Commit Graph

5971 Commits

Author SHA1 Message Date
Yang Tse
8af4b657d0 fix some compiler warnings 2012-03-16 19:06:34 +01:00
Maxim Prohorov
97386c3c84 resolve with c-ares: don't resolve IPv6 when not working
If the Curl_ipv6works() function says no, there is no reason to try AAAA
names even if libcurl was built with IPv6 support enabled.

Bug: http://curl.haxx.se/mail/lib-2012-03/0045.html
2012-03-13 22:52:39 +01:00
Steve Holme
e25590a2b3 smtp.c: Changed the curl error code for EHLO and HELO responses
Changed the returned curl error codes for EHLO and HELO responses from
CURLE_LOGIN_DENIED to CURLE_REMOTE_ACCESS_DENIED as a negative response
from these commands represents no service as opposed to a login error.
2012-03-10 22:03:42 +00:00
Andrei Cipu
e650dbde86 Curl_http: strip off [brackets] from ipv6-only host headers
Since the host name is passed in to the cookie engine it will not work
correctly if the brackets are left in the name.

Bug:http://curl.haxx.se/mail/lib-2012-03/0036.html
2012-03-10 16:48:59 +01:00
John Joseph Bachir
9f0e1689f1 mk-ca-bundle.pl: use LWP::UserAgent with proper https verify behavior.
An alternative would be:

1. specify HTTPS_CA_DIR and/or HTTPS_CA_FILE
2. ensure that Net::SSL is being used, and IO::Socket::SSL is NOT being
   used

This question and answer explain:
http://stackoverflow.com/questions/74358/
2012-03-10 15:51:24 +01:00
John Joseph Bachir
f7e2ab629e access the CA source file using HTTPS 2012-03-10 15:50:27 +01:00
Daniel Stenberg
2764bf2c5b includes: remove inclusion of unused file http_proxy.h 2012-03-09 00:05:24 +01:00
Daniel Stenberg
41b0237834 CONNECT: made generically not per-protocol
Curl_protocol_connect() now does the tunneling through the HTTP proxy if
requested instead of letting each protocol specific connection function
do it.
2012-03-08 23:31:38 +01:00
Daniel Stenberg
cabd010dd4 ssh_connect: tunnel through HTTP proxy if requested 2012-03-08 21:47:54 +01:00
Daniel Stenberg
c55a0809bb LWIP: don't consider HAVE_ERRNO_H to be winsock
The check for Winsock definition was a bit too broad

Bug: http://curl.haxx.se/mail/lib-2012-03/0046.html
2012-03-08 21:25:35 +01:00
Daniel Stenberg
79b6f4a2d3 CONNECT: fix ipv6 address in the Request-Line
Commit 466150bc64 fixed the Host: header with CONNECT, but I then
forgot the preceeding request-line. Now this too uses [brackets]
properly if a ipv6 numerical address was given.

Bug: http://curl.haxx.se/bug/view.cgi?id=3493129
Reported by: "Blacat"
2012-02-24 23:33:14 +01:00
Steve Holme
5430007222 SMTP: Added support for returning SMTP response codes
Set the conn->data->info.httpcode variable in smtp_statemach_act() to
allow Curl_getinfo() to return the SMTP response code via the
CURLINFO_RESPONSE_CODE action.
2012-02-23 23:29:03 +01:00
Steve Holme
2f1ad7d6e2 smtp.c: Fixed an issue with writing postdata
Fixed a problem in smtp_done() when writing out the postdata as
Curl_write() would periodically return zero bytes written.
2012-02-21 22:50:46 +01:00
Steve Holme
035ef06bda pop3.c: Fixed drop of final CRLF in EOB checking
Curl_pop3_write() would drop the final CRLF of a message as it was
considered part of the EOB as opposed to part of the message. Whilst
the EOB sequence needs to be searched for by the function only the
final 3 characters should be removed as per RFC-1939 section 3.

