1184 lines
52 KiB
Plaintext
1184 lines
52 KiB
Plaintext
|
Daniel (16 December 2005)
|
|||
|
- Jean Jacques Drouin pointed out that you could only have a user name or
|
|||
|
password of 127 bytes or less embedded in a URL, where actually the code
|
|||
|
uses a 255 byte buffer for it! Modified now to use the full buffer size.
|
|||
|
|
|||
|
Daniel (12 December 2005)
|
|||
|
- Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly
|
|||
|
|
|||
|
Version 7.15.1 (7 December 2005)
|
|||
|
|
|||
|
Daniel (6 December 2005)
|
|||
|
- Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by
|
|||
|
Stefan Esser.
|
|||
|
|
|||
|
VULNERABILITY
|
|||
|
|
|||
|
libcurl's URL parser function can overflow a malloced buffer in two ways, if
|
|||
|
given a too long URL.
|
|||
|
|
|||
|
These overflows happen if you
|
|||
|
|
|||
|
1 - pass in a URL with no protocol (like "http://") prefix, using no slash
|
|||
|
and the string is 256 bytes or longer. This leads to a single zero byte
|
|||
|
overflow of the malloced buffer.
|
|||
|
|
|||
|
2 - pass in a URL with only a question mark as separator (no slash) between
|
|||
|
the host and the query part of the URL. This leads to a single zero byte
|
|||
|
overflow of the malloced buffer.
|
|||
|
|
|||
|
Both overflows can be made with the same input string, leading to two single
|
|||
|
zero byte overwrites.
|
|||
|
|
|||
|
The affected flaw cannot be triggered by a redirect, but the long URL must
|
|||
|
be passed in "directly" to libcurl. It makes this a "local" problem. Of
|
|||
|
course, lots of programs may still pass in user-provided URLs to libcurl
|
|||
|
without doing much syntax checking of their own, allowing a user to exploit
|
|||
|
this vulnerability.
|
|||
|
|
|||
|
There is no known exploit at the time of this writing.
|
|||
|
|
|||
|
|
|||
|
Daniel (2 December 2005)
|
|||
|
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
|
|||
|
file descriptor if given a non-existing file.
|
|||
|
|
|||
|
Daniel (24 November 2005)
|
|||
|
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
|
|||
|
again using configure.
|
|||
|
|
|||
|
- Yang Tse provided a whole series of patches to clear up compiler warnings on
|
|||
|
MSVC 6.
|
|||
|
|
|||
|
Daniel (17 November 2005)
|
|||
|
- I extended a patch from David Shaw to make libcurl _always_ provide an error
|
|||
|
string in the given error buffer to address the flaw mention on 21 sep 2005.
|
|||
|
|
|||
|
Daniel (16 November 2005)
|
|||
|
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
|
|||
|
installed on 'make install' time.
|
|||
|
|
|||
|
Daniel (14 November 2005)
|
|||
|
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
|
|||
|
properly for a case, and so we did. We raised it even for non-SSPI builds
|
|||
|
but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715
|
|||
|
|
|||
|
- Jan Kunder's debian bug report
|
|||
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
|
|||
|
error message for when you try to upload a file and the requested directory
|
|||
|
doesn't exist on the target server.
|
|||
|
|
|||
|
- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
|
|||
|
lib/memdebug.h that showed up in his msvc builds.
|
|||
|
|
|||
|
Daniel (13 November 2005)
|
|||
|
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
|
|||
|
bad limit-rate units:
|
|||
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
|
|||
|
error if a bad unit is used.
|
|||
|
|
|||
|
- Thanks to this nice summary of poll() implementations:
|
|||
|
http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
|
|||
|
Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
|
|||
|
connectin closure so we check for that case (too) and re-enable poll for
|
|||
|
cygwin builds.
|
|||
|
|
|||
|
Daniel (12 November 2005)
|
|||
|
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
|
|||
|
right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
|
|||
|
poll() and use select() on cygwin too (we already do the same choice on Mac
|
|||
|
OS X)
|
|||
|
|
|||
|
- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
|
|||
|
client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
|
|||
|
|
|||
|
Daniel (10 November 2005)
|
|||
|
- David Lang fixed IPv6 support for TFTP!
|
|||
|
|
|||
|
- Introducing range stepping to the curl globbing support. Now you can specify
|
|||
|
step counter by adding :[num] within the brackets when specifying a range:
|
|||
|
|
|||
|
[1-100:10]
|
|||
|
[a-z:2]
|
|||
|
|
|||
|
If no step counter is set, it defaults to 1 as before:
|
|||
|
|
|||
|
[1-100]
|
|||
|
[d-h]
|
|||
|
|
|||
|
Daniel (8 November 2005)
|
|||
|
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
|
|||
|
we really have no use for reverse lookups of the address.
|
|||
|
|
|||
|
I truly hope these are the last reverse lookups we had lingering in the
|
|||
|
code!
|
|||
|
|
|||
|
- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
|
|||
|
version of libcurl with different Windows versions. Current version of
|
|||
|
libcurl imports SSPI functions from secur32.dll. However, under Windows NT
|
|||
|
4.0 these functions are located in security.dll, under Windows 9x - in
|
|||
|
secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
|
|||
|
just forwards calls to secur32.dll).
|
|||
|
|
|||
|
Dmitry's patch loads proper library dynamically depending on Windows
|
|||
|
version. Function InitSecurityInterface() is used to obtain pointers to all
|
|||
|
of SSPI function in one structure.
|
|||
|
|
|||
|
Daniel (31 October 2005)
|
|||
|
- Vilmos Nebehaj improved libcurl's LDAP abilities:
|
|||
|
|
|||
|
The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
|
|||
|
attributes in LDAP objects. So, I made a quick patch to address these
|
|||
|
problems.
|
|||
|
|
|||
|
The solution is simple: if we connect to an LDAP server, first try LDAPv3
|
|||
|
(which is the preferred protocol as of now) and then fall back to LDAPv2.
|
|||
|
In case of binary attributes, we first convert them to base64, just like the
|
|||
|
openldap client does. It uses ldap_get_values_len() instead of
|
|||
|
ldap_get_values() to be able to retrieve binary attributes correctly. I
|
|||
|
defined the necessary LDAP macros in lib/ldap.c to be able to compile
|
|||
|
libcurl without the presence of libldap
|
|||
|
|
|||
|
Daniel (27 October 2005)
|
|||
|
- Nis Jorgensen filed bug report #1338648
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
|
|||
|
feature request, but anyway. It pointed out that --max-redirs did not allow
|
|||
|
it to be set to 0, which then would return an error code on the first
|
|||
|
Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
|
|||
|
set to 0, or -1 for infinity. Added test case 274 to verify.
|
|||
|
|
|||
|
- tommink[at]post.pl reported in bug report #1337723
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
|
|||
|
binary data from stdin on Windows if the data contained control-Z (hex 1a)
|
|||
|
since that is treated as end-of-file when read in text mode. Gisle Vanem
|
|||
|
pointed out the fix, and I made both -T and --data-binary take advantage of
|
|||
|
it.
|
|||
|
|
|||
|
- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
|
|||
|
in the man page, curl would send an invalid HTTP Range: header. The correct
|
|||
|
way would be to use "-r [number]-" or even "-r -[number]". Starting now,
|
|||
|
curl will warn if this is discovered, and automatically append a dash to the
|
|||
|
range before passing it to libcurl.
|
|||
|
|
|||
|
Daniel (25 October 2005)
|
|||
|
- Amol Pattekar reported a bug with great detail and a fine example in bug
|
|||
|
#1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
|
|||
|
interface and connecting to a host with multiple IP addresses, and one of
|
|||
|
the addresses fails to connect (the server must exist and respond, just not
|
|||
|
accept connections) libcurl leaks a socket descriptor. Thanks to the fine
|
|||
|
report, I could find and fix this.
|
|||
|
|
|||
|
Daniel (22 October 2005)
|
|||
|
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
|
|||
|
#1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
|
|||
|
stream from a server and the server requests a "rehandshake", the current
|
|||
|
code simply returns this as an error. I have no good way to test this, but
|
|||
|
I've added a crude attempt of dealing with this situation slightly better -
|
|||
|
it makes a blocking handshake if this happens. Done like this because fixing
|
|||
|
this the "proper" way (that would handshake asynchronously) will require
|
|||
|
quite some work and I really need a good way to test this to do such a
|
|||
|
change.
|
|||
|
|
|||
|
Daniel (21 October 2005)
|
|||
|
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
|
|||
|
it, it could then accidentally actually crash. Presumably, this concerns FTP
|
|||
|
connections. http://curl.haxx.se/bug/view.cgi?id=1330310
|
|||
|
|
|||
|
- Temprimus improved the MSVC makefile so that the static debug SSL libs are
|
|||
|
linked to the executable and not to the libcurld.lib
|
|||
|
http://curl.haxx.se/bug/view.cgi?id=1326676
|
|||
|
|
|||
|
- Bradford Bruce made the windows resolver code properly return
|
|||
|
CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
|
|||
|
errors (as documented).
|
|||
|
|
|||
|
Daniel (20 October 2005)
|
|||
|
- Dave Dribin made libcurl understand and handle cases when the server
|
|||
|
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
|
|||
|
never happen in a sane world, libcurl previously got into an infinite loop
|
|||
|
when this occurred. Dave added test 273 to verify this.
|
|||
|
|
|||
|
- Temprimus improved the MSVC makefile: "makes a build option available so if
|
|||
|
you set rtlibcfg=static for the make, then it would build with /MT. The
|
|||
|
default behaviour is /MD (the original)."
|
|||
|
http://curl.haxx.se/bug/view.cgi?id=1326665
|
|||
|
|
|||
|
Daniel (14 October 2005)
|
|||
|
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
|
|||
|
reported, the define is used by the configure script and is assumed to use
|
|||
|
the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
|
|||
|
release version.
|
|||
|
|
|||
|
Version 7.15.0 (13 October 2005)
|
|||
|
|
|||
|
Daniel (12 October 2005)
|
|||
|
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
|
|||
|
code that would overflow a buffer if given a too long user name or domain
|
|||
|
name. This would happen if you enable NTLM authentication and either
|
|||
|
|
|||
|
A - pass in a user name and domain name to libcurl that together are longer
|
|||
|
than 192 bytes
|
|||
|
|
|||
|
B - allow (lib)curl to follow HTTP "redirects" (Location: and the
|
|||
|
appropriate HTTP 30x response code) and the new URL contains a URL with
|
|||
|
a user name and domain name that together are longer than 192 bytes
|
|||
|
|
|||
|
See http://curl.haxx.se/docs/security.html for further details and updates
|
|||
|
|
|||
|
Daniel (5 October 2005)
|
|||
|
- Darryl House reported a problem with using -z to download files from FTP.
|
|||
|
It turned out that if the given time stamp was exact the same as the remote
|
|||
|
time stamp, the file would still wrongly be downloaded. Added test case 272
|
|||
|
to verify.
|
|||
|
|
|||
|
Daniel (4 October 2005)
|
|||
|
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
|
|||
|
from the configure script.
|
|||
|
|
|||
|
- Michael Wallner reported that the date parser had wrong offset stored for
|
|||
|
the MEST and CEST time zones.
|
|||
|
|
|||
|
Daniel (27 September 2005)
|
|||
|
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)
|
|||
|
that identified a silly problem with Content-Range: headers with the 'bytes'
|
|||
|
keyword written in a different case than all lowercase! It would cause a
|
|||
|
segfault!
|
|||
|
|
|||
|
- TJ Saunders of the proftpd project identified and pointed out problems with
|
|||
|
the modified FTPS negotiation change of August 19 2005. Thus, we revert the
|
|||
|
change back to pre-7.14.1 status.
|
|||
|
|
|||
|
Daniel (21 September 2005)
|
|||
|
- Fixed "cut off" sentence in the libcurl-tutorial man page:
|
|||
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305
|
|||
|
|
|||
|
- Clarified in the curl_easy_setopt man page what the default
|
|||
|
CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean:
|
|||
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311
|
|||
|
|
|||
|
- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
|
|||
|
sometimes doesn't fill in the buffer even though it is supposed to:
|
|||
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313
|
|||
|
|
|||
|
- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
|
|||
|
error string set.
|
|||
|
|
|||
|
Daniel (19 September 2005)
|
|||
|
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.
|
|||
|
|
|||
|
Daniel (15 September 2005)
|
|||
|
- Added a TFTP server to the test suite and made the test suite capable of
|
|||
|
using it.
|
|||
|
|
|||
|
Daniel (7 September 2005)
|
|||
|
- Ben Madsen's detailed reports that funnily enough only occurred with certain
|
|||
|
glibc versions turned out to be curl using an already closed file handle
|
|||
|
during certain conditions (like when saving FTP server "headers").
|
|||
|
|
|||
|
- Scott Davis helped me track down a problem in the test HTTP server that made
|
|||
|
test case 56 wrongly fail at times. It turned out it was due to the server
|
|||
|
finding the end of a chunked-encoded POST too early.
|
|||
|
|
|||
|
Daniel (6 September 2005)
|
|||
|
- Now curl warns if an unknown variable is used in the -w/--writeout argument.
|
|||
|
|
|||
|
Daniel (4 September 2005)
|
|||
|
- I applied Nicolas Fran<61>ois' man page patch he posted to the Debian bug
|
|||
|
tracker. It corrected two lines that started with apostrophes, which isn't
|
|||
|
legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511
|
|||
|
|
|||
|
- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
|
|||
|
CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
|
|||
|
connection's IP address when setting up the data connection instead of
|
|||
|
extractting the IP address from the PASV response. It has turned out this
|
|||
|
feature is frequently needed by people to circumvent silly servers and silly
|
|||
|
firewalls, especially when FTPS is used and the PASV command-response is
|
|||
|
sent encrtyped.
|
|||
|
|
|||
|
Sponsored by CU*Answers
|
|||
|
|
|||
|
Daniel (1 September 2005)
|
|||
|
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
|
|||
|
added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
|
|||
|
list of protocols whereever those are mentioned.
|
|||
|
|
|||
|
Version 7.14.1 (1 September 2005)
|
|||
|
|
|||
|
Daniel (29 August 2005)
|
|||
|
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.
|
|||
|
|
|||
|
- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
|
|||
|
for Windows, that could lead to an Access Violation when the multi interface
|
|||
|
was used due to an issue with how the resolver thread was and was not
|
|||
|
terminated.
|
|||
|
|
|||
|
- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
|
|||
|
instead of MIT/Heimdal for GSS capabilities.
|
|||
|
|
|||
|
Daniel (24 August 2005)
|
|||
|
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
|
|||
|
from the command line tool with --ignore-content-length. This will make it
|
|||
|
easier to download files from Apache 1.x (and similar) servers that are
|
|||
|
still having problems serving files larger than 2 or 4 GB. When this option
|
|||
|
is enabled, curl will simply have to wait for the server to close the
|
|||
|
connection to signal end of transfer. I wrote test case 269 that runs a
|
|||
|
simple test to verify that this works.
|
|||
|
|
|||
|
- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
|
|||
|
the --logfile command line option to --log-file, and thus the test script
|
|||
|
valgrind autodetection now has yet another version check to do and then it
|
|||
|
alters the valgrind command line accordingly.
|
|||
|
|
|||
|
- Fixed CA cert verification using GnuTLS with the default bundle, which
|
|||
|
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
|
|||
|
Ralph Mitchell reported.
|
|||
|
|
|||
|
Daniel (19 August 2005)
|
|||
|
- Norbert Novotny had problems with FTPS and he helped me work out a patch
|
|||
|
that made curl run fine in his end. The key was to make sure we do the
|
|||
|
SSL/TLS negotiation immediately after the TCP connect is done and not after
|
|||
|
a few other commands have been sent like we did previously. I don't consider
|
|||
|
this change necessary to obey the standards, I think this server is pickier
|
|||
|
than what the specs allow it to be, but I can't see how this modified
|
|||
|
libcurl code can add any problems to those who are interpreting the
|
|||
|
standards more liberally.
|
|||
|
|
|||
|
Daniel (17 August 2005)
|
|||
|
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
|
|||
|
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
|
|||
|
write the result to a given cookie jar and then never actually call
|
|||
|
curl_easy_perform() - the given file(s) to read was never read but the
|
|||
|
output file was written and thus it caused a "funny" result.
|
|||
|
|
|||
|
- While doing some tests for the bug above, I noticed that Firefox generates
|
|||
|
large numbers (for the expire time) in the cookies.txt file and libcurl
|
|||
|
didn't treat them properly. Now it does.
|
|||
|
|
|||
|
Daniel (15 August 2005)
|
|||
|
- Added more verbose "warning" messages to the curl client for cases where it
|
|||
|
fails to open/read files etc to help users diagnose why it doesn't do what
|
|||
|
you'd expect it to. Converted lots of old messages to use the new generic
|
|||
|
function I wrote for this purpose.
|
|||
|
|
|||
|
Daniel (13 August 2005)
|
|||
|
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
|
|||
|
site responds with bad HTTP response that doesn't contain any header at all,
|
|||
|
only a response body, and the write callback returns 0 to abort the
|
|||
|
transfer, it didn't have any real effect but the write callback would be
|
|||
|
called once more anyway.
|
|||
|
|
|||
|
Daniel (12 August 2005)
|
|||
|
- Based on Richard Clayton's reports, I found out that using curl -d @filename
|
|||
|
when 'filename' was not possible to access made curl use a GET request
|
|||
|
instead.
|
|||
|
|
|||
|
- The time condition illegal syntax warning is now inhibited if -s is used.
|
|||
|
|
|||
|
Daniel (10 August 2005)
|
|||
|
- Mario Schroeder found out that one of the debug callbacks calls that regards
|
|||
|
SSL data with the CURLINFO_TEXT type claimed that the data was one byte
|
|||
|
larger than it actually is, thus falsely telling the application that the
|
|||
|
terminating zero was part of the data.
|
|||
|
|
|||
|
Daniel (9 August 2005)
|
|||
|
- Christopher R. Palmer fixed the offsets used for date parsings when the time
|
|||
|
zone name of a daylight savings time was used. For example, PDT vs PDS. This
|
|||
|
flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
|
|||
|
Fortunately, no web server or cookie string etc should be using such time
|
|||
|
zone names thus limiting the effect of this bug.
|
|||
|
|
|||
|
Daniel (8 August 2005)
|
|||
|
- Jon Grubbs filed bug report #1249962
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem
|
|||
|
with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
|
|||
|
switches to pure HTTP internally when an HTTP proxy is used, even for FTP
|
|||
|
URLs. The problem would also occur with other multi-pass auth methods.
|
|||
|
|
|||
|
Daniel (7 August 2005)
|
|||
|
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
|
|||
|
--features was used.
|
|||
|
|
|||
|
Daniel (28 July 2005)
|
|||
|
- If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is
|
|||
|
set to 1, CURLOPT_NOBODY will now automatically be set to 0.
|
|||
|
|
|||
|
Daniel (27 July 2005)
|
|||
|
- Dan Fandrich changes over the last week: fixed numerous minor configure
|
|||
|
option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
|
|||
|
and --without-krb4. Spellfixed several error messages.
|
|||
|
|
|||
|
- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
|
|||
|
simple interface to extracting and setting cookies in libcurl's internal
|
|||
|
"cookie jar". See the new cookie_interface.c example code.
|
|||
|
|
|||
|
Daniel (13 July 2005)
|
|||
|
- Diego Casorran provided patches to make curl build fine on Amiga again.
|
|||
|
|
|||
|
Daniel (12 July 2005)
|
|||
|
- Adrian Schuur added trailer support in the chunked encoding stream. The
|
|||
|
trailer is then sent to the normal header callback/stream. I wrote up test
|
|||
|
case 266 to verify the basic functionality. Do note that test case 34
|
|||
|
contains a flawed chunked encoding stream that still works the same.
|
|||
|
|
|||
|
Daniel (5 July 2005)
|
|||
|
- Gisle Vanem came up with a nice little work-around for bug #1230118
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC)
|
|||
|
libc time functions may return data one hour off if TZ is not set and
|
|||
|
automatic DST adjustment is enabled. This made curl_getdate() return wrong
|
|||
|
value, and it also concerned internal cookie expirations etc.
|
|||
|
|
|||
|
Daniel (4 July 2005)
|
|||
|
- Andrew Bushnell provided enough info for me to tell that we badly needed to
|
|||
|
fix the CONNECT authentication code with multi-pass auth methods (such as
|
|||
|
NTLM) as it didn't previously properly ignore response-bodies - in fact it
|
|||
|
stopped reading after all response headers had been received. This could
|
|||
|
lead to libcurl sending the next request and reading the body from the first
|
|||
|
request as response to the second request. (I also renamed the function,
|
|||
|
which wasn't strictly necessary but...)
|
|||
|
|
|||
|
The best fix would to once and for all make the CONNECT code use the
|
|||
|
ordinary request sending/receiving code, treating it as any ordinary request
|
|||
|
instead of the special-purpose function we have now. It should make it
|
|||
|
better for multi-interface too. And possibly lead to less code...
|
|||
|
|
|||
|
Added test case 265 for this. It doesn't work as a _really_ good test case
|
|||
|
since the test proxy is too stupid, but the test case helps when running the
|
|||
|
debugger to verify.
|
|||
|
|
|||
|
Daniel (30 June 2005)
|
|||
|
- Dan Fandrich improved the configure script's ability to figure out what kind
|
|||
|
of strerror_r() API that is used when cross-compiling. If __GLIB__ is
|
|||
|
defined, it assumes the glibc API. If not, it issues a notice as before that
|
|||
|
the user needs to manually edit lib/config.h for this.
|
|||
|
|
|||
|
Daniel (23 June 2005)
|
|||
|
- David Shaw's fix that unifies proxy string treatment so that a proxy given
|
|||
|
with CURLOPT_PROXY can use a http:// prefix and user + password. The user
|
|||
|
and password fields are now also URL decoded properly. Test case 264 added
|
|||
|
to verify.
