| Daniel (16 December 2005) |
| - Jean Jacques Drouin pointed out that you could only have a user name or |
| password of 127 bytes or less embedded in a URL, where actually the code |
| uses a 255 byte buffer for it! Modified now to use the full buffer size. |
| |
| Daniel (12 December 2005) |
| - Dov Murik corrected the HTTP_ONLY define to disable the TFTP support properly |
| |
| Version 7.15.1 (7 December 2005) |
| |
| Daniel (6 December 2005) |
| - Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by |
| Stefan Esser. |
| |
| VULNERABILITY |
| |
| libcurl's URL parser function can overflow a malloced buffer in two ways, if |
| given a too long URL. |
| |
| These overflows happen if you |
| |
| 1 - pass in a URL with no protocol (like "http://") prefix, using no slash |
| and the string is 256 bytes or longer. This leads to a single zero byte |
| overflow of the malloced buffer. |
| |
| 2 - pass in a URL with only a question mark as separator (no slash) between |
| the host and the query part of the URL. This leads to a single zero byte |
| overflow of the malloced buffer. |
| |
| Both overflows can be made with the same input string, leading to two single |
| zero byte overwrites. |
| |
| The affected flaw cannot be triggered by a redirect, but the long URL must |
| be passed in "directly" to libcurl. It makes this a "local" problem. Of |
| course, lots of programs may still pass in user-provided URLs to libcurl |
| without doing much syntax checking of their own, allowing a user to exploit |
| this vulnerability. |
| |
| There is no known exploit at the time of this writing. |
| |
| |
| Daniel (2 December 2005) |
| - Jamie Newton pointed out that libcurl's file:// code would close() a zero |
| file descriptor if given a non-existing file. |
| |
| Daniel (24 November 2005) |
| - Doug Kaufman provided a set of patches to make curl build fine on DJGPP |
| again using configure. |
| |
| - Yang Tse provided a whole series of patches to clear up compiler warnings on |
| MSVC 6. |
| |
| Daniel (17 November 2005) |
| - I extended a patch from David Shaw to make libcurl _always_ provide an error |
| string in the given error buffer to address the flaw mention on 21 sep 2005. |
| |
| Daniel (16 November 2005) |
| - Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get |
| installed on 'make install' time. |
| |
| Daniel (14 November 2005) |
| - Quagmire reported that he needed to raise a NTLM buffer for SSPI to work |
| properly for a case, and so we did. We raised it even for non-SSPI builds |
| but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715 |
| |
| - Jan Kunder's debian bug report |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird |
| error message for when you try to upload a file and the requested directory |
| doesn't exist on the target server. |
| |
| - Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in |
| lib/memdebug.h that showed up in his msvc builds. |
| |
| Daniel (13 November 2005) |
| - Debian bug report 338681 by Jan Kunder: make curl better detect and report |
| bad limit-rate units: |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return |
| error if a bad unit is used. |
| |
| - Thanks to this nice summary of poll() implementations: |
| http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene |
| Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote |
| connectin closure so we check for that case (too) and re-enable poll for |
| cygwin builds. |
| |
| Daniel (12 November 2005) |
| - Eugene Kotlyarov found out that cygwin's poll() function isn't doing things |
| right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable |
| poll() and use select() on cygwin too (we already do the same choice on Mac |
| OS X) |
| |
| - Dima Barsky patched problem #1348930: the GnuTLS code completely ignored |
| client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930). |
| |
| Daniel (10 November 2005) |
| - David Lang fixed IPv6 support for TFTP! |
| |
| - Introducing range stepping to the curl globbing support. Now you can specify |
| step counter by adding :[num] within the brackets when specifying a range: |
| |
| [1-100:10] |
| [a-z:2] |
| |
| If no step counter is set, it defaults to 1 as before: |
| |
| [1-100] |
| [d-h] |
| |
| Daniel (8 November 2005) |
| - Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since |
| we really have no use for reverse lookups of the address. |
| |
| I truly hope these are the last reverse lookups we had lingering in the |
| code! |
| |
| - Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled |
| version of libcurl with different Windows versions. Current version of |
| libcurl imports SSPI functions from secur32.dll. However, under Windows NT |
| 4.0 these functions are located in security.dll, under Windows 9x - in |
| secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll |
| just forwards calls to secur32.dll). |
| |
| Dmitry's patch loads proper library dynamically depending on Windows |
| version. Function InitSecurityInterface() is used to obtain pointers to all |
| of SSPI function in one structure. |
| |
| Daniel (31 October 2005) |
| - Vilmos Nebehaj improved libcurl's LDAP abilities: |
| |
| The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary |
| attributes in LDAP objects. So, I made a quick patch to address these |
| problems. |
| |
| The solution is simple: if we connect to an LDAP server, first try LDAPv3 |
| (which is the preferred protocol as of now) and then fall back to LDAPv2. |
| In case of binary attributes, we first convert them to base64, just like the |
| openldap client does. It uses ldap_get_values_len() instead of |
| ldap_get_values() to be able to retrieve binary attributes correctly. I |
| defined the necessary LDAP macros in lib/ldap.c to be able to compile |
| libcurl without the presence of libldap |
| |
| Daniel (27 October 2005) |
| - Nis Jorgensen filed bug report #1338648 |
| (http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a |
| feature request, but anyway. It pointed out that --max-redirs did not allow |
| it to be set to 0, which then would return an error code on the first |
| Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS |
| set to 0, or -1 for infinity. Added test case 274 to verify. |
| |
| - tommink[at]post.pl reported in bug report #1337723 |
| (http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload |
| binary data from stdin on Windows if the data contained control-Z (hex 1a) |
| since that is treated as end-of-file when read in text mode. Gisle Vanem |
| pointed out the fix, and I made both -T and --data-binary take advantage of |
| it. |
| |
| - Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described |
| in the man page, curl would send an invalid HTTP Range: header. The correct |
| way would be to use "-r [number]-" or even "-r -[number]". Starting now, |
