Newer
Older
Daniel (22 February 2005)
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
http://www.securityfocus.com/archive/1/391042 and the CAN report here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
If these security guys were serious, we'd been notified in advance and we
could've saved a few of you a little surprise, but now we weren't.
Daniel (19 February 2005)
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.
Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
configure when mingw is used.
Daniel (17 February 2005)
- David in bug report #1124588 found and fixed a socket leak when libcurl
didn't close the socket properly when returning error due to failing
localbind
Daniel Stenberg
committed
Daniel (16 February 2005)
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
that picks NTLM. Thanks to David Byron letting me test NTLM against his
servers, I could quickly repeat and fix the problem. It turned out to be:
When libcurl POSTs without knowing/using an authentication and it gets back
a list of types from which it picks NTLM, it needs to either continue
sending its data if it keeps the connection alive, or not send the data but
close the connection. Then do the first step in the NTLM auth. libcurl
didn't send the data nor close the connection but simply read the
response-body and then sent the first negotiation step. Which then failed
miserably of course. The fixed version forces a connection if there is more
than 2000 bytes left to send.
Daniel (14 February 2005)
- The configure script didn't check for ENGINE_load_builtin_engines() so it
was never used.
Daniel (11 February 2005)
- Removed all uses of strftime() since it uses the localised version of the
week day names and month names and servers don't like that.
Daniel (10 February 2005)
- Now the test script disables valgrind-testing when the test suite runs if
libcurl is built shared. Otherwise valgrind only tests the shell that runs
the wrapper-script named 'curl' that is a front-end to curl in this case.
This should also fix the huge amount of reports of false positives when
valgrind has identified leaks in (ba)sh and not in curl and people report
that as curl bugs. Bug report #1116672 is one example.
Also, the valgrind report parser has been adapted to check that at least one
of the sources in a stack strace is one of (lib)curl's source files or
otherwise it will not consider the problem to concern (lib)curl.
- Marty Kuhrt streamlined the VMS build.
- David Byron fixed his SSL problems, initially mentioned here:
http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
SSL_pending() as we should.
- Converted lots of FTP code to a statemachine, so that the multi interface
doesn't block while communicating commands-responses with an FTP server.
I've added a comment like BLOCKING in the code on all spots I could find
where we still have blocking operations. When we change curl_easy_perform()
to use the multi interface, we'll also be able to simplify the code since
there will only be one "internal interface".
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
like changing directory or retrieving a file, while the second means that we
were denied login.
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
case of future need.
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
Daniel (8 February 2005)
- Gisle fixed problems when libcurl runs out of memory, and worked on making
sure the proper error code is returned for those occations.
Daniel (7 February 2005)
- Maruko pointed out a problem with inflate decompressing exactly 64K
contents.
Daniel (5 February 2005)
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
PORT on ipv6-enabled hosts.
- David Byron pointed out we could use BUFSIZE to read data (in
lib/transfer.c) instead of using BUFSIZE -1.
Version 7.13.0 (1 February 2005)
Daniel (31 January 2005)
- Added Lars Nilsson's htmltitle.cc example
Daniel (30 January 2005)
- Fixed a memory leak when using the multi interface and the DO operation
failed (as in test case 205).
- Fixed a valgrind warning for file:// operations.
- Fixed a valgrind report in the url globbing code for the curl command line
tool.
- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
I noticed that it previously didn't detect and report the "Conditional jump
or move depends on uninitialised value(s)" error. When I fixed this, I
caught a few curl bugs with it. And then I had to spend time to make the
test suite IGNORE these errors when OpenSSL is used since it produce massive
amounts of valgrind warnings (but only of the "Conditional..." kind it
seems). So, if a test that requires SSL is run, it ignores the
"Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
of "valgrind OK".
Daniel Stenberg
committed
Daniel (29 January 2005)
- Using the multi interface, and doing a requsted a re-used connection that
gets closed just after the request has been sent failed and did not re-issue
a request on a fresh reconnect like the easy interface did. Now it does!
- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
my new curl_easy_perform() that uses the multi interface to run the
request. It is a great testbed for the multi interface and I believe we
shall do it this way for real in the future when we have a successor to
curl_multi_fdset(). I've used this approach to detect and fix several of the
recent multi-interfaces issues.
- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
bad assumptions.
Daniel Stenberg
committed
- multi interface: when a request is denied due to "Maximum redirects
followed" libcurl leaked the last Location: URL.
Daniel Stenberg
committed
- Connect failures with the multi interface was often returned as "connect()
timed out" even though the reason was different.
Daniel Stenberg
committed
Daniel (28 January 2005)
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
curl_easy_perform() invokes. It was previously unlocked at disconnect, which
could mean that it remained locked between multiple transfers. The DNS cache
may not live as long as the connection cache does, as they are separate.
To deal with the lack of DNS (host address) data availability in re-used
connections, libcurl now keeps a copy of the IP adress as a string, to be
able to show it even on subsequent requests on the same connection.
The problem could be made to appear with this stunt:
1. create a multi handle
2. add an easy handle
3. fetch a URL that is persistent (leaves the connection alive)
4. remove the easy handle from the multi
5. kill the multi handle
6. create a multi handle
7. add the same easy handle to the new multi handle
8. fetch a URL from the same server as before (re-using the connection)
Daniel Stenberg
committed
- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
when built ipv6-enabled. I've now made a fix for it. Writing test cases for
custom port hosts turned too tricky so unfortunately there's none.
