2004-05-17 18:39:44 +08:00
|
|
|
|
_ _ ____ _
|
|
|
|
|
___| | | | _ \| |
|
|
|
|
|
/ __| | | | |_) | |
|
|
|
|
|
| (__| |_| | _ <| |___
|
1999-12-29 22:20:26 +08:00
|
|
|
|
\___|\___/|_| \_\_____|
|
|
|
|
|
|
2002-06-26 15:16:11 +08:00
|
|
|
|
Changelog
|
|
|
|
|
|
2006-04-05 20:35:48 +08:00
|
|
|
|
Daniel (5 April 2006)
|
|
|
|
|
- Michele Bini modified the NTLM code to work for his "weird IIS case"
|
|
|
|
|
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
|
|
|
|
|
function in addition to the LM one and making some other adjustments in the
|
|
|
|
|
order the different parts of the data block are sent in the Type-2 reply.
|
|
|
|
|
Inspiration for this work was taken from the Firefox NTLM implementation.
|
|
|
|
|
|
|
|
|
|
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
|
|
|
|
|
to the fact that we now properly include the host name in the Type-2 message
|
|
|
|
|
the test cases now only compare parts of that chunk.
|
|
|
|
|
|
2006-03-28 16:03:25 +08:00
|
|
|
|
Daniel (28 March 2006)
|
|
|
|
|
- #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that
|
|
|
|
|
occurred when asking libcurl to follow HTTP redirects and the original URL
|
|
|
|
|
had more than one question mark (?). Added test case 276 to verify.
|
|
|
|
|
|
2006-03-28 05:59:40 +08:00
|
|
|
|
Daniel (27 March 2006)
|
|
|
|
|
- David Byron found a problem multiple -d options when libcurl was built with
|
|
|
|
|
--enable-debug, as then curl used free() on memory allocated both with
|
|
|
|
|
normal malloc() and with libcurl-provided functions, when the latter MUST be
|
|
|
|
|
freed with curl_free() in debug builds.
|
|
|
|
|
|
2006-03-26 16:52:43 +08:00
|
|
|
|
Daniel (26 March 2006)
|
|
|
|
|
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
|
|
|
|
|
called bind() with a too big argument in the 3rd parameter and at least
|
|
|
|
|
Tru64, AIX and IRIX seem to be very picky about it.
|
|
|
|
|
|
2006-03-21 21:34:41 +08:00
|
|
|
|
Daniel (21 March 2006)
|
2006-03-22 06:30:03 +08:00
|
|
|
|
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.
|
|
|
|
|
|
2006-03-22 05:54:44 +08:00
|
|
|
|
- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
|
|
|
|
|
(when using OpenSSL).
|
|
|
|
|
|
2006-03-21 21:34:41 +08:00
|
|
|
|
- Tor Arntsen fixed the AIX Toolbox RPM spec
|
|
|
|
|
|
2006-03-21 06:25:14 +08:00
|
|
|
|
Daniel (20 March 2006)
|
2006-03-21 06:51:08 +08:00
|
|
|
|
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
|
|
|
|
|
reacts properly according to the CURLOPT_FTP_SSL setting.
|
|
|
|
|
|
2006-03-21 06:25:14 +08:00
|
|
|
|
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
|
|
|
|
|
whose length was a multiple of 512 bytes could have random garbage
|
|
|
|
|
appended. Also, stop processing TFTP packets which are too short to be
|
|
|
|
|
legal.
|
|
|
|
|
|
|
|
|
|
- Ilja van Sprundel reported a possible crash in the curl tool when using
|
|
|
|
|
"curl hostwithoutslash -d data -G"
|
|
|
|
|
|
2006-03-20 17:03:09 +08:00
|
|
|
|
Version 7.15.3 (20 March 2006)
|
|
|
|
|
|
2006-03-21 06:25:14 +08:00
|
|
|
|
Daniel (20 March 2006)
|
|
|
|
|
- VULNERABILITY reported to us by Ulf Harnhammar.
|
|
|
|
|
|
|
|
|
|
libcurl uses the given file part of a TFTP URL in a manner that allows a
|
|
|
|
|
malicious user to overflow a heap-based memory buffer due to the lack of
|
|
|
|
|
boundary check.