| curl will warn if this is discovered, and automatically append a dash to the |
| range before passing it to libcurl. |
| |
| Daniel (25 October 2005) |
| - Amol Pattekar reported a bug with great detail and a fine example in bug |
| #1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi |
| interface and connecting to a host with multiple IP addresses, and one of |
| the addresses fails to connect (the server must exist and respond, just not |
| accept connections) libcurl leaks a socket descriptor. Thanks to the fine |
| report, I could find and fix this. |
| |
| Daniel (22 October 2005) |
| - Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report |
| #1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL |
| stream from a server and the server requests a "rehandshake", the current |
| code simply returns this as an error. I have no good way to test this, but |
| I've added a crude attempt of dealing with this situation slightly better - |
| it makes a blocking handshake if this happens. Done like this because fixing |
| this the "proper" way (that would handshake asynchronously) will require |
| quite some work and I really need a good way to test this to do such a |
| change. |
| |
| Daniel (21 October 2005) |
| - "Ofer" reported a problem when libcurl re-used a connection and failed to do |
| it, it could then accidentally actually crash. Presumably, this concerns FTP |
| connections. http://curl.haxx.se/bug/view.cgi?id=1330310 |
| |
| - Temprimus improved the MSVC makefile so that the static debug SSL libs are |
| linked to the executable and not to the libcurld.lib |
| http://curl.haxx.se/bug/view.cgi?id=1326676 |
| |
| - Bradford Bruce made the windows resolver code properly return |
| CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving |
| errors (as documented). |
| |
| Daniel (20 October 2005) |
| - Dave Dribin made libcurl understand and handle cases when the server |
| (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should |
| never happen in a sane world, libcurl previously got into an infinite loop |
| when this occurred. Dave added test 273 to verify this. |
| |
| - Temprimus improved the MSVC makefile: "makes a build option available so if |
| you set rtlibcfg=static for the make, then it would build with /MT. The |
| default behaviour is /MD (the original)." |
| http://curl.haxx.se/bug/view.cgi?id=1326665 |
| |
| Daniel (14 October 2005) |
| - Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin |
| reported, the define is used by the configure script and is assumed to use |
| the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0 |
| release version. |
| |
| Version 7.15.0 (13 October 2005) |
| |
| Daniel (12 October 2005) |
| - Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM |
| code that would overflow a buffer if given a too long user name or domain |
| name. This would happen if you enable NTLM authentication and either |
| |
| A - pass in a user name and domain name to libcurl that together are longer |
| than 192 bytes |
| |
| B - allow (lib)curl to follow HTTP "redirects" (Location: and the |
| appropriate HTTP 30x response code) and the new URL contains a URL with |
| a user name and domain name that together are longer than 192 bytes |
| |
| See http://curl.haxx.se/docs/security.html for further details and updates |
| |
| Daniel (5 October 2005) |
| - Darryl House reported a problem with using -z to download files from FTP. |
| It turned out that if the given time stamp was exact the same as the remote |
| time stamp, the file would still wrongly be downloaded. Added test case 272 |
| to verify. |
| |
| Daniel (4 October 2005) |
| - Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes |
| from the configure script. |
| |
| - Michael Wallner reported that the date parser had wrong offset stored for |
| the MEST and CEST time zones. |
| |
| Daniel (27 September 2005) |
| - David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181) |
| that identified a silly problem with Content-Range: headers with the 'bytes' |
| keyword written in a different case than all lowercase! It would cause a |
| segfault! |
| |
| - TJ Saunders of the proftpd project identified and pointed out problems with |
| the modified FTPS negotiation change of August 19 2005. Thus, we revert the |
| change back to pre-7.14.1 status. |
| |
| Daniel (21 September 2005) |
| - Fixed "cut off" sentence in the libcurl-tutorial man page: |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305 |
| |
| - Clarified in the curl_easy_setopt man page what the default |
| CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean: |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311 |
| |
| - Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER |
| sometimes doesn't fill in the buffer even though it is supposed to: |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313 |
| |
| - When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an |
| error string set. |
| |
| Daniel (19 September 2005) |
| - Dmitry Bartsevich made the SSPI support work on Windows 9x as well. |
| |
| Daniel (15 September 2005) |
| - Added a TFTP server to the test suite and made the test suite capable of |
| using it. |
| |
| Daniel (7 September 2005) |
| - Ben Madsen's detailed reports that funnily enough only occurred with certain |
| glibc versions turned out to be curl using an already closed file handle |
| during certain conditions (like when saving FTP server "headers"). |
| |
| - Scott Davis helped me track down a problem in the test HTTP server that made |
| test case 56 wrongly fail at times. It turned out it was due to the server |
| finding the end of a chunked-encoded POST too early. |
| |
| Daniel (6 September 2005) |
| - Now curl warns if an unknown variable is used in the -w/--writeout argument. |
| |
| Daniel (4 September 2005) |
| - I applied Nicolas François' man page patch he posted to the Debian bug |
| tracker. It corrected two lines that started with apostrophes, which isn't |
| legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511 |
| |
| - Added --ftp-skip-pasv-ip to the command line tool, that sets the new |
| CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control |
| connection's IP address when setting up the data connection instead of |
| extractting the IP address from the PASV response. It has turned out this |
| feature is frequently needed by people to circumvent silly servers and silly |
| firewalls, especially when FTPS is used and the PASV command-response is |
| sent encrtyped. |
| |
| Sponsored by CU*Answers |
| |
| Daniel (1 September 2005) |
| - John Kelly added TFTP support to libcurl. A bunch of new error codes was |
| added. TODO: add them to docs. add TFTP server to test suite. add TFTP to |
| list of protocols whereever those are mentioned. |
| |
| Version 7.14.1 (1 September 2005) |
| |
