31 Jan, 2012 (1 commit)

Daniel Stenberg authored
When the target host was given as an IPv6 numerical address, it was not properly put within square brackets for the Host: header in the CONNECT request. The "normal" request did fine.
Reported by: "zooloo"
Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
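The bracketing the commit describes, as an added C example that is not curl's own code: a hypothetical build_host_header() that wraps a bare IPv6 literal in [] before appending the port, so a proxy cannot read the address's colons as the port separator.

```c
#include <stdio.h>
#include <string.h>

/* Nonzero if 'host' is a bare IPv6 literal: it contains ':' and is not
   already enclosed in square brackets. Hypothetical helper, not curl's. */
static int is_bare_ipv6_literal(const char *host)
{
  return strchr(host, ':') != NULL && host[0] != '[';
}

/* Format a "Host:" header line for a CONNECT (or any other) request.
   An IPv6 literal is wrapped in [] so the trailing ":port" cannot be
   confused with the address itself. Returns the number of characters
   written, or -1 if 'out' is too small. */
int build_host_header(const char *host, int port, char *out, size_t outlen)
{
  int n;
  if(is_bare_ipv6_literal(host))
    n = snprintf(out, outlen, "Host: [%s]:%d", host, port);
  else
    n = snprintf(out, outlen, "Host: %s:%d", host, port);
  if(n < 0 || (size_t)n >= outlen)
    return -1;
  return n;
}

int main(void)
{
  char buf[128];
  /* constructed sample hosts: bare IPv6, already bracketed, and a name */
  const char *hosts[] = { "::1", "2001:db8::10", "[::1]", "example.com" };
  size_t i;
  for(i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
    if(build_host_header(hosts[i], 443, buf, sizeof(buf)) > 0)
      puts(buf);
  }
  return 0;
}
```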

28 Jan, 2012 (3 commits)

Martin Storsjo authored
When support for nettle was added in 64f328c7, I overlooked the fact that AC_CHECK_LIB doesn't add the tested lib to LIBS if the check succeeded, if a custom success code block was present. (The previous version of the check had an empty block for successful checks, adding the lib to LIBS implicitly.) Therefore, explicitly add either nettle or gcrypt to LIBS, after deciding which one to use. Even if they can be linked in transitively, it is safer to actually link explicitly to them. This fixes building with gnutls with linkers that don't allow linking transitively, such as for Windows.

Pierre Ynard authored
When connecting to a domain with multiple IP addresses, allow different, decreasing connection timeout values. This should guarantee some connection attempts with sufficiently long timeouts, while still providing fallback.

Pierre Ynard authored

26 Jan, 2012 (2 commits)

Pierre Joye authored

Pierre Joye authored

25 Jan, 2012 (5 commits)

Yang Tse authored

Daniel Stenberg authored

Yang Tse authored

Yang Tse authored

Dan Fandrich authored

24 Jan, 2012 (5 commits)

Daniel Stenberg authored
Synced and prepared for 7.24.0 release. Two security problems, one bug fix, two more contributors.

Daniel Stenberg authored
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols.
Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff

Daniel Stenberg authored
Related to the security vulnerability: CVE-2012-0036
Bug: http://curl.haxx.se/docs/adv_20120124.html

Daniel Stenberg authored
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
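An added C example, not curl's own Curl_urldecode(), of the check the commit describes: a hypothetical urldecode_reject_ctrl() that refuses any byte which is, or percent-decodes to, a value below 32, run over constructed paths including the pop3 path quoted above.

```c
#include <stdio.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_BAD_HEX = -1, DECODE_CONTROL_CODE = -2,
       DECODE_TOO_LONG = -3 };

static int hexval(int c)
{
  if(c >= '0' && c <= '9') return c - '0';
  c |= 0x20;                         /* fold A-F to a-f */
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Percent-decode 'in' into 'out' (hypothetical helper, not curl's). Any byte
   that is, or decodes to, a value below 32 is rejected, so CR/LF from the
   URL path can never reach the protocol command line. */
int urldecode_reject_ctrl(const char *in, char *out, size_t outlen)
{
  size_t o = 0;
  if(outlen == 0) return DECODE_TOO_LONG;
  while(*in) {
    unsigned char c = (unsigned char)*in;
    if(c == '%') {
      int hi = hexval(in[1]), lo = (hi >= 0) ? hexval(in[2]) : -1;
      if(hi < 0 || lo < 0)
        return DECODE_BAD_HEX;       /* truncated or non-hex %XX escape */
      c = (unsigned char)((hi << 4) | lo);
      in += 3;
    }
    else in++;
    if(c < 32)
      return DECODE_CONTROL_CODE;    /* literal or decoded control byte */
    if(o + 1 >= outlen)
      return DECODE_TOO_LONG;
    out[o++] = (char)c;
  }
  out[o] = '\0';
  return DECODE_OK;
}

int main(void)
{
  /* constructed paths; the last is the advisory's CRLF shape, rejected here */
  const char *paths[] = { "INBOX%20Drafts", "1", "1%0d%0aDELE%201" };
  char buf[64];
  for(size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
    int rc = urldecode_reject_ctrl(paths[i], buf, sizeof(buf));
    printf("%-18s -> %s\n", paths[i], rc == DECODE_OK ? buf : "rejected");
  }
  return 0;
}
```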

Daniel Stenberg authored
OpenSSL added a work-around for an SSL 3.0/TLS 1.0 CBC vulnerability (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around despite the fact that SSL_OP_ALL is documented to do "rather harmless" workarounds. The libcurl code uses the SSL_OP_ALL define and thus logically always disables the OpenSSL fix. In order to keep the secure work-around working, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change makes sure of this.
Reported by: product-security at Apple

22 Jan, 2012 (1 commit)

Daniel Stenberg authored
3 more bugfixes, 3 more contributors

21 Jan, 2012 (2 commits)

Daniel Stenberg authored

Dan Fandrich authored

20 Jan, 2012 (1 commit)

Daniel Stenberg authored
Using a URL with embedded user name and password didn't work if the host was given as a numerical IPv6 string, like ftp://user:password@[::1]/
Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html

19 Jan, 2012 (5 commits)

Yang Tse authored

Yang Tse authored

Yang Tse authored
avoid checking preprocessor definition official value

Pierre Joye authored

Daniel Stenberg authored
As is pointed out in this bug report, there can indeed be situations where --stderr has a point even when the "real" stderr can be redirected. Remove the superfluous and wrong comment.
Bug: http://curl.haxx.se/bug/view.cgi?id=3476020

18 Jan, 2012 (12 commits)

Yang Tse authored

Daniel Stenberg authored
Apparently ssl_get_ciphersuite() is needed to get the name of the used cipher suite.

Daniel Stenberg authored
The value was turned negative when it shouldn't have been.

Daniel Stenberg authored
... it is now named havege_random!
Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html

Daniel Stenberg authored
5 more bug fixes, 1 more contributor

Colin Hogben authored
Add simple telnet tests which (ab)use the http server. The second test checks for an input file handling bug.

Colin Hogben authored
Remove wrongly implemented optimisation of telnet upload, apparently intended to allow the library to avoid manually polling for input.

Colin Hogben authored
Fix a bug where input was read from stdin even when a different FILE * had been configured via CURLOPT_READDATA.

Yang Tse authored
bug: http://curl.haxx.se/bug/view.cgi?id=3474308

Johannes Bauer authored
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE are set to P12 and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.

Yang Tse authored
Enabling the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option allowed successful interoperability with the web server Netscape Enterprise Server 2.0.1, released back in 1996, more than 15 years ago. Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate CVE-2010-4180 when using previous OpenSSL versions we no longer enable this option regardless of OpenSSL version and SSL_OP_ALL definition.

17 Jan, 2012 (3 commits)