Commits on Jan 28, 2012
  1. Explicitly link to the nettle/gcrypt libraries

    When support for nettle was added in 64f328c, I overlooked
    the fact that AC_CHECK_LIB doesn't add the tested lib to LIBS
    if the check succeeded, if a custom success code block was present.
    (The previous version of the check had an empty block for
    successful checks, adding the lib to LIBS implicitly.)
    
    Therefore, explicitly add either nettle or gcrypt to LIBS, after
    deciding which one to use. Even if they can be linked in
    transitively, it is safer to actually link explicitly to them.
    
    This fixes building with gnutls with linkers that don't allow
    linking transitively, such as for windows.
    mstorsjo committed with bagder Jan 26, 2012
  2. more resilient connection times among IP addresses

    When connecting to a domain with multiple IP addresses, allow different,
    decreasing connection timeout values. This should guarantee some
    connection attempts with sufficiently long timeouts, while still
    providing fallback.
    linkfanel committed with bagder Jan 23, 2012
  3. remove write-only variable

    linkfanel committed with bagder Jan 23, 2012
Commits on Jan 26, 2012
  1. - fix IPV6 and IDN options

    pierrejoye committed Jan 26, 2012
Commits on Jan 25, 2012
  1. TODO-RELEASE: added item #308

    yangtse committed Jan 25, 2012
Commits on Jan 24, 2012
  1. RELEASE-NOTES: synced with 70f71bb

    Synced and prepared for 7.24.0 release. Two security problems, one bug fix,
    two more contributors.
    bagder committed Jan 24, 2012
  2. gnutls: enforced use of SSLv3

    With advice from Nikos Mavrogiannopoulos, changed the priority string to
    add "actual priorities" and favour ARCFOUR. This makes libcurl work
    better when enforcing SSLv3 with GnuTLS. Both in the sense that the
    libmicrohttpd test is now working again but also that it mitigates a
    weakness in the older SSL/TLS protocols.
    
    Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
    Reported by: Christian Grothoff
    bagder committed Jan 23, 2012
  3. tests: test CRLF in URLs

    Related to the security vulnerability: CVE-2012-0036
    
    Bug: http://curl.haxx.se/docs/adv_20120124.html
    bagder committed Jan 11, 2012
  4. URL sanitize: reject URLs containing bad data

    Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
    decoded manner now use the new Curl_urldecode() function to reject URLs
    with embedded control codes (anything that is or decodes to a byte value
    less than 32).
    
    URLs containing such codes could easily otherwise be used to do harm and
    allow users to do unintended actions with otherwise innocent tools and
    applications. Like for example using a URL like
    pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
    a mail and instead this would delete one.
    
    This flaw is considered a security vulnerability: CVE-2012-0036
    
    Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
    
    Reported by: Dan Fandrich
    bagder committed Dec 23, 2011
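As an added illustration of the sanitizing rule this commit message describes (example code, not curl's own Curl_urldecode), the C function below decodes %XX escapes in a URL path and rejects any byte that is, or decodes to, a control character (value below 32). Treating a '%' that is not followed by two hex digits as a literal percent sign is an assumption of this example, as is the hypothetical helper name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not curl's code: value of one hex digit, or -1. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode %XX escapes in 'in' into a newly allocated, NUL-terminated buffer.
 * Returns 0 and stores the buffer in *out (length in *outlen) on success,
 * -1 if any byte is, or decodes to, a control code (< 32), and -2 on
 * allocation failure. A '%' not followed by two hex digits is kept literally
 * (assumption of this example). The caller frees *out.
 */
int urldecode_reject_ctrl(const char *in, char **out, size_t *outlen) {
    size_t len = strlen(in);
    char *buf = malloc(len + 1);   /* decoded form is never longer than input */
    size_t o = 0;
    if (!buf) return -2;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)((hi << 4) | lo);
                i += 2;
            }
        }
        /* Reject raw or decoded control codes: CR/LF would otherwise let a
           crafted path inject extra protocol commands (e.g. "DELE 1"). */
        if (c < 32) {
            free(buf);
            return -1;
        }
        buf[o++] = (char)c;
    }
    buf[o] = '\0';
    *out = buf;
    if (outlen) *outlen = o;
    return 0;
}

/* Convenience wrapper: 1 if the path is acceptable, 0 otherwise. */
int url_path_is_safe(const char *path) {
    char *decoded = NULL;
    int rc = urldecode_reject_ctrl(path, &decoded, NULL);
    free(decoded);
    return rc == 0;
}

int main(void) {
    /* Constructed inputs: the injection from the commit message and benign paths. */
    const char *samples[] = {
        "1%0d%0aDELE%201",   /* decodes to "1\r\nDELE 1": rejected */
        "1",                 /* plain message number: accepted */
        "INBOX/%41%42",      /* decodes to "INBOX/AB": accepted */
        "100%",              /* dangling percent kept literally: accepted */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               url_path_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The check runs on the decoded byte, so a literal tab, a %09 escape and a %0A escape are all caught by the same comparison; a wrapper that only strips "%0d%0a" as text would miss the raw forms.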
  5. OpenSSL: don't disable security work-around

    OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
    (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
    to SSL_OP_ALL that _disables_ that work-around despite the fact that
    SSL_OP_ALL is documented to do "rather harmless" workarounds.
    
    The libcurl code uses the SSL_OP_ALL define and thus logically always
    disables the OpenSSL fix.
    
    In order to keep the secure work-around working, the
    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
    makes sure of this.
    
    Reported by: product-security at Apple
    bagder committed Jan 19, 2012
Commits on Jan 22, 2012
  1. RELEASE-NOTES: synced with 6e2fd2c

    3 more bugfixes, 3 more contributors
    bagder committed Jan 22, 2012
Commits on Jan 20, 2012
  1. URL parse: user name with ipv6 numerical address

    Using a URL with embedded user name and password didn't work if the host
    was given as a numerical IPv6 string, like ftp://user:password@[::1]/
    
    Reported by: Brandon Wang
    Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
    bagder committed Jan 20, 2012
Commits on Jan 19, 2012
  1. OpenSSL: follow-up for commit a20daf9

    avoid checking preprocessor definition official value
    yangtse committed Jan 19, 2012
  2. - s, use, enable, for options name, avoiding conflicts with the names used in the makefile

    pierrejoye committed Jan 19, 2012
  3. curl.1: improve --stderr wording

    As is pointed out in this bug report, there can indeed be situations
    where --stderr has a point even when the "real" stderr can be
    redirected. Remove the superfluous and wrong comment.
    
    bug: http://curl.haxx.se/bug/view.cgi?id=3476020
    bagder committed Jan 19, 2012
Commits on Jan 18, 2012
  1. polarssl: show cipher suite name correctly with 1.1.0

    Apparently ssl_get_ciphersuite() is needed to get the name of the used
    cipher suite.
    bagder committed Jan 18, 2012
  2. polarssl: show error code correctly

    The value was turned negative when it shouldn't have been
    bagder committed Jan 18, 2012
  3. polarssl: havege_rand is not present in version 1.1.0

    ... it is now named havege_random!
    
    Reported by: Robert Schumann
    Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
    bagder committed Jan 18, 2012
  4. RELEASE-NOTES: synced with 5d70a61

    5 more bug fixes, 1 more contributor
    bagder committed Jan 18, 2012
  5. Add two tests for telnet: URLs

    Add simple telnet tests which (ab)use the http server.
    The second test checks for an input file handling bug.
    Colin Hogben committed with bagder Jan 18, 2012
  6. Remove bogus optimisation of telnet upload.

    Remove wrongly implemented optimisation of telnet upload, apparently
    intended to allow the library to avoid manually polling for input.
    Colin Hogben committed with bagder Jan 4, 2012
  7. Use correct file descriptor for telnet upload.

    Fix a bug where input was read from stdin even when a different FILE *
    had been configured via CURLOPT_READDATA
    Colin Hogben committed with bagder Jan 4, 2012
  8. OpenSSL: fix PKCS#12 certificate parsing related memory leak

    Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
    and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
    Johannes Bauer committed with yangtse Jan 18, 2012