- David Kierznowski notified us about a security flaw
  (http://curl.haxx.se/docs/adv_20090303.html also known as CVE-2009-0037) in
  which previous libcurl versions (by design) can be tricked to access an
  arbitrary local/different file instead of a remote one when
  CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
  together with the addition of two new setopt options for controlling this
  new behavior:

  o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
  follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
  excludes the FILE and SCP protocols and thus you need to explicitly allow
  them in your app if you really want that behavior.

  o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
  using the primary URL option. This is useful if you want to allow a user or
  other outsiders to control what URL to pass to libcurl and yet not allow all
  protocols libcurl may have been built to support.
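The two allow-lists the commit message describes, reduced to an added C model that is not libcurl's own code: a URL scheme is mapped to one bit, and that bit is checked against a primary mask (the CURLOPT_PROTOCOLS idea) or a separate redirect mask (the CURLOPT_REDIR_PROTOCOLS idea), with the 7.19.4 default of refusing FILE and SCP on redirects. The PROTO_* names, the masks and the sample Location: values are constructed for this example; in a real application the corresponding calls are curl_easy_setopt(handle, CURLOPT_PROTOCOLS, ...) and curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS, ...) with libcurl's CURLPROTO_* bits.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed protocol bits, modelled on the shape of libcurl's CURLPROTO_*
 * values but not taken from libcurl. One bit per scheme. */
enum {
    PROTO_HTTP  = 1u << 0,
    PROTO_HTTPS = 1u << 1,
    PROTO_FTP   = 1u << 2,
    PROTO_FILE  = 1u << 3,
    PROTO_SCP   = 1u << 4,
    PROTO_ALL   = 0x1f
};

/* Redirect default as the commit message describes it: everything except
 * FILE and SCP. The primary default stays "all built-in protocols". */
#define REDIR_DEFAULT (PROTO_ALL & ~(PROTO_FILE | PROTO_SCP))

/* Map the scheme of a URL to its protocol bit. Unknown scheme or no scheme
 * at all yields 0, so anything unrecognised is denied rather than allowed.
 * The comparison is case-insensitive because scheme names are. */
static unsigned scheme_bit(const char *url) {
    static const struct { const char *name; unsigned bit; } table[] = {
        {"https", PROTO_HTTPS}, {"http", PROTO_HTTP}, {"ftp", PROTO_FTP},
        {"file", PROTO_FILE},   {"scp", PROTO_SCP},
    };
    const char *colon = strchr(url, ':');
    if (!colon) return 0;
    size_t len = (size_t)(colon - url);
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strlen(table[i].name) != len) continue;
        size_t j = 0;
        while (j < len && tolower((unsigned char)url[j]) == table[i].name[j]) {
            j++;
        }
        if (j == len) return table[i].bit;
    }
    return 0;
}

/* Primary request: may this URL be fetched under the given allow-mask?
 * Returns 1 for allowed, 0 for refused. */
int allow_primary(unsigned primary_mask, const char *url) {
    unsigned bit = scheme_bit(url);
    return bit != 0 && (primary_mask & bit) != 0;
}

/* Redirect: may a Location: target be followed under the given allow-mask?
 * Checked separately from the primary mask, as the new option does. */
int allow_redirect(unsigned redirect_mask, const char *location) {
    unsigned bit = scheme_bit(location);
    return bit != 0 && (redirect_mask & bit) != 0;
}

int main(void) {
    /* Constructed redirect target: a remote server answering an http://
     * request with a Location: pointing at a local file. */
    const char *loc = "file:///path/to/local/file";
    printf("follow-anything policy follows it: %d\n", allow_redirect(PROTO_ALL, loc));
    printf("7.19.4 default follows it:         %d\n", allow_redirect(REDIR_DEFAULT, loc));
    /* App-chosen primary policy: only http/https from user-supplied URLs. */
    printf("strict primary accepts ftp:// URL: %d\n",
           allow_primary(PROTO_HTTP | PROTO_HTTPS, "ftp://example.com/"));
    return 0;
}
```

The split into two masks is the point of the change: an application that must accept user-supplied URLs can keep the primary mask narrow, and even an application that allows every scheme for its own URL no longer follows a server-chosen redirect into file:// or scp:// unless it opts in.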
This commit is contained in:
Daniel Stenberg
2009-03-02 23:05:31 +00:00
parent 90b804d3fa
commit 042cc1f69e
7 changed files with 152 additions and 16 deletions
@@ -2,11 +2,16 @@ Curl and libcurl 7.19.4
Public curl releases: 110
Command line options: 132
curl_easy_setopt() options: 161
curl_easy_setopt() options: 163
Public functions in libcurl: 58
Known libcurl bindings: 38
Contributors: 700
This release includes the following security-related fix:
o CVE-2009-0037 with the curl advisory here:
http://curl.haxx.se/docs/adv_20090303.html
This release includes the following changes:
o Added CURLOPT_NOPROXY and the corresponding --noproxy
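Review bot: The new security-related entry names only the CVE and the advisory URL; a one-line summary of the flaw (CURLOPT_FOLLOWLOCATION could be redirected to a local file) next to "o CVE-2009-0037 with the curl advisory here:" would let readers of RELEASE-NOTES judge exposure without fetching the advisory. The option count moving from 161 to 163 matches the two options added in this commit, so that part is consistent.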
@@ -24,6 +29,7 @@ This release includes the following changes:
o CURLOPT_FTP_CREATE_MISSING_DIRS can now be set to 2 to retry the CWD even
when MKD fails
o GnuTLS initing moved to curl_global_init()
o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS
This release includes the following bugfixes:
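Review bot: The changes entry "o Added CURLOPT_REDIR_PROTOCOLS and CURLOPT_PROTOCOLS" lists the names only, but the commit message says the redirect default now excludes FILE and SCP; since that is a behaviour change applications may notice even if they never call the new options, state the new default in the entry as well.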
@@ -59,6 +65,6 @@ advice from friends like these:
Patrick Scott, Hidemoto Nakada, Jocelyn Jaubert, Andre Guibert de Bruet,
Kamil Dudka, Patrik Thunstrom, Linus Nielsen Feltzing, Mark Incley,
Daniel Johnson, James Cheng, Brian J. Murrell, Senthil Raja Velu,
Markus Koetter
Markus Koetter, David Kierznowski, Michal Marek
Thanks! (and sorry if I forgot to mention someone)
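Review bot: The thanks line gains David Kierznowski and Michal Marek, but the commit message credits only Kierznowski (the report); a short mention of what Michal Marek contributed would make the second credit traceable from the commit itself.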