11
Version 7.15.1 (7 December 2005)
13
Daniel (6 December 2005)
14
- Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by
19
libcurl's URL parser function can overflow a malloced buffer in two ways, if
22
These overflows happen if you
24
1 - pass in a URL with no protocol (like "http://") prefix, using no slash
25
and the string is 256 bytes or longer. This leads to a single zero byte
26
overflow of the malloced buffer.
28
2 - pass in a URL with only a question mark as separator (no slash) between
29
the host and the query part of the URL. This leads to a single zero byte
30
overflow of the malloced buffer.
32
Both overflows can be made with the same input string, leading to two single
35
The affected flaw cannot be triggered by a redirect, but the long URL must
36
be passed in "directly" to libcurl. It makes this a "local" problem. Of
37
course, lots of programs may still pass in user-provided URLs to libcurl
38
without doing much syntax checking of their own, allowing a user to exploit
41
There is no known exploit at the time of this writing.
44
Daniel (2 December 2005)
45
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
46
file descriptor if given a non-existing file.
48
Daniel (24 November 2005)
49
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
50
again using configure.
52
- Yang Tse provided a whole series of patches to clear up compiler warnings on
55
Daniel (17 November 2005)
56
- I extended a patch from David Shaw to make libcurl _always_ provide an error
57
string in the given error buffer to address the flaw mention on 21 sep 2005.
59
Daniel (16 November 2005)
60
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
61
installed on 'make install' time.
63
Daniel (14 November 2005)
64
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
65
properly for a case, and so we did. We raised it even for non-SSPI builds
66
but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715
68
- Jan Kunder's debian bug report
69
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
70
error message for when you try to upload a file and the requested directory
71
doesn't exist on the target server.
73
- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
74
lib/memdebug.h that showed up in his msvc builds.
76
Daniel (13 November 2005)
77
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
79
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
80
error if a bad unit is used.
82
- Thanks to this nice summary of poll() implementations:
83
http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
84
Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
85
connectin closure so we check for that case (too) and re-enable poll for
88
Daniel (12 November 2005)
89
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
90
right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
91
poll() and use select() on cygwin too (we already do the same choice on Mac
94
- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
95
client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
97
Daniel (10 November 2005)
98
- David Lang fixed IPv6 support for TFTP!
100
- Introducing range stepping to the curl globbing support. Now you can specify
101
step counter by adding :[num] within the brackets when specifying a range:
106
If no step counter is set, it defaults to 1 as before:
111
Daniel (8 November 2005)
112
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
113
we really have no use for reverse lookups of the address.
115
I truly hope these are the last reverse lookups we had lingering in the
118
- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
119
version of libcurl with different Windows versions. Current version of
120
libcurl imports SSPI functions from secur32.dll. However, under Windows NT
121
4.0 these functions are located in security.dll, under Windows 9x - in
122
secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
123
just forwards calls to secur32.dll).
125
Dmitry's patch loads proper library dynamically depending on Windows
126
version. Function InitSecurityInterface() is used to obtain pointers to all
127
of SSPI function in one structure.
129
Daniel (31 October 2005)
130
- Vilmos Nebehaj improved libcurl's LDAP abilities:
132
The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
133
attributes in LDAP objects. So, I made a quick patch to address these
136
The solution is simple: if we connect to an LDAP server, first try LDAPv3
137
(which is the preferred protocol as of now) and then fall back to LDAPv2.
138
In case of binary attributes, we first convert them to base64, just like the
139
openldap client does. It uses ldap_get_values_len() instead of
140
ldap_get_values() to be able to retrieve binary attributes correctly. I
141
defined the necessary LDAP macros in lib/ldap.c to be able to compile
142
libcurl without the presence of libldap
144
Daniel (27 October 2005)
145
- Nis Jorgensen filed bug report #1338648
146
(http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
147
feature request, but anyway. It pointed out that --max-redirs did not allow
148
it to be set to 0, which then would return an error code on the first
149
Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
150
set to 0, or -1 for infinity. Added test case 274 to verify.
152
- tommink[at]post.pl reported in bug report #1337723
153
(http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
154
binary data from stdin on Windows if the data contained control-Z (hex 1a)
155
since that is treated as end-of-file when read in text mode. Gisle Vanem
156
pointed out the fix, and I made both -T and --data-binary take advantage of
159
- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
160
in the man page, curl would send an invalid HTTP Range: header. The correct
161
way would be to use "-r [number]-" or even "-r -[number]". Starting now,
162
curl will warn if this is discovered, and automatically append a dash to the
163
range before passing it to libcurl.
