Skip to content
  1. Aug 25, 2013
    • Kyle L. Huff's avatar
      sasl: added basic SASL XOAUTH2 support · 19a05c90
      Kyle L. Huff authored
      Added the ability to generated a base64 encoded XOAUTH2 token
      containing: "user=<username>^Aauth=Bearer <bearer token>^A^A"
      as per RFC6749 "OAuth 2.0 Authorization Framework".
      19a05c90
    • Daniel Stenberg's avatar
      FTP: remove krb4 support · bb552933
      Daniel Stenberg authored
      We've announced this pending removal for a long time and we've
      repeatedly asked if anyone would care or if anyone objects. Nobody has
      objected. It has probably not even been working for a good while since
      nobody has tested/used this code recently.
      
      The stuff in krb4.h that was generic enough to be used by other sources
      is now present in security.h
      bb552933
    • Daniel Stenberg's avatar
  2. Aug 24, 2013
    • Daniel Stenberg's avatar
      FAQ: editorial updates · 1a911f7e
      Daniel Stenberg authored
      Several language fixes. Several reformats that should make the HTML
      generation of this document look better.
      
      Reported-by: Dave Thompson
      1a911f7e
  3. Aug 23, 2013
  4. Aug 22, 2013
  5. Aug 21, 2013
  6. Aug 20, 2013
    • Daniel Stenberg's avatar
      CURLM_ADDED_ALREADY: new error code · 19122c07
      Daniel Stenberg authored
      Doing curl_multi_add_handle() on an easy handle that is already added to
      a multi handle now returns this error code. It previously returned
      CURLM_BAD_EASY_HANDLE for this condition.
      19122c07
    • Daniel Stenberg's avatar
      multi_init: moved init code here from add_handle · c346c4c8
      Daniel Stenberg authored
      The closure_handle is "owned" by the multi handle and it is
      unconditional so the setting up of it should be in the Curl_multi_handle
      function rather than curl_multi_add_handle.
      c346c4c8
    • Daniel Stenberg's avatar
      multi: remove dns cache creation code from *add_handle · bc7d806e
      Daniel Stenberg authored
      As it is done unconditionally in multi_init() this code will never run!
      bc7d806e
    • Daniel Stenberg's avatar
      curl_easy_perform_ev: debug/test function · 6cf8413e
      Daniel Stenberg authored
      This function is meant to work *exactly* as curl_easy_perform() but will
      use the event-based libcurl API internally instead of
      curl_multi_perform(). To avoid relying on an actual event-based library
      and to not use non-portable functions (like epoll or similar), there's a
      rather inefficient emulation layer implemented on top of Curl_poll()
      instead.
      
      There's currently some convenience logging done in curl_easy_perform_ev
      which helps when tracking down problems. They may be suitable to remove
      or change once things seem to be fine enough.
      
      curl has a new --test-event option when built with debug enabled that
      then uses curl_easy_perform_ev() instead of curl_easy_perform(). If
      built without debug, using --test-event will only output a warning
      message.
      
      NOTE: curl_easy_perform_ev() is not part if the public API on purpose.
      It is only present in debug builds of libcurl and MUST NOT be considered
      stable even then. Use it for libcurl-testing purposes only.
      
      runtests.pl now features an -e command line option that makes it use
      --test-event for all curl command line tests. The man page is updated.
      6cf8413e
    • Gisle Vanem's avatar
    • Daniel Stenberg's avatar
      e4a1888b
    • Jonathan Nieder's avatar
      url: handle arbitrary-length username and password before '@' · 2f1a0bc0
      Jonathan Nieder authored
      libcurl quietly truncates usernames, passwords, and options from
      before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1)
      characters to fit in fixed-size buffers on the stack.  Allocate a
      buffer large enough to fit the parsed fields on the fly instead to
      support longer passwords.
      
      After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH
      left, so stop defining that constant while at it.  The hardcoded max
      username and password length constants, on the other hand, are still
      used in HTTP proxy credential handling (which this patch doesn't
      touch).
      
      Reported-by: Colby Ranger
      2f1a0bc0
    • Jonathan Nieder's avatar
      url: handle exceptional cases first in parse_url_login() · 09ddb1d6
      Jonathan Nieder authored
      Instead of nesting "if(success)" blocks and leaving the reader in
      suspense about what happens in the !success case, deal with failure
      cases early, usually with a simple goto to clean up and return from
      the function.
      
      No functional change intended.  The main effect is to decrease the
      indentation of this function slightly.
      09ddb1d6
    • Jonathan Nieder's avatar
      Curl_setopt: handle arbitrary-length username and password · 15f76bf7
      Jonathan Nieder authored
      libcurl truncates usernames, passwords, and options set with
      curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
      This doesn't affect the return value from curl_easy_setopt(), so from
      the caller's point of view, there is no sign anything strange has
      happened, except that authentication fails.
      