|
|||
|
|
|||
|
Daniel (22 June 2005)
|
|||
|
- David Shaw updated libcurl.m4
|
|||
|
|
|||
|
Daniel (14 June 2005)
|
|||
|
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1216500). Comment in
|
|||
|
http://curl.haxx.se/mail/lib-2005-06/0059.html
|
|||
|
|
|||
|
Daniel (13 June 2005)
|
|||
|
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
|
|||
|
reverted patch).
|
|||
|
|
|||
|
Daniel (9 June 2005)
|
|||
|
- Incorporated Tupone's findtool fix in buildconf (slightly edited)
|
|||
|
|
|||
|
- Incorporated Tupone's head -n fix in buildconf.
|
|||
|
|
|||
|
Daniel (8 June 2005)
|
|||
|
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
|
|||
|
in pieces, one by one and see what we need to adjust to work all over.
|
|||
|
|
|||
|
Daniel (6 June 2005)
|
|||
|
- Tupone Alfredo fixed three problems in buildconf:
|
|||
|
|
|||
|
1) findtool does look per tool in PATH and think ./perl is the perl
|
|||
|
executable, while is just a local directory (I have . in the PATH)
|
|||
|
|
|||
|
2) I got several warning for head -1 deprecated in favour of head -n 1
|
|||
|
|
|||
|
3) ares directory is missing some file (missing is missing :-) ) because
|
|||
|
automake and friends is not run.
|
|||
|
|
|||
|
Daniel (3 June 2005)
|
|||
|
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
|
|||
|
http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes
|
|||
|
|
|||
|
- Andres Garcia provided yet another text mode patch for several test cases so
|
|||
|
that they do text comparisions better on Windows (newline-wise).
|
|||
|
|
|||
|
Daniel (1 June 2005)
|
|||
|
- The configure check for c-ares now adds the cares lib before the other libs,
|
|||
|
to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
|
|||
|
and patch: http://curl.haxx.se/bug/view.cgi?id=1212940
|
|||
|
|
|||
|
Daniel (31 May 2005)
|
|||
|
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
|
|||
|
address was not possible to use. It is now, but requires it written
|
|||
|
RFC2732-style, within brackets - which incidently is how you enter numerical
|
|||
|
IPv6 addresses in URLs. Test case 263 added to verify.
|
|||
|
|
|||
|
Daniel (30 May 2005)
|
|||
|
- Eric Cooper reported about a problem with HTTP servers that responds with
|
|||
|
binary zeroes within the headers. They confused libcurl to do wrong so the
|
|||
|
downloaded headers become incomplete. The fix is now verified with test case
|
|||
|
262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948
|
|||
|
|
|||
|
Daniel (25 May 2005)
|
|||
|
- Fixed problems with the test suite, and in particular the FTP test cases
|
|||
|
since it previously was failing every now and then in a nonsense manner.
|
|||
|
|
|||
|
- --trace-time now outputs the full microsecond, all 6 digits.
|
|||
|
|
|||
|
Daniel (24 May 2005)
|
|||
|
- Andres Garcia provided a text mode patch for several test cases so that they
|
|||
|
do text comparisions better on Windows (newline-wise).
|
|||
|
|
|||
|
- Any 2xx response (and not just 200) is now considered a fine response to
|
|||
|
TYPE, as some servers obviously sends a 226 there. Added test case 261 to
|
|||
|
verify. Based on a question/report by Georg Wicherski.
|
|||
|
|
|||
|
Daniel (20 May 2005)
|
|||
|
- Improved runtests.pl to allow stdout tests to be mode=text as well, just
|
|||
|
as file comparisons already supports. Added this info to the FILEFORMAT
|
|||
|
docs.
|
|||
|
|
|||
|
Daniel (18 May 2005)
|
|||
|
- John McGowan identified a problem in bug report #1204435
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like
|
|||
|
"http://somehost?data" as it added a slash too much in the request ("GET
|
|||
|
/?data/"...). Added test case 260 to verify.
|
|||
|
|
|||
|
- The configure check for strerror_r() failed to detect the proper API at
|
|||
|
times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
|
|||
|
version if the posix define wasn't set (since it _had_ found a strerror_r).
|
|||
|
|
|||
|
Daniel (16 May 2005)
|
|||
|
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
|
|||
|
due to this. There's now a configure check that attempts to detect the bad
|
|||
|
function and not use it on such systems.
|
|||
|
|
|||
|
Version 7.14.0 (16 May 2005)
|
|||
|
|
|||
|
Daniel (13 May 2005)
|
|||
|
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
|
|||
|
OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
|
|||
|
doesn't work as good as if built without poll(). I've adjusted the configure
|
|||
|
to always skip the fine-poll() test on Mac OS X (darwin).
|
|||
|
|
|||
|
Daniel (12 May 2005)
|
|||
|
- When doing a second request (after a disconnect) using the same easy handle,
|
|||
|
over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
|
|||
|
properly (the auth method was accidentally reset to the same as had been set
|
|||
|
for host auth, which defaults to Basic). Bug report #1200661
|
|||
|
(http://curl.haxx.se/bug/view.cgi?id=1200661) identified the the problem and
|
|||
|
the fix.
|
|||
|
|
|||
|
- If -z/--time-cond is used with an invalid date syntax, this is no longer
|
|||
|
silently discarded. Instead a proper warning message is diplayed that
|
|||
|
informs about it. But it still continues without the condition.
|
|||
|
|
|||
|
Version 7.14.0-pre2 (11 May 2005)
|
|||
|
|
|||
|
Daniel (11 May 2005)
|
|||
|
- Starting now, libcurl sends a little different set of headers in its default
|
|||
|
HTTP requests:
|
|||
|
|
|||
|
A) Normal non-proxy HTTP:
|
|||
|
- no more "Pragma: no-cache" (this only makes sense to proxies)
|
|||
|
|
|||
|
B) Non-CONNECT HTTP request over proxy:
|
|||
|
- "Pragma: no-cache" is used (like before)
|
|||
|
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
|
|||
|
|
|||
|
C) CONNECT HTTP request over proxy:
|
|||
|
- "Host: [name]:[port]"
|
|||
|
- "Proxy-Connection: Keep-alive"
|
|||
|
|
|||
|
The A) case is mostly to reduce the default header size and remove a
|
|||
|
pointless header.
|
|||
|
|
|||
|
The B) is to address (rare) problems with HTTP 1.0 proxies
|
|||
|
|
|||
|
The C) headers are both to address (rare) problems with some proxies. The
|
|||
|
code in libcurl that deals with CONNECT requests need a rewrite, but it
|
|||
|
feels like a too big a job for me to do now. Details are added in the code
|
|||
|
comments for now.
|
|||
|
|
|||
|
Updated a large amount of test cases to reflect the news.
|
|||
|
|
|||
|
Daniel (10 May 2005)
|
|||
|
- Half-baked attempt to bail out if select() returns _only_ errorfds when the
|
|||
|
transfer is in progress. An attempt to fix Allan's problem. See
|
|||
|
http://curl.haxx.se/mail/lib-2005-05/0073.html and the rest of that thread
|
|||
|
for details.
|
|||
|
|
|||
|
I'm still not sure this is the right fix, but...
