Commit Graph

5948 Commits

Author SHA1 Message Date
Daniel Stenberg
2a699bc6e9 CURLOPT_SSL_OPTIONS: added
Allow an appliction to set libcurl specific SSL options. The first and
only options supported right now is CURLSSLOPT_ALLOW_BEAST.

It will make libcurl to disable any work-arounds the underlying SSL
library may have to address a known security flaw in the SSL3 and TLS1.0
protocol versions.

This is a reaction to us unconditionally removing that behavior after
this security advisory:

http://curl.haxx.se/docs/adv_20120124B.html

... it did however cause a lot of programs to fail because of old
servers not liking this work-around. Now programs can opt to decrease
the security in order to interoperate with old servers better.
2012-02-09 22:22:54 +01:00
Dave Reisner
705f0f7a5b add library support for tuning TCP_KEEPALIVE
This adds three new options to control the behavior of TCP keepalives:

- CURLOPT_TCP_KEEPALIVE: enable/disable probes
- CURLOPT_TCP_KEEPIDLE: idle time before sending first probe
- CURLOPT_TCP_KEEPINTVL: delay between successive probes

While not all operating systems support the TCP_KEEPIDLE and
TCP_KEEPINTVL knobs, the library will still allow these options to be
set by clients, silently ignoring the values.
2012-02-09 18:53:51 +01:00
Daniel Stenberg
ea055407fa curl_easy_reset: reset the referer string
When CURLOPT_REFERER has been used, curl_easy_reset() did not properly
clear it.

Verified with the new test 598

Bug: http://curl.haxx.se/bug/view.cgi?id=3481551
Reported by: Michael Day
2012-02-07 23:07:43 +01:00
Daniel Stenberg
466150bc64 CONNECT: send correct Host: with IPv6 numerical address
When the target host was given as a IPv6 numerical address, it was not
properly put within square brackets for the Host: header in the CONNECT
request. The "normal" request did fine.

Reported by: "zooloo"
Bug: http://curl.haxx.se/bug/view.cgi?id=3482093
2012-01-31 22:52:10 +01:00
Pierre Ynard
f4d3c0cbfb more resilient connection times among IP addresses
When connecting to a domain with multiple IP addresses, allow different,
decreasing connection timeout values. This should guarantee some
connections attempts with sufficiently long timeouts, while still
providing fallback.
2012-01-28 14:00:52 +01:00
Pierre Ynard
4d2737bcb2 remove write-only variable 2012-01-28 13:58:49 +01:00
Daniel Stenberg
70f71bb99f gnutls: enforced use of SSLv3
With advice from Nikos Mavrogiannopoulos, changed the priority string to
add "actual priorities" and favour ARCFOUR. This makes libcurl work
better when enforcing SSLv3 with GnuTLS. Both in the sense that the
libmicrohttpd test is now working again but also that it mitigates a
weakness in the older SSL/TLS protocols.

Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
Reported by: Christian Grothoff
2012-01-24 08:54:26 +01:00
Daniel Stenberg
75ca568fa1 URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).

URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.

This flaw is considered a security vulnerability: CVE-2012-0036

Security advisory at: http://curl.haxx.se/docs/adv_20120124.html

Reported by: Dan Fandrich
2012-01-24 08:54:26 +01:00
Daniel Stenberg
db1a856b4f OpenSSL: don't disable security work-around
OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
(http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
to SSL_OP_ALL that _disables_ that work-around despite the fact that
SSL_OP_ALL is documented to do "rather harmless" workarounds.

The libcurl code uses the SSL_OP_ALL define and thus logically always
disables the OpenSSL fix.

In order to keep the secure work-around workding, the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
makes sure of this.

Reported by: product-security at Apple
2012-01-24 08:54:26 +01:00
Daniel Stenberg
7883cd5af3 URL parse: user name with ipv6 numerical address
Using a URL with embedded user name and password didn't work if the host
was given as a numerical IPv6 string, like ftp://user:password@[::1]/

Reported by: Brandon Wang
Bug: http://curl.haxx.se/mail/archive-2012-01/0047.html
2012-01-20 23:32:43 +01:00
Yang Tse
d7af7de5b2 telnet.c: fix OOM triggered segfault 2012-01-20 00:11:15 +01:00
Yang Tse
e64d332e79 OpenSSL: follow-up for commit a20daf90e3
avoid checking preprocessor definition official value
2012-01-19 22:29:00 +01:00
Yang Tse
d56b4c3f89 ssl session caching: fix compiler warnings 2012-01-18 23:42:39 +01:00
Daniel Stenberg
d1becc3231 polarssl: show cipher suite name correctly with 1.1.0
Apparently ssl_get_ciphersuite() is needed to get the name of the used
cipher suite.
2012-01-18 23:19:37 +01:00
Daniel Stenberg
f55f95d49c polarssl: show error code correctly
The value was turned negative when it shouldn't have been
2012-01-18 23:19:01 +01:00
Daniel Stenberg
61d31a3caf polarssl: havege_rand is not present in version 1.1.0
... it is now named havege_random!

