With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff

Related to the security vulnerability: CVE-2012-0036

Bug: http://curl.haxx.se/docs/adv_20120124.html

Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).

URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.

This flaw is considered a security vulnerability: CVE-2012-0036

Security advisory at: http://curl.haxx.se/docs/adv_20120124.html

Reported by: Dan Fandrich

OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around workding, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple

3 more bugfixes, 3 more contributors

Using a URL with embedded user name and password didn't work if the host
was given as a numerical IPv6 string, like ftp://user:password@[::1]/

Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html

avoid checking preprocessor definition official value

As is pointed out in this bug report, there can indeed be situation
where --stderr has a point even when the "real" stderr can be
redirected. Remove the superfluous and wrong comment.

bug: http://curl.haxx.se/bug/view.cgi?id=3476020

http://curl.haxx.se/bug/view.cgi?id=3438362

Apparently ssl_get_ciphersuite() is needed to get the name of the used
cipher suite.

The value was turned negative when it shouldn't have been

... it is now named havege_random!

Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html

5 more bug fixes, 1 more contributor

Add simple telnet tests which (ab)use the http server.
The second test checks for an input file handling bug.

Remove wrongly implemented optimisation of telnet upload, apparently
intended to allow the library to avoid manually polling for input.

Fix a bug where input was read from stdin even when a different FILE *
had been configured via CURLOPT_READDATA

bug: http://curl.haxx.se/bug/view.cgi?id=3474308

Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.

SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.

Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.

Allows tests from the libtest subdir to generate log traces
similar to those of curl with --tracetime and --trace-ascii
options but with output going to stderr.

Just showing how to download the contents of a given URL into a local
file.

Based on a suggestion and example code by Georg Potthast

Just to show that IMAP is used just like other protocols

This newly speced HTTP status code already works as intended in the new
spec:
http://greenbytes.de/tech/webdav/draft-reschke-http-status-308-02.html

Test 1325 is added to verify that the method is kept after the redirect

5 bug fixes, 3 more contributors