Commits on Feb 6, 2013
  1. Curl_sasl_create_digest_md5_message: fix buffer overflow

    When negotiating SASL DIGEST-MD5 authentication, the function
    Curl_sasl_create_digest_md5_message() uses the data provided from the
    server without doing the proper length checks and that data is then
    appended to a local fixed-size buffer on the stack.
    
    This vulnerability can be exploited by someone who is in control of a
    server that a libcurl based program is accessing with POP3, SMTP or
    IMAP. For applications that accept user provided URLs, it is also
    thinkable that a malicious user would feed an application with a URL to
    a server hosting code targeting this flaw.
    
    Bug: http://curl.haxx.se/docs/adv_20130206.html
    Eldar Zaitov committed with bagder Jan 30, 2013
  2. FEATURES: Removed erroneous whitespace

    Removed whitespace introduced in commit 5f8f20f that caused
    formatting issues when generating the website docs.
    captain-caveman2k committed Feb 6, 2013
  3. setup-vms.h: post VMS patch cleanup - III

    - rename post-config-vms.h to setup-vms.h
    - move its inclusion into proper location in curl_setup.h
    yangtse committed Feb 6, 2013
  4. vms_show: post VMS patch cleanup - II

    - remove multiple declarations of vms_show and add comments
    yangtse committed Feb 6, 2013
  5. tool_main.c: post VMS patch cleanup - I

    - remove header inclusion already done in curl_setup_once.h
    yangtse committed Feb 6, 2013
  6. FEATURES: Added email feature set

    Added SMTP, SMTPS, POP3, POP3S, IMAP and IMAPS features.
    captain-caveman2k committed Feb 6, 2013
Commits on Feb 5, 2013
  1. imap.h: Corrected incorrect comment clarification

    Corrected comment clarification made in commit 167717b.
    captain-caveman2k committed Feb 5, 2013
  2. RELEASE-NOTES: synced with 25f3514

    8 more bug fixes mentioned
    bagder committed Feb 5, 2013
  3. VMS: fix and generate the VMS build config

    config_h.com is a new file that generates a config.h file based on the
    curl_config.h.in file and a quick scan of the configure script.  This is
    actually a generic procedure that is shared with other VMS packages.
    
    The existing pre-built config-vms.h had over 100 entries that were not
    correct and in some cases conflicted with the build options available in
    the build_vms.com.
    
    generate_config_vms_h_curl.com is a helper procedure to the
    config_h.com.  It covers the cases that the generic config_h.com is not
    able to figure out, and accepts input from the build_vms.com procedure.
    
    build_curlbuild_h.com is a new file to generate the curlbuild.h file
    that Curl is now using when it is using a curl_config.h file.
    
    post-config-vms.h is a new file that is needed to provide VMS specific
    definitions, and most of them need to be set before the system header
    files are included.
    
    The VMS build procedure is fixed:
    
       1. Fixed to link in the correct HP ssl library.
       2. Fixed to detect if HP Kerberos is installed.
       3. Fixed to detect if HP LDAP is installed.
       4. Fixed to detect if gnv$libzshr is installed.
       5. Simplified the input parameter parsing to not use a loop.
       6. Warn that 64 bit pointer option support is not complete
          in comments.
       7. Default to IEEE floating if platform supports it so
          resulting libcurl will be compatible with other
          open source projects on VMS.
       8. Default to LARGEFILE if platform supports it.
       9. Default to enable SSL, LDAP, Kerberos, libz
          if the libraries are present.
       10. Build with exact case global symbols for libcurl.
       11. Generate linker option file needed.
       12. Compiler list option only commonly needed items.
       13. fulllist option for those who really want it.
       14. Create debug symbol file on Alpha, IA64.
    wb8tyw committed with bagder Feb 4, 2013
  4. Curl_proxyCONNECT: return once CONNECT is sent

    By doing this unconditionally, we infer a simpler and more defined
    behavior. This also has the upside that test 1021 no longer fails for me
    even if I run with valgrind.
    
    Also fixed some wrong comments.
    bagder committed Feb 5, 2013
  5. email: Reworked comments in the endofresp() functions

    Tidied up the comments in the endofresp() functions to be more
    meaningful prior to release.
    captain-caveman2k committed Feb 5, 2013
  6. schannel: Removed extended error connection setup flag

    According to KB975858 this flag may cause problems on Windows 7 and
    Windows Server 2008 R2 systems. Extended error information is not
    currently used by libcurl and therefore not a requirement.
    
