara Caolan McNamara
Carsten Lange Carsten Lange
Casey O'Donnell Casey O'Donnell
Cedric Deltheil
Chad Monroe Chad Monroe
Charles Kerr Charles Kerr
Chih-Chung Chang Chih-Chung Chang
@ -133,6 +139,7 @@ Chris Gaukroger
Chris Maltby Chris Maltby
Chris Mumford Chris Mumford
Chris Smowton Chris Smowton
Christian Grothoff
Christian Hagele Christian Hagele
Christian Krause Christian Krause
Christian Kurz Christian Kurz
@ -382,6 +389,8 @@ Jan Kunder
Jan Van Boghout Jan Van Boghout
Jared Lundell Jared Lundell
Jari Sundell Jari Sundell
Jason Glasgow
Jason Liu
Jason McDonald Jason McDonald
Jason S. Priebe Jason S. Priebe
Jay Austin Jay Austin
@ -418,6 +427,7 @@ Jofell Gallardo
Johan Anderson Johan Anderson
Johan Nilsson Johan Nilsson
Johan van Selst Johan van Selst
Johannes Bauer
John Bradshaw John Bradshaw
John Crow John Crow
John Dennis John Dennis
@ -437,6 +447,7 @@ Jon Sargeant
Jon Travis Jon Travis
Jon Turner Jon Turner
Jonas Forsman Jonas Forsman
Jonas Schnelli
Jonatan Lander Jonatan Lander
Jonathan Hseu Jonathan Hseu
Jongki Suwandi Jongki Suwandi
@ -524,6 +535,7 @@ Luke Call
Luong Dinh Dung Luong Dinh Dung
Maciej Karpiuk Maciej Karpiuk
Maciej W. Rozycki Maciej W. Rozycki
Mamoru Tasaka
Mandy Wu Mandy Wu
Manfred Schwarb Manfred Schwarb
Manuel Massing Manuel Massing
@ -614,6 +626,7 @@ Moonesamy
Nathan Coulter Nathan Coulter
Nathan O'Sullivan Nathan O'Sullivan
Nathanael Nerode Nathanael Nerode
Naveen Chandran
Naveen Noel Naveen Noel
Neil Dunbar Neil Dunbar
Neil Spring Neil Spring
@ -631,6 +644,7 @@ Nikita Schmidt
Nikitinskit Dmitriy Nikitinskit Dmitriy
Niklas Angebrand Niklas Angebrand
Nikolai Kondrashov Nikolai Kondrashov
Nikos Mavrogiannopoulos
Ning Dong Ning Dong
Nir Soffer Nir Soffer
Nis Jorgensen Nis Jorgensen
@ -647,6 +661,7 @@ Paolo Piacentini
Pascal Terjan Pascal Terjan
Pasha Kuznetsov Pasha Kuznetsov
Pat Ray Pat Ray
Patrice Guerin
Patrick Bihan-Faou Patrick Bihan-Faou
Patrick Monnerat Patrick Monnerat
Patrick Scott Patrick Scott
@ -720,6 +735,7 @@ Renaud Duhaut
Rene Bernhardt Rene Bernhardt
Rene Rebe Rene Rebe
Reuven Wachtfogel Reuven Wachtfogel
Reza Arbab
Ricardo Cadime Ricardo Cadime
Rich Gray Rich Gray
Rich Rauenzahn Rich Rauenzahn
@ -736,11 +752,13 @@ Rick Richardson
Rob Crittenden Rob Crittenden
Rob Jones Rob Jones
Rob Stanzel Rob Stanzel
Rob Ward
Robert A. Monat Robert A. Monat
Robert D. Young Robert D. Young
Robert Foreman Robert Foreman
Robert Iakobashvili Robert Iakobashvili
Robert Olson Robert Olson
Robert Schumann
Robert Weaver Robert Weaver
Robin Cornelius Robin Cornelius
Robin Johnson Robin Johnson
@ -809,6 +827,7 @@ Stephen Kick
Stephen More Stephen More
Sterling Hughes Sterling Hughes
Steve Green Steve Green
Steve H Truong
Steve Holme Steve Holme
Steve Lhomme Steve Lhomme
Steve Little Steve Little
@ -864,6 +883,7 @@ Tomasz Lacki
Tommie Gannert Tommie Gannert
Tommy Tam Tommy Tam
Ton Voon Ton Voon
Toni Moreno
Toon Verwaest Toon Verwaest
Tor Arntsen Tor Arntsen
Torsten Foertsch Torsten Foertsch
@ -892,6 +912,7 @@ Vojtech Janota
Vojtech Minarik Vojtech Minarik
Vsevolod Novikov Vsevolod Novikov
Walter J. Mack Walter J. Mack
Ward Willats
Wayne Haigh Wayne Haigh
Werner Koch Werner Koch
Wesley Laxton Wesley Laxton