| Daniel (29 August 2005) |
| - Kevin Lussier pointed out a problem with curllib.dsp and how to fix it. |
| |
| - Igor Polyakov fixed a rather nasty problem with the threaded name resolver |
| for Windows, that could lead to an Access Violation when the multi interface |
| was used due to an issue with how the resolver thread was and was not |
| terminated. |
| |
| - Simon Josefsson brought a patch that allows curl to get built to use GNU GSS |
| instead of MIT/Heimdal for GSS capabilities. |
| |
| Daniel (24 August 2005) |
| - Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible |
| from the command line tool with --ignore-content-length. This will make it |
| easier to download files from Apache 1.x (and similar) servers that are |
| still having problems serving files larger than 2 or 4 GB. When this option |
| is enabled, curl will simply have to wait for the server to close the |
| connection to signal end of transfer. I wrote test case 269 that runs a |
| simple test to verify that this works. |
| |
| - (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed |
| the --logfile command line option to --log-file, and thus the test script |
| valgrind autodetection now has yet another version check to do and then it |
| alters the valgrind command line accordingly. |
| |
| - Fixed CA cert verification using GnuTLS with the default bundle, which |
| previously failed due to GnuTLS not allowing x509 v1 CA certs by default. |
| Ralph Mitchell reported. |
| |
| Daniel (19 August 2005) |
| - Norbert Novotny had problems with FTPS and he helped me work out a patch |
| that made curl run fine in his end. The key was to make sure we do the |
| SSL/TLS negotiation immediately after the TCP connect is done and not after |
| a few other commands have been sent like we did previously. I don't consider |
| this change necessary to obey the standards, I think this server is pickier |
| than what the specs allow it to be, but I can't see how this modified |
| libcurl code can add any problems to those who are interpreting the |
| standards more liberally. |
| |
| Daniel (17 August 2005) |
| - Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with |
| CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to |
| write the result to a given cookie jar and then never actually call |
| curl_easy_perform() - the given file(s) to read was never read but the |
| output file was written and thus it caused a "funny" result. |
| |
| - While doing some tests for the bug above, I noticed that Firefox generates |
| large numbers (for the expire time) in the cookies.txt file and libcurl |
| didn't treat them properly. Now it does. |
| |
| Daniel (15 August 2005) |
| - Added more verbose "warning" messages to the curl client for cases where it |
| fails to open/read files etc to help users diagnose why it doesn't do what |
| you'd expect it to. Converted lots of old messages to use the new generic |
| function I wrote for this purpose. |
| |
| Daniel (13 August 2005) |
| - James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a |
| site responds with bad HTTP response that doesn't contain any header at all, |
| only a response body, and the write callback returns 0 to abort the |
| transfer, it didn't have any real effect but the write callback would be |
| called once more anyway. |
| |
| Daniel (12 August 2005) |
| - Based on Richard Clayton's reports, I found out that using curl -d @filename |
| when 'filename' was not possible to access made curl use a GET request |
| instead. |
| |
| - The time condition illegal syntax warning is now inhibited if -s is used. |
| |
| Daniel (10 August 2005) |
| - Mario Schroeder found out that one of the debug callbacks calls that regards |
| SSL data with the CURLINFO_TEXT type claimed that the data was one byte |
| larger than it actually is, thus falsely telling the application that the |
| terminating zero was part of the data. |
| |
| Daniel (9 August 2005) |
| - Christopher R. Palmer fixed the offsets used for date parsings when the time |
| zone name of a daylight savings time was used. For example, PDT vs PDS. This |
| flaw was introduced with the new date parser (11 sep 2004 - 7.12.2). |
| Fortunately, no web server or cookie string etc should be using such time |
| zone names thus limiting the effect of this bug. |
| |
| Daniel (8 August 2005) |
| - Jon Grubbs filed bug report #1249962 |
| (http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem |
| with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly |
| switches to pure HTTP internally when an HTTP proxy is used, even for FTP |
| URLs. The problem would also occur with other multi-pass auth methods. |
| |
| Daniel (7 August 2005) |
| - When curl is built with GnuTLS, curl-config didn't include "SSL" when |
| --features was used. |
| |
| Daniel (28 July 2005) |
| - If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is |
| set to 1, CURLOPT_NOBODY will now automatically be set to 0. |
| |
| Daniel (27 July 2005) |
| - Dan Fandrich changes over the last week: fixed numerous minor configure |
| option parsing flaws: --without-gnutls, --without-spnego --without-gssapi |
| and --without-krb4. Spellfixed several error messages. |
| |
| - Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a |
| simple interface to extracting and setting cookies in libcurl's internal |
| "cookie jar". See the new cookie_interface.c example code. |
| |
| Daniel (13 July 2005) |
| - Diego Casorran provided patches to make curl build fine on Amiga again. |
| |
| Daniel (12 July 2005) |
| - Adrian Schuur added trailer support in the chunked encoding stream. The |
| trailer is then sent to the normal header callback/stream. I wrote up test |
| case 266 to verify the basic functionality. Do note that test case 34 |
| contains a flawed chunked encoding stream that still works the same. |
| |
| Daniel (5 July 2005) |
| - Gisle Vanem came up with a nice little work-around for bug #1230118 |
| (http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC) |
| libc time functions may return data one hour off if TZ is not set and |
| automatic DST adjustment is enabled. This made curl_getdate() return wrong |
| value, and it also concerned internal cookie expirations etc. |
| |
| Daniel (4 July 2005) |
| - Andrew Bushnell provided enough info for me to tell that we badly needed to |
| fix the CONNECT authentication code with multi-pass auth methods (such as |
| NTLM) as it didn't previously properly ignore response-bodies - in fact it |
| stopped reading after all response headers had been received. This could |
| lead to libcurl sending the next request and reading the body from the first |
| request as response to the second request. (I also renamed the function, |
| which wasn't strictly necessary but...) |
| |
| The best fix would to once and for all make the CONNECT code use the |