165
Daniel (25 October 2005)
166
- Amol Pattekar reported a bug with great detail and a fine example in bug
167
#1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
168
interface and connecting to a host with multiple IP addresses, and one of
169
the addresses fails to connect (the server must exist and respond, just not
170
accept connections) libcurl leaks a socket descriptor. Thanks to the fine
171
report, I could find and fix this.
173
Daniel (22 October 2005)
174
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
175
#1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
176
stream from a server and the server requests a "rehandshake", the current
177
code simply returns this as an error. I have no good way to test this, but
178
I've added a crude attempt of dealing with this situation slightly better -
179
it makes a blocking handshake if this happens. Done like this because fixing
180
this the "proper" way (that would handshake asynchronously) will require
181
quite some work and I really need a good way to test this to do such a
184
Daniel (21 October 2005)
185
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
186
it, it could then accidentally actually crash. Presumably, this concerns FTP
187
connections. http://curl.haxx.se/bug/view.cgi?id=1330310
189
- Temprimus improved the MSVC makefile so that the static debug SSL libs are
190
linked to the executable and not to the libcurld.lib
191
http://curl.haxx.se/bug/view.cgi?id=1326676
193
- Bradford Bruce made the windows resolver code properly return
194
CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
195
errors (as documented).
197
Daniel (20 October 2005)
198
- Dave Dribin made libcurl understand and handle cases when the server
199
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
200
never happen in a sane world, libcurl previously got into an infinite loop
201
when this occurred. Dave added test 273 to verify this.
203
- Temprimus improved the MSVC makefile: "makes a build option available so if
204
you set rtlibcfg=static for the make, then it would build with /MT. The
205
default behaviour is /MD (the original)."
206
http://curl.haxx.se/bug/view.cgi?id=1326665
208
Daniel (14 October 2005)
209
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
210
reported, the define is used by the configure script and is assumed to use
211
the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
214
Version 7.15.0 (13 October 2005)
216
Daniel (12 October 2005)
217
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
218
code that would overflow a buffer if given a too long user name or domain
219
name. This would happen if you enable NTLM authentication and either
221
A - pass in a user name and domain name to libcurl that together are longer
224
B - allow (lib)curl to follow HTTP "redirects" (Location: and the
225
appropriate HTTP 30x response code) and the new URL contains a URL with
226
a user name and domain name that together are longer than 192 bytes
228
See http://curl.haxx.se/docs/security.html for further details and updates
230
Daniel (5 October 2005)
231
- Darryl House reported a problem with using -z to download files from FTP.
232
It turned out that if the given time stamp was exact the same as the remote
233
time stamp, the file would still wrongly be downloaded. Added test case 272
236
Daniel (4 October 2005)
237
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
238
from the configure script.
240
- Michael Wallner reported that the date parser had wrong offset stored for
241
the MEST and CEST time zones.
243
Daniel (27 September 2005)
244
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)
245
that identified a silly problem with Content-Range: headers with the 'bytes'
246
keyword written in a different case than all lowercase! It would cause a
249
- TJ Saunders of the proftpd project identified and pointed out problems with
250
the modified FTPS negotiation change of August 19 2005. Thus, we revert the
251
change back to pre-7.14.1 status.
253
Daniel (21 September 2005)
254
- Fixed "cut off" sentence in the libcurl-tutorial man page:
255
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305
257
- Clarified in the curl_easy_setopt man page what the default
258
CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean:
259
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311
261
- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
262
sometimes doesn't fill in the buffer even though it is supposed to:
263
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313
265
- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
268
Daniel (19 September 2005)
269
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.
271
Daniel (15 September 2005)
272
- Added a TFTP server to the test suite and made the test suite capable of
275
Daniel (7 September 2005)
276
- Ben Madsen's detailed reports that funnily enough only occurred with certain
277
glibc versions turned out to be curl using an already closed file handle
278
during certain conditions (like when saving FTP server "headers").
280
- Scott Davis helped me track down a problem in the test HTTP server that made
281
test case 56 wrongly fail at times. It turned out it was due to the server
282
finding the end of a chunked-encoded POST too early.
284
Daniel (6 September 2005)
285
- Now curl warns if an unknown variable is used in the -w/--writeout argument.