View File

@ -55,6 +55,7 @@ htmltitle.cc - download a HTML file and extract the <title> tag from a HTML
http-post.c - HTTP POST http-post.c - HTTP POST
httpput.c - HTTP PUT a local file httpput.c - HTTP PUT a local file
https.c - simple HTTPS transfer https.c - simple HTTPS transfer
imap.c - simple IMAP transfer
multi-app.c - a multi-interface app multi-app.c - a multi-interface app
multi-debugcallback.c - a multi-interface app using the debug callback multi-debugcallback.c - a multi-interface app using the debug callback
multi-double.c - a multi-interface app doing two simultaneous transfers multi-double.c - a multi-interface app doing two simultaneous transfers
@ -75,4 +76,5 @@ simple.c - the most simple download a URL source
simplepost.c - HTTP POST simplepost.c - HTTP POST
simplessl.c - HTTPS example with certificates many options set simplessl.c - HTTPS example with certificates many options set
synctime.c - Sync local time by extracting date from remote HTTP servers synctime.c - Sync local time by extracting date from remote HTTP servers
url2file.c - download a document and store it in a file
10-at-a-time.c - Download many files simultaneously, 10 at a time. 10-at-a-time.c - Download many files simultaneously, 10 at a time.

View File

@ -266,7 +266,7 @@ If you forward the input arguments directly to "fseek" or "lseek", note that
the data type for \fIoffset\fP is not the same as defined for curl_off_t on the data type for \fIoffset\fP is not the same as defined for curl_off_t on
many systems! (Option added in 7.18.0) many systems! (Option added in 7.18.0)
.IP CURLOPT_SEEKDATA .IP CURLOPT_SEEKDATA
Data pointer to pass to the file read function. If you use the Data pointer to pass to the file seek function. If you use the
\fICURLOPT_SEEKFUNCTION\fP option, this is the pointer you'll get as input. If \fICURLOPT_SEEKFUNCTION\fP option, this is the pointer you'll get as input. If
you don't specify a seek callback, NULL is passed. (Option added in 7.18.0) you don't specify a seek callback, NULL is passed. (Option added in 7.18.0)
.IP CURLOPT_SOCKOPTFUNCTION .IP CURLOPT_SOCKOPTFUNCTION
@ -322,7 +322,7 @@ to the \fICURLOPT_OPENSOCKETFUNCTION\fP option. Return 0 to signal success and
1 if there was an error. (Option added in 7.21.7) 1 if there was an error. (Option added in 7.21.7)
.IP CURLOPT_CLOSESOCKETDATA .IP CURLOPT_CLOSESOCKETDATA
Pass a pointer that will be untouched by libcurl and passed as the first Pass a pointer that will be untouched by libcurl and passed as the first
argument in the opensocket callback set with argument in the closesocket callback set with
\fICURLOPT_CLOSESOCKETFUNCTION\fP. (Option added in 7.21.7) \fICURLOPT_CLOSESOCKETFUNCTION\fP. (Option added in 7.21.7)
.IP CURLOPT_PROGRESSFUNCTION .IP CURLOPT_PROGRESSFUNCTION
Function pointer that should match the \fIcurl_progress_callback\fP prototype Function pointer that should match the \fIcurl_progress_callback\fP prototype
@ -2070,7 +2070,7 @@ This option requires that libcurl was built with a resolver backend that
supports this operation. The c-ares backend is the only such one. supports this operation. The c-ares backend is the only such one.
(Added in 7.24.0) (Added in 7.24.0)
.IP CURLOPT_ACCEPTTIMOUT_MS .IP CURLOPT_ACCEPTTIMEOUT_MS
Pass a long telling libcurl the maximum number of milliseconds to wait for a Pass a long telling libcurl the maximum number of milliseconds to wait for a
server to connect back to libcurl when an active FTP connection is used. If no server to connect back to libcurl when an active FTP connection is used. If no
timeout is set, the internal default of 60000 will be used. (Added in 7.24.0) timeout is set, the internal default of 60000 will be used. (Added in 7.24.0)

