Commit Graph

1617 Commits

Author SHA1 Message Date
Dan Fandrich 983a539503 Expanded the security section of the libcurl-tutorial man page to cover
more issues for authors to consider when writing robust libcurl-using
applications.
2009-03-05 06:44:18 +00:00
Yang Tse 94bb7fe5cb Fix NTLM authentication memory leak on SSPI enabled Windows builds 2009-03-05 01:23:14 +00:00
Dan Fandrich b98e0aa09b Fixed a problem with m4 quoting in the OpenSSL configure check reported
by Daniel Johnson.
2009-03-04 08:09:39 +00:00
Daniel Stenberg ee73fc361b - David James brought a patch that make libcurl close (all) dead connections
whenever you attempt to open a new connection.
2009-03-03 11:01:24 +00:00
Daniel Stenberg 042cc1f69e - David Kierznowski notified us about a security flaw
(http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
  which previous libcurl versions (by design) can be tricked to access an
  arbitrary local/different file instead of a remote one when
  CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
  together this the addition of two new setopt options for controlling this
  new behavior:

  o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
  follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
  excludes the FILE and SCP protocols and thus you nee to explicitly allow
  them in your app if you really want that behavior.

  o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
  using the primary URL option. This is useful if you want to allow a user or
  other outsiders control what URL to pass to libcurl and yet not allow all
  protocols libcurl may have been built to support.
2009-03-02 23:05:31 +00:00
Daniel Stenberg 7b7db23633 - Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and
CURLOPT_LOCALPORT were used together (the local port bind failed), and
  Markus Koetter provided the fix!
2009-02-27 12:07:14 +00:00
Daniel Stenberg d207ea1652 - As Daniel Fandrich figured out, we must do the GnuTLS initing in the
curl_global_init() function to properly maintain the performing functions
  thread-safe. We've previously (28 April 2007) moved the init to a later time
  just to avoid it to fail very early when libgcrypt dislikes the situation,
  but that move was bad and the fix should rather be in libgcrypt or
  elsewhere.
2009-02-25 12:51:17 +00:00
Daniel Stenberg ea6531cf32 - Brian J. Murrell found out that Negotiate proxy authentication didn't work.
It happened because the code used the struct for server-based auth all the
  time for both proxy and server auth which of course was wrong.
2009-02-24 08:30:09 +00:00
Daniel Stenberg 6c9f37d263 - After a bug reported by James Cheng I've made curl_easy_getinfo() for
CURLINFO_CONTENT_LENGTH_DOWNLOAD and CURLINFO_CONTENT_LENGTH_UPLOAD return
  -1 if the sizes aren't know. Previously these returned 0, make it impossible
  to detect the difference between actually zero and unknown.
2009-02-23 18:45:00 +00:00
Yang Tse f5548973ab Daniel Johnson provided a shell script that will perform all the steps needed
to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
2009-02-23 12:39:06 +00:00
Daniel Stenberg 8b66981ce0 - I renamed everything in the windows builds files that used the name 'curllib'
to the proper 'libcurl' as clearly this caused confusion.
2009-02-23 09:36:54 +00:00
Yang Tse 51b46f451f Do not halt compilation when using VS2008 to build a Windows 2000 target 2009-02-20 11:30:11 +00:00
Daniel Stenberg af91ff0e06 - Linus Nielsen Feltzing reported and helped me repeat and fix a problem with
FTP with the multi interface: when a transfer fails, like when aborted by a
  write callback, the control connection was wrongly closed and thus not
  re-used properly.

  This change is also an attempt to cleanup the code somewhat in this area, as
  now the FTP code attempts to keep (better) track on pending responses
  necessary to get read in ftp_done().
2009-02-20 08:16:03 +00:00
Daniel Stenberg 5af0629ba5 - Patrik Thunstrom reported a problem and helped me repeat it. It turned out
libcurl did a superfluous 1000ms wait when doing SFTP downloads!

  We read data with libssh2 while doing the "DO" operation for SFTP and then
  when we were about to start getting data for the actual file part, the
  "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
  libssh2-read. But in this case libssh2 had already read and buffered the
  data so we ended up always just waiting 1000ms before we get working on the
  data!
2009-02-19 10:36:20 +00:00
Patrick Monnerat 6e422c447a FTP downloads (i.e.: RETR) ending with code 550 now return error CURLE_REMOTE_FILE_NOT_FOUND instead of CURLE_FTP_COULDNT_RETR_FILE. 2009-02-18 11:40:16 +00:00
Daniel Stenberg a24fe59ee4 - Kamil Dudka made NSS-powered builds compile and run again! 2009-02-17 12:18:34 +00:00
Daniel Stenberg 4ad296c60b - A second follow-up change by Andre Guibert de Bruet to fix a related memory
leak like that fixed on the 14th. When zlib returns failure, we need to
  cleanup properly before returning error.
2009-02-17 12:14:41 +00:00
Daniel Stenberg 8f81fd6be5 - CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 in addition to 1 for
plain FTP connections, and it will then allow MKD to fail once and retry the
  CWD afterwards. This is especially useful if you're doing many simultanoes
  connections against the same server and they all have this option enabled,
  as then CWD may first fail but then another connection does MKD before this
  connection and thus MKD fails but trying CWD works! The numbers can
  (should?) now be set with the convenience enums now called
  CURLFTP_CREATE_DIR and CURLFTP_CREATE_DIR_RETRY.