    The flag may improve the SSL-connection shutdown in case of an
    error. This means it might be a good improvement in the future.
    
    Fixes bug/issue #1187 - thanks for the report
    mback2k committed Feb 5, 2013
  7. singleipconnect: Update *sockp for all CURLE_OK

    The 56b7c87 change left a case where a good sockfd was not copied to
    *sockp before returning with CURLE_OK
    Tor Arntsen committed with bagder Feb 5, 2013
  8. curl_easy_perform: Value stored to 'mcode' is never read

    pointed out by clang-analyzer
    bagder committed Feb 5, 2013
  9. singleipconnect: remove dead assignment

    pointed out by clang-analyzer
    bagder committed Feb 5, 2013
  10. CURLMOPT_MAXCONNECTS: restore functionality

    When a connection is no longer used, it is kept in the cache. If the
    cache is full, the oldest idle connection is closed. If no connection is
    idle, the current one is closed instead.
    linusnielsen committed Feb 5, 2013
  11. RELEASE-NOTES: Updated following recent changes to the email protocols

    Added recent additions and fixes following the changes to imap, pop3
    and smtp. Additionally added another contributor that helped to test
    the imap sasl changes.
    captain-caveman2k committed Feb 5, 2013
Commits on Feb 4, 2013
  1. email: Provided extra comments following recent pop3/imap fixes

    Provided additional clarification about the logic of the authenticate()
    functions following commit 6b6bdc8 and b4270a9.
    captain-caveman2k committed Feb 4, 2013
  2. FAQ: clarify 5.13 How do I stop an ongoing transfer

    Rich Gray provided good feedback and we now clarify that you can in fact
    stop a multi transfer at any point you like by removing the easy handle.
    bagder committed Feb 4, 2013
  3. cmake: Fix mingw build

    arsenm committed with bagder Feb 4, 2013
  4. cmake: updated OpenSSL build

    snikulov committed with bagder Jan 17, 2013
  5. pop3.c: Updated variable names to use shorter / more readable variant

    Tidied up code from commit 6b6bdc83bd Updated where a few instances of
    the pop3c struct variable used the longer conndata struct rather than
    matching what other code in pop3_authenticate() used.
    captain-caveman2k committed Feb 4, 2013
  6. updated copyright years.

    gknauf committed Feb 4, 2013
Commits on Feb 3, 2013
  1. imap: Fixed no known authentication mechanism when fallback is required

    Fixed an issue where (lib)curl is compiled without support for a
    supported challenge-response based SASL authentication mechanism, such
    as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
    mechanisms and (lib)curl doesn't fall back to Clear Text authentication.
    
    Note: In order to fall back to Clear Text authentication properly this
    fix adds support for the LOGINDISABLED server capability.
    
    Related bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
    Reported by: Stanislav Ivochkin
    captain-caveman2k committed Feb 3, 2013
  2. pop3: Fixed no known authentication mechanism when fallback is required

    Fixed an issue where (lib)curl is compiled without support for a
    supported challenge-response based SASL authentication mechanism, such
    as CRAM-MD5 or NTLM, the server doesn't support the LOGIN or PLAIN
    mechanisms and (lib)curl doesn't fall back to APOP or Clear Text
    authentication.
    
    Bug: http://curl.haxx.se/mail/lib-2013-02/0004.html
    Reported by: Stanislav Ivochkin
    captain-caveman2k committed Feb 3, 2013
Commits on Feb 1, 2013
  1. singleipconnect: simplify and clean up

    Remove timeout argument that's never used.
    
    Make the actual connection get detected on a single spot to reduce code
    duplication.
    
    Store the IPv6 state already when the connection is attempted.
    bagder committed Jan 31, 2013
  2. Curl_perform: removed

    Curl_perform is no longer used anywhere since the always-multi commit
    c431274, and some related functions were used only from within
    Curl_perform.
    bagder committed Jan 31, 2013
Commits on Jan 30, 2013
  1. Updated date.

    gknauf committed Jan 30, 2013