View File

@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -30,13 +30,13 @@
/* This is the version number of the libcurl package from which this header /* This is the version number of the libcurl package from which this header
file origins: */ file origins: */
#define LIBCURL_VERSION "7.24.0-DEV" #define LIBCURL_VERSION "7.24.1-DEV"
/* The numeric version number is also available "in parts" by using these /* The numeric version number is also available "in parts" by using these
defines: */ defines: */
#define LIBCURL_VERSION_MAJOR 7 #define LIBCURL_VERSION_MAJOR 7
#define LIBCURL_VERSION_MINOR 24 #define LIBCURL_VERSION_MINOR 24
#define LIBCURL_VERSION_PATCH 0 #define LIBCURL_VERSION_PATCH 1
/* This is the numeric version of the libcurl version number, meant for easier /* This is the numeric version of the libcurl version number, meant for easier
parsing and comparions by programs. The LIBCURL_VERSION_NUM define will parsing and comparions by programs. The LIBCURL_VERSION_NUM define will
@ -53,7 +53,7 @@
and it is always a greater number in a more recent release. It makes and it is always a greater number in a more recent release. It makes
comparisons with greater than and less than work. comparisons with greater than and less than work.
*/ */
#define LIBCURL_VERSION_NUM 0x071800 #define LIBCURL_VERSION_NUM 0x071801
/* /*
* This is the date and time when the full source package was created. The * This is the date and time when the full source package was created. The

View File

@ -31,6 +31,7 @@
#include "urldata.h" #include "urldata.h"
#include "warnless.h" #include "warnless.h"
#include "non-ascii.h" #include "non-ascii.h"
#include "escape.h"
#define _MPRINTF_REPLACE /* use our functions only */ #define _MPRINTF_REPLACE /* use our functions only */
#include <curl/mprintf.h> #include <curl/mprintf.h>
@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
char *testing_ptr = NULL; char *testing_ptr = NULL;
unsigned char in; /* we need to treat the characters unsigned */ unsigned char in; /* we need to treat the characters unsigned */
size_t newlen = alloc; size_t newlen = alloc;
int strindex=0; size_t strindex=0;
size_t length; size_t length;
CURLcode res; CURLcode res;
@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength)
} }
/* /*
* Unescapes the given URL escaped string of given length. Returns a * Curl_urldecode() URL decodes the given string.
* pointer to a malloced string with length given in *olen. *
* If length == 0, the length is assumed to be strlen(string). * Optionally detects control characters (byte codes lower than 32) in the
* If olen == NULL, no output length is stored. * data and rejects such data.
*
* Returns a pointer to a malloced string in *ostring with length given in
* *olen. If length == 0, the length is assumed to be strlen(string).
*
*/ */
char *curl_easy_unescape(CURL *handle, const char *string, int length, CURLcode Curl_urldecode(struct SessionHandle *data,
int *olen) const char *string, size_t length,
char **ostring, size_t *olen,
bool reject_ctrl)
{ {
int alloc = (length?length:(int)strlen(string))+1; size_t alloc = (length?length:strlen(string))+1;
char *ns = malloc(alloc); char *ns = malloc(alloc);
unsigned char in; unsigned char in;
int strindex=0; size_t strindex=0;
unsigned long hex; unsigned long hex;
CURLcode res; CURLcode res;
if(!ns) if(!ns)
return NULL; return CURLE_OUT_OF_MEMORY;
while(--alloc > 0) { while(--alloc > 0) {
in = *string; in = *string;
@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */
res = Curl_convert_from_network(handle, &in, 1); res = Curl_convert_from_network(data, &in, 1);
if(res) { if(res) {
/* Curl_convert_from_network calls failf if unsuccessful */ /* Curl_convert_from_network calls failf if unsuccessful */
free(ns); free(ns);
return NULL; return res;
} }
string+=2; string+=2;
alloc-=2; alloc-=2;
} }
if(reject_ctrl && (in < 0x20)) {
free(ns);
return CURLE_URL_MALFORMAT;
}
ns[strindex++] = in; ns[strindex++] = in;
string++; string++;
@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length,
if(olen) if(olen)
/* store output size */ /* store output size */
*olen = strindex; *olen = strindex;
return ns;
if(ostring)
/* store output string */
*ostring = ns;
return CURLE_OK;
}
/*
* Unescapes the given URL escaped string of given length. Returns a
* pointer to a malloced string with length given in *olen.
* If length == 0, the length is assumed to be strlen(string).
* If olen == NULL, no output length is stored.
*/
char *curl_easy_unescape(CURL *handle, const char *string, int length,
int *olen)
{
char *str = NULL;
size_t inputlen = length;
size_t outputlen;
CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen,
FALSE);
if(res)
return NULL;
if(olen)
*olen = curlx_uztosi(outputlen);
return str;
} }
/* For operating systems/environments that use different malloc/free /* For operating systems/environments that use different malloc/free