| ordinary request sending/receiving code, treating it as any ordinary request |
| instead of the special-purpose function we have now. It should make it |
| better for multi-interface too. And possibly lead to less code... |
| |
| Added test case 265 for this. It doesn't work as a _really_ good test case |
| since the test proxy is too stupid, but the test case helps when running the |
| debugger to verify. |
| |
| Daniel (30 June 2005) |
| - Dan Fandrich improved the configure script's ability to figure out what kind |
| of strerror_r() API that is used when cross-compiling. If __GLIB__ is |
| defined, it assumes the glibc API. If not, it issues a notice as before that |
| the user needs to manually edit lib/config.h for this. |
| |
| Daniel (23 June 2005) |
| - David Shaw's fix that unifies proxy string treatment so that a proxy given |
| with CURLOPT_PROXY can use a http:// prefix and user + password. The user |
| and password fields are now also URL decoded properly. Test case 264 added |
| to verify. |
| |
| Daniel (22 June 2005) |
| - David Shaw updated libcurl.m4 |
| |
| Daniel (14 June 2005) |
| - Gisle Vanem fixed a potential thread handle leak. Bug report #1216500 |
| (http://curl.haxx.se/bug/view.cgi?id=1216500). Comment in |
| http://curl.haxx.se/mail/lib-2005-06/0059.html |
| |
| Daniel (13 June 2005) |
| - Made buildconf run libtoolize in the ares dir too (inspired by Tupone's |
| reverted patch). |
| |
| Daniel (9 June 2005) |
| - Incorporated Tupone's findtool fix in buildconf (slightly edited) |
| |
| - Incorporated Tupone's head -n fix in buildconf. |
| |
| Daniel (8 June 2005) |
| - Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it |
| in pieces, one by one and see what we need to adjust to work all over. |
| |
| Daniel (6 June 2005) |
| - Tupone Alfredo fixed three problems in buildconf: |
| |
| 1) findtool does look per tool in PATH and think ./perl is the perl |
| executable, while is just a local directory (I have . in the PATH) |
| |
| 2) I got several warning for head -1 deprecated in favour of head -n 1 |
| |
| 3) ares directory is missing some file (missing is missing :-) ) because |
| automake and friends is not run. |
| |
| Daniel (3 June 2005) |
| - Added docs/libcurl/getinfo-times, based on feedback from 'Edi': |
| http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes |
| |
| - Andres Garcia provided yet another text mode patch for several test cases so |
| that they do text comparisions better on Windows (newline-wise). |
| |
| Daniel (1 June 2005) |
| - The configure check for c-ares now adds the cares lib before the other libs, |
| to make it build fine with mingw. Inspired by Tupone Alfredo's bug report |
| and patch: http://curl.haxx.se/bug/view.cgi?id=1212940 |
| |
| Daniel (31 May 2005) |
| - Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6 |
| address was not possible to use. It is now, but requires it written |
| RFC2732-style, within brackets - which incidently is how you enter numerical |
| IPv6 addresses in URLs. Test case 263 added to verify. |
| |
| Daniel (30 May 2005) |
| - Eric Cooper reported about a problem with HTTP servers that responds with |
| binary zeroes within the headers. They confused libcurl to do wrong so the |
| downloaded headers become incomplete. The fix is now verified with test case |
| 262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948 |
| |
| Daniel (25 May 2005) |
| - Fixed problems with the test suite, and in particular the FTP test cases |
| since it previously was failing every now and then in a nonsense manner. |
| |
| - --trace-time now outputs the full microsecond, all 6 digits. |
| |
| Daniel (24 May 2005) |
| - Andres Garcia provided a text mode patch for several test cases so that they |
| do text comparisions better on Windows (newline-wise). |
| |
| - Any 2xx response (and not just 200) is now considered a fine response to |
| TYPE, as some servers obviously sends a 226 there. Added test case 261 to |
| verify. Based on a question/report by Georg Wicherski. |
| |
| Daniel (20 May 2005) |
| - Improved runtests.pl to allow stdout tests to be mode=text as well, just |
| as file comparisons already supports. Added this info to the FILEFORMAT |
| docs. |
| |
| Daniel (18 May 2005) |
| - John McGowan identified a problem in bug report #1204435 |
| (http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like |
| "http://somehost?data" as it added a slash too much in the request ("GET |
| /?data/"...). Added test case 260 to verify. |
| |
| - The configure check for strerror_r() failed to detect the proper API at |
| times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc |
| version if the posix define wasn't set (since it _had_ found a strerror_r). |
| |
| Daniel (16 May 2005) |
| - The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail |
| due to this. There's now a configure check that attempts to detect the bad |
| function and not use it on such systems. |
| |
| Version 7.14.0 (16 May 2005) |
| |
| Daniel (13 May 2005) |
| - Grigory Entin reported that curl's configure detects a fine poll() for Mac |
| OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable |
| doesn't work as good as if built without poll(). I've adjusted the configure |
| to always skip the fine-poll() test on Mac OS X (darwin). |
| |
| Daniel (12 May 2005) |
| - When doing a second request (after a disconnect) using the same easy handle, |
| over a proxy that uses NTLM authentication, libcurl failed to use NTLM again |
| properly (the auth method was accidentally reset to the same as had been set |
| for host auth, which defaults to Basic). Bug report #1200661 |
| (http://curl.haxx.se/bug/view.cgi?id=1200661) identified the the problem and |
| the fix. |
| |
| - If -z/--time-cond is used with an invalid date syntax, this is no longer |
| silently discarded. Instead a proper warning message is diplayed that |
| informs about it. But it still continues without the condition. |
| |
| Version 7.14.0-pre2 (11 May 2005) |
| |
| Daniel (11 May 2005) |
| - Starting now, libcurl sends a little different set of headers in its default |
| HTTP requests: |
| |
| A) Normal non-proxy HTTP: |
| - no more "Pragma: no-cache" (this only makes sense to proxies) |
| |
| B) Non-CONNECT HTTP request over proxy: |
| - "Pragma: no-cache" is used (like before) |
| - "Proxy-Connection: Keep-alive" (for older style 1.0-proxies) |
| |
| C) CONNECT HTTP request over proxy: |
| - "Host: [name]:[port]" |
| - "Proxy-Connection: Keep-alive" |
| |
| The A) case is mostly to reduce the default header size and remove a |
| pointless header. |
| |
| The B) is to address (rare) problems with HTTP 1.0 proxies |
| |
| The C) headers are both to address (rare) problems with some proxies. The |
| code in libcurl that deals with CONNECT requests need a rewrite, but it |
| feels like a too big a job for me to do now. Details are added in the code |
