Skip to content
CHANGES 53.7 KiB
Newer Older
                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
Daniel Stenberg's avatar
Daniel Stenberg committed
                             \___|\___/|_| \_\_____|

Daniel Stenberg's avatar
Daniel Stenberg committed
                                  Changelog
- Scott Cantor posted the bug report #2829955
  (http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert
  verification flaw found and exploited by Moxie Marlinspike. The presentation
  he did at Black Hat is available here:
  https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike

  Apparently at least one CA allowed a subjectAltName or CN that contain a
  zero byte, and thus clients that assumed they would never have zero bytes
  were exploited to OK a certificate that didn't actually match the site. Like
  if the name in the cert was "example.com\0theatualsite.com", libcurl would
  happily verify that cert for example.com.

  libcurl now better use the length of the extracted name, not assuming it is
  zero terminated.

- Tanguy Fautre pointed out that OpenSSL's function RAND_screen() (present
  only in some OpenSSL installs - like on Windows) isn't thread-safe and we
  agreed that moving it to the global_init() function is a decent way to deal
  with this situation.

- Alexander Beedie provided the patch for a noproxy problem: If I have set
  CURLOPT_NOPROXY to "*", or to a host that should not use a proxy, I actually
  could still end up using a proxy if a proxy environment variable was set.

Daniel Stenberg (27 Jul 2009)
- All the quote options (CURLOPT_QUOTE, CURLOPT_POSTQUOTE and
  CURLOPT_PREQUOTE) now accept a preceeding asterisk before the command to
  send when using FTP, as a sign that libcurl shall simply ignore the response
  from the server instead of treating it as an error. Not treating a 400+ FTP
  response code as an error means that failed commands will not abort the
  chain of commands, nor will they cause the connection to get disconnected.

- Johan van Selst posted bug report #2825989
  (http://curl.haxx.se/bug/view.cgi?id=2825989) pointing out that
  OpenSSL-powered libcurl didn't support the SHA-2 digest algorithm, and
  provided the solution too: to use OpenSSL_add_all_algorithms() in addition
  to the older SSLeay_* alternative. OpenSSL_add_all_algorithms was added in
  OpenSSL 0.9.5
Daniel Stenberg (23 Jul 2009)
- Added CURLOPT_SSH_KNOWNHOSTS, CURLOPT_SSH_KEYFUNCTION, CURLOPT_SSH_KEYDATA.
  They introduce known_host support for SSH keys to libcurl. See docs for
  details. Note that this feature depends on a new enough libssh2 version, to
  be supported in libssh2 1.2 and later (or current git repo at this time).

Michal Marek (22 Jul 2009)
- David Binderman found a memory and fd leak in lib/gtls.c:load_file()
  (https://bugzilla.novell.com/523919). When looking at the code, I found that
  also the ptr pointer can leak.

- Claes Jakobsson improved the support for client certificates handling in
  NSS-powered libcurl. Now the client certificates can be selected
  automatically by a NSS built-in hook. Additionally pre-login to all PKCS11
  slots is no more performed. It used to cause problems with HW tokens.

- Fixed reference counting for NSS client certificates. Now the PEM reader
  module should be always properly unloaded on Curl_nss_cleanup(). If the
  unload fails though, libcurl will try to reuse the already loaded instance.
Daniel Fandrich (15 Jul 2009)
- Added nonblock.c to the non-automake makefiles (note that the dependencies
  in the Watcom makefiles aren't quite correct).

Michal Marek (15 Jul 2009)
- Changed the description of CURLINFO_OS_ERRNO to make it clear that the
  errno is not reset on success.

Guenter Knauf (14 Jul 2009)
- renamed generated config.h to curl_config.h to avoid any future clashes
  with config.h from other projects.
  
Daniel Stenberg (9 Jul 2009)
- Eric Wong introduced curlx_nonblock() that the curl tool now (re-)uses for
  setting a file descriptor non-blocking. Used by the functionality Eric
  himself brough on June 15th.

Daniel Stenberg (8 Jul 2009)
- Constantine Sapuntzakis posted bug report #2813123
  (http://curl.haxx.se/bug/view.cgi?id=2813123) and an a patch that fixes the
  problem:

  Url A is accessed using auth. Url A redirects to Url B (on a different
  server0. Url B reuses a persistent connection. Url B has auth, even though
  it's on a different server.