View File

@ -1,5 +1,5 @@
#ifndef __ESCAPE_H #ifndef HEADER_CURL_ESCAPE_H
#define __ESCAPE_H #define HEADER_CURL_ESCAPE_H
/*************************************************************************** /***************************************************************************
* _ _ ____ _ * _ _ ____ _
@ -8,7 +8,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -25,5 +25,9 @@
/* Escape and unescape URL encoding in strings. The functions return a new /* Escape and unescape URL encoding in strings. The functions return a new
* allocated string or NULL if an error occurred. */ * allocated string or NULL if an error occurred. */
CURLcode Curl_urldecode(struct SessionHandle *data,
const char *string, size_t length,
char **ostring, size_t *olen,
bool reject_crlf);
#endif #endif

View File

@ -453,7 +453,13 @@ gtls_connect_step1(struct connectdata *conn,
rc = gnutls_protocol_set_priority(session, protocol_priority); rc = gnutls_protocol_set_priority(session, protocol_priority);
#else #else
const char *err; const char *err;
rc = gnutls_priority_set_direct(session, "-VERS-TLS-ALL:+VERS-SSL3.0", /* the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not
vulnerable to attacks such as the BEAST, why this code now explicitly
asks for that
*/
rc = gnutls_priority_set_direct(session,
"NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:"
"-CIPHER-ALL:+ARCFOUR-128",
&err); &err);
#endif #endif
if(rc != GNUTLS_E_SUCCESS) if(rc != GNUTLS_E_SUCCESS)

View File

@ -953,17 +953,12 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
struct imap_conn *imapc = &conn->proto.imapc; struct imap_conn *imapc = &conn->proto.imapc;
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
const char *path = data->state.path; const char *path = data->state.path;
int len;
if(!*path) if(!*path)
path = "INBOX"; path = "INBOX";
/* url decode the path and use this mailbox */ /* url decode the path and use this mailbox */
imapc->mailbox = curl_easy_unescape(data, path, 0, &len); return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE);
if(!imapc->mailbox)
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
} }
/* call this when the DO phase has completed */ /* call this when the DO phase has completed */

View File

@ -914,11 +914,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn)
const char *path = data->state.path; const char *path = data->state.path;
/* url decode the path and use this mailbox */ /* url decode the path and use this mailbox */
pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE);
if(!pop3c->mailbox)
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
} }
/* call this when the DO phase has completed */ /* call this when the DO phase has completed */

View File

@ -1244,7 +1244,6 @@ static CURLcode smtp_connect(struct connectdata *conn,
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
struct pingpong *pp = &smtpc->pp; struct pingpong *pp = &smtpc->pp;
const char *path = conn->data->state.path; const char *path = conn->data->state.path;
int len;
char localhost[HOSTNAME_MAX + 1]; char localhost[HOSTNAME_MAX + 1];
*done = FALSE; /* default to not done yet */ *done = FALSE; /* default to not done yet */
@ -1316,9 +1315,9 @@ static CURLcode smtp_connect(struct connectdata *conn,
} }
/* url decode the path and use it as domain with EHLO */ /* url decode the path and use it as domain with EHLO */
smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len); result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE);
if(!smtpc->domain) if(result)
return CURLE_OUT_OF_MEMORY; return result;
/* When we connect, we start in the state where we await the server greeting /* When we connect, we start in the state where we await the server greeting
*/ */