|
|||
|
|
|||
|
Version 7.14.0-pre1 (9 May 2005)
|
|||
|
|
|||
|
Daniel (2 May 2005)
|
|||
|
- Sort of "fixed" KNOWN_BUGS #4: curl now builds IPv6 enabled on AIX 4.3. At
|
|||
|
least it should no longer cause a compiler error. However, it does not have
|
|||
|
AI_NUMERICHOST so we cannot getaddrinfo() any numerical addresses with it
|
|||
|
(we use that for FTP PORT/EPRT)! So, I modified the configure check that
|
|||
|
checks if the getaddrinfo() is working, to use AI_NUMERICHOST since then
|
|||
|
it'll fail on AIX 4.3 and it will automatically build with IPv6 support
|
|||
|
disabled.
|
|||
|
|
|||
|
- Added --trace-time that when used adds a time stamp to each trace line that
|
|||
|
--trace, --trace-ascii and --verbose output. I also made the '>' display
|
|||
|
separate each line on the linefeed so that HTTP requests etc look nicer in
|
|||
|
the -v output.
|
|||
|
|
|||
|
- Made curl recognize the environment variables Lynx (and others?) support for
|
|||
|
pointing out the CA cert path/file: SSL_CERT_DIR and SSL_CERT_FILE. If
|
|||
|
CURL_CA_BUNDLE is not set, they are checked afterwards.
|
|||
|
|
|||
|
Like before: on windows if none of these are set, it checks for the ca cert
|
|||
|
file like this:
|
|||
|
|
|||
|
1. application's directory
|
|||
|
2. current working directory
|
|||
|
3. Windows System directory (e.g. C:\windows\system32)
|
|||
|
4. Windows Directory (e.g. C:\windows)
|
|||
|
5. all directories along %PATH%
|
|||
|
|
|||
|
Daniel (1 May 2005)
|
|||
|
- The runtests.pl script now starts test servers by doing fork() and exec()
|
|||
|
instead of the previous approach. This is less complicated and should
|
|||
|
hopefully lead to less "leaked" servers (servers that aren't stopped
|
|||
|
properly when the tests are stopped).
|
|||
|
|
|||
|
- Alexander Zhuravlev found a case when you did "curl -I [URL]" and it
|
|||
|
complained on the chunked encoding, even though a HEAD should never return a
|
|||
|
body and thus it cannot be a chunked-encoding problem!
|
|||
|
|
|||
|
Daniel (30 April 2005)
|
|||
|
- Alexander Zhuravlev found out that (lib)curl SIGSEGVed when using
|
|||
|
--interface on an address that can't be bound.
|
|||
|
|
|||
|
Daniel (28 April 2005)
|
|||
|
- Working on fixing up test cases to mark sections as 'mode=text' for things
|
|||
|
that curl writes as text files, since then they can get different line
|
|||
|
endings depending on OS. Andr<64>s Garc<72>a helps me work this out.
|
|||
|
|
|||
|
Did lots of other minor tweaks on the test scripts to work better and more
|
|||
|
reliably find test servers and also kill test servers.
|
|||
|
|
|||
|
- Dan Fandrich pointed out how the runtests.pl script killed the HTTP server
|
|||
|
instead of the HTTPS server when closing it down.
|
|||
|
|
|||
|
Daniel (27 April 2005)
|
|||
|
- Paul Moore made curl check for the .curlrc file (_curlrc on windows) on two
|
|||
|
more places. First, CURL_HOME is a new environment variable that is used
|
|||
|
instead of HOME if it is set, to point out where the default config file
|
|||
|
lives. If there's no config file in the dir pointed out by one of the
|
|||
|
environment variables, the Windows version will instead check the same
|
|||
|
directory the executable curl is located in.
|
|||
|
|
|||
|
Daniel (26 April 2005)
|
|||
|
- Cory Nelson's work on nuking compiler warnings when building on x64 with
|
|||
|
VS2005.
|
|||
|
|
|||
|
Daniel (25 April 2005)
|
|||
|
- Fred New reported a bug where we used Basic auth and user name and password
|
|||
|
in .netrc, and when following a Location: the subsequent requests didn't
|
|||
|
properly use the auth as found in the netrc file. Added test case 257 to
|
|||
|
verify my fix.
|
|||
|
|
|||
|
- Based on feedback from Cory Nelson, I added some preprocessor magic in
|
|||
|
*/setup.h and */config-win32.h to build fine with VS2005 on x64.
|
|||
|
|
|||
|
Daniel (23 April 2005)
|
|||
|
- Alex Suykov made the curl tool now assume that uploads using HTTP:// or
|
|||
|
HTTPS:// are the only ones that show output and thus motivates a switched
|
|||
|
off progress meter if the output is sent to the terminal. This makes FTP
|
|||
|
uploads without '>', -o or -O show the progress meter.
|
|||
|
|
|||
|
Daniel (22 April 2005)
|
|||
|
- Dave Dribin's MSVC makefile fix: set CURL_STATICLIB when it builds static
|
|||
|
library variants.
|
|||
|
|
|||
|
- Andres Garcia fixed configure to set the proper define when building static
|
|||
|
libcurl on windows.
|
|||
|
|
|||
|
- --retry-delay didn't work.
|
|||
|
|
|||
|
Daniel (18 April 2005)
|
|||
|
- Olivier reported that even though he used CURLOPT_PORT, libcurl clearly
|
|||
|
still used the default port. He was right. I fixed the problem and added the
|
|||
|
test cases 521, 522 and 523 to verify the fix.
|
|||
|
|
|||
|
- Toshiyuki Maezawa reported that when doing a POST with a read callback,
|
|||
|
libcurl didn't properly send an Expect: 100-continue header. It does now.
|
|||
|
|
|||
|
- I committed by mig change in the test suite's FTP server that moves out all
|
|||
|
socket/TCP code to a separate C program named sockfilt. And added 4 new
|
|||
|
test cases for FTP over IPv6.
|
|||
|
|
|||
|
Daniel (8 April 2005)
|
|||
|
- Cory Nelson reported a problem with a HTTP server that responded with a 304
|
|||
|
response containing an "illegal" Content-Length: header, which was not
|
|||
|
properly ignored by libcurl. Now it is. Test case 249 verifies.
|
|||
|
|
|||
|
Daniel (7 April 2005)
|
|||
|
- Added ability to build and run with GnuTLS as an alternative to OpenSSL for
|
|||
|
the secure layer. configure --with-gnutls enables with. Note that the
|
|||
|
previous OpenSSL check still has preference and if it first detects OpenSSL,
|
|||
|
it will not check for GnuTLS. You may need to explictly diable OpenSSL with
|
|||
|
--without-ssl.
|
|||
|
|
|||
|
This work has been sponsored by The Written Word.
|
|||
|
|
|||
|
Daniel (5 April 2005)
|
|||
|
- Christophe Legry fixed the post-upload check for FTP to not complain if the
|
|||
|
upload was skipped due to a time-condition as set with
|
|||
|
CURLOPT_TIMECONDITION. I added test case 247 and 248 to verify.
|
|||
|
|
|||
|
Version 7.13.2 (5 April 2005)
|
|||
|
|
|||
|
Daniel (4 April 2005)
|
|||
|
- Marcelo Juchem fixed the MSVC makefile for libcurl
|
|||
|
|
|||
|
- Gisle Vanem fixed a crash in libcurl, that could happen if the easy handle
|
|||
|
was killed before the threading resolver (windows only) still hadn't
|
|||
|
completed.
|
|||
|
|
|||
|
- Hardeep Singh reported a problem doing HTTP POST with Digest. (It was
|
|||
|
actually also affecting NTLM and Negotiate.) It turned out that if the
|
|||
|
server responded with 100 Continue before the initial 401 response, libcurl
|
|||
|
didn't take care of the response properly. Test case 245 and 246 added to
|
|||
|
verify this.
