  1. Mar 17, 2012
  2. Mar 16, 2012
  3. Mar 13, 2012
  4. Mar 10, 2012
  5. Mar 08, 2012
  6. Feb 24, 2012
  7. Feb 23, 2012
  8. Feb 21, 2012
  9. Feb 19, 2012
  10. Feb 17, 2012
    • smtp.c: Fixed an issue with the EOB checking · 3d98aed5
      Steve Holme authored
      Curl_smtp_escape_eob() would leave off final CRLFs from emails ending
      in multiple blank lines, additionally leaving the smtpc->eob variable
      with the character count in, which would cause problems for additional
      emails when sent through multiple calls to curl_easy_perform() after a
      CURLOPT_CONNECT_ONLY.
      3d98aed5
  11. Feb 16, 2012
  12. Feb 15, 2012
  13. Feb 14, 2012
    • smtp_mail: Added support to MAIL FROM for the optional AUTH parameter · 0cf0ab6f
      Steve Holme authored
      Added a new CURLOPT_MAIL_AUTH option that allows the calling program to
      set the optional AUTH parameter in the MAIL FROM command.
      
      When this option is specified and an authentication mechanism is used
      to communicate with the mail server then the AUTH parameter will be
      included in the MAIL FROM command. This is particularly useful when the
      calling program is acting as a relay in a trusted environment and
      performing server to server communication, as it allows the relaying
      server to specify the address of the mailbox that was used to
      authenticate and send the original email.
      0cf0ab6f
    • cyassl: update to CyaSSL 2.0.x API · ee7e4fc1
      toddouska authored
      Modify configure.ac to test for new CyaSSL Init function and remove
      default install path to system.  Change to CyaSSL OpenSSL header and
      proper Init in code as well.
      
      Note that this no longer detects or works with CyaSSL before v2
      ee7e4fc1
    • SMTP: Fixed error when using CURLOPT_CONNECT_ONLY · 69406f0b
      Steve Holme authored
      Fixed incorrect behavior in smtp_done() which would cause the end of
      block data to be sent to the SMTP server if libcurl was operating in
      connect only mode. This would cause the server to return an error as
      data would not be expected, which in turn caused libcurl to return
      CURLE_RECV_ERROR.
      69406f0b
  14. Feb 10, 2012
  15. Feb 09, 2012
    • nss: add support for the CURLSSLOPT_ALLOW_BEAST option · ebf31389
      Kamil Dudka authored
      ... and fix some typos from the 62d15f15 commit.
      ebf31389
    • CURLOPT_SSL_OPTIONS: added · 2a699bc6
      Daniel Stenberg authored
      Allow an application to set libcurl specific SSL options. The first and
      only option supported right now is CURLSSLOPT_ALLOW_BEAST.
      
      It will make libcurl disable any work-arounds the underlying SSL
      library may have to address a known security flaw in the SSL3 and TLS1.0
      protocol versions.
      
      This is a reaction to us unconditionally removing that behavior after
      this security advisory:
      
      http://curl.haxx.se/docs/adv_20120124B.html
      
      ... it did however cause a lot of programs to fail because of old
      servers not liking this work-around. Now programs can opt to decrease
      the security in order to interoperate with old servers better.
      2a699bc6
    • add library support for tuning TCP_KEEPALIVE · 705f0f7a
      Dave Reisner authored
      This adds three new options to control the behavior of TCP keepalives:
      
      - CURLOPT_TCP_KEEPALIVE: enable/disable probes
      - CURLOPT_TCP_KEEPIDLE: idle time before sending first probe
      - CURLOPT_TCP_KEEPINTVL: delay between successive probes
      
      While not all operating systems support the TCP_KEEPIDLE and
      TCP_KEEPINTVL knobs, the library will still allow these options to be
      set by clients, silently ignoring the values.
      705f0f7a
  16. Feb 07, 2012
  17. Jan 31, 2012
  18. Jan 28, 2012
  19. Jan 24, 2012
    • gnutls: enforced use of SSLv3 · 70f71bb9
      Daniel Stenberg authored
      With advice from Nikos Mavrogiannopoulos, changed the priority string to
      add "actual priorities" and favour ARCFOUR. This makes libcurl work
      better when enforcing SSLv3 with GnuTLS. Both in the sense that the
      libmicrohttpd test is now working again but also that it mitigates a
      weakness in the older SSL/TLS protocols.
      
      Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
      Reported by: Christian Grothoff
      70f71bb9
    • URL sanitize: reject URLs containing bad data · 75ca568f
      Daniel Stenberg authored
      Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
      decoded manner now use the new Curl_urldecode() function to reject URLs
      with embedded control codes (anything that is or decodes to a byte value
      less than 32).
      
      URLs containing such codes could easily otherwise be used to do harm and
      allow users to do unintended actions with otherwise innocent tools and
      applications. Like for example using a URL like
      pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
      a mail and instead this would delete one.
      
      This flaw is considered a security vulnerability: CVE-2012-0036
      
      Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
      
      Reported by: Dan Fandrich
      75ca568f
    • OpenSSL: don't disable security work-around · db1a856b
      Daniel Stenberg authored
      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
      (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
      to SSL_OP_ALL that _disables_ that work-around despite the fact that
      SSL_OP_ALL is documented to do "rather harmless" workarounds.
      
      The libcurl code uses the SSL_OP_ALL define and thus logically always
      disables the OpenSSL fix.
      
      In order to keep the secure work-around working, the
      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
      makes sure of this.
      
      Reported by: product-security at Apple
      db1a856b
  20. Jan 20, 2012
  21. Jan 19, 2012
  22. Jan 18, 2012