  Tests has proven that if you're making an application that uploads a set of
  files to an ftp server, you will get a noticable gain in speed if you're
  using multiple connections and this option will be then be very useful.
2009-02-17 09:07:25 +00:00
Daniel Stenberg d315d41a12 - Andre Guibert de Bruet found and fixed a memory leak in the content encoding
code, which could happen on libz errors.
2009-02-14 09:09:09 +00:00
Dan Fandrich 9a4c887c4a Added support for Digest and NTLM authentication using GnuTLS. 2009-02-12 20:48:40 +00:00
Daniel Stenberg de41c6ef43 credit Jocelyn Jaubert for his bug report and associated work 2009-02-12 08:05:23 +00:00
Daniel Stenberg 002cf105c6 - CURLINFO_CONDITION_UNMET was added to allow an application to get to know if
the condition in the previous request was unmet. This is typically a time
  condition set with CURLOPT_TIMECONDITION and was previously not possible to
  reliably figure out. From bug report #2565128
  (http://curl.haxx.se/bug/view.cgi?id=2565128)
2009-02-11 21:47:14 +00:00
Dan Fandrich 77da9a0087 Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
This couldn't ever overflow in curl, but might if the code were used
elsewhere or under different conditions.
2009-02-05 00:13:40 +00:00
Dan Fandrich 4b441ebac5 Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
(respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
2009-02-04 23:33:34 +00:00
Daniel Stenberg 71f3877f3a - Hidemoto Nakada provided a small fix that makes it possible to get the
CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
  CURLOPT_NOBODY set true.
2009-02-03 22:28:41 +00:00
Daniel Stenberg d4ac3d53fc - Patrick Scott found a rather large memory leak when using the multi
interface and setting CURLMOPT_MAXCONNECTS to something less than the number
  of handles you add to the multi handle. All the connections that didn't fit
  in the cache would not be properly disconnected nor freed!
2009-02-02 21:36:47 +00:00
Daniel Stenberg bdd4294e79 - Craig A West brought us: libcurl now defaults to do CONNECT with HTTP
version 1.1 instead of 1.0 like before. This change also introduces the new
  proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
  switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
  option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.

  I updated all test cases cases that use CONNECT and I tried to do some using
  --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
2009-02-02 16:19:23 +00:00
Daniel Stenberg dcf92bffd2 - When building with c-ares 1.6.1 (not yet released) or later and IPv6 support
enabled, we can now take advantage of its brand new AF_UNSPEC support in
  ares_gethostbyname(). This makes test case 241 finally run fine for me wtih
  this setup since it now parses the "::1 ip6-localhost" line fine in my
  /etc/hosts file!
2009-01-31 20:25:55 +00:00
Daniel Stenberg 8b6805572a - Scott Cantor filed bug report #2550061
(http://curl.haxx.se/bug/view.cgi?id=2550061) mentioning that I failed to
  properly make sure that the VC9 makefiles got included in the latest
  release. I've now fixed the release script and verified it so next release
  will hopefully include them properly!
2009-01-31 18:38:41 +00:00
Dan Fandrich 09f4a1c5e5 Fixed --disable-proxy for FTP and SOCKS. Thanks to Daniel Egger for reporting
the problem.
2009-01-30 19:29:25 +00:00
Yang Tse e813bf31d7 Introduced curl_sspi.c and curl_sspi.h for the implementation of functions
Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
SSPI library using it now in the same way as it was done in http_ntlm.c.
2009-01-29 20:32:27 +00:00
Daniel Stenberg de4610a55f - Markus Moeller introduced two new options to libcurl:
CURLOPT_SOCKS5_GSSAPI_SERVICE and CURLOPT_SOCKS5_GSSAPI_NEC to allow libcurl
  to do GSS-style authentication with SOCKS5 proxies. The curl tool got the
  options called --socks5-gssapi-service and --socks5-gssapi-nec to enable
  these.
2009-01-28 21:33:58 +00:00
Daniel Stenberg 0516ce7786 - Chad Monroe provided the new CURLOPT_TFTP_BLKSIZE option that allows an app
to set desired block size to use for TFTP transfers instead of the default
  512 bytes.
2009-01-26 22:43:06 +00:00
Daniel Stenberg 8fa8df95fb - The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
disable "rfc4507bis session ticket support".  rfc4507bis was later turned
  into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077

  The enabled extension concerns the session management. I wonder how often
  libcurl stops a connection and then resumes a TLS session. also, sending the
  session data is some overhead. .I suggest that you just use your proposed
  patch (which explicitly disables TICKET).

  If someone writes an application with libcurl and openssl who wants to
  enable the feature, one can do this in the SSL callback.