Reported by: Robert Schumann
Bug: http://curl.haxx.se/mail/lib-2012-01/0178.html
2012-01-18 23:17:54 +01:00
Colin Hogben
4563eeb9f4 Use correct file descriptor for telnet upload.
Fix a bug where input was read from stdin even when a different FILE *
had been configured via CURLOPT_READDATA
2012-01-18 22:17:10 +01:00
Yang Tse
2cafb0e97c OpenLDAP: fix LDAP connection phase memory leak
bug: http://curl.haxx.se/bug/view.cgi?id=3474308
2012-01-18 16:06:29 +01:00
Johannes Bauer
6ea7acf5a9 OpenSSL: fix PKCS#12 certificate parsing related memory leak
Leak triggered when CURLOPT_SSLCERTTYPE and CURLOPT_SSLKEYTYPE set to P12
and both CURLOPT_SSLCERT and CURLOPT_SSLKEY point to the same PKCS#12 file.
2012-01-18 13:39:12 +01:00
Yang Tse
a20daf90e3 OpenSSL: SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is no longer enabled
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed successfull
interoperability with web server Netscape Enterprise Server 2.0.1 released
back in 1996 more than 15 years ago.

Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
2012-01-18 11:59:20 +01:00
Yang Tse
0ce2bca741 add LF termination to infof() trace string 2012-01-16 21:14:05 +01:00
Yang Tse
6d62c5a6fc Curl_proxyCONNECT() trace known bug #39 2012-01-15 19:21:55 +01:00
Yang Tse
8e82ef9c32 http_negotiate_sspi.c: fix compiler warning 2012-01-13 13:34:43 +01:00
Yang Tse
d016f5f5f5 ssh.c: fix compiler warning 2012-01-13 12:57:09 +01:00
Daniel Stenberg
9f20379fe4 hostip: avoid getaddrinfo when c-ares is used
Some functions using getaddrinfo and gethostbyname were still
mistakingly being used/linked even if c-ares was selected as resolver
backend.

Reported by: Arthur Murray
Bug: http://curl.haxx.se/mail/lib-2012-01/0160.html
2012-01-12 23:13:19 +01:00
gsengun
d28411c3cc FTP: CURLE_PARTIAL_FILE should not cause control connection to be closed
Test 161 updated accordingly
2012-01-09 22:50:20 +01:00
Yang Tse
f34ddb90e6 lib/setup.h: portable symbolic names for Winsock shutdown() mode flags 2012-01-08 02:32:51 +01:00
Daniel Stenberg
4897f4e517 win32-threaded-resolver: stop using a dummy socket
Previously the code would create a dummy socket while resolving just to
have curl_multi_fdset() return something but the non-win32 version
doesn't do it this way and the creation and use of a socket that isn't
made with the common create-socket callback can be confusing to apps
using the multi_socket API etc.

This change removes the dummy socket and thus will cause
curl_multi_fdset() to return with maxfd == -1 more often.
2012-01-04 23:16:30 +01:00
Peter Sylvester
81524cbfa0 OpenSSL: remove reference to openssl internal struct
With this change, curl compiles with the new OPENSSL_NO_SSL_INTERN
cflag. This flag might become the default in some distant future.
2012-01-04 23:02:36 +01:00
Yang Tse
7bd2add06f krb5.c: fix compiler warning: variable set but not used 2012-01-04 19:11:54 +01:00
Steve Holme
db4f69ef06 Fixed use of CURLUSESSL_TRY for POP3 and IMAP based connections.
Fixed a problem in POP3 and IMAP where a connection would fail when
CURLUSESSL_TRY was specified for a server that didn't support
SSL/TLS connections rather than continuing.
2012-01-04 00:48:20 +01:00
Steve Holme
277022b2e4 Fixed incorrect error code being returned in STARTTLS
The STARTTLS response code in SMTP, POP3 and IMAP would return
CURLE_LOGIN_DENIED rather than CURLE_USE_SSL_FAILED when SSL/TLS
was not available on the server.

Reported by: Gokhan Sengun
Bug: http://curl.haxx.se/mail/lib-2012-01/0018.html
2012-01-04 00:47:58 +01:00
Yang Tse
cc69e56ce3 hostip.c: fix potential write past the end of string buffer 2012-01-02 13:44:56 +01:00
Yang Tse
8e25d1b93b hostip.c: fix Curl_loadhostpairs() OOM handling 2012-01-02 13:41:09 +01:00
Daniel Stenberg
7f472618de Curl_input_negotiate: use the correct buffer for input
Unfortunately we have no test cases for this and I have no SSPI build or
server to verify this with. The change seems simple enough though.

