Skip to content
  1. Jan 24, 2012
    • Daniel Stenberg's avatar
      URL sanitize: reject URLs containing bad data · 75ca568f
      Daniel Stenberg authored
      Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
      decoded manner now use the new Curl_urldecode() function to reject URLs
      with embedded control codes (anything that is or decodes to a byte value
      less than 32).
      
      URLs containing such codes could easily otherwise be used to do harm and
      allow users to do unintended actions with otherwise innocent tools and
      applications. Like for example using a URL like
      pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
      a mail and instead this would delete one.
      
      This flaw is considered a security vulnerability: CVE-2012-0036
      
      Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
      
      Reported by: Dan Fandrich
      75ca568f
    • Daniel Stenberg's avatar
      OpenSSL: don't disable security work-around · db1a856b
      Daniel Stenberg authored
      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
      (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
      to SSL_OP_ALL that _disables_ that work-around despite the fact that
      SSL_OP_ALL is documented to do "rather harmless" workarounds.
      
      The libcurl code uses the SSL_OP_ALL define and thus logically always
      disables the OpenSSL fix.
      
      In order to keep the secure work-around workding, the
      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
      makes sure of this.
      
      Reported by: product-security at Apple
      db1a856b
  2. Jan 22, 2012
  3. Jan 21, 2012
  4. Jan 20, 2012
  5. Jan 19, 2012
  6. Jan 18, 2012
  7. Jan 17, 2012
  8. Jan 16, 2012
  9. Jan 15, 2012
  10. Jan 14, 2012
  11. Jan 13, 2012
  12. Jan 12, 2012
  13. Jan 09, 2012