1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-15 22:15:13 -05:00
Commit Graph

15037 Commits

Author SHA1 Message Date
Daniel Stenberg
a8e063b087 RELEASE-NOTES: synced with 70f71bb99f
Synced and prepared for 7.24.0 release. Two security problems, one bug fix,
two more contributors.
2012-01-24 09:24:37 +01:00
Daniel Stenberg
70f71bb99f gnutls: enforced use of SSLv3
With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
2012-01-24 08:54:26 +01:00
Daniel Stenberg
c11c30a8c8 tests: test CRLF in URLs
Related to the security vulnerability: CVE-2012-0036

Bug: http://curl.haxx.se/docs/adv_20120124.html
2012-01-24 08:54:26 +01:00
Daniel Stenberg
75ca568fa1 URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).

URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.

This flaw is considered a security vulnerability: CVE-2012-0036

Security advisory at: http://curl.haxx.se/docs/adv_20120124.html

Reported by: Dan Fandrich
2012-01-24 08:54:26 +01:00
Daniel Stenberg
db1a856b4f OpenSSL: don't disable security work-around
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around workding, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple
2012-01-24 08:54:26 +01:00
Daniel Stenberg
ee57e9dea6 RELEASE-NOTES: synced with 6e2fd2c9ea
3 more bugfixes, 3 more contributors
2012-01-22 23:44:51 +01:00
Daniel Stenberg
6e2fd2c9ea CURLOPT_ACCEPTTIMEOUT_MS: spellfix 2012-01-22 00:00:55 +01:00
Dan Fandrich
5d7a319a55 examples: updated README with two new example programs 2012-01-20 22:44:59 -08:00
Daniel Stenberg
7883cd5af3 URL parse: user name with ipv6 numerical address
Using a URL with embedded user name and password didn't work if the host
was given as a numerical IPv6 string, like ftp://user:password@[::1]/

Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20 23:32:43 +01:00
Yang Tse
d7af7de5b2 telnet.c: fix OOM triggered segfault 2012-01-20 00:11:15 +01:00
Yang Tse
a7e8f4aabc testtrace.c: fix compiler warning 2012-01-19 22:54:57 +01:00
Yang Tse
e64d332e79 OpenSSL: follow-up for commit a20daf90e3
avoid checking preprocessor definition official value
2012-01-19 22:29:00 +01:00
Pierre Joye
00e615de7e - s, use, enable, for options name, avoiding conflicts with the names used in the makefile 2012-01-19 14:08:24 +01:00
Daniel Stenberg
b2aaf3c2ad curl.1: improve --stderr wording
As is pointed out in this bug report, there can indeed be situation
where --stderr has a point even when the "real" stderr can be
redirected. Remove the superfluous and wrong comment.

bug: http://curl.haxx.se/bug/view.cgi?id=3476020
2012-01-19 13:42:56 +01:00
Daniel Stenberg
c41f304c43 KNOWN_BUGS: can't receive zero bytes file properly
http://curl.haxx.se/bug/view.cgi?id=3438362
2012-01-18 23:45:09 +01:00
Yang Tse
d56b4c3f89 ssl session caching: fix compiler warnings 2012-01-18 23:42:39 +01:00
Daniel Stenberg
d1becc3231 polarssl: show cipher suite name correctly with 1.1.0
Apparently ssl_get_ciphersuite() is needed to get the name of the used
cipher suite.
2012-01-18 23:19:37 +01:00
Daniel Stenberg
f55f95d49c polarssl: show error code correctly
The value was turned negative when it shouldn't have been
2012-01-18 23:19:01 +01:00
Daniel Stenberg
61d31a3caf polarssl: havege_rand is not present in version 1.1.0
... it is now named havege_random!

Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18 23:17:54 +01:00
Daniel Stenberg
4b9af77d54 RELEASE-NOTES: synced with 5d70a61b94
5 more bug fixes, 1 more contributor
2012-01-18 22:33:45 +01:00
Colin Hogben
5d70a61b94 Add two tests for telnet: URLs
Add simple telnet tests which (ab)use the http server.
The second test checks for an input file handling bug.
2012-01-18 22:20:33 +01:00
Colin Hogben
51c485342b Remove bogus optimisation of telnet upload.
Remove wrongly implemented optimisation of telnet upload, apparently
intended to allow the library to avoid manually polling for input.
2012-01-18 22:17:46 +01:00
Colin Hogben
4563eeb9f4 Use correct file descriptor for telnet upload.
Fix a bug where input was read from stdin even when a different FILE *
had been configured via CURLOPT_READDATA
2012-01-18 22:17:10 +01:00
Yang Tse
2cafb0e97c OpenLDAP: fix LDAP connection phase memory leak
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18 16:06:29 +01:00
Johannes Bauer
6ea7acf5a9 OpenSSL: fix PKCS#12 certificate parsing related memory leak
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18 13:39:12 +01:00
Yang Tse
a20daf90e3 OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.

Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-18 11:59:20 +01:00
Yang Tse
24526d0c0f tests: enable time tracing on tests 500, 573 and 585 2012-01-17 21:33:17 +01:00
Yang Tse
a752850acc tests: testtrace.[ch] provides debug callback for libtest usage
Allows tests from the libtest subdir to generate log traces
similar to those of curl with --tracetime and --trace-ascii
options but with output going to stderr.
2012-01-17 21:32:05 +01:00
Yang Tse
2b9fafd622 sws.c: fix proxy mode secondary connection monitoring condition 2012-01-17 12:28:28 +01:00
Yang Tse
0ce2bca741 add LF termination to infof() trace string 2012-01-16 21:14:05 +01:00
Yang Tse
b15024be4d sws.c: improve proxy mode torture testing support - followup to 18c6c8a5 2012-01-16 19:01:35 +01:00
Daniel Stenberg
21401840fa url2file: new simple example
Just showing how to download the contents of a given URL into a local
file.

Based on a suggestion and example code by Georg Potthast
2012-01-16 14:47:00 +01:00
Daniel Stenberg
e3e24e5b36 imap.c: a dead simple imap example
Just to show that IMAP is used just like other protocols
2012-01-16 14:47:00 +01:00
Yang Tse
18c6c8a5e7 sws.c: improve proxy mode torture testing support - followup to c731fc58 2012-01-16 12:30:03 +01:00
Yang Tse
c731fc58ea sws.c: improve proxy mode torture testing support - followup to d4bf87dc 2012-01-15 20:13:32 +01:00
Yang Tse
6d62c5a6fc Curl_proxyCONNECT() trace known bug #39 2012-01-15 19:21:55 +01:00
Daniel Stenberg
f1092b387e test: verify HTTP response code 308
This newly speced HTTP status code already works as intended in the new
spec:
http://greenbytes.de/tech/webdav/draft-reschke-http-status-308-02.html

Test 1325 is added to verify that the method is kept after the redirect
2012-01-14 16:34:59 +01:00
Yang Tse
8e82ef9c32 http_negotiate_sspi.c: fix compiler warning 2012-01-13 13:34:43 +01:00
Yang Tse
d016f5f5f5 ssh.c: fix compiler warning 2012-01-13 12:57:09 +01:00
Yang Tse
d4bf87dc0e sws.c: improve proxy mode torture testing support 2012-01-13 05:13:48 +01:00
Daniel Stenberg
54dede4166 RELEASE-NOTES: synced with 9f20379fe4
5 bug fixes, 3 more contributors
2012-01-12 23:30:19 +01:00
Daniel Stenberg
9f20379fe4 hostip: avoid getaddrinfo when c-ares is used
Some functions using getaddrinfo and gethostbyname were still
mistakingly being used/linked even if c-ares was selected as resolver
backend.

Reported by: Arthur Murray
Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-12 23:13:19 +01:00
Yang Tse
123c92c904 sws.c: replace sleep() usage with wait_ms() 2012-01-09 22:50:47 +01:00
gsengun
d28411c3cc FTP: CURLE_PARTIAL_FILE should not cause control connection to be closed
Test 161 updated accordingly
2012-01-09 22:50:20 +01:00
Yang Tse
2705af6267 sws.c: some compiler warning fixes 2012-01-08 19:28:46 +01:00
Yang Tse
f34ddb90e6 lib/setup.h: portable symbolic names for Winsock shutdown() mode flags 2012-01-08 02:32:51 +01:00
Yang Tse
dd69a3e868 sws.c: 812fa73057 follow-up 2012-01-06 01:52:45 +01:00
Yang Tse
812fa73057 sws.c: some IPv6 proxy mode peparatory adjustments 2012-01-05 20:52:48 +01:00
Daniel Stenberg
52824ed1ab curl.h: provide backwards compatible symbols
In commit c834213ad5 we re-used some obsolete error codes, and here are
two defines that makes sure existing source codes that happen to use any
of these deprecated ones will still compile.

As usual, define CURL_NO_OLDIES to avoid getting these "precaution
defines".
2012-01-05 19:57:39 +01:00
Daniel Stenberg
4897f4e517 win32-threaded-resolver: stop using a dummy socket
Previously the code would create a dummy socket while resolving just to
have curl_multi_fdset() return something but the non-win32 version
doesn't do it this way and the creation and use of a socket that isn't
made with the common create-socket callback can be confusing to apps
using the multi_socket API etc.

This change removes the dummy socket and thus will cause
curl_multi_fdset() to return with maxfd == -1 more often.
2012-01-04 23:16:30 +01:00