Skip to content
  1. Mar 02, 2009
    • Daniel Stenberg's avatar
      - David Kierznowski notified us about a security flaw · 042cc1f6
      Daniel Stenberg authored
        (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
        which previous libcurl versions (by design) can be tricked to access an
        arbitrary local/different file instead of a remote one when
        CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
        together this the addition of two new setopt options for controlling this
        new behavior:
      
        o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
        follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
        excludes the FILE and SCP protocols and thus you nee to explicitly allow
        them in your app if you really want that behavior.
      
        o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
        using the primary URL option. This is useful if you want to allow a user or
        other outsiders control what URL to pass to libcurl and yet not allow all
        protocols libcurl may have been built to support.
      curl-7_19_4
      042cc1f6
  2. Feb 27, 2009
  3. Feb 25, 2009
    • Daniel Stenberg's avatar
      - As Daniel Fandrich figured out, we must do the GnuTLS initing in the · d207ea16
      Daniel Stenberg authored
        curl_global_init() function to properly maintain the performing functions
        thread-safe. We've previously (28 April 2007) moved the init to a later time
        just to avoid it to fail very early when libgcrypt dislikes the situation,
        but that move was bad and the fix should rather be in libgcrypt or
        elsewhere.
      d207ea16
  4. Feb 24, 2009
  5. Feb 23, 2009
  6. Feb 20, 2009
  7. Feb 19, 2009
    • Daniel Stenberg's avatar
      - Patrik Thunstrom reported a problem and helped me repeat it. It turned out · 5af0629b
      Daniel Stenberg authored
        libcurl did a superfluous 1000ms wait when doing SFTP downloads!
      
        We read data with libssh2 while doing the "DO" operation for SFTP and then
        when we were about to start getting data for the actual file part, the
        "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
        libssh2-read. But in this case libssh2 had already read and buffered the
        data so we ended up always just waiting 1000ms before we get working on the
        data!
      5af0629b
  8. Feb 18, 2009
  9. Feb 17, 2009
  10. Feb 14, 2009
  11. Feb 12, 2009
  12. Feb 11, 2009
  13. Feb 05, 2009
  14. Feb 04, 2009
  15. Feb 03, 2009
  16. Feb 02, 2009
    • Daniel Stenberg's avatar
      - Patrick Scott found a rather large memory leak when using the multi · d4ac3d53
      Daniel Stenberg authored
        interface and setting CURLMOPT_MAXCONNECTS to something less than the number
        of handles you add to the multi handle. All the connections that didn't fit
        in the cache would not be properly disconnected nor freed!
      d4ac3d53
    • Daniel Stenberg's avatar
      - Craig A West brought us: libcurl now defaults to do CONNECT with HTTP · bdd4294e
      Daniel Stenberg authored
        version 1.1 instead of 1.0 like before. This change also introduces the new
        proxy type for libcurl called 'CURLPROXY_HTTP_1_0' that then allows apps to
        switch (back) to CONNECT 1.0 requests. The curl tool also got a --proxy1.0
        option that works exactly like --proxy but sets CURLPROXY_HTTP_1_0.
      
        I updated all test cases cases that use CONNECT and I tried to do some using
        --proxy1.0 and some updated to do CONNECT 1.1 to get both versions run.
      bdd4294e
  17. Jan 31, 2009
  18. Jan 30, 2009
  19. Jan 29, 2009
    • Yang Tse's avatar
      Introduced curl_sspi.c and curl_sspi.h for the implementation of functions · e813bf31
      Yang Tse authored
      Curl_sspi_global_init() and Curl_sspi_global_cleanup() which previously were
      named Curl_ntlm_global_init() and Curl_ntlm_global_cleanup() in http_ntlm.c
      Also adjusted socks_sspi.c to remove the link-time dependency on the Windows
      SSPI library using it now in the same way as it was done in http_ntlm.c.
      e813bf31
  20. Jan 28, 2009
  21. Jan 26, 2009
  22. Jan 25, 2009
  23. Jan 21, 2009
    • Dan Fandrich's avatar
      Fixed a couple more locale-dependent toupper conversions, mainly for · 55915501
      Dan Fandrich authored
      clarity.  This does fix one problem that causes ;type=i FTP URLs
      to fail in the Turkish locale when CURLOPT_PROXY_TRANSFER_MODE is
      used (test case 561)
      
      Added tests 561 and 1092 through 1094 to test various combinations
      of ;type= and ;mode= URLs that could potentially fail in the Turkish
      locale.
      55915501
  24. Jan 20, 2009
  25. Jan 19, 2009
  26. Jan 16, 2009
  27. Jan 15, 2009
  28. Jan 13, 2009