|        _   _ ____  _     |
|    ___| | | |  _ \| |    |
|   / __| | | | |_) | |    |
|  | (__| |_| |  _ <| |___ |
|   \___|\___/|_| \_\_____| |
| |
| Changelog |
| |
| Daniel (5 April 2006) |
| - Michele Bini modified the NTLM code to work for his "weird IIS case" |
| (http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash |
| function in addition to the LM one and making some other adjustments in the |
| order the different parts of the data block are sent in the Type-2 reply. |
| Inspiration for this work was taken from the Firefox NTLM implementation. |
| |
| I edited the existing 21(!) NTLM test cases to run fine with these changes. Due |
| to the fact that we now properly include the host name in the Type-2 message |
| the test cases now only compare parts of that chunk. |
| |
| Daniel (28 March 2006) |
| - #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that |
| occurred when asking libcurl to follow HTTP redirects and the original URL |
| had more than one question mark (?). Added test case 276 to verify. |
| |
| Daniel (27 March 2006) |
| - David Byron found a problem with multiple -d options when libcurl was built with |
| --enable-debug, as then curl used free() on memory allocated both with |
| normal malloc() and with libcurl-provided functions, when the latter MUST be |
| freed with curl_free() in debug builds. |
| |
| Daniel (26 March 2006) |
| - Tor Arntsen figured out that TFTP was broken on a lot of systems since we |
| called bind() with a too big argument in the 3rd parameter and at least |
| Tru64, AIX and IRIX seem to be very picky about it. |
| |
| Daniel (21 March 2006) |
| - David McCreedy added CURLINFO_FTP_ENTRY_PATH. |
| |
| - Xavier Bouchoux made the SSL connection non-blocking for the multi interface |
| (when using OpenSSL). |
| |
| - Tor Arntsen fixed the AIX Toolbox RPM spec |
| |
| Daniel (20 March 2006) |
| - David McCreedy fixed libcurl to no longer ignore AUTH failures and now it |
| reacts properly according to the CURLOPT_FTP_SSL setting. |
| |
| - Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file |
| whose length was a multiple of 512 bytes could have random garbage |
| appended. Also, stop processing TFTP packets which are too short to be |
| legal. |
| |
| - Ilja van Sprundel reported a possible crash in the curl tool when using |
| "curl hostwithoutslash -d data -G" |
| |
| Version 7.15.3 (20 March 2006) |
| |
| Daniel (20 March 2006) |
| - VULNERABILITY reported to us by Ulf Harnhammar. |
| |
| libcurl uses the given file part of a TFTP URL in a manner that allows a |
| malicious user to overflow a heap-based memory buffer due to the lack of |
| boundary check. |
| |
| This overflow happens if you pass in a URL with a TFTP protocol prefix |
| ("tftp://"), using a valid host and a path part that is longer than 512 |
| bytes. |
| |
| The affected flaw can be triggered by a redirect, if curl/libcurl is told to |
| follow redirects and an HTTP server points the client to a tftp URL with the |
| characteristics described above. |
| |
| The Common Vulnerabilities and Exposures (CVE) project has assigned the name |
| CVE-2006-1061 to this issue. |
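
The missing boundary check described in this entry, and the too-short packet check from the 20 March TFTP fixes listed further up, sketched as an added example; this is not code from curl or from the original changelog. The function names and constants are hypothetical, the packet layout follows RFC 1350, and the over-long path is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_BLKSIZE 512                /* data bytes per block (RFC 1350) */
#define TFTP_PKTSIZE (4 + TFTP_BLKSIZE) /* opcode + block number + data */
enum { TFTP_RRQ = 1, TFTP_DATA = 3 };

/* Build a read request: opcode(2) | filename | NUL | mode | NUL.
 * Returns the packet length, or 0 if it does not fit in pkt. */
size_t tftp_build_rrq(uint8_t *pkt, size_t pktsize,
                      const char *filename, const char *mode)
{
  size_t flen = strlen(filename);
  size_t mlen = strlen(mode);
  /* Boundary check before any byte is written; phrased so it cannot wrap. */
  if(pktsize < 4 || flen > pktsize - 4 || mlen > pktsize - 4 - flen)
    return 0;
  pkt[0] = 0;
  pkt[1] = TFTP_RRQ;
  memcpy(pkt + 2, filename, flen + 1);          /* copies the NUL too */
  memcpy(pkt + 2 + flen + 1, mode, mlen + 1);
  return 4 + flen + mlen;
}

/* Validate a received DATA packet. Returns the payload length (0..512)
 * taken from the byte count actually received, or -1 if the packet is
 * too short or too long to be legal, or is not a DATA packet. */
int tftp_data_len(const uint8_t *pkt, size_t received, uint16_t *block)
{
  if(received < 4 || received > TFTP_PKTSIZE)
    return -1;
  if(pkt[0] != 0 || pkt[1] != TFTP_DATA)
    return -1;
  *block = (uint16_t)((pkt[2] << 8) | pkt[3]);
  return (int)(received - 4);
}

int main(void)
{
  uint8_t pkt[TFTP_PKTSIZE];
  char path[600];                       /* constructed over-long file part */
  memset(path, 'A', sizeof(path) - 1);
  path[sizeof(path) - 1] = '\0';
  printf("over-long: %zu\n", tftp_build_rrq(pkt, sizeof(pkt), path, "octet"));
  printf("normal:    %zu\n", tftp_build_rrq(pkt, sizeof(pkt), "boot.img", "octet"));
  return 0;
}
```

A file whose length is a multiple of 512 bytes ends with a DATA packet carrying zero payload bytes, which is why the payload length is derived from the received byte count rather than assumed to be a full block.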
| |
| Daniel (16 March 2006) |
| - Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included |
| in the release archive. |
| |
| Daniel (14 March 2006) |
| - David McCreedy fixed: |
| |
| a bad SSL error message when OpenSSL certificates are verified fine. |
| |
| a missing return code assignment in the FTP code |
| |
| Daniel (7 March 2006) |
| - Markus Koetter filed debian bug report #355715 which identified a problem |
| with the multi interface and multi-part formposts. The fix from February |
| 22nd could make the Curl_done() function get called twice on the same |
| connection and it was not designed for that and thus tried to call free() on |
| an already freed memory area! |
| |
| - Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL |
| is used properly. |
| |
| Daniel (6 March 2006) |
| - Lots of users on Windows have reported getting the "SSL: couldn't set |
| callback" error message so I've now made the setting of that callback not be |
| as critical as before. The function is only used for additional logging/ |
| trace anyway so a failure just means slightly less data. It should still be |
| able to proceed and connect fine to the server. |
| |
| Daniel (4 March 2006) |
| - Thomas Klausner provided a patch written by Todd Vierling in bug report |
| #1442471 that fixes a build problem on Interix. |
| |
| Daniel (2 March 2006) |
| - FTP upload without a file name part in the URL now causes |
| curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the |
| upload but named the file "(nil)" (without the quotes). Test case 524 |
| verifies. |
| |
| - Added a check for getprotobyname in configure so that it'll be used, thanks |
| to Gisle Vanem's change the other day. |
| |
| Daniel (28 February 2006) |
| - Dan Fandrich prevented curl from getting stuck in an endless loop in case we |
| are out of file handles very early in curl's code where it makes sure that |
| 0, 1 and 2 aren't gonna be used by the lib for transfers. |
| |
| Daniel (27 February 2006) |
| - Marty Kuhrt pointed out that there were two VMS-specific files missing in |
| the release archive. |
| |
| Version 7.15.2 (27 February 2006) |
| |
| Daniel (22 February 2006) |
| - Lots of work and analysis by "xbx___" in bug #1431750 |
| (http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two |
| different but related bugs: |
| |
| 1) Removing an easy handle from a multi handle before the transfer is done |
| could leave a connection in the connection cache for that handle that is |
| in a state that isn't suitable for re-use. A subsequent re-use could then |
| read from a NULL pointer and segfault. |
| |
| 2) When an easy handle was removed from the multi handle, there could be an |
| outstanding c-ares DNS name resolve request. When the response arrived, |
| it caused havoc since the connection struct it "belonged" to could've |
| been freed already. |
| |
| Now Curl_done() is called when an easy handle is removed from a multi handle |
| prematurely (that is, before the transfer was completed). Curl_done() also |
| makes sure to cancel all (if any) outstanding c-ares requests. |
| |
| Daniel (21 February 2006) |
| - Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy |
| type to the already provided type CURLPROXY_SOCKS4. |
| |
| I added a --socks4 option that works like the current --socks5 option but |
| instead uses the socks4 protocol. |
| |
| Daniel (20 February 2006) |
| - Shmulik Regev fixed an issue with multi-pass authentication and compressed |
| content when libcurl didn't honor the internal ignorebody flag. |
| |
| Daniel (18 February 2006) |
| - Ulf Härnhammar fixed a format string (printf style) problem in the Negotiate |
| code. It should however not be the cause of any troubles. He also fixed a |
| few similar problems in the HTTP test server code. |
| |
| Daniel (17 February 2006) |
| - Shmulik Regev provided a fix for the DNS cache when using short life times, |
| as previously it could be holding on to old cached entries longer than |
| requested. |
| |
| Daniel (11 February 2006) |
| - Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options |
| that an app can use to let libcurl only connect to a remote host and then |
| extract the socket from libcurl. libcurl will then not attempt to do any |
| transfer at all after the connect is done. |
| |
| - Kent Boortz improved the configure check for GnuTLS to properly set LIBS |
| instead of LDFLAGS. |
| |
| Daniel (8 February 2006) |
| - Philippe Vaucher provided a brilliant piece of test code that shows a problem |
| with re-used FTP connections. If the second request on the same connection |
| was set not to fetch a "body", libcurl could get confused and consider it an |
| attempt to use a dead connection and would go acting mighty strange. |
| |
| Daniel (2 February 2006) |
| - Make --limit-rate [num] mean bytes. It used to be that but it broke in my |
| change done in November 2005. |
| |
| Daniel (30 January 2006) |
| - Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the |
| curl tool with --local-port. Plain and simply set the range of ports to bind |
| the local end of connections to. Implemented due to popular demand. |
| |
| - Based on an error report by Philippe Vaucher, we no longer count a retried |
| connection setup as a follow-redirect. It turns out 1) this fails when a FTP |
| connection is re-setup and 2) it does make the max-redirs counter behave |
| wrong. |
| |
| Daniel (24 January 2006) |
| - Michal Marek provided a patch for FTP that makes libcurl continue to try |
| PASV even after EPSV returned a positive response code, if libcurl failed to |
| connect to the port number the EPSV response said. Obviously some people are |
| going through protocol-sensitive firewalls (or similar) that don't |
| understand EPSV and then they don't allow the second connection unless PASV |
| was used. This also called for a minor fix of test case 238. |
| |
| Daniel (20 January 2006) |
| - Duane Cathey was one of our friends who reported that curl -P [IP] |
| (CURLOPT_FTPPORT) didn't work for ipv6-enabled curls if the IP wasn't a |
| "native" IP while it works fine for ipv6-disabled builds! |
| |
| In the process of fixing this, I removed the support for LPRT since I can't |
| think of many reasons to keep doing it and asking on the mailing list didn't |
| reveal anyone else that could either. The code that sends EPRT and PORT is |
| now also a lot simpler than before (IMHO). |
| |
| Daniel (19 January 2006) |
| - Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl |
| (built ipv4-only) didn't work. |
| |
| Daniel (18 January 2006) |
| - As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742), |
| the configure script complained about a missing "missing" script if you ran |
| configure within a path whose name included one or more spaces. This is due |
| to a flaw in automake (1.9.6 and earlier). I've now worked around it by |
| including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll |
| be used instead of the one automake ships with. This kludge needs to be |
| removed once we get an automake version with this problem corrected. |
| Possibly we'll then need to convert this into a kludge depending on what |
| automake version that is used and that is gonna be painful and I don't even |
| want to think about that now...! |
| |
| Daniel (17 January 2006) |
| - David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with |
| the latest features and protocols that libcurl supports and has a minor fix |
| to better deal with the obscure case where someone has more than one libcurl |
| installed at the same time. |
| |
| Daniel (16 January 2006) |
| - David Shaw finally removed all traces of Gopher and we are now officially |
| not supporting it. It hasn't been functioning for years anyway, so this is |
| just finally stating what already was true. And a cleanup at the same time. |
| |
| - Bryan Henderson turned the 'initialized' variable for curl_global_init() |
| into a counter, and thus you can now do multiple curl_global_init() and you |
| are then supposed to do the same amount of calls to curl_global_cleanup(). |
| Bryan has also updated the docs accordingly. |
| |
| Daniel (13 January 2006) |
| - Andrew Benham fixed a race condition in the test suite that could cause the |
| test script to kill all processes in the current process group! |
| |
| Daniel (12 January 2006) |
| - Michael Jahn: |
| |
| Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru |
| HTTP proxy. |
| |
| Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would |
| previously overwrite internal memory and cause unpredicted behaviour! |
| |
| Daniel (11 January 2006) |
| - I decided to document the "secret option" here now, as I've received *NO* |
| feedback at all on my mailing list requests from November 2005: |
| |
| I'm looking for feedback and comments. I added some experimental code the |
| other day, that allows a libcurl user to select what method libcurl should |
| use to reach a file on a FTP(S) server. |
| |
| This functionality is available in CVS code and in recent daily snapshots. |
| |
| Let me explain... |
| |
| The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for |
| the command line tool) and you set it to a long (there are currently no |
| defines for the argument values, just plain numericals). You can set three |
| different "methods" that do this: |
| |
| 1 multicwd - like today, curl will do a single CWD operation for each path |
| part in the given URL. For deep hierarchies this means very many |
| commands. This is how RFC1738 says it should be done. This is the |
| default. |
| |
| 2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give |
| a full path to the server. |
| |
| 3 singlecwd - make one CWD with the full target directory and then operate |
| on the file "normally". |
| |
| (With the command line tool you do --ftp-method [METHOD], where [METHOD] is |
| one of "multicwd", "nocwd" or "singlecwd".) |
| |
| What feedback I'm interested in: |
| |
| 1 - Do they work at all? Do you find servers where one of these don't work? |
| |
| 2 - What would proper names for the option and its arguments be, if we |
| consider this feature good enough to get included and documented in |
| upcoming releases? |
| |
| 3 - Should we make libcurl able to "walk through" these options in case of |
| (path related) failures, or should it fail and let the user redo any |
| possible retries? |
| |
| (This option is not documented in any man page just yet since I'm not sure |
| these names will be used or if the functionality will end up exactly like |
| this. And for the same reasons we have no test cases for these yet.) |
| |
| Daniel (10 January 2006) |
| - When using a bad path over FTP, as in when libcurl couldn't CWD into all |
| given subdirs, libcurl would still "remember" the full path as if it is the |
| current directory libcurl is in so that the next curl_easy_perform() would |
| get really confused if it tried the same path again - as it would not issue |
| any CWD commands at all, assuming it is already in the "proper" dir. |
| |
| Starting now, a failed CWD command sets a flag that prevents the path to be |
| "remembered" after returning. |
| |
| Daniel (7 January 2006) |
| - Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP |
| proxy actually used a new connection and not sent the second request on the |
| first socket! |
| |
| Daniel (6 January 2006) |
| - Alexander Lazic made the buildconf run the buildconf in the ares dir if that |
| is present instead of trying to mimic that script in curl's buildconf |
| script. |
| |
| Daniel (3 January 2006) |
| - Andres Garcia made the TFTP test server build with mingw. |