287
Daniel (4 September 2005)
288
- I applied Nicolas Fran�ois' man page patch he posted to the Debian bug
289
tracker. It corrected two lines that started with apostrophes, which isn't
290
legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511
292
- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
293
CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
294
connection's IP address when setting up the data connection instead of
295
extractting the IP address from the PASV response. It has turned out this
296
feature is frequently needed by people to circumvent silly servers and silly
297
firewalls, especially when FTPS is used and the PASV command-response is
300
Sponsored by CU*Answers
302
Daniel (1 September 2005)
303
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
304
added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
305
list of protocols whereever those are mentioned.
307
Version 7.14.1 (1 September 2005)
309
Daniel (29 August 2005)
310
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.
312
- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
313
for Windows, that could lead to an Access Violation when the multi interface
314
was used due to an issue with how the resolver thread was and was not
317
- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
318
instead of MIT/Heimdal for GSS capabilities.
320
Daniel (24 August 2005)
321
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
322
from the command line tool with --ignore-content-length. This will make it
323
easier to download files from Apache 1.x (and similar) servers that are
324
still having problems serving files larger than 2 or 4 GB. When this option
325
is enabled, curl will simply have to wait for the server to close the
326
connection to signal end of transfer. I wrote test case 269 that runs a
327
simple test to verify that this works.
329
- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
330
the --logfile command line option to --log-file, and thus the test script
331
valgrind autodetection now has yet another version check to do and then it
332
alters the valgrind command line accordingly.
334
- Fixed CA cert verification using GnuTLS with the default bundle, which
335
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
336
Ralph Mitchell reported.
338
Daniel (19 August 2005)
339
- Norbert Novotny had problems with FTPS and he helped me work out a patch
340
that made curl run fine in his end. The key was to make sure we do the
341
SSL/TLS negotiation immediately after the TCP connect is done and not after
342
a few other commands have been sent like we did previously. I don't consider
343
this change necessary to obey the standards, I think this server is pickier
344
than what the specs allow it to be, but I can't see how this modified
345
libcurl code can add any problems to those who are interpreting the
346
standards more liberally.
348
Daniel (17 August 2005)
349
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
350
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
351
write the result to a given cookie jar and then never actually call
352
curl_easy_perform() - the given file(s) to read was never read but the
353
output file was written and thus it caused a "funny" result.
355
- While doing some tests for the bug above, I noticed that Firefox generates
356
large numbers (for the expire time) in the cookies.txt file and libcurl
357
didn't treat them properly. Now it does.
359
Daniel (15 August 2005)
360
- Added more verbose "warning" messages to the curl client for cases where it
361
fails to open/read files etc to help users diagnose why it doesn't do what
362
you'd expect it to. Converted lots of old messages to use the new generic
363
function I wrote for this purpose.
365
Daniel (13 August 2005)
366
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
367
site responds with bad HTTP response that doesn't contain any header at all,
368
only a response body, and the write callback returns 0 to abort the
369
transfer, it didn't have any real effect but the write callback would be
370
called once more anyway.
372
Daniel (12 August 2005)
373
- Based on Richard Clayton's reports, I found out that using curl -d @filename
374
when 'filename' was not possible to access made curl use a GET request
377
- The time condition illegal syntax warning is now inhibited if -s is used.
379
Daniel (10 August 2005)
380
- Mario Schroeder found out that one of the debug callbacks calls that regards
381
SSL data with the CURLINFO_TEXT type claimed that the data was one byte
382
larger than it actually is, thus falsely telling the application that the
383
terminating zero was part of the data.
385
Daniel (9 August 2005)
386
- Christopher R. Palmer fixed the offsets used for date parsings when the time
387
zone name of a daylight savings time was used. For example, PDT vs PDS. This
388
flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
389
Fortunately, no web server or cookie string etc should be using such time
390
zone names thus limiting the effect of this bug.
392
Daniel (8 August 2005)
393
- Jon Grubbs filed bug report #1249962
394
(http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem
395
with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
396
switches to pure HTTP internally when an HTTP proxy is used, even for FTP
397
URLs. The problem would also occur with other multi-pass auth methods.
399
Daniel (7 August 2005)
400
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
403
Daniel (28 July 2005)
404
- If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is
405
set to 1, CURLOPT_NOBODY will now automatically be set to 0.
