- Aug 20, 2013
-
-
Daniel Stenberg authored
-
Jonathan Nieder authored
libcurl quietly truncates usernames, passwords, and options from before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters to fit in fixed-size buffers on the stack. Allocate a buffer large enough to fit the parsed fields on the fly instead to support longer passwords. After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH left, so stop defining that constant while at it. The hardcoded max username and password length constants, on the other hand, are still used in HTTP proxy credential handling (which this patch doesn't touch). Reported-by: Colby Ranger
-
Jonathan Nieder authored
Instead of nesting "if(success)" blocks and leaving the reader in suspense about what happens in the !success case, deal with failure cases early, usually with a simple goto to clean up and return from the function. No functional change intended. The main effect is to decrease the indentation of this function slightly.
-
Jonathan Nieder authored
libcurl truncates usernames, passwords, and options set with curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. This doesn't affect the return value from curl_easy_setopt(), so from the caller's point of view, there is no sign anything strange has happened, except that authentication fails. For example: # Prepare a long (300-char) password. s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; # Start a server. nc -l -p 8888 | tee out & pid=$! # Tell curl to pass the password to the server. curl --user me:$s http://localhost:8888 & sleep 1; kill $pid # Extract the password. userpass=$( awk '/Authorization: Basic/ {print $3}' <out | tr -d '\r' | base64 -d ) password=${userpass#me:} echo ${#password} Expected result: 300 Actual result: 255 The fix is simple: allocate appropriately sized buffers on the heap instead of trying to squeeze the provided values into fixed-size on-stack buffers. Bug: http://bugs.debian.org/719856 Reported-by: Colby Ranger
-
Jonathan Nieder authored
libcurl truncates usernames and passwords it reads from .netrc to LOGINSIZE and PASSWORDSIZE (64) characters without any indication to the user, to ensure the values returned from Curl_parsenetrc fit in a caller-provided buffer. Fix the interface by passing back dynamically allocated buffers allocated to fit the user's input. The parser still relies on a 256-character buffer to read each line, though. So now you can include an ~246-character password in your .netrc, instead of the previous limit of 63 characters. Reported-by: Colby Ranger
-
Jonathan Nieder authored
This makes it possible to increase the size of the buffers when needed in later patches. No functional change yet.
-
Jonathan Nieder authored
Instead of remembering before each "return" statement which temporary allocations, if any, need to be freed, take care to set pointers to NULL when no longer needed and use a goto to a common block to exit the function and free all temporaries. No functional change intended. Currently the only temporary buffer in this function is "proxy" which is already correctly freed when appropriate, but there will be more soon.
-
Jonathan Nieder authored
Use appropriately sized buffers on the heap instead of fixed-size buffers on the stack, to allow for longer usernames and passwords. Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
-
- Aug 19, 2013
-
-
Alex McLellan authored
Adding this line allows libcurl to return the server response when performing a search command via a custom request.
-
- Aug 16, 2013
-
-
Daniel Stenberg authored
The new multiply() function detects range value overflows. 32bit machines will overflow on a 32bit boundary while 64bit hosts support ranges up to the full 64 bit range. Added test 1236 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1267 Reported-by: Will Dietz
-
Daniel Stenberg authored
A rather big overhaul and cleanup. 1 - curl wouldn't properly detect and reject globbing that ended with an open brace if there were brackets or braces before it. Like "{}{" or "[0-1]{" 2 - curl wouldn't properly reject empty lists so that "{}{}" would result in curl getting (nil) strings in the output. 3 - By using strtoul() instead of sscanf() the code will now detected over and underflows. It now also better parses the step argument to only accept positive numbers and only step counters that is smaller than the delta between the maximum and minimum numbers. 4 - By switching to unsigned longs instead of signed ints for the counters, the max values for []-ranges are now very large (on 64bit machines). 5 - Bumped the maximum number of globs in a single URL to 100 (from 10) 6 - Simplified the code somewhat and now it stores fixed strings as single- entry lists. That's also one of the reasons why I did (5) as now all strings between "globs" will take a slot in the array. Added test 1234 and 1235 to verify. Updated test 87. This commit fixes three separate bug reports. Bug: http://curl.haxx.se/bug/view.cgi?id=1264 Bug: http://curl.haxx.se/bug/view.cgi?id=1265 Bug: http://curl.haxx.se/bug/view.cgi?id=1266 Reported-by: Will Dietz
-
- Aug 15, 2013
-
-
John Malmberg authored
Add the curl release notes to the release note document generated for VMS packages. Add the different filenames generated by a daily build to the cleanup procedures.
-
Tor Arntsen authored
-
- Aug 14, 2013
-
-
Daniel Stenberg authored
... just to make them easier to print in debug ouputs while debugging. They are still within #ifdef [debugbuild].
-
Daniel Stenberg authored
-
Daniel Stenberg authored
This makes the socket callback get called with the proper bitmask as otherwise the application could be left hanging waiting for reading on an upload connection! Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html Reported-by: Bill Doyle
-
Daniel Stenberg authored
--create-dirs, --crlf, --socks5-gssapi-nec and --sasl-ir
-
- Aug 12, 2013
-
-
Kamil Dudka authored
... prior to calling PK11_GenerateRandom()
-
Daniel Stenberg authored
With everything being struct SessionHandle pointers now, this rename makes multi.c use the library-wide practise of calling that pointer 'data' instead of the previously used 'easy'.
-
Daniel Stenberg authored
Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to easy_addmulti and made it static. Removed Curl_easy_initHandleData() and uses of it since it was emptied in commit cdda92ab67b47d74a.
-
Daniel Stenberg authored
All protocol handler structs are now opaque (void *) in the SessionHandle struct and moved in the request-specific sub-struct 'SingleRequest'. The intension is to keep the protocol specific knowledge in their own dedicated source files [protocol].c etc. There's some "leakage" where this policy is violated, to be addressed at a later point in time.
-
Daniel Stenberg authored
1 - always allocate the struct in protocol->setup_connection. Some protocol handlers had to get this function added. 2 - always free at the end of a request. This is also an attempt to keep less memory in the handle after it is completed.
-
Daniel Stenberg authored
Start working on the next version and up some counters.
-
- Aug 11, 2013
-
-
Daniel Stenberg authored
-
Fabian Keil authored
-
Fabian Keil authored
-
Fabian Keil authored
-
Fabian Keil authored
-
Fabian Keil authored
-
Fabian Keil authored
-
- Aug 10, 2013
-
-
Daniel Stenberg authored
It shows intermittent failures and I haven't been able to track them down yet. Disable this test for now.
-
- Aug 09, 2013
-
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
Daniel Stenberg authored
-
- Aug 08, 2013
-
-
John E. Malmberg authored
-
Daniel Stenberg authored
-
Daniel Stenberg authored
The take down of the global dns cache didn't take CURLOPT_RESOLVE names into account.
-
Daniel Stenberg authored
CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c4312741 (been broken since the libcurl 7.29.0 release). While this option has been documented as deprecated for almost a decade and nobody even reported this bug, it should remain functional. Added test case 1512 to verify
-
John Malmberg authored
VMS modified files either missing from a previous commit and changes to remove references to CVS repositories.
-
Daniel Stenberg authored
The previous naming scheme ftp_state_post_XXXX() wasn't really helpful as it wasn't always immediately after 'xxxx' and it wasn't easy to understand what it does based on such a name. This new one is instead ftp_state_yyyy() where yyyy describes what it does or sends.
-