      For example:
      
        # Prepare a long (300-char) password.
        s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
        # Start a server.
        nc -l -p 8888 | tee out & pid=$!
        # Tell curl to pass the password to the server.
        curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
        # Extract the password.
        userpass=$(
      	awk '/Authorization: Basic/ {print $3}' <out |
      	tr -d '\r' |
      	base64 -d
        )
        password=${userpass#me:}
        echo ${#password}
      
      Expected result: 300
      Actual result: 255
      
      The fix is simple: allocate appropriately sized buffers on the heap
      instead of trying to squeeze the provided values into fixed-size
      on-stack buffers.
      
      Bug: http://bugs.debian.org/719856
      Reported-by: Colby Ranger
      15f76bf7
    • Jonathan Nieder's avatar
      netrc: handle longer username and password · 36585b53
      Jonathan Nieder authored
      libcurl truncates usernames and passwords it reads from .netrc to
      LOGINSIZE and PASSWORDSIZE (64) characters without any indication to
      the user, to ensure the values returned from Curl_parsenetrc fit in a
      caller-provided buffer.
      
      Fix the interface by passing back dynamically allocated buffers
      allocated to fit the user's input.  The parser still relies on a
      256-character buffer to read each line, though.
      
      So now you can include an ~246-character password in your .netrc,
      instead of the previous limit of 63 characters.
      
      Reported-by: Colby Ranger
      36585b53
    • Jonathan Nieder's avatar
      url: allocate username, password, and options on the heap · 11baffbf
      Jonathan Nieder authored
      This makes it possible to increase the size of the buffers when needed
      in later patches.  No functional change yet.
      11baffbf
    • Jonathan Nieder's avatar
      url: use goto in create_conn() for exception handling · 53333a43
      Jonathan Nieder authored
      Instead of remembering before each "return" statement which temporary
      allocations, if any, need to be freed, take care to set pointers to
      NULL when no longer needed and use a goto to a common block to exit
      the function and free all temporaries.
      
      No functional change intended.  Currently the only temporary buffer in
      this function is "proxy" which is already correctly freed when
      appropriate, but there will be more soon.
      53333a43
    • Jonathan Nieder's avatar
      sasl: allow arbitrarily long username and password · c56f9797
      Jonathan Nieder authored
      Use appropriately sized buffers on the heap instead of fixed-size
      buffers on the stack, to allow for longer usernames and passwords.
      
      Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp.
      MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
      c56f9797
  7. Aug 19, 2013
  8. Aug 16, 2013
    • Daniel Stenberg's avatar
      glob: error out on range overflow · f15a88f2
      Daniel Stenberg authored
      The new multiply() function detects range value overflows. 32bit
      machines will overflow on a 32bit boundary while 64bit hosts support
      ranges up to the full 64 bit range.
      
      Added test 1236 to verify.
      
      Bug: http://curl.haxx.se/bug/view.cgi?id=1267
      Reported-by: Will Dietz
      f15a88f2
    • Daniel Stenberg's avatar
      urlglob: better detect unclosed braces, empty lists and overflows · 5ca96cb8
      Daniel Stenberg authored
      A rather big overhaul and cleanup.
      
      1 - curl wouldn't properly detect and reject globbing that ended with an
      open brace if there were brackets or braces before it. Like "{}{" or
      "[0-1]{"
      
      2 - curl wouldn't properly reject empty lists so that "{}{}" would
      result in curl getting (nil) strings in the output.
      
      3 - By using strtoul() instead of sscanf() the code will now detected
      over and underflows. It now also better parses the step argument to only
      accept positive numbers and only step counters that is smaller than the
      delta between the maximum and minimum numbers.
      
      4 - By switching to unsigned longs instead of signed ints for the
      counters, the max values for []-ranges are now very large (on 64bit
      machines).
      
      5 - Bumped the maximum number of globs in a single URL to 100 (from 10)
      
      6 - Simplified the code somewhat and now it stores fixed strings as
      single- entry lists. That's also one of the reasons why I did (5) as now
      all strings between "globs" will take a slot in the array.
      
      Added test 1234 and 1235 to verify. Updated test 87.
      
      This commit fixes three separate bug reports.
      
      Bug: http://curl.haxx.se/bug/view.cgi?id=1264
      Bug: http://curl.haxx.se/bug/view.cgi?id=1265
      Bug: http://curl.haxx.se/bug/view.cgi?id=1266
      Reported-by: Will Dietz
      5ca96cb8
  9. Aug 15, 2013
  10. Aug 14, 2013
  11. Aug 12, 2013
  12. Aug 11, 2013