| comments for now. |
| |
| Updated a large amount of test cases to reflect the news. |
| |
| Daniel (10 May 2005) |
| - Half-baked attempt to bail out if select() returns _only_ errorfds when the |
| transfer is in progress. An attempt to fix Allan's problem. See |
| http://curl.haxx.se/mail/lib-2005-05/0073.html and the rest of that thread |
| for details. |
| |
| I'm still not sure this is the right fix, but... |
| |
| Version 7.14.0-pre1 (9 May 2005) |
| |
| Daniel (2 May 2005) |
| - Sort of "fixed" KNOWN_BUGS #4: curl now builds IPv6 enabled on AIX 4.3. At |
| least it should no longer cause a compiler error. However, it does not have |
| AI_NUMERICHOST so we cannot getaddrinfo() any numerical addresses with it |
| (we use that for FTP PORT/EPRT)! So, I modified the configure check that |
| checks if the getaddrinfo() is working, to use AI_NUMERICHOST since then |
| it'll fail on AIX 4.3 and it will automatically build with IPv6 support |
| disabled. |
| |
| - Added --trace-time that when used adds a time stamp to each trace line that |
| --trace, --trace-ascii and --verbose output. I also made the '>' display |
| separate each line on the linefeed so that HTTP requests etc look nicer in |
| the -v output. |
| |
| - Made curl recognize the environment variables Lynx (and others?) support for |
| pointing out the CA cert path/file: SSL_CERT_DIR and SSL_CERT_FILE. If |
| CURL_CA_BUNDLE is not set, they are checked afterwards. |
| |
| Like before: on windows if none of these are set, it checks for the ca cert |
| file like this: |
| |
| 1. application's directory |
| 2. current working directory |
| 3. Windows System directory (e.g. C:\windows\system32) |
| 4. Windows Directory (e.g. C:\windows) |
| 5. all directories along %PATH% |
| |
| Daniel (1 May 2005) |
| - The runtests.pl script now starts test servers by doing fork() and exec() |
| instead of the previous approach. This is less complicated and should |
| hopefully lead to less "leaked" servers (servers that aren't stopped |
| properly when the tests are stopped). |
| |
| - Alexander Zhuravlev found a case when you did "curl -I [URL]" and it |
| complained on the chunked encoding, even though a HEAD should never return a |
| body and thus it cannot be a chunked-encoding problem! |
| |
| Daniel (30 April 2005) |
| - Alexander Zhuravlev found out that (lib)curl SIGSEGVed when using |
| --interface on an address that can't be bound. |
| |
| Daniel (28 April 2005) |
| - Working on fixing up test cases to mark sections as 'mode=text' for things |
| that curl writes as text files, since then they can get different line |
| endings depending on OS. Andrés García helps me work this out. |
| |
| Did lots of other minor tweaks on the test scripts to work better and more |
| reliably find test servers and also kill test servers. |
| |
| - Dan Fandrich pointed out how the runtests.pl script killed the HTTP server |
| instead of the HTTPS server when closing it down. |
| |
| Daniel (27 April 2005) |
| - Paul Moore made curl check for the .curlrc file (_curlrc on windows) on two |
| more places. First, CURL_HOME is a new environment variable that is used |
| instead of HOME if it is set, to point out where the default config file |
| lives. If there's no config file in the dir pointed out by one of the |
| environment variables, the Windows version will instead check the same |
| directory the executable curl is located in. |
| |
| Daniel (26 April 2005) |
| - Cory Nelson's work on nuking compiler warnings when building on x64 with |
| VS2005. |
| |
| Daniel (25 April 2005) |
| - Fred New reported a bug where we used Basic auth and user name and password |
| in .netrc, and when following a Location: the subsequent requests didn't |
| properly use the auth as found in the netrc file. Added test case 257 to |
| verify my fix. |
| |
| - Based on feedback from Cory Nelson, I added some preprocessor magic in |
| */setup.h and */config-win32.h to build fine with VS2005 on x64. |
| |
| Daniel (23 April 2005) |
| - Alex Suykov made the curl tool now assume that uploads using HTTP:// or |
| HTTPS:// are the only ones that show output and thus motivates a switched |
| off progress meter if the output is sent to the terminal. This makes FTP |
| uploads without '>', -o or -O show the progress meter. |
| |
| Daniel (22 April 2005) |
| - Dave Dribin's MSVC makefile fix: set CURL_STATICLIB when it builds static |
| library variants. |
| |
| - Andres Garcia fixed configure to set the proper define when building static |
| libcurl on windows. |
| |
| - --retry-delay didn't work. |
| |
| Daniel (18 April 2005) |
| - Olivier reported that even though he used CURLOPT_PORT, libcurl clearly |
| still used the default port. He was right. I fixed the problem and added the |
| test cases 521, 522 and 523 to verify the fix. |
| |
| - Toshiyuki Maezawa reported that when doing a POST with a read callback, |
| libcurl didn't properly send an Expect: 100-continue header. It does now. |
| |
| - I committed by mig change in the test suite's FTP server that moves out all |
| socket/TCP code to a separate C program named sockfilt. And added 4 new |
| test cases for FTP over IPv6. |
| |
| Daniel (8 April 2005) |
| - Cory Nelson reported a problem with a HTTP server that responded with a 304 |
| response containing an "illegal" Content-Length: header, which was not |
| properly ignored by libcurl. Now it is. Test case 249 verifies. |
| |
| Daniel (7 April 2005) |
| - Added ability to build and run with GnuTLS as an alternative to OpenSSL for |
| the secure layer. configure --with-gnutls enables with. Note that the |
| previous OpenSSL check still has preference and if it first detects OpenSSL, |
| it will not check for GnuTLS. You may need to explictly diable OpenSSL with |
| --without-ssl. |
| |
| This work has been sponsored by The Written Word. |
| |
| Daniel (5 April 2005) |
| - Christophe Legry fixed the post-upload check for FTP to not complain if the |
| upload was skipped due to a time-condition as set with |
| CURLOPT_TIMECONDITION. I added test case 247 and 248 to verify. |
| |
| Version 7.13.2 (5 April 2005) |
| |
| Daniel (4 April 2005) |
| - Marcelo Juchem fixed the MSVC makefile for libcurl |
| |
| - Gisle Vanem fixed a crash in libcurl, that could happen if the easy handle |
| was killed before the threading resolver (windows only) still hadn't |
| completed. |
| |
| - Hardeep Singh reported a problem doing HTTP POST with Digest. (It was |
| actually also affecting NTLM and Negotiate.) It turned out that if the |
| server responded with 100 Continue before the initial 401 response, libcurl |
| didn't take care of the response properly. Test case 245 and 246 added to |
| verify this. |
| |
| Daniel (30 March 2005) |
| - Andres Garcia modified the configure script to check for libgdi32 before |