|
|||
|
|
|||
|
Daniel (30 March 2005)
|
|||
|
- Andres Garcia modified the configure script to check for libgdi32 before
|
|||
|
libcrypto, to make the SSL check work fine on msys/mingw.
|
|||
|
|
|||
|
Daniel (29 March 2005)
|
|||
|
- Tom Moers identified a flaw when you sent a POST with Digest authentication,
|
|||
|
as in the first request when curl sends a POST with Content-Length: 0, it
|
|||
|
still forcibly closed the connection before doing the next step in the auth
|
|||
|
negotiation.
|
|||
|
|
|||
|
- Jesper Jensen found out that FTP-SSL didn't work since my FTP
|
|||
|
rewrite. Fixing that was easy, but it also revealed a much worse problem:
|
|||
|
the FTP server response reader function didn't properly deal with reading
|
|||
|
responses in multiple tiny chunks properly! I modified the FTP server to
|
|||
|
allow it to produce such split-up responses to make sure curl deals with
|
|||
|
them as it should.
|
|||
|
|
|||
|
- Based on Augustus Saunders' comments and findings, the HTTP output auth
|
|||
|
function was fixed to use the proper proxy authentication when multiple ones
|
|||
|
are accepted. test 239 and test 243 were added to repeat the problems and
|
|||
|
verify the fixes.
|
|||
|
|
|||
|
--proxy-anyauth was added to the curl tool
|
|||
|
|
|||
|
Daniel (16 March 2005)
|
|||
|
- Tru64 and some IRIX boxes seem to not like test 237 as it is. Their
|
|||
|
inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted
|
|||
|
address which makes a different failure... Now I've modified the ipv4
|
|||
|
resolve code to use inet_pton() instead in an attempt to make these systems
|
|||
|
better detect this as a bad IP address rather than creating a toally bogus
|
|||
|
address that is then passed on and used.
|
|||
|
|
|||
|
Daniel (15 March 2005)
|
|||
|
- Dan Fandrich made the code properly use the uClibc's version of
|
|||
|
inet_ntoa_r() when built with it.
|
|||
|
|
|||
|
- Added test 237 and 238: test EPSV and PASV response handling when they get
|
|||
|
well- formated data back but using illegal values. In 237 PASV gets an IP
|
|||
|
address that is way bad. In 238 EPSV gets a port that is way out of range.
|
|||
|
|
|||
|
Daniel (14 March 2005)
|
|||
|
- Added a few missing features to the curl-config --features list
|
|||
|
|
|||
|
- Modified testcurl.pl to now offer
|
|||
|
1 - command line options for all info it previously only read from
|
|||
|
file: --name, --email, --desc and --configure
|
|||
|
2 - --nocvsup makes it not attempt to do cvs update
|
|||
|
3 - --crosscompile informs it and makes it not attempt things it can't do
|
|||
|
|
|||
|
- Fixed numerous win32 compiler warnings.
|
|||
|
|
|||
|
- Removed the lib/security.h file since it shadowed the mingw/win32 header
|
|||
|
with the same name which is needed for SSPI builds. The contents of the
|
|||
|
former security.h is now i krb4.h
|
|||
|
|
|||
|
- configure --enable-sspi now enables SSPI in the build. It only works for
|
|||
|
windows builds (including cross-compiles for windows).
|
|||
|
|
|||
|
Daniel (12 March 2005)
|
|||
|
- David Houlder added --form-string that adds that string to a multipart
|
|||
|
formpost part, without special characters having special meanings etc like
|
|||
|
--form features.
|
|||
|
|
|||
|
Daniel (11 March 2005)
|
|||
|
- curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was
|
|||
|
built with SSPI support.
|
|||
|
|
|||
|
- Christopher R. Palmer made it possible to build libcurl with the
|
|||
|
USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
|
|||
|
native way to do NTLM. SSPI also allows libcurl to pass on the current user
|
|||
|
and its password in the request.
|
|||
|
|
|||
|
Daniel (9 March 2005)
|
|||
|
- Dan F improved the SSL lib setup in configure.
|
|||
|
|
|||
|
- Nodak Sodak reported a crash when using a SOCKS4 proxy.
|
|||
|
|
|||
|
- Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the
|
|||
|
multi interface code.
|
|||
|
|
|||
|
- Adjusted the man page for the curl_getdate() return value for dates after
|
|||
|
year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it
|
|||
|
returns either the correct value or even -1 on some systems that still seem
|
|||
|
to not deal with this properly. Tor Arntsen found a 64bit AIX system for us
|
|||
|
that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on
|
|||
|
this problem in the first place.
|
|||
|
|
|||
|
Daniel (8 March 2005)
|
|||
|
- Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP
|
|||
|
file got a Last-Modified: header written to the data stream, corrupting the
|
|||
|
actual data. This was because some conditions from the previous FTP code was
|
|||
|
not properly brought into the new FTP code. I fixed and I added test case
|
|||
|
520 to verify. (This bug was introduced in 7.13.1)
|
|||
|
|
|||
|
- Dan Fandrich fixed the configure --with-zlib option to always consider the
|
|||
|
given path before any standard paths.
|
|||
|
|
|||
|
Daniel (6 March 2005)
|
|||
|
- Randy McMurchy was the first to report that valgrind.pm was missing from the
|
|||
|
release archive and thus 'make test' fails.
|
|||
|
|
|||
|
Daniel (5 March 2005)
|
|||
|
- Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files.
|
|||
|
|
|||
|
- Added test case 235 that makes a resumed upload of a file that isn't present
|
|||
|
on the remote side. This then converts the operation to an ordinary STOR
|
|||
|
upload. This was requested/pointed out by Ignacio Vazquez-Abrams.
|
|||
|
|
|||
|
It also proved (and I fixed) a bug in the newly rewritten ftp code (and
|
|||
|
present in the 7.13.1 release) when trying to resume an upload and the
|
|||
|
servers returns an error to the SIZE command. libcurl then loops and sends
|
|||
|
SIZE commands infinitely.
|
|||
|
|
|||
|
- Dan Fandrich fixed a SSL problem introduced on February 9th that made
|
|||
|
libcurl attempt to load the whole random file to seed the PRNG. This is
|
|||
|
really bad since this turns out to be using /dev/urandom at times...
|
|||
|
|
|||
|
Version 7.13.1 (4 March 2005)
|
|||
|
|
|||
|
Daniel (4 March 2005)
|
|||
|
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
|
|||
|
the cookie "engine" without having to provide an empty or non-existing file.
|
|||
|
|
|||
|
- Rene Rebe fixed a -# crash when more data than expected was retrieved.
|
|||
|
|
|||
|
Daniel (22 February 2005)
|
|||
|
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
|
|||
|
http://www.securityfocus.com/archive/1/391042 and the CAN report here:
|
|||
|
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
|
|||
|
|
|||
|
If these security guys were serious, we'd been notified in advance and we
|
|||
|
could've saved a few of you a little surprise, but now we weren't.
|
|||
|
|
|||
|
Daniel (19 February 2005)
|
|||
|
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
|
|||
|
requested data from a host and then followed a redirect to another
|
|||
|
host. libcurl then didn't use the proxy-auth properly in the second request,
|
|||
|
due to the host-only check for original host name wrongly being extended to
|
|||
|
the proxy auth as well. Added test case 233 to verify the flaw and that the
|
|||
|
fix removed the problem.
