Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set post option to false disables upload #9849

Closed
MonkeybreadSoftware opened this issue Nov 3, 2022 · 8 comments
Closed

Set post option to false disables upload #9849

MonkeybreadSoftware opened this issue Nov 3, 2022 · 8 comments
Labels

Comments

@MonkeybreadSoftware
Copy link
Contributor

MonkeybreadSoftware commented Nov 3, 2022

A client updated an application using curl library for sending emails via SMTP.

After "235 Authentication succeeded", we see that CURL sends VRFY commands instead of RCPT TO.

In smtp.c, I see that data->set.upload is not set, but in set opt.c I see it is set.

Later it turns out that setting Post to 0 also sets Upload option to 0.

May it be reasonable to request that setting Post to 1 clears upload flag and setting post to 0 lets it alone?

@MonkeybreadSoftware
Copy link
Contributor Author

MonkeybreadSoftware commented Nov 3, 2022

e.g. in code:

  case CURLOPT_POST:
    /* Does this option serve a purpose anymore? Yes it does, when
       CURLOPT_POSTFIELDS isn't used and the POST data is read off the
       callback! */
    if(va_arg(param, long)) {
      data->set.method = HTTPREQ_POST;
      data->set.opt_no_body = FALSE; /* this is implied */
    }
    else
      data->set.method = HTTPREQ_GET;
    data->set.upload = FALSE;
    break;

move the line "data->set.upload = FALSE;" up three lines into the block for when value is true.

@bagder bagder added the SMTP label Nov 3, 2022
@bagder
Copy link
Member

bagder commented Nov 3, 2022

For what purpose are you setting this option ? I don't think setting upload to false is a bug.

@MonkeybreadSoftware
Copy link
Contributor Author

MonkeybreadSoftware commented Nov 3, 2022

This is for sending email via SMTP.

We use various classes in programming and they have properties for CURL options like post, upload or URL. We transfer them to curl later. We wouldn't expect to set Upload = true and Post = false and then end up having Upload = false.

@bagder
Copy link
Member

bagder commented Nov 4, 2022

You need to provide a better motivation than that. There is no clear "opposite" of POST so its not just a boolean on/off, which is why setting the option to any value will do something. The change here that you don't like fixed a security problem so while I'm prepared to discuss other ways to go about that. It seems to me you can just avoid setting POST in the first place since it is not used for SMTP at all?

@MonkeybreadSoftware
Copy link
Contributor Author

MonkeybreadSoftware commented Nov 4, 2022

Now that I know it, we'll work around it.
e.g. by setting POST before Upload property.

@bagder
Copy link
Member

bagder commented Nov 4, 2022

Why do you set POST at all?

And why do you set POST and UPLOAD?

@MonkeybreadSoftware
Copy link
Contributor Author

MonkeybreadSoftware commented Nov 5, 2022

because a curl object may be reused and I may not now what was set before?

As said, the code used to work and set Post to false and Upload to true for sending an email.

@bagder
Copy link
Member

bagder commented Nov 7, 2022

But there is such thing as "un-POSTING" by setting POST to 0. There is no opposite of POST. You need to instead set what you want it to do. Like UPLOAD.

@bagder bagder closed this as completed Nov 14, 2022
jay added a commit to jay/curl that referenced this issue Nov 18, 2022
Bug: curl#9849
Reported-by:  MonkeybreadSoftware@users.noreply.github.com

Closes #xxxx
jay added a commit to jay/curl that referenced this issue Nov 18, 2022
Bug: curl#9849
Reported-by:  MonkeybreadSoftware@users.noreply.github.com

Closes #xxxx
jay added a commit that referenced this issue Nov 19, 2022
Bug: #9849
Reported-by:  MonkeybreadSoftware@users.noreply.github.com

Closes #9942
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants