1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-14 21:45:13 -05:00
Commit Graph

6813 Commits

Author SHA1 Message Date
Daniel Stenberg
ac419bf562 Digest auth: escape user names with \ or " in them
When sending the HTTP Authorization: header for digest, the user name
needs to be escaped if it contains a double-quote or backslash.

Test 1229 was added to verify

Reported and fixed by: Nach M. S
Bug: http://curl.haxx.se/bug/view.cgi?id=1230
2013-05-27 19:45:12 +02:00
Mike Giancola
520833cbe1 ossl_recv: SSL_read() returning 0 is an error too
SSL_read can return 0 for "not successful", according to the open SSL
documentation: http://www.openssl.org/docs/ssl/SSL_read.html
2013-05-22 23:42:33 +02:00
Mike Giancola
e58d9c87f7 ossl_send: SSL_write() returning 0 is an error too
We found that in specific cases if the connection is abruptly closed,
the underlying socket is listed in a close_wait state. We continue to
call the curl_multi_perform, curl_mutli_fdset etc. None of these APIs
report the socket closed / connection finished.  Since we have cases
where the multi connection is only used once, this can pose a problem
for us. I've read that if another connection was to come in, curl would
see the socket as bad and attempt to close it at that time -
unfortunately, this does not work for us.

I found that in specific situations, if SSL_write returns 0, curl did
not recognize the socket as closed (or errored out) and did not report
it to the application. I believe we need to change the code slightly, to
check if ssl_write returns 0. If so, treat it as an error - the same as
a negative return code.

For OpenSSL - the ssl_write documentation is here:
http://www.openssl.org/docs/ssl/SSL_write.html
2013-05-22 23:08:27 +02:00
Daniel Stenberg
85b9dc8023 Curl_cookie_add: handle IPv6 hosts
1 - don't skip host names with a colon in them in an attempt to bail out
on HTTP headers in the cookie file parser. It was only a shortcut anyway
and trying to parse a file with HTTP headers will still be handled, only
slightly slower.

2 - don't skip domain names based on number of dots. The original
netscape cookie spec had this oddity mentioned and while our code
decreased the check to only check for two, the existing cookie spec has
no such dot counting required.

Bug: http://curl.haxx.se/bug/view.cgi?id=1221
Reported-by: Stefan Neis
2013-05-21 23:28:59 +02:00
YAMADA Yasuharu
04f52e9b4d cookies: only consider full path matches
I found a bug which cURL sends cookies to the path not to aim at.
For example:
- cURL sends a request to http://example.fake/hoge/
- server returns cookie which with path=/hoge;
  the point is there is NOT the '/' end of path string.
- cURL sends a request to http://example.fake/hogege/ with the cookie.

The reason for this old "feature" is because that behavior is what is
described in the original netscape cookie spec:
http://curl.haxx.se/rfc/cookie_spec.html

The current cookie spec (RFC6265) clarifies the situation:
http://tools.ietf.org/html/rfc6265#section-5.2.4
2013-05-18 22:54:48 +02:00
Eric Hu
100a33f7ff axtls: prevent memleaks on SSL handshake failures 2013-05-16 20:26:42 +02:00
Daniel Stenberg
7ed25ccf0d Revert "WIN32 MemoryTracking: track wcsdup() _wcsdup() and _tcsdup() usage"
This reverts commit 8ec2cb5544.

We don't have any code anywhere in libcurl (or the curl tool) that use
wcsdup so there's no such memory use to track. It seems to cause mild
problems with the Borland compiler though that we may avoid by reverting
this change again.

Bug: http://curl.haxx.se/mail/lib-2013-05/0070.html
2013-05-12 15:10:01 +02:00
Guenter Knauf
ae26ee3489 Updated zlib version in build files. 2013-05-11 17:08:00 +02:00
Daniel Stenberg
01a2abedd7 nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send
Reported by: David Strauss
Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html
2013-05-09 11:23:15 +02:00
Daniel Stenberg
bdb396ef2a servercert: allow empty subject
Bug: http://curl.haxx.se/bug/view.cgi?id=1220
Patch by: John Gardiner Myers
2013-05-07 23:02:01 +02:00
Marc Hoersken
35874298e4 curl_schannel.c: Fixed invalid memory access during SSL shutdown 2013-05-05 17:57:37 +02:00
Steve Holme
52d72e66c2 smtp: Fix trailing whitespace warning 2013-05-04 18:37:50 +01:00
Steve Holme
f3d10aa0d4 smtp: Fix compilation warning
comparison between signed and unsigned integer expressions
2013-05-04 13:24:05 +01:00
Steve Holme
92ef5f19c8 smtp: Updated RFC-2821 references to RFC-5321 2013-05-04 10:12:01 +01:00
Steve Holme
99b4045183 smtp: Fixed sending of double CRLF caused by first in EOB
If the mail sent during the transfer contains a terminating <CRLF> then
we should not send the first <CRLF> of the EOB as specified in RFC-5321.