| libcrypto, to make the SSL check work fine on msys/mingw. |
| |
| Daniel (29 March 2005) |
| - Tom Moers identified a flaw when you sent a POST with Digest authentication, |
| as in the first request when curl sends a POST with Content-Length: 0, it |
| still forcibly closed the connection before doing the next step in the auth |
| negotiation. |
| |
| - Jesper Jensen found out that FTP-SSL didn't work since my FTP |
| rewrite. Fixing that was easy, but it also revealed a much worse problem: |
| the FTP server response reader function didn't properly deal with reading |
| responses in multiple tiny chunks properly! I modified the FTP server to |
| allow it to produce such split-up responses to make sure curl deals with |
| them as it should. |
| |
| - Based on Augustus Saunders' comments and findings, the HTTP output auth |
| function was fixed to use the proper proxy authentication when multiple ones |
| are accepted. test 239 and test 243 were added to repeat the problems and |
| verify the fixes. |
| |
| --proxy-anyauth was added to the curl tool |
| |
| Daniel (16 March 2005) |
| - Tru64 and some IRIX boxes seem to not like test 237 as it is. Their |
| inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted |
| address which makes a different failure... Now I've modified the ipv4 |
| resolve code to use inet_pton() instead in an attempt to make these systems |
| better detect this as a bad IP address rather than creating a toally bogus |
| address that is then passed on and used. |
| |
| Daniel (15 March 2005) |
| - Dan Fandrich made the code properly use the uClibc's version of |
| inet_ntoa_r() when built with it. |
| |
| - Added test 237 and 238: test EPSV and PASV response handling when they get |
| well- formated data back but using illegal values. In 237 PASV gets an IP |
| address that is way bad. In 238 EPSV gets a port that is way out of range. |
| |
| Daniel (14 March 2005) |
| - Added a few missing features to the curl-config --features list |
| |
| - Modified testcurl.pl to now offer |
| 1 - command line options for all info it previously only read from |
| file: --name, --email, --desc and --configure |
| 2 - --nocvsup makes it not attempt to do cvs update |
| 3 - --crosscompile informs it and makes it not attempt things it can't do |
| |
| - Fixed numerous win32 compiler warnings. |
| |
| - Removed the lib/security.h file since it shadowed the mingw/win32 header |
| with the same name which is needed for SSPI builds. The contents of the |
| former security.h is now i krb4.h |
| |
| - configure --enable-sspi now enables SSPI in the build. It only works for |
| windows builds (including cross-compiles for windows). |
| |
| Daniel (12 March 2005) |
| - David Houlder added --form-string that adds that string to a multipart |
| formpost part, without special characters having special meanings etc like |
| --form features. |
| |
| Daniel (11 March 2005) |
| - curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was |
| built with SSPI support. |
| |
| - Christopher R. Palmer made it possible to build libcurl with the |
| USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the |
| native way to do NTLM. SSPI also allows libcurl to pass on the current user |
| and its password in the request. |
| |
| Daniel (9 March 2005) |
| - Dan F improved the SSL lib setup in configure. |
| |
| - Nodak Sodak reported a crash when using a SOCKS4 proxy. |
| |
| - Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the |
| multi interface code. |
| |
| - Adjusted the man page for the curl_getdate() return value for dates after |
| year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it |
| returns either the correct value or even -1 on some systems that still seem |
| to not deal with this properly. Tor Arntsen found a 64bit AIX system for us |
| that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on |
| this problem in the first place. |
| |
| Daniel (8 March 2005) |
| - Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP |
| file got a Last-Modified: header written to the data stream, corrupting the |
| actual data. This was because some conditions from the previous FTP code was |
| not properly brought into the new FTP code. I fixed and I added test case |
| 520 to verify. (This bug was introduced in 7.13.1) |
| |
| - Dan Fandrich fixed the configure --with-zlib option to always consider the |
| given path before any standard paths. |
| |
| Daniel (6 March 2005) |
| - Randy McMurchy was the first to report that valgrind.pm was missing from the |
| release archive and thus 'make test' fails. |
| |
| Daniel (5 March 2005) |
| - Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files. |
| |
| - Added test case 235 that makes a resumed upload of a file that isn't present |
| on the remote side. This then converts the operation to an ordinary STOR |
| upload. This was requested/pointed out by Ignacio Vazquez-Abrams. |
| |
| It also proved (and I fixed) a bug in the newly rewritten ftp code (and |
| present in the 7.13.1 release) when trying to resume an upload and the |
| servers returns an error to the SIZE command. libcurl then loops and sends |
| SIZE commands infinitely. |
| |
| - Dan Fandrich fixed a SSL problem introduced on February 9th that made |
| libcurl attempt to load the whole random file to seed the PRNG. This is |
| really bad since this turns out to be using /dev/urandom at times... |
| |
| Version 7.13.1 (4 March 2005) |
| |
| Daniel (4 March 2005) |
| - Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate |
| the cookie "engine" without having to provide an empty or non-existing file. |
| |
| - Rene Rebe fixed a -# crash when more data than expected was retrieved. |
| |
| Daniel (22 February 2005) |
| - NTLM and ftp-krb4 buffer overflow fixed, as reported here: |
| http://www.securityfocus.com/archive/1/391042 and the CAN report here: |
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490 |
| |
| If these security guys were serious, we'd been notified in advance and we |
| could've saved a few of you a little surprise, but now we weren't. |
| |
| Daniel (19 February 2005) |
| - Ralph Mitchell reported a flaw when you used a proxy with auth, and you |
| requested data from a host and then followed a redirect to another |
| host. libcurl then didn't use the proxy-auth properly in the second request, |
| due to the host-only check for original host name wrongly being extended to |
| the proxy auth as well. Added test case 233 to verify the flaw and that the |
| fix removed the problem. |
| |
| Daniel (18 February 2005) |
| - Mike Dobbs reported a mingw build failure due to the lack of |
| BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by |
| configure when mingw is used. |
| |
| Daniel (17 February 2005) |
| - David in bug report #1124588 found and fixed a socket leak when libcurl |
