Commits on Mar 2, 2009
  1. - David Kierznowski notified us about a security flaw

    bagder committed Mar 2, 2009
      (also known as CVE-2009-0037) in
      which previous libcurl versions (by design) can be tricked to access an
      arbitrary local/different file instead of a remote one when
      CURLOPT_FOLLOWLOCATION is enabled. This flaw is now fixed in this release
      together with the addition of two new setopt options for controlling this
      new behavior:
      o CURLOPT_REDIR_PROTOCOLS controls what protocols libcurl is allowed to
      follow to when CURLOPT_FOLLOWLOCATION is enabled. By default, this option
      excludes the FILE and SCP protocols and thus you need to explicitly allow
      them in your app if you really want that behavior.
      o CURLOPT_PROTOCOLS controls what protocol(s) libcurl is allowed to fetch
      using the primary URL option. This is useful if you want to allow a user or
      other outsiders to control what URL to pass to libcurl and yet not allow all
      protocols libcurl may have been built to support.
  2. the Eiffel binding

    bagder committed Mar 2, 2009
Commits on Mar 1, 2009
  1. nothing more left for 7.19.4, the issue #216 is moved to 7.19.5 since we're

    bagder committed Mar 1, 2009
    too close to release now
Commits on Feb 28, 2009
  1. fix compiler warning

    yangtse committed Feb 28, 2009
Commits on Feb 27, 2009
  1. mention the '-o -' trick

    bagder committed Feb 27, 2009
  2. 217 - Dan Fandrich's "GnuTLS initialization thread safety"

    bagder committed Feb 27, 2009
    218 - Senthil Raja Velu's "CURLOPT_LOCALPORT option broken", patch by
          Markus Koetter
    Both are now committed
  3. - Senthil Raja Velu reported a problem when CURLOPT_INTERFACE and

    bagder committed Feb 27, 2009
      CURLOPT_LOCALPORT were used together (the local port bind failed), and
      Markus Koetter provided the fix!
Commits on Feb 25, 2009
  1. - As Daniel Fandrich figured out, we must do the GnuTLS initing in the

    bagder committed Feb 25, 2009
      curl_global_init() function to properly maintain the performing functions
      thread-safe. We've previously (28 April 2007) moved the init to a later time
      just to avoid it to fail very early when libgcrypt dislikes the situation,
      but that move was bad and the fix should rather be in libgcrypt or
Commits on Feb 24, 2009
  1. improved

    bagder committed Feb 24, 2009
  2. A handy little helper file for doing recursive diffs on curl source/build trees

    bagder committed Feb 24, 2009
    without involving CVS:
    diff -X diff-exclude -ru curl-old curl-patched
  3. - Brian J. Murrell found out that Negotiate proxy authentication didn't work.

    bagder committed Feb 24, 2009
      It happened because the code used the struct for server-based auth all the
      time for both proxy and server auth which of course was wrong.
Commits on Feb 23, 2009
  1. - After a bug reported by James Cheng I've made curl_easy_getinfo() for

    bagder committed Feb 23, 2009
      -1 if the sizes aren't known. Previously these returned 0, making it impossible
      to detect the difference between actually zero and unknown.
  2. For 7.19.5 (due to feature freeze)

    bagder committed Feb 23, 2009
    220 - Take advantage of libssh2_version() that's been added for the upcoming
          1.1, to extract the run-time version number properly.
  3. Daniel Johnson provided a shell script that will perform all the steps needed

    yangtse committed Feb 23, 2009
    to build a Mac OS X fat ppc/i386 or ppc64/x86_64 libcurl.framework
  4. mention default port number

    bagder committed Feb 23, 2009
  5. - I renamed everything in the windows builds files that used the name 'curllib'

    bagder committed Feb 23, 2009
      to the proper 'libcurl' as clearly this caused confusion.
Commits on Feb 20, 2009
  1. the FTP multi interface bug

    bagder committed Feb 20, 2009
  2. - Linus Nielsen Feltzing reported and helped me repeat and fix a problem with

    bagder committed Feb 20, 2009
      FTP with the multi interface: when a transfer fails, like when aborted by a
      write callback, the control connection was wrongly closed and thus not
      re-used properly.
      This change is also an attempt to clean up the code somewhat in this area, as
      now the FTP code attempts to keep (better) track of pending responses
      necessary to get read in ftp_done().
Commits on Feb 19, 2009
  1. verify that a 550-response for a RETR returns 78 but also that the co…

    bagder committed Feb 19, 2009
    connection is kept alive afterwards
  2. - Patrik Thunstrom reported a problem and helped me repeat it. It turned out

    bagder committed Feb 19, 2009
      libcurl did a superfluous 1000ms wait when doing SFTP downloads!
      We read data with libssh2 while doing the "DO" operation for SFTP and then
      when we were about to start getting data for the actual file part, the
      "TRANSFER" part, we waited for socket action (in 1000ms) before doing a
      libssh2-read. But in this case libssh2 had already read and buffered the
      data so we ended up always just waiting 1000ms before we get working on the
Commits on Feb 18, 2009
  1. FTP downloads (i.e.: RETR) ending with code 550 now return error CURL…

    Patrick Monnerat authored and Patrick Monnerat committed Feb 18, 2009