  Sharad Gupta brought this to my attention. Peter Sylvester helped me decide
  on the proper action.
2009-01-26 14:36:18 +00:00
Daniel Stenberg 82ca52713b - Alexey Borzov filed bug report #2535504
(http://curl.haxx.se/bug/view.cgi?id=2535504) pointing out that realms with
  quoted quotation marks in HTTP Digest headers didn't work. I've now added
  test case 1095 that verifies my fix.
2009-01-26 13:19:03 +00:00
Daniel Stenberg 5aeef9c1c8 - Craig A West brought CURLOPT_NOPROXY and the corresponding --noproxy option.
They basically offer the same thing the NO_PROXY environment variable only
  offered previously: list a set of host names that shall not use the proxy
  even if one is specified.
2009-01-25 23:26:25 +00:00
Dan Fandrich 5591550167 Fixed a couple more locale-dependent toupper conversions, mainly for
clarity.  This does fix one problem that causes ;type=i FTP URLs
to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
used (test case 561)

Added tests 561 and 1092 through 1094 to test various combinations
of ;type= and ;mode= URLs that could potentially fail in the Turkish
locale.
2009-01-21 04:42:47 +00:00
Daniel Stenberg 14a6788535 - Lisa Xu pointed out that the ssh.obj file was missing from the lib/Makefile.vc6
file (and thus from the vc8 and vc9 ones too).
2009-01-20 06:24:25 +00:00
Daniel Stenberg 1dc54324f4 time to release 2009-01-19 09:59:20 +00:00
Daniel Stenberg 37c5250e03 - Andrew de los Reyes fixed curlbuild.h for "generic" gcc builds on PPC, both
32 bit and 64 bit.
2009-01-16 08:36:40 +00:00
Daniel Stenberg 5e74c58b73 - Tim Ansell fixed a compiler warning in lib/cookie.c 2009-01-15 08:32:58 +00:00
Daniel Stenberg 1225d36188 Grant Erickson fixed timeouts for TFTP 2009-01-13 23:24:06 +00:00
Daniel Stenberg a19e02be5e - Michael Wallner fixed a NULL pointer deref when calling
curl_easy_setup(curl, CURLOPT_COOKIELIST, "SESS") on a CURL handle with no
  cookies data.
2009-01-13 22:21:14 +00:00
Daniel Stenberg 0de0e95020 - Stefan Teleman brought a patch to fix the default curlbuild.h file for the
SunPro compilers.
2009-01-13 22:01:39 +00:00
Daniel Stenberg b9fdc0c251 - Based on bug report #2498665 (http://curl.haxx.se/bug/view.cgi?id=2498665)
by Daniel Black, I've now added magic to the configure script that makes it
  use pkg-config to detect gnutls details as well if the existing method
  (using libgnutls-config) fails. While doing this, I cleaned up and unified
  the pkg-config usage when detecting openssl and nss as well.
2009-01-11 23:41:50 +00:00
Daniel Stenberg f471b4836f credit Karl Moerder properly 2009-01-11 22:05:38 +00:00
Daniel Stenberg f7e3bd28b4 - Karl M brought the patch that creates vc9 Makefiles, and I made 'maketgz'
now use the actual makefile targets to do the VC8 and VC9 makefiles.
2009-01-11 13:34:05 +00:00
Daniel Stenberg 452e52f958 - Emil Romanus fixed:
When using the multi interface over HTTP and the server returns a Location
  header, the running easy handle will get stuck in the CURLM_STATE_PERFORM
  state, leaving the external event loop stuck waiting for data from the
  ingoing socket (when using the curl_multi_socket_action stuff). While this
  bug was pretty hard to find, it seems to require only a one-line fix. The
  break statement on line 1374 in multi.c caused the function to skip the call
  to multistate().

  How to reproduce this bug? Well, that's another question.  evhiperfifo.c in
  the examples directory chokes on this bug only _sometimes_, probably
  depending on how fast the URLs are added. One way of testing the bug out is
  writing to hiper.fifo from more than one source at the same time.
2009-01-10 22:10:57 +00:00
Dan Fandrich bc93011554 Unified much of the SessionHandle initialization done in Curl_open() and
curl_easy_reset() by creating Curl_init_userdefined(). This had the side effect
of fixing curl_easy_reset() so it now also resets CURLOPT_FTP_FILEMETHOD and
CURLOPT_SSL_SESSIONID_CACHE
2009-01-08 00:31:49 +00:00
Daniel Stenberg 3c2ad4022c - Rob Crittenden did once again provide an NSS update:
I have to jump through a few hoops now with the NSS library initialization
  since another part of an application may have already initialized NSS by the
  time Curl gets invoked. This patch is more careful to only shutdown the NSS
  library if Curl did the initialization.

  It also adds in a bit of code to set the default ciphers if the app that
  call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
  ciphers. One might argue that this lets other application developers get
  lazy and/or they aren't using the NSS API correctly, and you'd be right.
  But still, this will avoid terribly difficult-to-trace crashes and is
  generally helpful.
2009-01-07 14:10:35 +00:00