|
|||
|
|
|||
|
Daniel (18 February 2005)
|
|||
|
- Mike Dobbs reported a mingw build failure due to the lack of
|
|||
|
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
|
|||
|
configure when mingw is used.
|
|||
|
|
|||
|
Daniel (17 February 2005)
|
|||
|
- David in bug report #1124588 found and fixed a socket leak when libcurl
|
|||
|
didn't close the socket properly when returning error due to failing
|
|||
|
localbind
|
|||
|
|
|||
|
Daniel (16 February 2005)
|
|||
|
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
|
|||
|
that picks NTLM. Thanks to David Byron letting me test NTLM against his
|
|||
|
servers, I could quickly repeat and fix the problem. It turned out to be:
|
|||
|
|
|||
|
When libcurl POSTs without knowing/using an authentication and it gets back
|
|||
|
a list of types from which it picks NTLM, it needs to either continue
|
|||
|
sending its data if it keeps the connection alive, or not send the data but
|
|||
|
close the connection. Then do the first step in the NTLM auth. libcurl
|
|||
|
didn't send the data nor close the connection but simply read the
|
|||
|
response-body and then sent the first negotiation step. Which then failed
|
|||
|
miserably of course. The fixed version forces a connection if there is more
|
|||
|
than 2000 bytes left to send.
|
|||
|
|
|||
|
Daniel (14 February 2005)
|
|||
|
- The configure script didn't check for ENGINE_load_builtin_engines() so it
|
|||
|
was never used.
|
|||
|
|
|||
|
Daniel (11 February 2005)
|
|||
|
- Removed all uses of strftime() since it uses the localised version of the
|
|||
|
week day names and month names and servers don't like that.
|
|||
|
|
|||
|
Daniel (10 February 2005)
|
|||
|
- Now the test script disables valgrind-testing when the test suite runs if
|
|||
|
libcurl is built shared. Otherwise valgrind only tests the shell that runs
|
|||
|
the wrapper-script named 'curl' that is a front-end to curl in this case.
|
|||
|
This should also fix the huge amount of reports of false positives when
|
|||
|
valgrind has identified leaks in (ba)sh and not in curl and people report
|
|||
|
that as curl bugs. Bug report #1116672 is one example.
|
|||
|
|
|||
|
Also, the valgrind report parser has been adapted to check that at least one
|
|||
|
of the sources in a stack strace is one of (lib)curl's source files or
|
|||
|
otherwise it will not consider the problem to concern (lib)curl.
|
|||
|
|
|||
|
- Marty Kuhrt streamlined the VMS build.
|
|||
|
|
|||
|
Daniel (9 February 2005)
|
|||
|
- David Byron fixed his SSL problems, initially mentioned here:
|
|||
|
http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
|
|||
|
SSL_pending() as we should.
|
|||
|
|
|||
|
- Converted lots of FTP code to a statemachine, so that the multi interface
|
|||
|
doesn't block while communicating commands-responses with an FTP server.
|
|||
|
|
|||
|
I've added a comment like BLOCKING in the code on all spots I could find
|
|||
|
where we still have blocking operations. When we change curl_easy_perform()
|
|||
|
to use the multi interface, we'll also be able to simplify the code since
|
|||
|
there will only be one "internal interface".
|
|||
|
|
|||
|
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
|
|||
|
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
|
|||
|
like changing directory or retrieving a file, while the second means that we
|
|||
|
were denied login.
|
|||
|
|
|||
|
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
|
|||
|
case of future need.
|
|||
|
|
|||
|
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
|
|||
|
|
|||
|
Daniel (8 February 2005)
|
|||
|
- Gisle fixed problems when libcurl runs out of memory, and worked on making
|
|||
|
sure the proper error code is returned for those occations.
|
|||
|
|
|||
|
Daniel (7 February 2005)
|
|||
|
- Maruko pointed out a problem with inflate decompressing exactly 64K
|
|||
|
contents.
|
|||
|
|
|||
|
Daniel (5 February 2005)
|
|||
|
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
|
|||
|
PORT on ipv6-enabled hosts.
|
|||
|
|
|||
|
- David Byron pointed out we could use BUFSIZE to read data (in
|
|||
|
lib/transfer.c) instead of using BUFSIZE -1.
|
|||
|
|
|||
|
Version 7.13.0 (1 February 2005)
|
|||
|
|
|||
|
Daniel (31 January 2005)
|
|||
|
- Added Lars Nilsson's htmltitle.cc example
|
|||
|
|
|||
|
Daniel (30 January 2005)
|
|||
|
- Fixed a memory leak when using the multi interface and the DO operation
|
|||
|
failed (as in test case 205).
|
|||
|
|
|||
|
- Fixed a valgrind warning for file:// operations.
|
|||
|
|
|||
|
- Fixed a valgrind report in the url globbing code for the curl command line
|
|||
|
tool.
|
|||
|
|
|||
|
- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
|
|||
|
I noticed that it previously didn't detect and report the "Conditional jump
|
|||
|
or move depends on uninitialised value(s)" error. When I fixed this, I
|
|||
|
caught a few curl bugs with it. And then I had to spend time to make the
|
|||
|
test suite IGNORE these errors when OpenSSL is used since it produce massive
|
|||
|
amounts of valgrind warnings (but only of the "Conditional..." kind it
|
|||
|
seems). So, if a test that requires SSL is run, it ignores the
|
|||
|
"Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
|
|||
|
of "valgrind OK".
|
|||
|
|
|||
|
Daniel (29 January 2005)
|
|||
|
- Using the multi interface, and doing a requsted a re-used connection that
|
|||
|
gets closed just after the request has been sent failed and did not re-issue
|
|||
|
a request on a fresh reconnect like the easy interface did. Now it does!
|
|||
|
|
|||
|
- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
|
|||
|
my new curl_easy_perform() that uses the multi interface to run the
|
|||
|
request. It is a great testbed for the multi interface and I believe we
|
|||
|
shall do it this way for real in the future when we have a successor to
|
|||
|
curl_multi_fdset(). I've used this approach to detect and fix several of the
|
|||
|
recent multi-interfaces issues.
|
|||
|
|
|||
|
- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
|
|||
|
bad assumptions.
|
|||
|
|
|||
|
- multi interface: when a request is denied due to "Maximum redirects
|
|||
|
followed" libcurl leaked the last Location: URL.
|
|||
|
|
|||
|
- Connect failures with the multi interface was often returned as "connect()
|
|||
|
timed out" even though the reason was different.
|
|||
|
|
|||
|
Daniel (28 January 2005)
|
|||
|
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
|
|||
|
curl_easy_perform() invokes. It was previously unlocked at disconnect, which
|
|||
|
could mean that it remained locked between multiple transfers. The DNS cache
|
|||
|
may not live as long as the connection cache does, as they are separate.
|
|||
|
|
|||
|
To deal with the lack of DNS (host address) data availability in re-used
|
|||
|
connections, libcurl now keeps a copy of the IP adress as a string, to be
|
|||
|
able to show it even on subsequent requests on the same connection.
|
|||
|
|
|||
|
The problem could be made to appear with this stunt:
|
|||
|
|
|||
|
1. create a multi handle
|
|||
|
2. add an easy handle
|
|||
|
3. fetch a URL that is persistent (leaves the connection alive)
|
|||
|
4. remove the easy handle from the multi
|
|||
|
5. kill the multi handle
|
|||
|
6. create a multi handle
|
|||
|
7. add the same easy handle to the new multi handle
|
|||
|
8. fetch a URL from the same server as before (re-using the connection)
|
|||
|
|
|||
|
- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
|
|||
|
when built ipv6-enabled. I've now made a fix for it. Writing test cases for
|
|||
|
custom port hosts turned too tricky so unfortunately there's none.