|
|
|
|
|
|
|
|
|
|
This overflow happens if you pass in a URL with a TFTP protocol prefix
|
|
|
|
|
("tftp://"), using a valid host and a path part that is longer than 512
|
|
|
|
|
bytes.
|
|
|
|
|
|
|
|
|
|
The affected flaw can be triggered by a redirect, if curl/libcurl is told to
|
|
|
|
|
follow redirects and an HTTP server points the client to a tftp URL with the
|
|
|
|
|
characteristics described above.
|
|
|
|
|
|
|
|
|
|
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
|
|
|
|
|
CVE-2006-1061 to this issue.
|
|
|
|
|
|
2006-03-20 15:32:50 +08:00
|
|
|
|
Daniel (16 March 2006)
|
|
|
|
|
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
|
|
|
|
|
in the release archive.
|
|
|
|
|
|
|
|
|
|
Daniel (14 March 2006)
|
|
|
|
|
- David McCreedy fixed:
|
|
|
|
|
|
|
|
|
|
a bad SSL error message when OpenSSL certificates are verified fine.
|
|
|
|
|
|
|
|
|
|
a missing return code assignment in the FTP code
|
|
|
|
|
|
2006-03-08 06:28:08 +08:00
|
|
|
|
Daniel (7 March 2006)
|
2006-03-08 07:11:41 +08:00
|
|
|
|
- Markus Koetter filed debian bug report #355715 which identified a problem
|
|
|
|
|
with the multi interface and multi-part formposts. The fix from February
|
|
|
|
|
22nd could make the Curl_done() function get called twice on the same
|
|
|
|
|
connection and it was not designed for that and thus tried to call free() on
|
|
|
|
|
an already freed memory area!
|
|
|
|
|
|
2006-03-08 06:28:08 +08:00
|
|
|
|
- Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL
|
|
|
|
|
is used properly.
|
|
|
|
|
|
2006-03-07 06:35:51 +08:00
|
|
|
|
Daniel (6 March 2006)
|
|
|
|
|
- Lots of users on Windows have reported getting the "SSL: couldn't set
|
|
|
|
|
callback" error message so I've now made the setting of that callback not be
|
|
|
|
|
as critical as before. The function is only used for additional loggging/
|
|
|
|
|
trace anyway so a failure just means slightly less data. It should still be
|
|
|
|
|
able to proceed and connect fine to the server.
|
|
|
|
|
|
2006-03-05 06:39:31 +08:00
|
|
|
|
Daniel (4 March 2006)
|
|
|
|
|
- Thomas Klausner provided a patch written by Todd Vierling in bug report
|
|
|
|
|
#1442471 that fixes a build problem on Interix.
|
|
|
|
|
|
2006-03-02 19:37:05 +08:00
|
|
|
|
Daniel (2 March 2006)
|
2006-03-03 21:09:30 +08:00
|
|
|
|
- FTP upload without a file name part in the URL now causes
|
|
|
|
|
curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the
|
|
|
|
|
upload but named the file "(nil)" (without the quotes). Test case 524
|
|
|
|
|
verifies.
|
|
|
|
|
|
2006-03-02 19:37:05 +08:00
|
|
|
|
- Added a check for getprotobyname in configure so that it'll be used, thanks
|
|
|
|
|
to Gisle Vanem's change the other day.
|
|
|
|
|
|
2006-03-02 19:41:23 +08:00
|
|
|
|
Daniel (28 February 2006)
|
|
|
|
|
- Dan Fandrich prevented curl from getting stuck in an endless loop in case we
|
|
|
|
|
are out of file handles very early in curl's code where it makes sure that
|
|
|
|
|
0, 1 and 2 aren't gonna be used by the lib for transfers.
|
|
|
|
|
|
2006-03-03 21:09:30 +08:00
|
|
|
|
Daniel (27 February 2006)
|
|
|
|
|
- Marty Kuhrt pointed out that there were two VMS-specific files missing in
|
|
|
|
|
the release archive.
|
|
|
|
|
|
2006-02-28 00:09:24 +08:00
|
|
|
|
Version 7.15.2 (27 February 2006)
|
2006-02-28 00:05:16 +08:00
|
|
|
|
|
2006-02-23 20:20:48 +08:00
|
|
|
|
Daniel (22 February 2006)
|
|
|
|
|
- Lots of work and analysis by "xbx___" in bug #1431750
|
|
|
|
|
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
|
|
|
|
|
different but related bugs:
|
|
|
|
|
|
|
|
|
|
1) Removing an easy handle from a multi handle before the transfer is done
|
|
|
|
|
could leave a connection in the connection cache for that handle that is
|
|
|
|
|
in a state that isn't suitable for re-use. A subsequent re-use could then
|
|
|
|
|
read from a NULL pointer and segfault.