View File

@ -1545,6 +1545,13 @@ ossl_connect_step1(struct connectdata *conn,
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition. this option regardless of OpenSSL version and SSL_OP_ALL definition.
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
must not be set.
*/ */
ctx_options = SSL_OP_ALL; ctx_options = SSL_OP_ALL;
@ -1553,12 +1560,15 @@ ossl_connect_step1(struct connectdata *conn,
ctx_options |= SSL_OP_NO_TICKET; ctx_options |= SSL_OP_NO_TICKET;
#endif #endif
#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \ #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG == 0x00000008L)
/* mitigate CVE-2010-4180 */ /* mitigate CVE-2010-4180 */
ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
#endif #endif
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
/* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)
ctx_options |= SSL_OP_NO_SSLv2; ctx_options |= SSL_OP_NO_SSLv2;

View File

@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -1273,11 +1273,13 @@ static CURLcode telnet_done(struct connectdata *conn,
(void)status; /* unused */ (void)status; /* unused */
(void)premature; /* not used */ (void)premature; /* not used */
if(!tn)
return CURLE_OK;
curl_slist_free_all(tn->telnet_vars); curl_slist_free_all(tn->telnet_vars);
tn->telnet_vars = NULL; tn->telnet_vars = NULL;
free(conn->data->state.proto.telnet); Curl_safefree(conn->data->state.proto.telnet);
conn->data->state.proto.telnet = NULL;
return CURLE_OK; return CURLE_OK;
} }

View File

@ -137,7 +137,9 @@ static long ConnectionKillOne(struct SessionHandle *data);
static void conn_free(struct connectdata *conn); static void conn_free(struct connectdata *conn);
static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke); static void signalPipeClose(struct curl_llist *pipeline, bool pipe_broke);
static CURLcode do_init(struct connectdata *conn); static CURLcode do_init(struct connectdata *conn);
static CURLcode parse_url_userpass(struct SessionHandle *data,
struct connectdata *conn,
char *user, char *passwd);
/* /*
* Protocol table. * Protocol table.
*/ */
@ -3666,7 +3668,9 @@ static CURLcode findprotocol(struct SessionHandle *data,
*/ */
static CURLcode parseurlandfillconn(struct SessionHandle *data, static CURLcode parseurlandfillconn(struct SessionHandle *data,
struct connectdata *conn, struct connectdata *conn,
bool *prot_missing) bool *prot_missing,
char *user,
char *passwd)
{ {
char *at; char *at;
char *fragment; char *fragment;
@ -3675,6 +3679,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
int rc; int rc;
char protobuf[16]; char protobuf[16];
const char *protop; const char *protop;
CURLcode result;
*prot_missing = FALSE; *prot_missing = FALSE;
@ -3841,6 +3846,14 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
path[0] = '/'; path[0] = '/';
} }
/*************************************************************
* Parse a user name and password in the URL and strip it out
* of the host name
*************************************************************/
result = parse_url_userpass(data, conn, user, passwd);
if(result != CURLE_OK)
return result;
if(conn->host.name[0] == '[') { if(conn->host.name[0] == '[') {
/* This looks like an IPv6 address literal. See if there is an address /* This looks like an IPv6 address literal. See if there is an address
scope. */ scope. */
@ -4783,7 +4796,7 @@ static CURLcode create_conn(struct SessionHandle *data,
conn->host.name = conn->host.rawalloc; conn->host.name = conn->host.rawalloc;
conn->host.name[0] = 0; conn->host.name[0] = 0;
result = parseurlandfillconn(data, conn, &prot_missing); result = parseurlandfillconn(data, conn, &prot_missing, user, passwd);
if(result != CURLE_OK) if(result != CURLE_OK)
return result; return result;
@ -4812,15 +4825,6 @@ static CURLcode create_conn(struct SessionHandle *data,
data->change.url_alloc = TRUE; /* free this later */ data->change.url_alloc = TRUE; /* free this later */
} }
/*************************************************************
* Parse a user name and password in the URL and strip it out
* of the host name
*************************************************************/
result = parse_url_userpass(data, conn, user, passwd);
if(result != CURLE_OK)
return result;
/************************************************************* /*************************************************************
* If the protocol can't handle url query strings, then cut * If the protocol can't handle url query strings, then cut
* of the unhandable part * of the unhandable part