407
Daniel (27 July 2005)
408
- Dan Fandrich changes over the last week: fixed numerous minor configure
409
option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
410
and --without-krb4. Spellfixed several error messages.
412
- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
413
simple interface to extracting and setting cookies in libcurl's internal
414
"cookie jar". See the new cookie_interface.c example code.
416
Daniel (13 July 2005)
417
- Diego Casorran provided patches to make curl build fine on Amiga again.
419
Daniel (12 July 2005)
420
- Adrian Schuur added trailer support in the chunked encoding stream. The
421
trailer is then sent to the normal header callback/stream. I wrote up test
422
case 266 to verify the basic functionality. Do note that test case 34
423
contains a flawed chunked encoding stream that still works the same.
426
- Gisle Vanem came up with a nice little work-around for bug #1230118
427
(http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC)
428
libc time functions may return data one hour off if TZ is not set and
429
automatic DST adjustment is enabled. This made curl_getdate() return wrong
430
value, and it also concerned internal cookie expirations etc.
433
- Andrew Bushnell provided enough info for me to tell that we badly needed to
434
fix the CONNECT authentication code with multi-pass auth methods (such as
435
NTLM) as it didn't previously properly ignore response-bodies - in fact it
436
stopped reading after all response headers had been received. This could
437
lead to libcurl sending the next request and reading the body from the first
438
request as response to the second request. (I also renamed the function,
439
which wasn't strictly necessary but...)
441
The best fix would to once and for all make the CONNECT code use the
442
ordinary request sending/receiving code, treating it as any ordinary request
443
instead of the special-purpose function we have now. It should make it
444
better for multi-interface too. And possibly lead to less code...
446
Added test case 265 for this. It doesn't work as a _really_ good test case
447
since the test proxy is too stupid, but the test case helps when running the
450
Daniel (30 June 2005)
451
- Dan Fandrich improved the configure script's ability to figure out what kind
452
of strerror_r() API that is used when cross-compiling. If __GLIB__ is
453
defined, it assumes the glibc API. If not, it issues a notice as before that
454
the user needs to manually edit lib/config.h for this.
456
Daniel (23 June 2005)
457
- David Shaw's fix that unifies proxy string treatment so that a proxy given
458
with CURLOPT_PROXY can use a http:// prefix and user + password. The user
459
and password fields are now also URL decoded properly. Test case 264 added
462
Daniel (22 June 2005)
463
- David Shaw updated libcurl.m4
465
Daniel (14 June 2005)
466
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
467
(http://curl.haxx.se/bug/view.cgi?id=1216500). Comment in
468
http://curl.haxx.se/mail/lib-2005-06/0059.html
470
Daniel (13 June 2005)
471
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
475
- Incorporated Tupone's findtool fix in buildconf (slightly edited)
477
- Incorporated Tupone's head -n fix in buildconf.
480
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
481
in pieces, one by one and see what we need to adjust to work all over.
484
- Tupone Alfredo fixed three problems in buildconf:
486
1) findtool does look per tool in PATH and think ./perl is the perl
487
executable, while is just a local directory (I have . in the PATH)
489
2) I got several warning for head -1 deprecated in favour of head -n 1
491
3) ares directory is missing some file (missing is missing :-) ) because
492
automake and friends is not run.
495
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
496
http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes
498
- Andres Garcia provided yet another text mode patch for several test cases so
499
that they do text comparisions better on Windows (newline-wise).
502
- The configure check for c-ares now adds the cares lib before the other libs,
503
to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
504
and patch: http://curl.haxx.se/bug/view.cgi?id=1212940
507
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
508
address was not possible to use. It is now, but requires it written
509
RFC2732-style, within brackets - which incidently is how you enter numerical
510
IPv6 addresses in URLs. Test case 263 added to verify.
513
- Eric Cooper reported about a problem with HTTP servers that responds with
514
binary zeroes within the headers. They confused libcurl to do wrong so the
515
downloaded headers become incomplete. The fix is now verified with test case
516
262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948
519
- Fixed problems with the test suite, and in particular the FTP test cases
520
since it previously was failing every now and then in a nonsense manner.
522
- --trace-time now outputs the full microsecond, all 6 digits.
525
- Andres Garcia provided a text mode patch for several test cases so that they
526
do text comparisions better on Windows (newline-wise).
528
- Any 2xx response (and not just 200) is now considered a fine response to
529
TYPE, as some servers obviously sends a 226 there. Added test case 261 to
530
verify. Based on a question/report by Georg Wicherski.
