Commits on Jan 24, 2012
  1. RELEASE-NOTES: synced with 70f71bb

    Synced and prepared for 7.24.0 release. Two security problems, one bug fix,
    two more contributors.
  2. gnutls: enforced use of SSLv3

    With advice from Nikos Mavrogiannopoulos, changed the priority string to
    add "actual priorities" and favour ARCFOUR. This makes libcurl work
    better when enforcing SSLv3 with GnuTLS. Both in the sense that the
    libmicrohttpd test is now working again but also that it mitigates a
    weakness in the older SSL/TLS protocols.
    Reported by: Christian Grothoff
  3. tests: test CRLF in URLs

    Related to the security vulnerability: CVE-2012-0036
  4. URL sanitize: reject URLs containing bad data

    Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
    decoded manner now use the new Curl_urldecode() function to reject URLs
    with embedded control codes (anything that is or decodes to a byte value
    less than 32).
    URLs containing such codes could easily otherwise be used to do harm and
    allow users to do unintended actions with otherwise innocent tools and
    applications. Like for example using a URL like
    pop3:// when the app wants a URL to get
    a mail and instead this would delete one.
    This flaw is considered a security vulnerability: CVE-2012-0036
    Security advisory at:
    Reported by: Dan Fandrich
  5. OpenSSL: don't disable security work-around

    OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
    ( In 0.9.6e they added a bit
    to SSL_OP_ALL that _disables_ that work-around despite the fact that
    SSL_OP_ALL is documented to do "rather harmless" workarounds.
    The libcurl code uses the SSL_OP_ALL define and thus logically always
    disables the OpenSSL fix.
    In order to keep the secure work-around working, the
    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
    makes sure of this.
    Reported by: product-security at Apple
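
The check described in the "URL sanitize" commit above (CVE-2012-0036), as an added example that is not curl's own code: percent-decode a URL path and reject it if any byte is, or decodes to, a value below 32. The names `decode_reject_ctrl` and `hexval` are hypothetical, and the sample paths are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not curl's Curl_urldecode): hex digit value or -1. */
static int hexval(unsigned char c)
{
  if(isdigit(c)) return c - '0';
  c = (unsigned char)tolower(c);
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode `in` into `out`. Returns the decoded length, or -1 if any
   byte is, or decodes to, a value below 32, or if `out` is too small. */
long decode_reject_ctrl(const char *in, char *out, size_t outsz)
{
  size_t n = 0;
  while(*in) {
    unsigned char byte = (unsigned char)*in;
    int hi = -1, lo = -1;
    /* Only '%' followed by two hex digits is an escape; a stray '%' is
       kept as a literal byte. */
    if(byte == '%' && (hi = hexval((unsigned char)in[1])) >= 0 &&
       (lo = hexval((unsigned char)in[2])) >= 0) {
      byte = (unsigned char)(hi * 16 + lo);
      in += 3;
    }
    else
      in++;
    if(byte < 32)
      return -1;               /* control code, literal or encoded */
    if(n + 1 >= outsz)
      return -1;               /* no room for this byte plus the NUL */
    out[n++] = (char)byte;
  }
  if(outsz == 0) return -1;
  out[n] = '\0';
  return (long)n;
}

int main(void)
{
  /* Constructed sample paths, not taken from the page. */
  const char *paths[] = { "/INBOX%20archive", "/1%0d%0aNOOP", "/1\rX", "/100%" };
  char buf[64];
  for(size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
    printf("%-18s -> %ld\n", paths[i], decode_reject_ctrl(paths[i], buf, sizeof(buf)));
  return 0;
}
```

The rejection happens after decoding, so an encoded CR/LF and a literal one are treated the same way, which is the property the commit message calls out.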
Commits on Jan 22, 2012
  1. RELEASE-NOTES: synced with 6e2fd2c

    3 more bugfixes, 3 more contributors
Commits on Jan 21, 2012
  1. @dfandrich
Commits on Jan 20, 2012
  1. URL parse: user name with ipv6 numerical address

    Using a URL with embedded user name and password didn't work if the host
    was given as a numerical IPv6 string, like ftp://user:password@[::1]/
    Reported by: Brandon Wang
Commits on Jan 19, 2012
  1. @yangtse
  2. @yangtse
  3. @yangtse

    OpenSSL: follow-up for commit a20daf9

    yangtse authored
    avoid checking preprocessor definition official value
  4. @pierrejoye
  5. curl.1: improve --stderr wording

    As is pointed out in this bug report, there can indeed be situations
    where --stderr has a point even when the "real" stderr can be
    redirected. Remove the superfluous and wrong comment.
Commits on Jan 18, 2012
  1. @yangtse
  2. polarssl: show cipher suite name correctly with 1.1.0

    Apparently ssl_get_ciphersuite() is needed to get the name of the used
    cipher suite.
  3. polarssl: show error code correctly

    The value was turned negative when it shouldn't have been
  4. polarssl: havege_rand is not present in version 1.1.0

    ... it is now named havege_random!
    Reported by: Robert Schumann
  5. RELEASE-NOTES: synced with 5d70a61

    5 more bug fixes, 1 more contributor
  6. Add two tests for telnet: URLs

    Colin Hogben authored committed
    Add simple telnet tests which (ab)use the http server.
    The second test checks for an input file handling bug.
  7. Remove bogus optimisation of telnet upload.

    Colin Hogben authored committed
    Remove wrongly implemented optimisation of telnet upload, apparently
    intended to allow the library to avoid manually polling for input.
  8. Use correct file descriptor for telnet upload.

    Colin Hogben authored committed
    Fix a bug where input was read from stdin even when a different FILE *
    had been configured via CURLOPT_READDATA
  9. @yangtse
  10. @yangtse

    OpenSSL: fix PKCS#12 certificate parsing related memory leak

    Johannes Bauer authored yangtse committed
    Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
    and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
  11. @yangtse

    OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer …

    yangtse authored
    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successful
    interoperability with web server Netscape Enterprise Server 2.0.1 released
    back in 1996 more than 15 years ago.
    Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
    become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
    CVE-2010-4180 when using previous OpenSSL versions we no longer enable
    this option regardless of OpenSSL version and SSL_OP_ALL definition.
Commits on Jan 17, 2012
  1. @yangtse
  2. @yangtse

    tests: testtrace.[ch] provides debug callback for libtest usage

    yangtse authored
    Allows tests from the libtest subdir to generate log traces
    similar to those of curl with --tracetime and --trace-ascii
    options but with output going to stderr.
  3. @yangtse
Commits on Jan 16, 2012
  1. @yangtse
  2. @yangtse
  3. url2file: new simple example

    Just showing how to download the contents of a given URL into a local
    Based on a suggestion and example code by Georg Potthast
  4. imap.c: a dead simple imap example

    Just to show that IMAP is used just like other protocols
  5. @yangtse
Commits on Jan 15, 2012
  1. @yangtse