| didn't close the socket properly when returning error due to failing |
| localbind |
| |
| Daniel (16 February 2005) |
| - Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth" |
| that picks NTLM. Thanks to David Byron letting me test NTLM against his |
| servers, I could quickly repeat and fix the problem. It turned out to be: |
| |
| When libcurl POSTs without knowing/using an authentication and it gets back |
| a list of types from which it picks NTLM, it needs to either continue |
| sending its data if it keeps the connection alive, or not send the data but |
| close the connection. Then do the first step in the NTLM auth. libcurl |
| didn't send the data nor close the connection but simply read the |
| response-body and then sent the first negotiation step. Which then failed |
| miserably of course. The fixed version forces a connection if there is more |
| than 2000 bytes left to send. |
| |
| Daniel (14 February 2005) |
| - The configure script didn't check for ENGINE_load_builtin_engines() so it |
| was never used. |
| |
| Daniel (11 February 2005) |
| - Removed all uses of strftime() since it uses the localised version of the |
| week day names and month names and servers don't like that. |
| |
| Daniel (10 February 2005) |
| - Now the test script disables valgrind-testing when the test suite runs if |
| libcurl is built shared. Otherwise valgrind only tests the shell that runs |
| the wrapper-script named 'curl' that is a front-end to curl in this case. |
| This should also fix the huge amount of reports of false positives when |
| valgrind has identified leaks in (ba)sh and not in curl and people report |
| that as curl bugs. Bug report #1116672 is one example. |
| |
| Also, the valgrind report parser has been adapted to check that at least one |
| of the sources in a stack strace is one of (lib)curl's source files or |
| otherwise it will not consider the problem to concern (lib)curl. |
| |
| - Marty Kuhrt streamlined the VMS build. |
| |
| Daniel (9 February 2005) |
| - David Byron fixed his SSL problems, initially mentioned here: |
| http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use |
| SSL_pending() as we should. |
| |
| - Converted lots of FTP code to a statemachine, so that the multi interface |
| doesn't block while communicating commands-responses with an FTP server. |
| |
| I've added a comment like BLOCKING in the code on all spots I could find |
| where we still have blocking operations. When we change curl_easy_perform() |
| to use the multi interface, we'll also be able to simplify the code since |
| there will only be one "internal interface". |
| |
| While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the |
| new CURLE_LOGIN_DENIED. The first one is now access denied to a function, |
| like changing directory or retrieving a file, while the second means that we |
| were denied login. |
| |
| The CVS tag 'before_ftp_statemachine' was set just before this went in, in |
| case of future need. |
| |
| - Gisle made the DICT code send CRLF and not just LF as the spec says so. |
| |
| Daniel (8 February 2005) |
| - Gisle fixed problems when libcurl runs out of memory, and worked on making |
| sure the proper error code is returned for those occations. |
| |
| Daniel (7 February 2005) |
| - Maruko pointed out a problem with inflate decompressing exactly 64K |
| contents. |
| |
| Daniel (5 February 2005) |
| - Eric Vergnaud found a use of an uninitialised variable in the ftp when doing |
| PORT on ipv6-enabled hosts. |
| |
| - David Byron pointed out we could use BUFSIZE to read data (in |
| lib/transfer.c) instead of using BUFSIZE -1. |
| |
| Version 7.13.0 (1 February 2005) |
| |
| Daniel (31 January 2005) |
| - Added Lars Nilsson's htmltitle.cc example |
| |
| Daniel (30 January 2005) |
| - Fixed a memory leak when using the multi interface and the DO operation |
| failed (as in test case 205). |
| |
| - Fixed a valgrind warning for file:// operations. |
| |
| - Fixed a valgrind report in the url globbing code for the curl command line |
| tool. |
| |
| - Bugfixed the parser that scans the valgrind report outputs (in runtests.pl). |
| I noticed that it previously didn't detect and report the "Conditional jump |
| or move depends on uninitialised value(s)" error. When I fixed this, I |
| caught a few curl bugs with it. And then I had to spend time to make the |
| test suite IGNORE these errors when OpenSSL is used since it produce massive |
| amounts of valgrind warnings (but only of the "Conditional..." kind it |
| seems). So, if a test that requires SSL is run, it ignores the |
| "Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead |
| of "valgrind OK". |
| |
| Daniel (29 January 2005) |
| - Using the multi interface, and doing a requsted a re-used connection that |
| gets closed just after the request has been sent failed and did not re-issue |
| a request on a fresh reconnect like the easy interface did. Now it does! |
| |
| - Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use |
| my new curl_easy_perform() that uses the multi interface to run the |
| request. It is a great testbed for the multi interface and I believe we |
| shall do it this way for real in the future when we have a successor to |
| curl_multi_fdset(). I've used this approach to detect and fix several of the |
| recent multi-interfaces issues. |
| |
| - Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some |
| bad assumptions. |
| |
| - multi interface: when a request is denied due to "Maximum redirects |
| followed" libcurl leaked the last Location: URL. |
| |
| - Connect failures with the multi interface was often returned as "connect() |
| timed out" even though the reason was different. |
| |
| Daniel (28 January 2005) |
| - KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two |
| curl_easy_perform() invokes. It was previously unlocked at disconnect, which |
| could mean that it remained locked between multiple transfers. The DNS cache |
| may not live as long as the connection cache does, as they are separate. |
| |
| To deal with the lack of DNS (host address) data availability in re-used |
| connections, libcurl now keeps a copy of the IP adress as a string, to be |
| able to show it even on subsequent requests on the same connection. |
| |
| The problem could be made to appear with this stunt: |
| |
| 1. create a multi handle |
| 2. add an easy handle |
| 3. fetch a URL that is persistent (leaves the connection alive) |
| 4. remove the easy handle from the multi |
| 5. kill the multi handle |
| 6. create a multi handle |
| 7. add the same easy handle to the new multi handle |
| 8. fetch a URL from the same server as before (re-using the connection) |
| |
| - Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work |
| when built ipv6-enabled. I've now made a fix for it. Writing test cases for |
| custom port hosts turned too tricky so unfortunately there's none. |