Reported by: Rich Gray
Bug: http://curl.haxx.se/mail/lib-2012-02/0051.html
2012-02-19 23:48:14 +01:00
Steve Holme
3d98aed5b3 smtp.c: Fixed an issue with the EOB checking
Curl_smtp_escape_eob() would leave off final CRLFs from emails ending
in multiple blank lines additionally leaving the smtpc->eob variable
with the character count in, which would cause problems for additional
emails when sent through multiple calls to curl_easy_perform() after a
CURLOPT_CONNECT_ONLY.
2012-02-17 22:47:19 +01:00
Steve Holme
5c409d03ec SMTP: Code policing and tidy up 2012-02-16 13:20:34 +01:00
Steve Holme
b685481d52 smtp.c: Fixed use of angled brackets in AUTH parameter.
Fixed the use of angled brackets "<>" in the optional AUTH parameter as
per RFC-2554 section 5. The address should not include them but an
empty address should be replaced by them.
2012-02-15 21:51:45 +01:00
Steve Holme
0cf0ab6f30 smtp_mail: Added support to MAIL FROM for the optional AUTH parameter
Added a new CURLOPT_MAIL_AUTH option that allows the calling program to
set the optional AUTH parameter in the MAIL FROM command.

When this option is specified and an authentication mechanism is used
to communicate with the mail server then the AUTH parameter will be
included in the MAIL FROM command. This is particularly useful when the
calling program is acting as a relay in a trusted environment and
performing server to server communication, as it allows the relaying
server to specify the address of the mailbox that was used to
authenticate and send the original email.
2012-02-14 22:50:49 +01:00
toddouska
ee7e4fc1d1 cyassl: update to CyaSSL 2.0.x API
Modify configure.ac to test for new CyaSSL Init function and remove
default install path to system.  Change to CyaSSL OpenSSL header and
proper Init in code as well.

Note that this no longer detects or works with CyaSSL before v2
2012-02-14 19:49:54 +01:00
Steve Holme
69406f0be7 SMTP: Fixed error when using CURLOPT_CONNECT_ONLY
Fixed incorrect behavior in smtp_done() which would cause the end of
block data to be sent to the SMTP server if libcurl was operating in
connect only mode. This would cause the server to return an error as
data would not be expected which in turn caused libcurl to return
CURLE_RECV_ERROR.
2012-02-14 19:12:28 +01:00
Daniel Stenberg
7ed25fcc5c parse_proxy: simply memory handling
... by making sure that the string is always freed after the invoke as
parse_proxy will always copy the data and this way there's a single
free() instead of multiple ones.
2012-02-10 17:00:55 +01:00
Daniel Stenberg
ecc93caaeb parse_proxy: bail out on zero-length proxy names!
The proxy parser function strips off trailing slashes off the proxy name
which could lead to a mistaken zero length proxy name which would be
treated as no proxy at all by subsequent functions!

This is now detected and an error is returned. Verified by the new test
1329.

Reported by: Chandrakant Bagul
Bug: http://curl.haxx.se/mail/lib-2012-02/0000.html
2012-02-10 16:26:20 +01:00
Kamil Dudka
ebf3138992 nss: add support for the CURLSSLOPT_ALLOW_BEAST option
... and fix some typos from the 62d15f1 commit.
2012-02-09 23:25:55 +01:00
Daniel Stenberg
2a699bc6e9 CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.

It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.

This is a reaction to us unconditionally removing that behavior after
this security advisory:

http://curl.haxx.se/docs/adv_20120124B.html

... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
2012-02-09 22:22:54 +01:00
Dave Reisner
705f0f7a5b add library support for tuning TCP_KEEPALIVE
This adds three new options to control the behavior of TCP keepalives:

- CURLOPT_TCP_KEEPALIVE: enable/disable probes
- CURLOPT_TCP_KEEPIDLE: idle time before sending first probe
- CURLOPT_TCP_KEEPINTVL: delay between successive probes

While not all operating systems support the TCP_KEEPIDLE and
TCP_KEEPINTVL knobs, the library will still allow these options to be
set by clients, silently ignoring the values.
2012-02-09 18:53:51 +01:00
Daniel Stenberg
ea055407fa curl_easy_reset: reset the referer string
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly
clear it.

Verified with the new test 598

Bug: http://curl.haxx.se/bug/view.cgi?id=3481551
Reported by: Michael Day
2012-02-07 23:07:43 +01:00
Daniel Stenberg
466150bc64 CONNECT: send correct Host: with IPv6 numerical address
When the target host was given as a IPv6 numerical address, it was not
properly put within square brackets for the Host: header in the CONNECT
request. The "normal" request did fine.