|
|
|
|
|
|
|
|
|
|
2) When an easy handle was removed from the multi handle, there could be an
|
|
|
|
|
outstanding c-ares DNS name resolve request. When the response arrived,
|
|
|
|
|
it caused havoc since the connection struct it "belonged" to could've
|
|
|
|
|
been freed already.
|
|
|
|
|
|
|
|
|
|
Now Curl_done() is called when an easy handle is removed from a multi handle
|
|
|
|
|
pre-maturely (that is, before the transfer was complteted). Curl_done() also
|
|
|
|
|
makes sure to cancel all (if any) outstanding c-ares requests.
|
|
|
|
|
|
2006-02-21 15:46:41 +08:00
|
|
|
|
Daniel (21 February 2006)
|
|
|
|
|
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
|
|
|
|
|
type to the already provided type CURLPROXY_SOCKS4.
|
|
|
|
|
|
|
|
|
|
I added a --socks4 option that works like the current --socks5 option but
|
|
|
|
|
instead use the socks4 protocol.
|
|
|
|
|
|
2006-02-20 07:16:48 +08:00
|
|
|
|
Daniel (20 February 2006)
|
|
|
|
|
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
|
|
|
|
|
content when libcurl didn't honor the internal ignorebody flag.
|
|
|
|
|
|
2006-02-19 06:27:01 +08:00
|
|
|
|
Daniel (18 February 2006)
|
|
|
|
|
- Ulf H<>rnhammar fixed a format string (printf style) problem in the Negotiate
|
|
|
|
|
code. It should however not be the cause of any troubles. He also fixed a
|
|
|
|
|
few similar problems in the HTTP test server code.
|
|
|
|
|
|
2006-02-17 07:42:32 +08:00
|
|
|
|
Daniel (17 February 2006)
|
|
|
|
|
- Shmulik Regev provided a fix for the DNS cache when using short life times,
|
|
|
|
|
as previously it could be holding on to old cached entries longer than
|
|
|
|
|
requested.
|
|
|
|
|
|
2006-02-11 20:56:52 +08:00
|
|
|
|
Daniel (11 February 2006)
|
2006-02-17 07:42:32 +08:00
|
|
|
|
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
|
|
|
|
|
that an app can use to let libcurl only connect to a remote host and then
|
|
|
|
|
extract the socket from libcurl. libcurl will then not attempt to do any
|
|
|
|
|
transfer at all after the connect is done.
|
2006-02-12 06:35:16 +08:00
|
|
|
|
|
2006-02-11 20:56:52 +08:00
|
|
|
|
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
|
|
|
|
|
instead of LDFLAGS.
|
|
|
|
|
|
2006-02-08 07:09:04 +08:00
|
|
|
|
Daniel (8 February 2006)
|
|
|
|
|
- Philippe Vaucher provided a brilliant piece of test code that show a problem
|
|
|
|
|
with re-used FTP connections. If the second request on the same connection
|
|
|
|
|
was set not to fetch a "body", libcurl could get confused and consider it an
|
|
|
|
|
attempt to use a dead connection and would go acting mighty strange.
|
|
|
|
|
|
2006-02-02 07:28:22 +08:00
|
|
|
|
Daniel (2 February 2006)
|
|
|
|
|
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
|
|
|
|
|
change done in November 2005.
|
|
|
|
|
|
2006-01-30 16:20:52 +08:00
|
|
|
|
Daniel (30 January 2006)
|
2006-01-30 16:24:07 +08:00
|
|
|
|
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
|
|
|
|
|
curl tool with --local-port. Plain and simply set the range of ports to bind
|
|
|
|
|
the local end of connections to. Implemented on to popular demand.
|
|
|
|
|
|
2006-01-30 16:20:52 +08:00
|
|
|
|
- Based on an error report by Philippe Vaucher, we no longer count a retried
|
|
|
|
|
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
|
|
|
|
|
connection is re-setup and 2) it does make the max-redirs counter behave
|
2006-02-08 07:09:04 +08:00
|
|
|
|
wrong.