| |
| Daniel (25 January 2005) |
| - Ian Ford asked about support for the FTP command ACCT, and I discovered it |
| is present in RFC959... so now (lib)curl supports it as well. --ftp-account |
| and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an |
| account string after PASS have been sent away. The client responds |
| with "ACCT [account string]".) Added test case 228 and 229 to verify the |
| functionality. Updated the test FTP server to support ACCT somewhat. |
| |
| - David Shaw contributed a fairly complete and detailed autoconf test you can |
| use to detect libcurl and setup variables for the protocols the installed |
| libcurl supports: docs/libcurl/libcurl.m4 |
| |
| Daniel (21 January 2005) |
| - Major FTP third party transfer overhaul. |
| |
| These four options are now obsolete: CURLOPT_SOURCE_HOST, |
| CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before) |
| and CURLOPT_PASV_HOST. |
| |
| These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE. |
| |
| The target-side didn't use the proper path with RETR, and thus this only |
| worked correctly in the login path (i.e without doing any CWD). The source- |
| side still uses a wrong path, but the fix for this will need to wait. Verify |
| the flaw by using a source URL with included %XX-codes. |
| |
| Made CURLOPT_FTPPORT control weather the target operation should use PORT |
| (or not). The other side thus uses passive (PASV) mode. |
| |
| Updated the ftp3rdparty.c example source to use the updated options. |
| |
| Added support for a second FTP server in the test suite. Named... ftp2. |
| Added test cases 230, 231 and 232 as a few first basic tests of very simple |
| 3rd party transfers. |
| |
| Changed the debug output to include 'target' and 'source' when a 3rd party |
| is being made, to make it clearer what commands/responses came on what |
| connection. |
| |
| Added three new command line options: --3p-url, --3p-user and --3p-quote. |
| |
| Documented the command line options and the curl_easy_setopt options related |
| to third party transfers. |
| |
| (Temporarily) disabled the ability to re-use an existing connection for the |
| source connection. This is because it needs to force a new in case the |
| source and target is the same host, and the host name check is trickier now |
| when the source is identified with a full URL instead of a plain host name |
| like before. |
| |
| TODO (short-term) for 3rd party transfers: quote support. The options are |
| there, we need to add test cases to verify their functionality. |
| |
| TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc) |
| and SSL/TSL support. |
| |
| Daniel (20 January 2005) |
| - Philippe Hameau found out that -Q "+[command]" didn't work, although some |
| code was written for it. I fixed and added test case 227 to verify it. |
| The curl.1 man page didn't mention the '+' so I added it. |
| |
| Daniel (19 January 2005) |
| - Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL |
| contains %0a or %0d in the user, password or CWD parts. (A future fix would |
| include doing it for %00 as well - see KNOWN_BUGS for details.) Test case |
| 225 and 226 were added to verify this |
| |
| - Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled: |
| |
| 1) the proxy environment variables are still read and used to set HTTP proxy |
| |
| 2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was |
| disabled). This is important since apps may want to disable HTTP proxy |
| without actually knowing if libcurl was built to disable HTTP or not. |
| |
| Based on Stephan's patch, both these issues should now be fixed. |
| |
| Daniel (18 January 2005) |
| - Cody Jones' enhanced version of Samuel Díaz García's MSVC makefile patch was |
| applied. |
| |
| Daniel (16 January 2005) |
| - Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl |
| assumed this used the DICT protocol. While guessing protocols will remain |
| fuzzy, I've now made sure that the host names must start with "[protocol]." |
| for them to be a valid guessable name. I also removed "https" as a prefix |
| that indicates HTTPS, since we hardly ever see any host names using that. |
| |
| Daniel (13 January 2005) |
| - Inspired by Martijn Koster's patch and example source at |
| http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the |
| select() and poll() calls properly loop if they return -1 and errno is |
| EINTR. glibc docs for this is found here: |
| http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html |
| |
| This last link says BSD doesn't have this "effect". Will there be a problem |
| if we do this unconditionally? |
| |
| Daniel (11 January 2005) |
| - Dan Torop cleaned up a few no longer used variables from David Phillips' |
| select() overhaul fix. |
| |
| - Cyrill Osterwalder posted a detailed analysis about a bug that occurs when |
| using a custom Host: header and curl fails to send a request on a re-used |
| persistent connection and thus creates a new connection and resends it. It |
| then sent two Host: headers. Cyrill's analysis was posted here: |
| http://curl.haxx.se/mail/archive-2005-01/0022.html |
| |
| - Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5 |
| problem with the version byte and the check for bad versions. Bruce has lots |
| of clues on this, and based on his suggestion I've now removed the check of |
| that byte since it seems to be able to contain 1 or 5. |
| |
| Daniel (10 January 2005) |
| - Pavel Orehov reported memory problems with the multi interface in bug report |
| #1098843. In short, a shared DNS cache was setup for a multi handle and when |
| the shared cache was deleted before the individual easy handles, the latter |
| cleanups caused read/writes to already freed memory. |
| |
| - Hzhijun reported a memory leak in the SSL certificate code, that leaked the |
| remote certificate name when it didn't match the used host name. |
| |
| Gisle (8 January 2005) |
| - Added Makefile.Watcom files (src/lib). Updated Makefile.dist. |
| |
| Daniel (7 January 2005) |
| - Improved the test script's valgrind log parser to actually work! Also added |
| the ability to disable the log scanner for specific test cases. Test case |
| 509 results in numerous problems and leaks in OpenSSL and has to get it |
| disabled. |
| |
| Daniel (6 January 2005) |
| - Fixed a single-byte read out of bounds in test case 39 in the curl tool code |
| (i.e not in the library). |
| |
| - Bug report #1097019 identified a problem when doing -d "data" with -G and |
| sending it to two URLs with {}. Added test 199 to verify the fix. |
| |
| Daniel (4 January 2005) |
| - Marty Kuhrt adjusted a VMS build script slightly |
| |
| - Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on |
| Win2000. |
| |
| Daniel (2 January 2005) |
| - Alex Neblett updated the MSVC makefiles slightly. |