Bug: http://curl.haxx.se/bug/view.cgi?id=3466497
Reported by: Patrice Guerin
2012-01-01 22:36:32 +01:00
Daniel Stenberg
a3403db02f just a stupid typo 2011-12-31 23:53:52 +01:00
Daniel Stenberg
c9a3cab6c4 SFTP dir: increase buffer size counter
When the buffer gets realloced to hold the file name in the
SSH_SFTP_READDIR_LINK state, the counter was not bumped accordingly.

Reported by: Armel Asselin
Patch by: Armel Asselin
Bug: http://curl.haxx.se/mail/lib-2011-12/0249.html
2011-12-31 23:52:15 +01:00
Daniel Stenberg
81ebdd9e28 create_hostcache_id: use the key lower cased
... to make sure the DNS cache is properly case insensitive
2011-12-31 10:58:05 +01:00
Daniel Stenberg
207cf15032 changed case: use new host name for subsequent HTTP requests
When a HTTP connection is re-used for a subsequent request without
proxy, it would always re-use the Host: header of the first request. As
host names are case insensitive it would make curl send another host
name case that what the particular request used.

Now it will instead always use the most recent host name to always use
the desired casing.

Added test case 1318 to verify.

Bug: http://curl.haxx.se/mail/lib-2011-12/0314.html
Reported by: Alex Vinnik
2011-12-31 10:45:28 +01:00
Daniel Stenberg
5e0a44e4d5 CURLOPT_RESOLVE: avoid adding already present host names
The load host names to DNS cache function was moved to hostip.c and it
now makes sure to not add host names that already are present in the
cache. It would previously lead to memory leaks when for example using
the --resolve and multiple URLs on the command line.
2011-12-31 10:45:27 +01:00
Yang Tse
ed0364343d removed trailing whitespace 2011-12-30 03:36:18 +01:00
Kamil Dudka
9f7f6a62ff transfer: avoid unnecessary timeout event when waiting for 100-continue
The commit 9dd85bc unintentionally changed the way we compute the time
spent waiting for 100-continue.  In particular, when using a SSL client
certificate, the time spent by SSL handshake was included and could
cause the CURL_TIMEOUT_EXPECT_100 timeout to be mistakenly fired up.

Bug: https://bugzilla.redhat.com/767490
Reported by: Mamoru Tasaka
2011-12-25 22:37:24 +01:00
Yang Tse
98292bcdd0 transfer.c: move a logging statement placement 2011-12-25 12:11:51 +01:00
Yang Tse
996f2454ba hash.c: fix OOM triggered segfault 2011-12-25 11:35:45 +01:00
Daniel Stenberg
99a12baa34 ftp_do_more: don't return success until all is done
ftp_do_more() returns after accepting the server connect however it
needs to fall through and set "*complete" to TRUE before exit from the
function.

Bug: http://curl.haxx.se/mail/lib-2011-12/0250.html
Reported by: Gokhan Sengun
2011-12-24 00:12:00 +01:00
Daniel Stenberg
4f8db8bf95 Curl_do_more: fix typo logic
In the recent do_more fix the new logic was mistakenly checking the
pointer instead of what it points to.

Reported by: Gokhan Sengun
Bug: http://curl.haxx.se/mail/lib-2011-12/0250.html
2011-12-24 00:09:41 +01:00
Daniel Stenberg
5ac9ec7205 SFTP mkdir: use correct permission
When sending quote command to a SFTP server and 'mkdir' was used, it
would send fixed permissions and not use the CURLOPT_NEW_DIRECTORY_PERMS
as it should.

Reported by: Armel
Patch by: Armel
Bug: http://curl.haxx.se/mail/lib-2011-12/0249.html
2011-12-24 00:04:04 +01:00
Daniel Stenberg
2caa454dc1 resolve: don't leak pre-populated dns entries
CURLOPT_RESOLVE populates the DNS cache with entries that are marked as
eternally in use. Those entries need to be taken care of when the cache
is killed off.

Bug: http://curl.haxx.se/bug/view.cgi?id=3463121
Reported by: "tw84452852"
2011-12-23 14:46:20 +01:00
Yang Tse
1afbccc676 formdata.c: OOM handling fixes 2011-12-21 15:39:44 +01:00
Daniel Stenberg
926916e28e Curl_socket_check: enlarge poll struct array to 3
This function was introduced in commit 5527417afa and as pointed out
by Gokhan Sengun, the array with poll structs must large enough to hold
3 sockets since that is what the function can accept. It could be noted
that he had this fixed in his patch as posted in
http://curl.haxx.se/mail/lib-2011-12/0179.html

Bug: http://curl.haxx.se/mail/lib-2011-12/0228.html
Reported by: Gokhan Sengun
2011-12-20 23:33:54 +01:00