Additionally don't send the <CRLF> if there is "no mail data" as the
DATA command already includes it.
2013-05-04 10:00:33 +01:00
Lars Johannesen
1c435295b8 bindlocal: move brace out of #ifdef
The code within #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID wrongly had two
closing braces when it should only have one, so builds without that
define would fail.

Bug: http://curl.haxx.se/mail/lib-2013-05/0000.html
2013-05-01 14:18:47 +02:00
Steve Holme
46d26a0e77 smtp: Tidy up to move the eob counter to the per-request structure
Move the eob counter from the smtp_conn structure to the SMTP structure
as it is associated with a SMTP payload on a per-request basis.
2013-04-30 22:25:23 +01:00
Steve Holme
b52cf5d2cd smtp: Fixed unknown percentage complete in progress bar
The curl command line utility would display the the completed progress
bar with a percentage of zero as the progress routines didn't know the
size of the transfer.
2013-04-29 22:34:26 +01:00
Steve Holme
9ea5145952 email: Tidy up of *_perform_authenticate()
Removed the hard returns from imap and pop3 by using the same style for
sending the authentication string as smtp. Moved the "Other mechanisms
not supported" check in smtp to match that of imap and pop3 to provide
consistency between the three email protocols.
2013-04-28 12:57:42 +01:00
Steve Holme
1d7c38e1f0 smtp: Updated limit check to be more readable like the check in pop3 2013-04-28 12:26:44 +01:00
Steve Holme
18bfc8f2d7 pop3: Added 255 octet limit check when sending initial response
Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.
2013-04-28 12:26:11 +01:00
Nick Zitzmann
a5c0e20939 darwinssl: add TLS crypto authentication
Users using the Secure Transport (darwinssl) back-end can now use a
certificate and private key to authenticate with a site using TLS. Because
Apple's security system is based around the keychain and does not have any
non-public function to create a SecIdentityRef data structure from data
loaded outside of the Keychain, the certificate and private key have to be
loaded into the Keychain first (using the certtool command line tool or
the Security framework's C API) before we can find it and use it.
2013-04-27 23:15:07 -06:00
Steve Holme
dacbdaab94 imap: Added support for overriding the SASL initial response
In addition to checking for the SASL-IR capability the user can override
the sending of the client's initial response in the AUTHENTICATION
command with the use of CURLOPT_SASL_IR should the server erroneously
not report SASL-IR when it does support it.
2013-04-27 12:12:59 +01:00
Steve Holme
70e30f6caa smtp: Added support for disabling the SASL initial response
Updated the default behaviour of sending the client's initial response in the AUTH
command to not send it and added support for CURLOPT_SASL_IR to allow the user to
specify including the response.

Related Bug: http://curl.haxx.se/mail/lib-2012-03/0114.html
Reported-by: Gokhan Sengun
2013-04-27 12:09:15 +01:00
Steve Holme
7cb6c31370 pop3: Added support for enabling the SASL initial response
Allowed the user to specify whether to send the client's intial response
in the AUTH command via CURLOPT_SASL_IR.
2013-04-27 12:07:39 +01:00
Steve Holme
a846fbbe2a sasl-ir: Added CURLOPT_SASL_IR to enable/disable the SASL initial response 2013-04-27 09:58:20 +01:00
Daniel Stenberg
6420672879 curl_easy_init: use less mallocs
By introducing an internal alternative to curl_multi_init() that accepts
parameters to set the hash sizes, easy handles will now use tiny socket
and connection hash tables since it will only ever add a single easy
handle to that multi handle.

This decreased the number mallocs in test 40 (which is a rather simple
and typical easy interface use case) from 1142 to 138. The maximum
amount of memory allocated used went down from 118969 to 78805.
2013-04-26 22:55:55 +02:00
Daniel Stenberg
0523152ad6 ftp_state_pasv_resp: connect through proxy also when set by env
When connecting back to an FTP server after having sent PASV/EPSV,
libcurl sometimes didn't use the proxy properly even though the proxy
was used for the initial connect.

The function wrongly checked for the CURLOPT_PROXY variable to be set,
which made it act wrongly if the proxy information was set with an
environment variable.