|
2006-01-30 16:20:52 +08:00
|
|
|
|
|
2006-01-24 22:40:43 +08:00
|
|
|
|
Daniel (24 January 2006)
|
|
|
|
|
- Michal Marek provided a patch for FTP that makes libcurl continue to try
|
|
|
|
|
PASV even after EPSV returned a positive response code, if libcurl failed to
|
|
|
|
|
connect to the port number the EPSV response said. Obviously some people are
|
|
|
|
|
going through protocol-sensitive firewalls (or similar) that don't
|
|
|
|
|
understand EPSV and then they don't allow the second connection unless PASV
|
|
|
|
|
was used. This also called for a minor fix of test case 238.
|
|
|
|
|
|
2006-01-20 07:52:03 +08:00
|
|
|
|
Daniel (20 January 2006)
|
|
|
|
|
- Duane Cathey was one of our friends who reported that curl -P [IP]
|
|
|
|
|
(CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
|
|
|
|
|
"native" IP while it works fine for ipv6-disabled builds!
|
|
|
|
|
|
|
|
|
|
In the process of fixing this, I removed the support for LPRT since I can't
|
|
|
|
|
think of many reasons to keep doing it and asking on the mailing list didn't
|
|
|
|
|
reveal anyone else that could either. The code that sends EPRT and PORT is
|
|
|
|
|
now also a lot simpler than before (IMHO).
|
|
|
|
|
|
2006-01-20 06:02:46 +08:00
|
|
|
|
Daniel (19 January 2006)
|
2006-01-20 07:52:03 +08:00
|
|
|
|
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
|
|
|
|
|
(built ipv4-only) didn't work.
|
2006-01-20 06:02:46 +08:00
|
|
|
|
|
2006-01-18 18:00:36 +08:00
|
|
|
|
Daniel (18 January 2006)
|
|
|
|
|
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
|
|
|
|
|
the configure script complained about a missing "missing" script if you ran
|
|
|
|
|
configure within a path whose name included one or more spaces. This is due
|
|
|
|
|
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
|
|
|
|
|
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
|
|
|
|
|
be used instead of the one automake ships with. This kludge needs to be
|
|
|
|
|
removed once we get an automake version with this problem corrected.
|
|
|
|
|
Possibly we'll then need to convert this into a kludge depending on what
|
|
|
|
|
automake version that is used and that is gonna be painful and I don't even
|
|
|
|
|
want to think about that now...!
|
|
|
|
|
|
2006-01-18 20:17:20 +08:00
|
|
|
|
Daniel (17 January 2006)
|
|
|
|
|
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
|
|
|
|
|
the latest features and protocols that libcurl supports and has a minor fix
|
|
|
|
|
to better deal with the obscure case where someone has more than one libcurl
|
|
|
|
|
installed at the same time.
|
|
|
|
|
|
2006-01-16 07:55:53 +08:00
|
|
|
|
Daniel (16 January 2006)
|
2006-01-17 06:14:37 +08:00
|
|
|
|
- David Shaw finally removed all traces of Gopher and we are now officially
|
|
|
|
|
not supporting it. It hasn't been functioning for years anyway, so this is
|
|
|
|
|
just finally stating what already was true. And a cleanup at the same time.
|
|
|
|
|
|
2006-01-16 07:55:53 +08:00
|
|
|
|
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
|
|
|
|
|
into a counter, and thus you can now do multiple curl_global_init() and you
|
|
|
|
|
are then supposed to do the same amount of calls to curl_global_cleanup().
|
|
|
|
|
Bryan has also updated the docs accordingly.
|
|
|
|
|
|
2006-01-13 20:16:16 +08:00
|
|
|
|
Daniel (13 January 2006)
|
|
|
|
|
- Andrew Benham fixed a race condition in the test suite that could cause the
|
|
|
|
|
test script to kill all processes in the current process group!
|
|
|
|
|
|
2006-01-12 20:40:04 +08:00
|
|
|
|
Daniel (12 January 2006)
|
2006-01-13 06:18:38 +08:00
|
|
|
|
- Michael Jahn:
|
|
|
|
|
|
|
|
|
|
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
|
|
|
|
|
HTTP proxy.
|
|
|
|
|
|
|
|
|
|
Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would
|
|
|
|
|
previously overwrite internal memory and cause unpredicted behaviour!