Daniel Stenberg
committed
Daniel (25 January 2005)
Daniel Stenberg
committed
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
is present in RFC959... so now (lib)curl supports it as well. --ftp-account
and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
account string after PASS have been sent away. The client responds
with "ACCT [account string]".) Added test case 228 and 229 to verify the
functionality. Updated the test FTP server to support ACCT somewhat.
Daniel Stenberg
committed
- David Shaw contributed a fairly complete and detailed autoconf test you can
use to detect libcurl and setup variables for the protocols the installed
libcurl supports: docs/libcurl/libcurl.m4
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
Daniel (21 January 2005)
- Major FTP third party transfer overhaul.
These four options are now obsolete: CURLOPT_SOURCE_HOST,
CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
and CURLOPT_PASV_HOST.
These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.
The target-side didn't use the proper path with RETR, and thus this only
worked correctly in the login path (i.e without doing any CWD). The source-
side still uses a wrong path, but the fix for this will need to wait. Verify
the flaw by using a source URL with included %XX-codes.
Made CURLOPT_FTPPORT control weather the target operation should use PORT
(or not). The other side thus uses passive (PASV) mode.
Updated the ftp3rdparty.c example source to use the updated options.
Added support for a second FTP server in the test suite. Named... ftp2.
Added test cases 230, 231 and 232 as a few first basic tests of very simple
3rd party transfers.
Changed the debug output to include 'target' and 'source' when a 3rd party
is being made, to make it clearer what commands/responses came on what
connection.
Added three new command line options: --3p-url, --3p-user and --3p-quote.
Documented the command line options and the curl_easy_setopt options related
to third party transfers.
(Temporarily) disabled the ability to re-use an existing connection for the
source connection. This is because it needs to force a new in case the
source and target is the same host, and the host name check is trickier now
when the source is identified with a full URL instead of a plain host name
like before.
TODO (short-term) for 3rd party transfers: quote support. The options are
there, we need to add test cases to verify their functionality.
TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
and SSL/TSL support.
Daniel Stenberg
committed
Daniel (20 January 2005)
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
code was written for it. I fixed and added test case 227 to verify it.
The curl.1 man page didn't mention the '+' so I added it.
Daniel Stenberg
committed
Daniel (19 January 2005)
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
contains %0a or %0d in the user, password or CWD parts. (A future fix would
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
225 and 226 were added to verify this
Daniel Stenberg
committed
- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:
1) the proxy environment variables are still read and used to set HTTP proxy
2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
disabled). This is important since apps may want to disable HTTP proxy
without actually knowing if libcurl was built to disable HTTP or not.
Daniel Stenberg
committed
Based on Stephan's patch, both these issues should now be fixed.
Daniel (18 January 2005)
- Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was
applied.
Daniel Stenberg
committed
Daniel (16 January 2005)
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
assumed this used the DICT protocol. While guessing protocols will remain
fuzzy, I've now made sure that the host names must start with "[protocol]."
for them to be a valid guessable name. I also removed "https" as a prefix
that indicates HTTPS, since we hardly ever see any host names using that.
Daniel (13 January 2005)
- Inspired by Martijn Koster's patch and example source at
http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
select() and poll() calls properly loop if they return -1 and errno is
EINTR. glibc docs for this is found here:
http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
This last link says BSD doesn't have this "effect". Will there be a problem
if we do this unconditionally?
Daniel (11 January 2005)
- Dan Torop cleaned up a few no longer used variables from David Phillips'
select() overhaul fix.
Daniel Stenberg
committed
- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
using a custom Host: header and curl fails to send a request on a re-used
persistent connection and thus creates a new connection and resends it. It
then sent two Host: headers. Cyrill's analysis was posted here:
http://curl.haxx.se/mail/archive-2005-01/0022.html
- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
problem with the version byte and the check for bad versions. Bruce has lots
of clues on this, and based on his suggestion I've now removed the check of
that byte since it seems to be able to contain 1 or 5.
Daniel Stenberg
committed
Daniel (10 January 2005)
Daniel Stenberg
committed
- Pavel Orehov reported memory problems with the multi interface in bug report
#1098843. In short, a shared DNS cache was setup for a multi handle and when
the shared cache was deleted before the individual easy handles, the latter
cleanups caused read/writes to already freed memory.
Daniel Stenberg
committed
- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
remote certificate name when it didn't match the used host name.
Gisle (8 January 2005)
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
Daniel (7 January 2005)
- Improved the test script's valgrind log parser to actually work! Also added
the ability to disable the log scanner for specific test cases. Test case
509 results in numerous problems and leaks in OpenSSL and has to get it
disabled.
Daniel (6 January 2005)
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
(i.e not in the library).
- Bug report #1097019 identified a problem when doing -d "data" with -G and
sending it to two URLs with {}. Added test 199 to verify the fix.
Daniel (4 January 2005)
- Marty Kuhrt adjusted a VMS build script slightly
- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
Win2000.
Daniel (2 January 2005)
- Alex Neblett updated the MSVC makefiles slightly.