533
- Improved runtests.pl to allow stdout tests to be mode=text as well, just
534
as file comparisons already supports. Added this info to the FILEFORMAT
538
- John McGowan identified a problem in bug report #1204435
539
(http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like
540
"http://somehost?data" as it added a slash too much in the request ("GET
541
/?data/"...). Added test case 260 to verify.
543
- The configure check for strerror_r() failed to detect the proper API at
544
times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
545
version if the posix define wasn't set (since it _had_ found a strerror_r).
548
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
549
due to this. There's now a configure check that attempts to detect the bad
550
function and not use it on such systems.
552
Version 7.14.0 (16 May 2005)
555
- Grigory Entin reported that curl's configure detects a fine poll() for Mac
556
OS X 10.4 (while 10.3 or later detected a "bad" one), but the executable
557
doesn't work as good as if built without poll(). I've adjusted the configure
558
to always skip the fine-poll() test on Mac OS X (darwin).
561
- When doing a second request (after a disconnect) using the same easy handle,
562
over a proxy that uses NTLM authentication, libcurl failed to use NTLM again
563
properly (the auth method was accidentally reset to the same as had been set
564
for host auth, which defaults to Basic). Bug report #1200661
565
(http://curl.haxx.se/bug/view.cgi?id=1200661) identified the the problem and
568
- If -z/--time-cond is used with an invalid date syntax, this is no longer
569
silently discarded. Instead a proper warning message is diplayed that
570
informs about it. But it still continues without the condition.
572
Version 7.14.0-pre2 (11 May 2005)
575
- Starting now, libcurl sends a little different set of headers in its default
578
A) Normal non-proxy HTTP:
579
- no more "Pragma: no-cache" (this only makes sense to proxies)
581
B) Non-CONNECT HTTP request over proxy:
582
- "Pragma: no-cache" is used (like before)
583
- "Proxy-Connection: Keep-alive" (for older style 1.0-proxies)
585
C) CONNECT HTTP request over proxy:
586
- "Host: [name]:[port]"
587
- "Proxy-Connection: Keep-alive"
589
The A) case is mostly to reduce the default header size and remove a
592
The B) is to address (rare) problems with HTTP 1.0 proxies
594
The C) headers are both to address (rare) problems with some proxies. The
595
code in libcurl that deals with CONNECT requests need a rewrite, but it
596
feels like a too big a job for me to do now. Details are added in the code
599
Updated a large amount of test cases to reflect the news.
602
- Half-baked attempt to bail out if select() returns _only_ errorfds when the
603
transfer is in progress. An attempt to fix Allan's problem. See
604
http://curl.haxx.se/mail/lib-2005-05/0073.html and the rest of that thread
607
I'm still not sure this is the right fix, but...
609
Version 7.14.0-pre1 (9 May 2005)
612
- Sort of "fixed" KNOWN_BUGS #4: curl now builds IPv6 enabled on AIX 4.3. At
613
least it should no longer cause a compiler error. However, it does not have
614
AI_NUMERICHOST so we cannot getaddrinfo() any numerical addresses with it
615
(we use that for FTP PORT/EPRT)! So, I modified the configure check that
616
checks if the getaddrinfo() is working, to use AI_NUMERICHOST since then
617
it'll fail on AIX 4.3 and it will automatically build with IPv6 support
620
- Added --trace-time that when used adds a time stamp to each trace line that
621
--trace, --trace-ascii and --verbose output. I also made the '>' display
622
separate each line on the linefeed so that HTTP requests etc look nicer in
625
- Made curl recognize the environment variables Lynx (and others?) support for
626
pointing out the CA cert path/file: SSL_CERT_DIR and SSL_CERT_FILE. If
627
CURL_CA_BUNDLE is not set, they are checked afterwards.
629
Like before: on windows if none of these are set, it checks for the ca cert
632
1. application's directory
633
2. current working directory
634
3. Windows System directory (e.g. C:\windows\system32)
635
4. Windows Directory (e.g. C:\windows)
636
5. all directories along %PATH%
639
- The runtests.pl script now starts test servers by doing fork() and exec()
640
instead of the previous approach. This is less complicated and should
641
hopefully lead to less "leaked" servers (servers that aren't stopped
642
properly when the tests are stopped).