|
2006-01-12 20:40:04 +08:00
|
|
|
|
|
2006-01-11 07:08:38 +08:00
|
|
|
|
Daniel (11 January 2006)
|
|
|
|
|
- I decided to document the "secret option" here now, as I've received *NO*
|
|
|
|
|
feedback at all on my mailing list requests from November 2005:
|
2005-04-24 06:08:15 +08:00
|
|
|
|
|
2006-01-11 07:08:38 +08:00
|
|
|
|
I'm looking for feedback and comments. I added some experimental code the
|
|
|
|
|
other day, that allows a libcurl user to select what method libcurl should
|
|
|
|
|
use to reach a file on a FTP(S) server.
|
|
|
|
|
|
|
|
|
|
This functionality is available in CVS code and in recent daily snapshots.
|
|
|
|
|
|
|
|
|
|
Let me explain...
|
|
|
|
|
|
|
|
|
|
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
|
|
|
|
|
the command line tool) and you set it to a long (there are currenly no
|
|
|
|
|
defines for the argument values, just plain numericals). You can set three
|
|
|
|
|
different "methods" that do this:
|
|
|
|
|
|
|
|
|
|
1 multicwd - like today, curl will do a single CWD operation for each path
|
|
|
|
|
part in the given URL. For deep hierarchies this means very many
|
|
|
|
|
commands. This is how RFC1738 says it should be done. This is the
|
|
|
|
|
default.
|
|
|
|
|
|
|
|
|
|
2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
|
|
|
|
|
a full path to the server.
|
|
|
|
|
|
|
|
|
|
3 singlecwd - make one CWD with the full target directory and then operate
|
|
|
|
|
on the file "normally".
|
|
|
|
|
|
|
|
|
|
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
|
|
|
|
|
one of "multicwd", "nocwd" or "singlecwd".)
|
|
|
|
|
|
|
|
|
|
What feedback I'm interested in:
|
|
|
|
|
|
|
|
|
|
1 - Do they work at all? Do you find servers where one of these don't work?
|
|
|
|
|
|
|
|
|
|
2 - What would proper names for the option and its arguments be, if we
|
|
|
|
|
consider this feature good enough to get included and documented in
|
|
|
|
|
upcoming releases?
|
|
|
|
|
|
|
|
|
|
3 - Should we make libcurl able to "walk through" these options in case of
|
|
|
|
|
(path related) failures, or should it fail and let the user redo any
|
|
|
|
|
possible retries?
|
|
|
|
|
|
|
|
|
|
(This option is not documented in any man page just yet since I'm not sure
|
|
|
|
|
these names will be used or if the functionality will end up exactly like
|
|
|
|
|
this. And for the same reasons we have no test cases for these yet.)
|
2005-10-05 02:15:33 +08:00
|
|
|
|
|
2006-01-11 07:03:22 +08:00
|
|
|
|
Daniel (10 January 2006)
|
|
|
|
|
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
|
|
|
|
|
given subdirs, libcurl would still "remember" the full path as if it is the
|
|
|
|
|
current directory libcurl is in so that the next curl_easy_perform() would
|
|
|
|
|
get really confused if it tried the same path again - as it would not issue
|
|
|
|
|
any CWD commands at all, assuming it is already in the "proper" dir.
|
|
|
|
|
|
|
|
|
|
Starting now, a failed CWD command sets a flag that prevents the path to be
|
|
|
|
|
"remembered" after returning.
|
|
|
|
|
|
2006-01-08 06:24:16 +08:00
|
|
|
|
Daniel (7 January 2006)
|
2006-01-11 07:03:22 +08:00
|
|
|
|
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
|
|
|
|
|
proxy actually used a new connection and not sent the second request on the
|
|
|
|
|
first socket!
|
2006-01-08 06:24:16 +08:00
|
|
|
|
|
2006-01-07 06:59:34 +08:00
|
|
|
|
Daniel (6 January 2006)
|
|
|
|
|
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
|
|
|
|
|
is present instead of trying to mimic that script in curl's buildconf
|
|
|
|
|
script.
|
|
|
|
|
|
2006-01-04 18:07:36 +08:00
|
|
|
|
Daniel (3 January 2006)
|
|
|
|
|
- Andres Garcia made the TFTP test server build with mingw.
|