Skip to content
  1. Jul 01, 2013
  2. Jun 30, 2013
  3. Jun 25, 2013
    • Daniel Stenberg's avatar
    • Daniel Stenberg's avatar
      digest: improve nonce generation · 98b0d66e
      Daniel Stenberg authored
      Use the new improved Curl_rand() to generate better random nonce for
      Digest auth.
      98b0d66e
    • Daniel Stenberg's avatar
      curl.1: fix typo in --xattr description · 9c2853f2
      Daniel Stenberg authored
      Bug: http://curl.haxx.se/bug/view.cgi?id=1252
      Reported-by: Jean-Noël Rouvignac
      9c2853f2
    • Daniel Stenberg's avatar
      RELEASE-NOTES: synced with 365c5ba3 · aff75629
      Daniel Stenberg authored
      The 10 first bug fixes for the pending release...
      aff75629
    • Daniel Stenberg's avatar
      formpost: better random boundaries · 365c5ba3
      Daniel Stenberg authored
      When doing multi-part formposts, libcurl used a pseudo-random value that
      was seeded with time(). This turns out to be bad for users who formpost
      data that is provided with users who then can guess how the boundary
      string will look like and then they can forge a different formpost part
      and trick the receiver.
      
      My advice to such implementors is (still even after this change) to not
      rely on the boundary strings being cryptographically strong. Fix your
      code and logic to not depend on them that much!
      
      I moved the Curl_rand() function into the sslgen.c source file now to be
      able to take advantage of the SSL library's random function if it
      provides one. If not, try to use the RANDOM_FILE for seeding and as a
      last resort keep the old logic, just modified to also add microseconds
      which makes it harder to properly guess the exact seed.
      
      The formboundary() function in formdata.c is now using 64 bit entropy
      for the boundary and therefore the string of dashes was reduced by 4
      letters and there are 16 hex digits following it. The total length is
      thus still the same.
      
      Bug: http://curl.haxx.se/bug/view.cgi?id=1251
      Reported-by: "Floris"
      365c5ba3
    • Daniel Stenberg's avatar
      printf: make sure %x are treated unsigned · cb1aa8b0
      Daniel Stenberg authored
      When using %x, the number must be treated as unsigned as otherwise it
      would get sign-extended on for example 64bit machines and do wrong
      output. This problem showed when doing printf("%08x", 0xffeeddcc) on a
      64bit host.
      cb1aa8b0
  4. Jun 24, 2013
  5. Jun 23, 2013
  6. Jun 22, 2013
  7. Jun 20, 2013
  8. Jun 18, 2013
  9. Jun 17, 2013
  10. Jun 15, 2013
  11. Jun 14, 2013
  12. Jun 13, 2013
  13. Jun 12, 2013
    • Yamada Yasuharu's avatar
      cookies: follow-up fix for path checking · f24dc09d
      Yamada Yasuharu authored
      The initial fix to only compare full path names were done in commit
      04f52e9b but found out to be incomplete. This takes should make the
      change more complete and there's now two additional tests to verify
      (test 31 and 62).
      f24dc09d