644
- Alexander Zhuravlev found a case when you did "curl -I [URL]" and it
645
complained on the chunked encoding, even though a HEAD should never return a
646
body and thus it cannot be a chunked-encoding problem!
648
Daniel (30 April 2005)
649
- Alexander Zhuravlev found out that (lib)curl SIGSEGVed when using
650
--interface on an address that can't be bound.
652
Daniel (28 April 2005)
653
- Working on fixing up test cases to mark sections as 'mode=text' for things
654
that curl writes as text files, since then they can get different line
655
endings depending on OS. Andr�s Garc�a helps me work this out.
657
Did lots of other minor tweaks on the test scripts to work better and more
658
reliably find test servers and also kill test servers.
660
- Dan Fandrich pointed out how the runtests.pl script killed the HTTP server
661
instead of the HTTPS server when closing it down.
663
Daniel (27 April 2005)
664
- Paul Moore made curl check for the .curlrc file (_curlrc on windows) on two
665
more places. First, CURL_HOME is a new environment variable that is used
666
instead of HOME if it is set, to point out where the default config file
667
lives. If there's no config file in the dir pointed out by one of the
668
environment variables, the Windows version will instead check the same
669
directory the executable curl is located in.
671
Daniel (26 April 2005)
672
- Cory Nelson's work on nuking compiler warnings when building on x64 with
675
Daniel (25 April 2005)
676
- Fred New reported a bug where we used Basic auth and user name and password
677
in .netrc, and when following a Location: the subsequent requests didn't
678
properly use the auth as found in the netrc file. Added test case 257 to
681
- Based on feedback from Cory Nelson, I added some preprocessor magic in
682
*/setup.h and */config-win32.h to build fine with VS2005 on x64.
684
Daniel (23 April 2005)
685
- Alex Suykov made the curl tool now assume that uploads using HTTP:// or
686
HTTPS:// are the only ones that show output and thus motivates a switched
687
off progress meter if the output is sent to the terminal. This makes FTP
688
uploads without '>', -o or -O show the progress meter.
690
Daniel (22 April 2005)
691
- Dave Dribin's MSVC makefile fix: set CURL_STATICLIB when it builds static
694
- Andres Garcia fixed configure to set the proper define when building static
697
- --retry-delay didn't work.
699
Daniel (18 April 2005)
700
- Olivier reported that even though he used CURLOPT_PORT, libcurl clearly
701
still used the default port. He was right. I fixed the problem and added the
702
test cases 521, 522 and 523 to verify the fix.
704
- Toshiyuki Maezawa reported that when doing a POST with a read callback,
705
libcurl didn't properly send an Expect: 100-continue header. It does now.
707
- I committed by mig change in the test suite's FTP server that moves out all
708
socket/TCP code to a separate C program named sockfilt. And added 4 new
709
test cases for FTP over IPv6.
711
Daniel (8 April 2005)
712
- Cory Nelson reported a problem with a HTTP server that responded with a 304
713
response containing an "illegal" Content-Length: header, which was not
714
properly ignored by libcurl. Now it is. Test case 249 verifies.
716
Daniel (7 April 2005)
717
- Added ability to build and run with GnuTLS as an alternative to OpenSSL for
718
the secure layer. configure --with-gnutls enables with. Note that the
719
previous OpenSSL check still has preference and if it first detects OpenSSL,
720
it will not check for GnuTLS. You may need to explictly diable OpenSSL with
723
This work has been sponsored by The Written Word.
725
Daniel (5 April 2005)
726
- Christophe Legry fixed the post-upload check for FTP to not complain if the
727
upload was skipped due to a time-condition as set with
728
CURLOPT_TIMECONDITION. I added test case 247 and 248 to verify.
730
Version 7.13.2 (5 April 2005)
732
Daniel (4 April 2005)
733
- Marcelo Juchem fixed the MSVC makefile for libcurl
735
- Gisle Vanem fixed a crash in libcurl, that could happen if the easy handle
736
was killed before the threading resolver (windows only) still hadn't
739
- Hardeep Singh reported a problem doing HTTP POST with Digest. (It was
740
actually also affecting NTLM and Negotiate.) It turned out that if the
741
server responded with 100 Continue before the initial 401 response, libcurl
742
didn't take care of the response properly. Test case 245 and 246 added to
745
Daniel (30 March 2005)
746
- Andres Garcia modified the configure script to check for libgdi32 before
747
libcrypto, to make the SSL check work fine on msys/mingw.