|
|||
|
|
|||
|
Daniel (25 January 2005)
|
|||
|
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
|
|||
|
is present in RFC959... so now (lib)curl supports it as well. --ftp-account
|
|||
|
and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
|
|||
|
account string after PASS have been sent away. The client responds
|
|||
|
with "ACCT [account string]".) Added test case 228 and 229 to verify the
|
|||
|
functionality. Updated the test FTP server to support ACCT somewhat.
|
|||
|
|
|||
|
- David Shaw contributed a fairly complete and detailed autoconf test you can
|
|||
|
use to detect libcurl and setup variables for the protocols the installed
|
|||
|
libcurl supports: docs/libcurl/libcurl.m4
|
|||
|
|
|||
|
Daniel (21 January 2005)
|
|||
|
- Major FTP third party transfer overhaul.
|
|||
|
|
|||
|
These four options are now obsolete: CURLOPT_SOURCE_HOST,
|
|||
|
CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
|
|||
|
and CURLOPT_PASV_HOST.
|
|||
|
|
|||
|
These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.
|
|||
|
|
|||
|
The target-side didn't use the proper path with RETR, and thus this only
|
|||
|
worked correctly in the login path (i.e without doing any CWD). The source-
|
|||
|
side still uses a wrong path, but the fix for this will need to wait. Verify
|
|||
|
the flaw by using a source URL with included %XX-codes.
|
|||
|
|
|||
|
Made CURLOPT_FTPPORT control weather the target operation should use PORT
|
|||
|
(or not). The other side thus uses passive (PASV) mode.
|
|||
|
|
|||
|
Updated the ftp3rdparty.c example source to use the updated options.
|
|||
|
|
|||
|
Added support for a second FTP server in the test suite. Named... ftp2.
|
|||
|
Added test cases 230, 231 and 232 as a few first basic tests of very simple
|
|||
|
3rd party transfers.
|
|||
|
|
|||
|
Changed the debug output to include 'target' and 'source' when a 3rd party
|
|||
|
is being made, to make it clearer what commands/responses came on what
|
|||
|
connection.
|
|||
|
|
|||
|
Added three new command line options: --3p-url, --3p-user and --3p-quote.
|
|||
|
|
|||
|
Documented the command line options and the curl_easy_setopt options related
|
|||
|
to third party transfers.
|
|||
|
|
|||
|
(Temporarily) disabled the ability to re-use an existing connection for the
|
|||
|
source connection. This is because it needs to force a new in case the
|
|||
|
source and target is the same host, and the host name check is trickier now
|
|||
|
when the source is identified with a full URL instead of a plain host name
|
|||
|
like before.
|
|||
|
|
|||
|
TODO (short-term) for 3rd party transfers: quote support. The options are
|
|||
|
there, we need to add test cases to verify their functionality.
|
|||
|
|
|||
|
TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
|
|||
|
and SSL/TSL support.
|
|||
|
|
|||
|
Daniel (20 January 2005)
|
|||
|
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
|
|||
|
code was written for it. I fixed and added test case 227 to verify it.
|
|||
|
The curl.1 man page didn't mention the '+' so I added it.
|
|||
|
|
|||
|
Daniel (19 January 2005)
|
|||
|
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
|
|||
|
contains %0a or %0d in the user, password or CWD parts. (A future fix would
|
|||
|
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
|
|||
|
225 and 226 were added to verify this
|
|||
|
|
|||
|
- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:
|
|||
|
|
|||
|
1) the proxy environment variables are still read and used to set HTTP proxy
|
|||
|
|
|||
|
2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
|
|||
|
disabled). This is important since apps may want to disable HTTP proxy
|
|||
|
without actually knowing if libcurl was built to disable HTTP or not.
|
|||
|
|
|||
|
Based on Stephan's patch, both these issues should now be fixed.
|
|||
|
|
|||
|
Daniel (18 January 2005)
|
|||
|
- Cody Jones' enhanced version of Samuel D<>az Garc<72>a's MSVC makefile patch was
|
|||
|
applied.
|
|||
|
|
|||
|
Daniel (16 January 2005)
|
|||
|
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
|
|||
|
assumed this used the DICT protocol. While guessing protocols will remain
|
|||
|
fuzzy, I've now made sure that the host names must start with "[protocol]."
|
|||
|
for them to be a valid guessable name. I also removed "https" as a prefix
|
|||
|
that indicates HTTPS, since we hardly ever see any host names using that.
|
|||
|
|
|||
|
Daniel (13 January 2005)
|
|||
|
- Inspired by Martijn Koster's patch and example source at
|
|||
|
http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
|
|||
|
select() and poll() calls properly loop if they return -1 and errno is
|
|||
|
EINTR. glibc docs for this is found here:
|
|||
|
http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
|
|||
|
|
|||
|
This last link says BSD doesn't have this "effect". Will there be a problem
|
|||
|
if we do this unconditionally?
|
|||
|
|
|||
|
Daniel (11 January 2005)
|
|||
|
- Dan Torop cleaned up a few no longer used variables from David Phillips'
|
|||
|
select() overhaul fix.
|
|||
|
|
|||
|
- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
|
|||
|
using a custom Host: header and curl fails to send a request on a re-used
|
|||
|
persistent connection and thus creates a new connection and resends it. It
|
|||
|
then sent two Host: headers. Cyrill's analysis was posted here:
|
|||
|
http://curl.haxx.se/mail/archive-2005-01/0022.html
|
|||
|
|
|||
|
- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
|
|||
|
problem with the version byte and the check for bad versions. Bruce has lots
|
|||
|
of clues on this, and based on his suggestion I've now removed the check of
|
|||
|
that byte since it seems to be able to contain 1 or 5.
|
|||
|
|
|||
|
Daniel (10 January 2005)
|
|||
|
- Pavel Orehov reported memory problems with the multi interface in bug report
|
|||
|
#1098843. In short, a shared DNS cache was setup for a multi handle and when
|
|||
|
the shared cache was deleted before the individual easy handles, the latter
|
|||
|
cleanups caused read/writes to already freed memory.
|
|||
|
|
|||
|
- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
|
|||
|
remote certificate name when it didn't match the used host name.
|
|||
|
|
|||
|
Gisle (8 January 2005)
|
|||
|
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
|
|||
|
|
|||
|
Daniel (7 January 2005)
|
|||
|
- Improved the test script's valgrind log parser to actually work! Also added
|
|||
|
the ability to disable the log scanner for specific test cases. Test case
|
|||
|
509 results in numerous problems and leaks in OpenSSL and has to get it
|
|||
|
disabled.
|
|||
|
|
|||
|
Daniel (6 January 2005)
|
|||
|
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
|
|||
|
(i.e not in the library).
|
|||
|
|
|||
|
- Bug report #1097019 identified a problem when doing -d "data" with -G and
|
|||
|
sending it to two URLs with {}. Added test 199 to verify the fix.
|
|||
|
|
|||
|
Daniel (4 January 2005)
|
|||
|
- Marty Kuhrt adjusted a VMS build script slightly
|
|||
|
|
|||
|
- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
|
|||
|
Win2000.
|
|||
|
|
|||
|
Daniel (2 January 2005)
|
|||
|
- Alex Neblett updated the MSVC makefiles slightly.
|