Daniel Stenberg 365c5ba395 formpost: better random boundaries
When doing multi-part formposts, libcurl used a pseudo-random value that
was seeded with time(). This turns out to be bad for users who formpost
data that is provided with users who then can guess what the boundary
string will look like and then they can forge a different formpost part
and trick the receiver.

My advice to such implementors is (still even after this change) to not
rely on the boundary strings being cryptographically strong. Fix your
code and logic to not depend on them that much!

I moved the Curl_rand() function into the sslgen.c source file now to be
able to take advantage of the SSL library's random function if it
provides one. If not, try to use the RANDOM_FILE for seeding and as a
last resort keep the old logic, just modified to also add microseconds
which makes it harder to properly guess the exact seed.

The formboundary() function in formdata.c is now using 64 bit entropy
for the boundary and therefore the string of dashes was reduced by 4
letters and there are 16 hex digits following it. The total length is
thus still the same.

Bug: http://curl.haxx.se/bug/view.cgi?id=1251
Reported-by: "Floris"
2013-06-25 09:55:49 +02:00
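The difference the commit message describes, as an added example that is not libcurl's source: a boundary derived only from a time()-like seed can be recomputed by anyone who knows the second, while 64 bits read from a random file cannot, and a sender-side check on the untrusted body avoids depending on the boundary being secret at all. Assumptions: the function names, the stand-in LCG, the dash count, and `/dev/urandom` as the random file are all chosen for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libcurl source; the dash count is an assumption. */
#define DASHES "------------------------"

/* Weak pattern: output depends only on a time()-like seed, so the same
   second always yields the same boundary. The LCG is a stand-in PRNG. */
static void time_seeded_boundary(uint32_t seed, char *out, size_t len)
{
  uint32_t hi = seed * 1103515245u + 12345u;
  uint32_t lo = hi * 1103515245u + 12345u;
  snprintf(out, len, "%s%08x%08x", DASHES, (unsigned)hi, (unsigned)lo);
}

/* 64 bits from the random file (assumed /dev/urandom) as 16 hex digits.
   Returns 0 on success, -1 on failure. */
static int random_boundary(char *out, size_t len)
{
  unsigned char r[8];
  size_t got, i, n = strlen(DASHES);
  FILE *f = fopen("/dev/urandom", "rb");
  if(!f) return -1;
  got = fread(r, 1, sizeof(r), f);
  fclose(f);
  if(got != sizeof(r) || len < n + 2 * sizeof(r) + 1) return -1;
  memcpy(out, DASHES, n);
  for(i = 0; i < sizeof(r); i++)
    snprintf(out + n + 2 * i, 3, "%02x", r[i]);
  return 0;
}

/* Sender-side check that does not rely on secrecy: redraw until the
   boundary does not occur anywhere in the untrusted part body. */
static int safe_boundary(const char *body, size_t blen, char *out, size_t len)
{
  int tries;
  size_t i, n;
  for(tries = 0; tries < 8; tries++) {
    if(random_boundary(out, len)) return -1;
    n = strlen(out);
    for(i = 0; i + n <= blen && memcmp(body + i, out, n); i++)
      ;
    if(i + n > blen)
      return 0; /* no occurrence found, boundary is safe to use */
  }
  return -1;
}
```
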
CMake
docs TODO: 1.8 Modified buffer size approach 2013-06-23 22:49:06 +02:00
include bump: start working towards what most likely will become 7.32.0 2013-06-22 14:13:28 +02:00
lib formpost: better random boundaries 2013-06-25 09:55:49 +02:00
m4 configure: use XC_LIBTOOL for portability across libtool versions 2013-03-08 13:27:45 +01:00
packages build_vms.com: use existing curlbuild.h and parsing fix 2013-03-20 20:44:57 +01:00
perl
src Updated zlib version in build files. 2013-05-11 17:08:00 +02:00
tests formpost: better random boundaries 2013-06-25 09:55:49 +02:00
vs move msvc IDE related files to 'vs' directory tree 2013-02-13 17:14:21 +01:00
winbuild msvc: move Makefile.msvc.names into winbuild/ 2013-02-06 23:14:11 +01:00
.gitattributes
.gitignore repository: ignore patch files generated by git 2013-02-22 23:22:22 +01:00
acinclude.m4 CURL_CHECK_CA_BUNDLE: don't check for paths when cross-compiling 2013-04-18 23:37:56 +02:00
buildconf
buildconf.bat
CHANGES
CHANGES.0
CMakeLists.txt cmake: Fix mingw build 2013-02-04 22:35:09 +01:00
configure.ac curl-config: don't output static libs when they are disabled 2013-04-16 16:07:41 +02:00
COPYING COPYING: Updated copyright year to include 2013 2013-02-05 23:05:50 +00:00
CTestConfig.cmake
curl-config.in curl-config.in: replace tabs by spaces 2013-06-22 22:08:42 +02:00
GIT-INFO
install-sh install-sh: updated to support multiple source files as arguments 2013-02-13 15:47:54 +01:00
libcurl.pc.in
log2changes.pl
MacOSX-Framework OS X framework: fix invalid symbolic link 2013-05-09 21:51:35 +02:00
Makefile.am move msvc IDE related files to 'vs' directory tree 2013-02-13 17:14:21 +01:00
Makefile.dist
maketgz maketgz: make bzip2 creation work with Parallel BZIP2 too 2013-04-18 11:13:56 +02:00
missing
mkinstalldirs install-sh: updated to support multiple source files as arguments 2013-02-13 15:47:54 +01:00
README
RELEASE-NOTES bump: start working towards what most likely will become 7.32.0 2013-06-22 14:13:28 +02:00
TODO-RELEASE TODO-RELEASE: cleaned up, not really maintained lately 2013-04-08 08:32:10 +02:00

                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

README

  Curl is a command line tool for transferring data specified with URL
  syntax. Find out how to use curl by reading the curl.1 man page or the
  MANUAL document. Find out how to install Curl by reading the INSTALL
  document.

  libcurl is the library curl is using to do its job. It is readily
  available to be used by your software. Read the libcurl.3 man page to
  learn how!

  You find answers to the most frequent questions we get in the FAQ document.

  Study the COPYING file for distribution terms and similar. If you distribute
  curl binaries or other binaries that involve libcurl, you might enjoy the
  LICENSE-MIXING document.

CONTACT

  If you have problems, questions, ideas or suggestions, please contact us
  by posting to a suitable mailing list. See http://curl.haxx.se/mail/

  All contributors to the project are listed in the THANKS document.

WEB SITE

  Visit the curl web site for the latest news and downloads:

        http://curl.haxx.se/

GIT

  To download the very latest source off the GIT server do this:

    git clone git://github.com/bagder/curl.git

  (you'll get a directory named curl created, filled with the source code)

NOTICE

  Curl contains pieces of source code that is Copyright (c) 1998, 1999
  Kungliga Tekniska Högskolan. This notice is included here to comply with the
  distribution terms.