749
Daniel (29 March 2005)
750
- Tom Moers identified a flaw when you sent a POST with Digest authentication,
751
as in the first request when curl sends a POST with Content-Length: 0, it
752
still forcibly closed the connection before doing the next step in the auth
755
- Jesper Jensen found out that FTP-SSL didn't work since my FTP
756
rewrite. Fixing that was easy, but it also revealed a much worse problem:
757
the FTP server response reader function didn't properly deal with reading
758
responses in multiple tiny chunks properly! I modified the FTP server to
759
allow it to produce such split-up responses to make sure curl deals with
762
- Based on Augustus Saunders' comments and findings, the HTTP output auth
763
function was fixed to use the proper proxy authentication when multiple ones
764
are accepted. test 239 and test 243 were added to repeat the problems and
767
--proxy-anyauth was added to the curl tool
769
Daniel (16 March 2005)
770
- Tru64 and some IRIX boxes seem to not like test 237 as it is. Their
771
inet_addr() functions seems to use &255 on all numericals in a ipv4 dotted
772
address which makes a different failure... Now I've modified the ipv4
773
resolve code to use inet_pton() instead in an attempt to make these systems
774
better detect this as a bad IP address rather than creating a toally bogus
775
address that is then passed on and used.
777
Daniel (15 March 2005)
778
- Dan Fandrich made the code properly use the uClibc's version of
779
inet_ntoa_r() when built with it.
781
- Added test 237 and 238: test EPSV and PASV response handling when they get
782
well- formated data back but using illegal values. In 237 PASV gets an IP
783
address that is way bad. In 238 EPSV gets a port that is way out of range.
785
Daniel (14 March 2005)
786
- Added a few missing features to the curl-config --features list
788
- Modified testcurl.pl to now offer
789
1 - command line options for all info it previously only read from
790
file: --name, --email, --desc and --configure
791
2 - --nocvsup makes it not attempt to do cvs update
792
3 - --crosscompile informs it and makes it not attempt things it can't do
794
- Fixed numerous win32 compiler warnings.
796
- Removed the lib/security.h file since it shadowed the mingw/win32 header
797
with the same name which is needed for SSPI builds. The contents of the
798
former security.h is now i krb4.h
800
- configure --enable-sspi now enables SSPI in the build. It only works for
801
windows builds (including cross-compiles for windows).
803
Daniel (12 March 2005)
804
- David Houlder added --form-string that adds that string to a multipart
805
formpost part, without special characters having special meanings etc like
808
Daniel (11 March 2005)
809
- curl_version_info() returns the feature bit CURL_VERSION_SSPI if it was
810
built with SSPI support.
812
- Christopher R. Palmer made it possible to build libcurl with the
813
USE_WINDOWS_SSPI on Windows, and then libcurl will be built to use the
814
native way to do NTLM. SSPI also allows libcurl to pass on the current user
815
and its password in the request.
817
Daniel (9 March 2005)
818
- Dan F improved the SSL lib setup in configure.
820
- Nodak Sodak reported a crash when using a SOCKS4 proxy.
822
- Jean-Marc Ranger pointed out an embarassing debug printf() leftover in the
823
multi interface code.
825
- Adjusted the man page for the curl_getdate() return value for dates after
826
year 2038. For 32 bit time_t it returns 0x7fffffff but for 64bit time_t it
827
returns either the correct value or even -1 on some systems that still seem
828
to not deal with this properly. Tor Arntsen found a 64bit AIX system for us
829
that did the latter. Gwenole Beauchesne's Mandrake patch put the lights on
830
this problem in the first place.
832
Daniel (8 March 2005)
833
- Dominick Meglio reported that using CURLOPT_FILETIME when transferring a FTP
834
file got a Last-Modified: header written to the data stream, corrupting the
835
actual data. This was because some conditions from the previous FTP code was
836
not properly brought into the new FTP code. I fixed and I added test case
837
520 to verify. (This bug was introduced in 7.13.1)
839
- Dan Fandrich fixed the configure --with-zlib option to always consider the
840
given path before any standard paths.
842
Daniel (6 March 2005)
843
- Randy McMurchy was the first to report that valgrind.pm was missing from the
844
release archive and thus 'make test' fails.
846
Daniel (5 March 2005)
847
- Dan Fandrich added HAVE_FTRUNCATE to several config-*.h files.