  Note: if Url B does not reuse a persistent connection, auth is not sent.

  reason:

  data->state.first_host is not initialized becuase Curl_http_connect is not
  called when a connection is reused.

  Solution:

  move initialization of data->state.first_host to Curl_http. No code before
  Curl_http uses data->state.first_host anyway.

Guenter Knauf (4 Jul 2009)
- Markus Koetter provided a patch to avoid getnameinfo() usage which broke a
  couple of both IPv4 and IPv6 autobuilds.

Daniel Stenberg (29 Jun 2009)
- Markus Koetter made CURLOPT_FTPPORT (and curl's -P/--ftpport) support a port
  range if given colon-separated after the host name/address part. Like
  "192.168.0.1:2000-10000"

- Modified the separators used for CURLOPT_CERTINFO in multi-part outputs. I
  don't know how they got wrong in the first place, but using this output
  format makes it possible to quite easily separate the string into an array
  of multiple items.

Daniel Fandrich (16 June 2009)
- Added a few more compiler warning options for gcc.

Daniel Stenberg (16 Jun 2009)
- Reuven Wachtfogel made curl -o - properly produce a binary output on windows
  (no newline translations). Use -B/--use-ascii if you rather get the ascii
  approach.

Michal Marek (16 Jun 2009)
- When doing non-anonymous ftp via http proxies and the password is not
  provided in the url, add it there (squid needs this).

Daniel Stenberg's avatar
Daniel Stenberg committed
Daniel Stenberg (15 Jun 2009)
- Eric Wong's patch:

  This allows curl(1) to be used as a client-side tunnel for arbitrary stream
  protocols by abusing chunked transfer encoding in both the HTTP request and
  HTTP response.  This requires server support for sending a response while a
  request is still being read, of course.

  If attempting to read from stdin returns EAGAIN, then we pause our sender.
  This leaves curl to attempt to read from the socket while reading from stdin
  (and thus sending) is paused.

  This change was needed to allow successfully tunneling the git protocol over
  HTTP (--no-buffer is needed, as well).

Patrick Monnerat (15 Jun 2009)
- Replaced use of standard C library rand()/srand() by our own pseudo-random
  number generator.

Yang Tse's avatar
 
Yang Tse committed
Yang Tse (11 Jun 2009)
- I adapted testcurl script to allow building test harness programs when
  cross-compiling for a *-*-mingw* host.

Daniel Stenberg (10 Jun 2009)
- Fabian Keil ran clang on the (lib)curl code, found a bunch of warnings and
  contributed a range of patches to fix them.

Yang Tse's avatar
 
Yang Tse committed
Yang Tse (10 Jun 2009)
- I introduced configure script option --enable-curldebug which now allows
  the decoupled enabling or disabling of the curl debug memory tracking
  feature from the --enable-debug option which no longer controls this.

  curl --version will list 'Debug' feature for debug enabled builds, and
  will list 'TrackMemory' feature for curl debug memory tracking capable
  builds. These features are independent and can be controlled when running
  the configure script. When --enable-debug is given both features will be
  enabled, unless some restriction prevents memory tracking from being used.

  Internally, definition of preprocessor symbol DEBUGBUILD restricts code
  which is only compiled for debug enabled builds. And symbol CURLDEBUG is
  used to differentiate code which is _only_ used for memory tracking.

Yang Tse (9 Jun 2009)
- Daniel Steinberg pointed out that Curl_FormInit() in formdata.c was not
  initializing the fread callback pointer and this triggered a compiler
  warning, also provided a friendly suggestion on how to fix it.

- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
  issue with client certs that caused issues like segfaults.
  http://curl.haxx.se/mail/lib-2009-05/0316.html

- Triggered by bug report #2798852 and the patch in there, I fixed configure
  to detect gnutls build options with pkg-config only and not libgnutls-config
  anymore since GnuTLS has stopped distributing that tool. If an explicit path
  is given to configure, we will instead guess on how to link and use that
  lib. I did not use the patch from the bug report.

Yang Tse's avatar
Yang Tse committed
Yang Tse (8 Jun 2009)
- Igor Novoseltsev adjusted Makefile.vxworks to get sources and headers
  included from Makefile.inc, and provided docs\INSTALL VxWorks section.

- I removed buildconf.bat from release and daily snapshot archives. This
Yang Tse's avatar
Yang Tse committed
  file is only for CVS tree checkout builds.

Loading full blame...