View File

@ -82,7 +82,7 @@ test1220 \
test1300 test1301 test1302 test1303 test1304 test1305 \ test1300 test1301 test1302 test1303 test1304 test1305 \
test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \ test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
test1325 test1326 test1327 \ test1322 test1323 test1324 test1325 test1326 test1327 \
test2000 test2001 test2002 test2003 test2004 test2000 test2001 test2002 test2003 test2004
EXTRA_DIST = $(TESTCASES) DISABLED EXTRA_DIST = $(TESTCASES) DISABLED

29
tests/data/test1322 Normal file
View File

@ -0,0 +1,29 @@
<testcase>
<info>
<keywords>
POP3
CRLF-in-URL
</keywords>
</info>
# Client-side
<client>
<server>
pop3
</server>
<name>
POP3 with URL-encoded CR LF in the URL
</name>
<command>
pop3://%HOSTIP:%POP3PORT/%0d%0a/1322
</command>
</client>
#
<verify>
# 3 - CURLE_URL_MALFORMAT
<errorcode>
3
</errorcode>
</verify>
</testcase>

29
tests/data/test1323 Normal file
View File

@ -0,0 +1,29 @@
<testcase>
<info>
<keywords>
SMTP
CRLF-in-URL
</keywords>
</info>
# Client-side
<client>
<server>
smtp
</server>
<name>
SMTP with URL-encoded CR LF in the URL
</name>
<command>
smtp://%HOSTIP:%SMTPPORT/%0d%0a/1323
</command>
</client>
#
<verify>
# 3 - CURLE_URL_MALFORMAT
<errorcode>
3
</errorcode>
</verify>
</testcase>

29
tests/data/test1324 Normal file
View File

@ -0,0 +1,29 @@
<testcase>
<info>
<keywords>
IMAP
CRLF-in-URL
</keywords>
</info>
# Client-side
<client>
<server>
imap
</server>
<name>
IMAP with URL-encoded CR LF in the URL
</name>
<command>
imap://%HOSTIP:%IMAPPORT/%0d%0a/1322
</command>
</client>
#
<verify>
# 3 - CURLE_URL_MALFORMAT
<errorcode>
3
</errorcode>
</verify>
</testcase>

View File

@ -111,7 +111,7 @@ int libtest_debug_cb(CURL *handle, curl_infotype type,
switch (type) { switch (type) {
case CURLINFO_TEXT: case CURLINFO_TEXT:
fprintf(stderr, "%s== Info: %s", timebuf, data); fprintf(stderr, "%s== Info: %s", &timebuf[0], data);
default: /* in case a new one is introduced to shock us */ default: /* in case a new one is introduced to shock us */
return 0; return 0;

View File

@ -137,6 +137,7 @@ Ft896NmH4QFsDAetZcCFf24AM4DbUQo5jtG+dkanI/7IxxNYJ1PQ64/yscdQFvHW
xhIX3Q6FqABjcN5nc80Rog+b6eS8QRX1BRnQqbGtocuptUgW5mWsSb+DR6pZbA== xhIX3Q6FqABjcN5nc80Rog+b6eS8QRX1BRnQqbGtocuptUgW5mWsSb+DR6pZbA==
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN DH PARAMETERS----- -----BEGIN DH PARAMETERS-----
MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx MIGHAoGBAMq/KFGh2oy16WzkFs1U71Uz7dIEKvSYfc+zo439pYyVzcD8MkcC15Zb
q3YvALe/enMbIq8F3OUmppq3UHwTAgEC ayK3jPBYf07eKzc2TvI3/ZSducmECNP8gk2gAndP1P1rmpheN+owZJS7kQVfQmHl
UmT87U99NPaMHXMNOsFj/3mbAaANndKEnd8PM2r5fg16C4+2e5KzAgEC
-----END DH PARAMETERS----- -----END DH PARAMETERS-----