curl/lib
Tim Ruehsen 8a75dbeb23 cookies: only use full host matches for hosts used as IP address
By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html
2014-09-10 07:32:36 +02:00
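The matching rule described in the commit message above, as an added example that is not code from libcurl or from this commit: a plain suffix comparison beside a hardened form that requires a full match when the host is an IP literal. The function names and sample hosts are constructed for illustration, and the dot-boundary check for host names goes slightly beyond what the message states.

```c
/* Added example: a model of cookie-domain matching, not libcurl's cookie.c. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Returns 1 when host is an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *host)
{
  struct in_addr a4;
  struct in6_addr a6;
  return inet_pton(AF_INET, host, &a4) == 1 ||
         inet_pton(AF_INET6, host, &a6) == 1;
}

/* Weak: plain suffix comparison, blind to label boundaries and IP literals. */
int domain_match_weak(const char *domain, const char *host)
{
  size_t dl = strlen(domain), hl = strlen(host);
  return dl && hl >= dl && strcasecmp(domain, host + hl - dl) == 0;
}

/* Hardened: an IP-literal host needs a full match; a name matches only on a
   dot boundary. */
int domain_match_strict(const char *domain, const char *host)
{
  size_t dl, hl = strlen(host);
  if(*domain == '.')
    domain++;                      /* a leading dot carries no meaning */
  dl = strlen(domain);
  if(dl == 0 || hl < dl)
    return 0;
  if(is_ip_literal(host))
    return strcasecmp(domain, host) == 0;
  if(strcasecmp(domain, host + hl - dl) != 0)
    return 0;
  return hl == dl || host[hl - dl - 1] == '.';
}

int main(void)
{
  /* Constructed inputs: a documentation address and example.com names. */
  printf("weak   '2.1' for 192.0.2.1: %d\n", domain_match_weak("2.1", "192.0.2.1"));
  printf("strict '2.1' for 192.0.2.1: %d\n", domain_match_strict("2.1", "192.0.2.1"));
  printf("strict 'example.com' for www.example.com: %d\n",
         domain_match_strict("example.com", "www.example.com"));
  return 0;
}
```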
vtls polarassl: avoid memset() when clearing the first byte is enough 2014-09-08 10:11:34 +02:00
.gitignore
amigaos.c
amigaos.h
arpa_telnet.h
asyn-ares.c low-speed-limit: avoid timeout flood 2014-08-31 23:50:01 +02:00
asyn-thread.c low-speed-limit: avoid timeout flood 2014-08-31 23:50:01 +02:00
asyn.h
base64.c Curl_base64url_encode: unit-tested in 1302 2014-07-25 08:38:16 +02:00
bundles.c
bundles.h
checksrc.pl
CMakeLists.txt cmake: Fix for MSVC2010 project generation 2013-07-17 00:26:58 +02:00
config-amigaos.h
config-dos.h Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
config-mac.h
config-os400.h GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date. 2014-07-23 16:15:01 +02:00
config-riscos.h
config-symbian.h config-symbian.h: Fixed up line lengths > 79 characters 2014-08-10 20:38:08 +01:00
config-tpf.h config-tpf.h: Fixed up line lengths > 79 characters 2014-08-10 20:38:09 +01:00
config-vxworks.h Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
config-win32.h config-win32.h: Updated for VC12 2014-06-05 22:44:46 +01:00
config-win32ce.h
conncache.c create_conn: prune dead connections 2014-08-12 23:33:56 +02:00
conncache.h create_conn: prune dead connections 2014-08-12 23:33:56 +02:00
connect.c low-speed-limit: avoid timeout flood 2014-08-31 23:50:01 +02:00
connect.h bits.close: introduce connection close tracking 2014-05-22 00:34:10 +02:00
content_encoding.c
content_encoding.h
cookie.c cookies: only use full host matches for hosts used as IP address 2014-09-10 07:32:36 +02:00
cookie.h cookies: follow-up fix for path checking 2013-06-12 11:19:56 +02:00
curl_addrinfo.c
curl_addrinfo.h
curl_base64.h base64: added Curl_base64url_encode() 2014-07-25 08:24:03 +02:00
curl_config.h.cmake Cmake: Possibility to use OpenLDAP, OpenSSL, LibSSH2 on windows 2014-08-25 12:44:24 +02:00
curl_fnmatch.c
curl_fnmatch.h
curl_gethostname.c
curl_gethostname.h
curl_gssapi.c GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date. 2014-07-23 16:15:01 +02:00
curl_gssapi.h GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
curl_hmac.h
curl_ldap.h
curl_md4.h
curl_md5.h
curl_memory.h WIN32 MemoryTracking: require UNICODE for wide strdup code support 2013-07-19 12:33:10 +02:00
curl_memrchr.c
curl_memrchr.h
curl_multibyte.c
curl_multibyte.h
curl_ntlm_core.c NTLM: set a fake entropy for debug builds with CURL_ENTROPY set 2014-06-11 23:15:48 +02:00
curl_ntlm_core.h ntlm: Added support for NTLMv2 2014-01-29 20:17:11 +00:00
curl_ntlm_msgs.c sspi: Minor code tidy up to standardise coding style 2014-08-08 22:43:18 +01:00
curl_ntlm_msgs.h ntlm: Moved the identity generation into shared SSPI code 2014-04-06 00:35:22 +01:00
curl_ntlm_wb.c ntlm_wb: Avoid invoking ntlm_auth helper with empty username 2014-07-16 17:26:08 +02:00
curl_ntlm_wb.h
curl_ntlm.c ntlm: Fixed a memory leak when using NTLM with a proxy server 2014-01-30 20:59:26 +00:00
curl_ntlm.h
curl_rtmp.c INFILESIZE: fields in UserDefined must not be changed run-time 2014-04-26 18:17:10 +02:00
curl_rtmp.h
curl_sasl_sspi.c sasl_sspi: Fixed a memory leak with the GSSAPI base-64 decoded challenge 2014-08-17 23:08:55 +01:00
curl_sasl.c sasl: Fixed a memory leak on OOM 2014-08-22 21:40:05 +02:00
curl_sasl.h curl_sasl.h: Fixed compilation error from commit 4b491c675f 2014-08-14 15:53:33 +01:00
curl_sec.h security.h: rename to curl_sec.h to avoid name collision 2013-08-26 11:51:18 +02:00
curl_setup_once.h curl_setup_once: fix errno access for lwip on Windows 2013-10-09 14:45:42 +02:00
curl_setup.h curl.h/features: Deprecate GSS-Negotiate macros due to bad naming 2014-07-23 00:01:39 +02:00
curl_sspi.c ntlm: Moved the identity generation into shared SSPI code 2014-04-06 00:35:22 +01:00
curl_sspi.h sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module 2014-08-14 01:05:52 +01:00
curl_threads.c Curl_thread_create: use Curl_safefree to allow NULL better 2013-12-25 00:53:15 +01:00
curl_threads.h threaded resolver: Use pthread_t * for curl_thread_t 2013-12-25 00:28:28 +01:00
curlx.h
dict.c dict: fix memory leak in OOM exit path 2014-02-14 08:21:41 +01:00
dict.h
dotdot.c copyright: Updated following recent edits 2014-04-28 23:20:52 +01:00
dotdot.h copyright: Updated following recent edits 2014-04-28 23:20:52 +01:00
easy.c compiler warnings: potentially uninitialized variables 2014-07-05 01:42:10 +02:00
easyif.h curl_easy_perform_ev: make it CURL_EXTERN 2013-08-21 22:19:52 +02:00
escape.c Curl_urldecode: don't allow NULL as receiver 2014-02-13 23:57:40 +01:00
escape.h
file.c INFILESIZE: fields in UserDefined must not be changed run-time 2014-04-26 18:17:10 +02:00
file.h
fileinfo.c
fileinfo.h
firefox-db2pem.sh
formdata.c formdata: Must use Curl_safefree instead of free 2014-02-09 10:10:22 +01:00
formdata.h
ftp.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
ftp.h FTP: make the data connection work when going through proxy 2013-10-26 23:33:06 +02:00
ftplistparser.c FTP parselist: fix "total" parser 2014-01-04 00:38:43 +01:00
ftplistparser.h
getenv.c
getinfo.c ssl: generalize how the ssl backend identifier is set 2014-07-31 12:19:51 +02:00
getinfo.h
gopher.c
gopher.h
hash.c string formatting: fix 25+ printf-style format strings 2013-07-24 01:21:26 +02:00
hash.h
hmac.c
hostasyn.c
hostcheck.c hostcheck: added a system include to define struct in_addr 2014-03-26 22:29:00 +01:00
hostcheck.h
hostip4.c NI_MAXSERV: remove all use of it 2013-09-10 23:18:43 +02:00
hostip6.c NI_MAXSERV: remove all use of it 2013-09-10 23:18:43 +02:00
hostip.c resolve: cache lookup for async resolvers 2014-08-31 10:49:40 +02:00
hostip.h resolve: cache lookup for async resolvers 2014-08-31 10:49:40 +02:00
hostsyn.c dns: fix compilation with MinGW from commit df69440d05 2013-09-17 20:59:43 +01:00
http2.c Compile with latest nghttp2 2014-08-26 23:02:50 +02:00
http2.h http2: more and better error checking 2014-07-23 09:23:56 +02:00
http_chunks.c chunked-encoding: provide a readable error string for chunked errors 2014-03-14 15:44:18 +01:00
http_chunks.h chunked-encoding: provide a readable error string for chunked errors 2014-03-14 15:44:18 +01:00
http_digest.c random: use Curl_rand() for proper random data 2014-06-03 18:25:48 +02:00
http_digest.h
http_negotiate_sspi.c http_negotiate_sspi: Tidy up to remove the get_gss_name() function 2014-08-09 20:43:46 +01:00
http_negotiate.c GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
http_negotiate.h curl.h/features: Deprecate GSS-Negotiate macros due to bad naming 2014-07-23 00:01:39 +02:00
http_proxy.c CONNECT: close proxy connections that fail to CONNECT 2014-08-25 13:33:34 +02:00
http_proxy.h remote_port: allow connect to port 0 2014-03-05 17:38:05 +00:00
http.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
http.h HTTP2: Support expect: 100-continue 2014-08-02 23:15:46 +02:00
idn_win32.c
if2ip.c
if2ip.h
imap.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
imap.h email: Added mutual authentication flag 2014-08-15 21:32:21 +01:00
inet_ntop.c
inet_ntop.h
inet_pton.c
inet_pton.h
krb5.c GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
ldap.c bits.close: Fixed compilation warning 2014-05-22 00:29:21 +01:00
libcurl.def
libcurl.plist
libcurl.rc
libcurl.vers.in configure: use XC_LIBTOOL for portability across libtool versions 2013-03-08 13:27:45 +01:00
llist.c
llist.h
Makefile.am vtls: created subdir, moved sslgen.[ch] there, updated all include lines 2013-12-20 17:12:42 +01:00
makefile.amiga
Makefile.b32 Makefile.b32: Fixed for vtls changes 2014-05-09 21:09:51 +01:00
makefile.dj
Makefile.inc build: Slight rename of new LIB_* makefile file variables 2014-05-18 22:16:54 +01:00
Makefile.m32 Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
Makefile.netware Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
Makefile.vc6 Makefile.vc6: Added curl_sasl_sspi.c 2014-04-06 00:57:23 +01:00
Makefile.vxworks Updated zlib version in build files. 2013-05-11 17:08:00 +02:00
Makefile.Watcom Remove all traces of FBOpenSSL SPNEGO support 2014-07-16 17:26:08 +02:00
md4.c
md5.c md5.c: fix use of uninitialized variable 2014-04-18 22:59:25 +02:00
memdebug.c curl_dofree: allow free(NULL) 2013-12-25 23:30:25 +01:00
memdebug.h WIN32 MemoryTracking: require UNICODE for wide strdup code support 2013-07-19 12:33:10 +02:00
mk-ca-bundle.pl mk-ca-bundle.pl: add missing $ 2014-08-13 23:49:01 +02:00
mk-ca-bundle.vbs Simplify check for trusted certificates. 2013-08-05 13:02:27 +02:00
mprintf.c mprintf: allow %.s with data not being zero terminated 2014-05-04 23:39:52 +02:00
multi.c multi.c: Avoid invalid memory read after free() from commit 3c8c873252 2014-09-07 07:11:14 +01:00
multihandle.h multi: convert CURLM_STATE_CONNECT_PEND handling to a list 2014-09-02 10:17:47 +02:00
multiif.h low-speed-limit: avoid timeout flood 2014-08-31 23:50:01 +02:00
netrc.c netrc: fixed thread safety problem by using getpwuid_r if available 2014-07-13 00:27:22 +02:00
netrc.h netrc: handle longer username and password 2013-08-20 11:16:38 +02:00
non-ascii.c
non-ascii.h
nonblock.c
nonblock.h
nwlib.c
nwos.c
objnames-test08.sh
objnames-test10.sh
objnames.inc
openldap.c bits.close: introduce connection close tracking 2014-05-22 00:34:10 +02:00
parsedate.c parsedate.c: fix the return code for an overflow edge condition 2014-08-05 09:25:47 +02:00
parsedate.h
pingpong.c Curl_pp_readresp: use memmove not memcpy, possibly overlapping areas 2013-12-24 21:29:18 +01:00
pingpong.h
pipeline.c pipeline: Fixed a NULL pointer dereference on OOM 2014-01-31 00:05:36 +01:00
pipeline.h pipeline: remove print_pipeline() 2014-01-03 12:04:14 +01:00
pop3.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
pop3.h email: Added mutual authentication flag 2014-08-15 21:32:21 +01:00
progress.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
progress.h timers: fix timer regression involving redirects / reconnects 2014-05-15 21:28:19 +02:00
rawstr.c
rawstr.h
README.ares
README.curl_off_t
README.curlx
README.encoding
README.hostip lib: documentation updates in README.hostip 2014-06-21 19:49:48 +02:00
README.http2 README.http2: mention some alt-svc thoughts 2014-04-17 19:23:39 +02:00
README.httpauth
README.memoryleak
README.multi_socket
README.pingpong
README.pipelining
rtsp.c INFILESIZE: fields in UserDefined must not be changed run-time 2014-04-26 18:17:10 +02:00
rtsp.h
security.c security.h: rename to curl_sec.h to avoid name collision 2013-08-26 11:51:18 +02:00
select.c Curl_poll + Curl_wait_ms: fix timeout return value 2014-08-11 15:10:13 +02:00
select.h
sendf.c handler: make 'protocol' always specified as a single bit 2014-04-23 22:36:01 +02:00
sendf.h
setup-os400.h OS400: coding style standards 2013-10-28 12:00:22 +01:00
setup-vms.h setup-vms.h: sk_pop symbol tweak 2013-07-12 12:11:11 +02:00
share.c vtls: renamed sslgen.[ch] to vtls.[ch] 2013-12-20 17:12:42 +01:00
share.h
sigpipe.h sigpipe: factor out sigpipe_reset from easy.c 2013-11-27 22:46:55 +01:00
slist.c slist.c: Curl_slist_append_nodup() OOM handling fix 2013-07-16 23:59:05 +02:00
slist.h slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup() 2013-07-15 16:53:43 +02:00
smtp.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
smtp.h email: Added mutual authentication flag 2014-08-15 21:32:21 +01:00
sockaddr.h
socks_gssapi.c GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
socks_sspi.c sspi: Moved KERB_WRAP_NO_ENCRYPT from socks_sspi module 2014-08-14 01:05:52 +01:00
socks.c docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
socks.h docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
speedcheck.c low-speed-limit: avoid timeout flood 2014-08-31 23:50:01 +02:00
speedcheck.h
splay.c copyright: Updated following recent edits 2014-04-28 23:20:52 +01:00
splay.h
ssh.c Ensure progress.size_dl/progress.size_ul are always >= 0 2014-09-07 23:23:12 +02:00
ssh.h
strdup.c
strdup.h
strequal.c
strequal.h
strerror.c http2: more and better error checking 2014-07-23 09:23:56 +02:00
strerror.h
strtok.c
strtok.h
strtoofft.c
strtoofft.h
telnet.c telnet.c: check sscanf results before passing them to snprintf 2014-04-19 15:23:04 +02:00
telnet.h
tftp.c bits.close: introduce connection close tracking 2014-05-22 00:34:10 +02:00
tftp.h
timeval.c
timeval.h
transfer.c transfer: fix info messages when switching method on 301 and 302 2014-06-09 08:29:37 +02:00
transfer.h
url.c url.c: Use CURLAUTH_NONE constant rather than 0 2014-09-06 22:23:54 +01:00
url.h FTP: make the data connection work when going through proxy 2013-10-26 23:33:06 +02:00
urldata.h urldata.h: Fixed compilation warnings from commit 3ec253532e 2014-08-14 12:07:28 +01:00
version.c curl.h/features: Deprecate GSS-Negotiate macros due to bad naming 2014-07-23 00:01:39 +02:00
warnless.c tool_getparam.c: Fixed compilation warnings 2014-05-22 21:01:51 +01:00
warnless.h tool_getparam.c: Fixed compilation warnings 2014-05-22 21:01:51 +01:00
wildcard.c
wildcard.h
x509asn1.c x509asn: moved out Curl_verifyhost from NSS builds 2014-03-03 08:44:25 +01:00
x509asn1.h NSS: support for CERTINFO feature 2013-10-30 11:12:06 +01:00

HTTP Pipelining with libcurl
============================

Background

Since pipelining implies that one or more requests are sent to a server before
the previous response(s) have been received, we only support it for multi
interface use.

Considerations

When using the multi interface, you create one easy handle for each transfer.
Basically any number of handles can be created, added and used with the multi
interface - simultaneously. It is an interface designed to allow many
simultaneous transfers while still using a single thread. Pipelining does not
change any of these details.

API

We've added a new option to curl_multi_setopt() called CURLMOPT_PIPELINING
that enables "attempted pipelining". All easy handles used on that multi
handle will then attempt to use an existing pipeline.

Details

- A pipeline is only created if a previous connection exists to the same IP
  address that the new request would use.

- Pipelines are only supported for HTTP(S) as no other currently supported
  protocol has features resembling this, but we still name this feature
  plain 'pipelining' to possibly one day support it for other protocols as
  well.

- HTTP Pipelining is for GET and HEAD requests only.

- When a pipeline is in use, easy handles that are still waiting for a
  response may be removed from the multi handle. We must take precautions so
  that the outstanding response is dealt with nicely.

- Explicitly asking for pipelining handle X and handle Y won't be supported.
  It isn't easy for an app to do this association. The lib should probably
  still resolve the second one properly to make sure that they actually _can_
  be considered for pipelining. Also, asking for explicit pipelining on handle
  X may be tricky when handle X gets a closed connection.
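
Why the outstanding response of a removed handle has to be dealt with, shown as an added example that is a toy model and not libcurl code: responses on a pipelined connection come back in request order, so forgetting the removed request hands its response to the next handle. All names and the sample handle ids are constructed for illustration.

```c
/* Added example: toy model of one pipelined connection, not libcurl code. */
#include <stdio.h>
#include <string.h>
#define PIPE_MAX 8
#define NO_OWNER (-1)    /* slot whose easy handle was removed */
#define PIPE_EMPTY (-2)  /* no response is outstanding */

struct pipeline {
  int owner[PIPE_MAX];   /* handle id per request, in the order sent */
  int count;
};

/* keep_slot=0 forgets the request (unsafe); 1 keeps a NO_OWNER slot for it. */
void pipe_remove(struct pipeline *p, int handle, int keep_slot)
{
  int i, j = 0;
  for(i = 0; i < p->count; i++) {
    if(p->owner[i] != handle)
      p->owner[j++] = p->owner[i];
    else if(keep_slot)
      p->owner[j++] = NO_OWNER;
  }
  p->count = j;
}

/* Responses arrive in request order: pop and return the next recipient. */
int pipe_next_response(struct pipeline *p)
{
  int who;
  if(p->count == 0)
    return PIPE_EMPTY;
  who = p->owner[0];
  memmove(p->owner, p->owner + 1, (size_t)--p->count * sizeof(int));
  return who;
}

/* Constructed case: 1, 2, 3 in flight, 1 removed; who gets the first reply? */
int first_recipient(int keep_slot)
{
  struct pipeline p = {{1, 2, 3}, 3};
  pipe_remove(&p, 1, keep_slot);
  return pipe_next_response(&p);
}

int main(void)
{
  printf("slot deleted: %d, slot kept: %d\n",
         first_recipient(0), first_recipient(1));
  return 0;
}
```

With the slot deleted, the response to the removed handle's request is handed to handle 2; with the slot kept, it is read and dropped and handle 2 receives its own response next.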