Added test case 711 to verify (based on 707 which uses --socks5). Also
added test712 to verify another variation of setting the proxy: with
--proxy socks5://

Bug: http://curl.haxx.se/bug/view.cgi?id=1218
Reported-by: Zekun Ni
2013-04-26 16:49:25 +02:00
Zdenek Pavlas
b37b5233ca url: initialize speed-check data for file:// protocol
... in order to prevent an artificial timeout event based on stale
speed-check data from a previous network transfer.  This commit fixes
a regression caused by 9dd85bced5.

Bug: https://bugzilla.redhat.com/906031
2013-04-26 15:38:22 +02:00
Steve Holme
2af9fd4960 url: Added smtp and pop3 hostnames to the protocol detection list 2013-04-23 19:44:14 +01:00
Alessandro Ghedini
c49ed0b6c0 getinfo.c: reset timecond when clearing session-info variables
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=705783
Reported-by: Ludovico Cavedon <cavedon@debian.org>
2013-04-22 22:43:32 +02:00
Steve Holme
ddac43b38e url: Fixed missing length check in parse_proxy()
Commit 11332577b3 removed the length check that was performed by the
old scanf() code.
2013-04-21 18:29:33 +01:00
Steve Holme
416ecc1584 url: Fixed crash when no username or password supplied for proxy
Fixed an issue in parse_proxy(), introduced in commit 11332577b3,
where an empty username or password (For example: http://:@example.com)
would cause a crash.
2013-04-21 16:55:19 +01:00
Steve Holme
455ba691a7 url: Removed unused text length constants 2013-04-21 12:16:12 +01:00
Steve Holme
11332577b3 url: Updated proxy URL parsing to use parse_login_details() 2013-04-21 12:12:29 +01:00
Steve Holme
702b0dd408 url: Tidy up of setstropt_userpwd() parameters
Updated the naming convention of the login parameters to match those of
other functions.
2013-04-21 10:27:42 +01:00
Steve Holme
e8a9f794f0 url: Tidy up of code and comments following recent changes
Tidy up of variable names and comments in setstropt_userpwd() and
parse_login_details().
2013-04-21 10:23:47 +01:00
Steve Holme
bddf3d4705 url: Simplified setstropt_userpwd() following recent changes
There is no need to perform separate clearing of data if a NULL option
pointer is passed in. Instead this operation can be performed by simply
not calling parse_login_details() and letting the rest of the code do
the work.
2013-04-20 20:04:00 +01:00
Steve Holme
e99c81a07c url: Correction to scope of if statements when setting data 2013-04-20 19:10:10 +01:00
Steve Holme
fe880475ed url: Fixed memory leak in setstropt_userpwd()
setstropt_userpwd() was calling setstropt() in commit fddb7b44a7 to
set each of the login details which would duplicate the strings and
subsequently cause a memory leak.
2013-04-20 18:40:13 +01:00
Steve Holme
d535c4a2e1 url: Added overriding of URL login options from CURLOPT_USERPWD 2013-04-20 09:18:51 +01:00
Steve Holme
fddb7b44a7 url: Added support for parsing login options from the CURLOPT_USERPWD
In addition to parsing the optional login options from the URL, added
support for parsing them from CURLOPT_USERPWD, to allow the following
supported command line:

--user username:password;options
2013-04-20 09:08:28 +01:00
Steve Holme
49184c3723 url: Added bounds checking to parse_login_details()
Added bounds checking when searching for the separator characters within
the login string as this string may not be NULL terminated (For example
it is the login part of a URL). We do this in preference to allocating a
new string to copy the login details into which could then be passed to
parse_login_details() for performance reasons.
2013-04-19 19:37:55 +01:00
Steve Holme
cc7f6a2ddf url: Added size_t cast to pointer based length calculations 2013-04-19 14:11:43 +01:00
Steve Holme
90fe59b829 url: Corrected minor typo in comment 2013-04-19 12:53:59 +01:00
Steve Holme
8763374f0e url: Fix chksrc longer than 79 columns warning 2013-04-18 20:21:11 +01:00
Steve Holme
63388fe1f3 url: Fix incorrect variable type for result code 2013-04-18 19:18:02 +01:00
Steve Holme
b75a88aa72 url: Fix compiler warning
signed and unsigned type in conditional expression
2013-04-18 19:14:25 +01:00
Steve Holme
bb20989a63 url: Moved parsing of login details out of parse_url_login()
Separated the parsing of login details from the processing of them in
parse_url_login() ready for use by setstropt_userpwd().
2013-04-18 18:09:53 +01:00
Steve Holme
0d49e408a4 url: Re-factored set_userpass() and parse_url_userpass()
Re-factored these functions to reflect their new behaviour following the
addition of login options.
2013-04-18 17:36:15 +01:00