Reported by: "zooloo"
Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
2012-01-31 22:52:10 +01:00
Pierre Ynard
f4d3c0cbfb more resilient connection times among IP addresses
When connecting to a domain with multiple IP addresses, allow different,
decreasing connection timeout values. This should guarantee some
connections attempts with sufficiently long timeouts, while still
providing fallback.
2012-01-28 14:00:52 +01:00
Pierre Ynard
4d2737bcb2 remove write-only variable 2012-01-28 13:58:49 +01:00
Daniel Stenberg
70f71bb99f gnutls: enforced use of SSLv3
With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
2012-01-24 08:54:26 +01:00
Daniel Stenberg
75ca568fa1 URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).

URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.

This flaw is considered a security vulnerability: CVE-2012-0036

Security advisory at: http://curl.haxx.se/docs/adv_20120124.html

Reported by: Dan Fandrich
2012-01-24 08:54:26 +01:00
Daniel Stenberg
db1a856b4f OpenSSL: don't disable security work-around
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around workding, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple
2012-01-24 08:54:26 +01:00
Daniel Stenberg
7883cd5af3 URL parse: user name with ipv6 numerical address
Using a URL with embedded user name and password didn't work if the host
was given as a numerical IPv6 string, like ftp://user:password@[::1]/

Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20 23:32:43 +01:00
Yang Tse
d7af7de5b2 telnet.c: fix OOM triggered segfault 2012-01-20 00:11:15 +01:00
Yang Tse
e64d332e79 OpenSSL: follow-up for commit a20daf90e3
avoid checking preprocessor definition official value
2012-01-19 22:29:00 +01:00
Yang Tse
d56b4c3f89 ssl session caching: fix compiler warnings 2012-01-18 23:42:39 +01:00
Daniel Stenberg
d1becc3231 polarssl: show cipher suite name correctly with 1.1.0
Apparently ssl_get_ciphersuite() is needed to get the name of the used
cipher suite.
2012-01-18 23:19:37 +01:00
Daniel Stenberg
f55f95d49c polarssl: show error code correctly
The value was turned negative when it shouldn't have been
2012-01-18 23:19:01 +01:00
Daniel Stenberg
61d31a3caf polarssl: havege_rand is not present in version 1.1.0
... it is now named havege_random!

Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18 23:17:54 +01:00
Colin Hogben
4563eeb9f4 Use correct file descriptor for telnet upload.
Fix a bug where input was read from stdin even when a different FILE *
had been configured via CURLOPT_READDATA
2012-01-18 22:17:10 +01:00
Yang Tse
2cafb0e97c OpenLDAP: fix LDAP connection phase memory leak
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18 16:06:29 +01:00
Johannes Bauer
6ea7acf5a9 OpenSSL: fix PKCS#12 certificate parsing related memory leak
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18 13:39:12 +01:00
Yang Tse
a20daf90e3 OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.

Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-18 11:59:20 +01:00
Yang Tse
0ce2bca741 add LF termination to infof() trace string 2012-01-16 21:14:05 +01:00
Yang Tse
6d62c5a6fc Curl_proxyCONNECT() trace known bug #39 2012-01-15 19:21:55 +01:00
Yang Tse
8e82ef9c32 http_negotiate_sspi.c: fix compiler warning 2012-01-13 13:34:43 +01:00
Yang Tse
d016f5f5f5 ssh.c: fix compiler warning 2012-01-13 12:57:09 +01:00
Daniel Stenberg
9f20379fe4 hostip: avoid getaddrinfo when c-ares is used
Some functions using getaddrinfo and gethostbyname were still
mistakingly being used/linked even if c-ares was selected as resolver
backend.

Reported by: Arthur Murray
Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-12 23:13:19 +01:00
gsengun
d28411c3cc FTP: CURLE_PARTIAL_FILE should not cause control connection to be closed
Test 161 updated accordingly
2012-01-09 22:50:20 +01:00
Yang Tse
f34ddb90e6 lib/setup.h: portable symbolic names for Winsock shutdown() mode flags 2012-01-08 02:32:51 +01:00