849
- Added test case 235 that makes a resumed upload of a file that isn't present
850
on the remote side. This then converts the operation to an ordinary STOR
851
upload. This was requested/pointed out by Ignacio Vazquez-Abrams.
853
It also proved (and I fixed) a bug in the newly rewritten ftp code (and
854
present in the 7.13.1 release) when trying to resume an upload and the
855
servers returns an error to the SIZE command. libcurl then loops and sends
856
SIZE commands infinitely.
858
- Dan Fandrich fixed a SSL problem introduced on February 9th that made
859
libcurl attempt to load the whole random file to seed the PRNG. This is
860
really bad since this turns out to be using /dev/urandom at times...
862
Version 7.13.1 (4 March 2005)
864
Daniel (4 March 2005)
865
- Dave Dribin made it possible to set CURLOPT_COOKIEFILE to "" to activate
866
the cookie "engine" without having to provide an empty or non-existing file.
868
- Rene Rebe fixed a -# crash when more data than expected was retrieved.
870
Daniel (22 February 2005)
871
- NTLM and ftp-krb4 buffer overflow fixed, as reported here:
872
http://www.securityfocus.com/archive/1/391042 and the CAN report here:
873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490
875
If these security guys were serious, we'd been notified in advance and we
876
could've saved a few of you a little surprise, but now we weren't.
878
Daniel (19 February 2005)
879
- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
880
requested data from a host and then followed a redirect to another
881
host. libcurl then didn't use the proxy-auth properly in the second request,
882
due to the host-only check for original host name wrongly being extended to
883
the proxy auth as well. Added test case 233 to verify the flaw and that the
884
fix removed the problem.
886
Daniel (18 February 2005)
887
- Mike Dobbs reported a mingw build failure due to the lack of
888
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
889
configure when mingw is used.
891
Daniel (17 February 2005)
892
- David in bug report #1124588 found and fixed a socket leak when libcurl
893
didn't close the socket properly when returning error due to failing
896
Daniel (16 February 2005)
897
- Christopher R. Palmer reported a problem with HTTP-POSTing using "anyauth"
898
that picks NTLM. Thanks to David Byron letting me test NTLM against his
899
servers, I could quickly repeat and fix the problem. It turned out to be:
901
When libcurl POSTs without knowing/using an authentication and it gets back
902
a list of types from which it picks NTLM, it needs to either continue
903
sending its data if it keeps the connection alive, or not send the data but
904
close the connection. Then do the first step in the NTLM auth. libcurl
905
didn't send the data nor close the connection but simply read the
906
response-body and then sent the first negotiation step. Which then failed
907
miserably of course. The fixed version forces a connection if there is more
908
than 2000 bytes left to send.
910
Daniel (14 February 2005)
911
- The configure script didn't check for ENGINE_load_builtin_engines() so it
914
Daniel (11 February 2005)
915
- Removed all uses of strftime() since it uses the localised version of the
916
week day names and month names and servers don't like that.
918
Daniel (10 February 2005)
919
- Now the test script disables valgrind-testing when the test suite runs if
920
libcurl is built shared. Otherwise valgrind only tests the shell that runs
921
the wrapper-script named 'curl' that is a front-end to curl in this case.
922
This should also fix the huge amount of reports of false positives when
923
valgrind has identified leaks in (ba)sh and not in curl and people report
924
that as curl bugs. Bug report #1116672 is one example.
926
Also, the valgrind report parser has been adapted to check that at least one
927
of the sources in a stack strace is one of (lib)curl's source files or
928
otherwise it will not consider the problem to concern (lib)curl.
930
- Marty Kuhrt streamlined the VMS build.
932
Daniel (9 February 2005)
933
- David Byron fixed his SSL problems, initially mentioned here:
934
http://curl.haxx.se/mail/lib-2005-01/0240.html. It turned out we didn't use
935
SSL_pending() as we should.
937
- Converted lots of FTP code to a statemachine, so that the multi interface
938
doesn't block while communicating commands-responses with an FTP server.
940
I've added a comment like BLOCKING in the code on all spots I could find
941
where we still have blocking operations. When we change curl_easy_perform()
942
to use the multi interface, we'll also be able to simplify the code since
943
there will only be one "internal interface".
945
While doing this, I've now made CURLE_FTP_ACCESS_DENIED separate from the
946
new CURLE_LOGIN_DENIED. The first one is now access denied to a function,
947
like changing directory or retrieving a file, while the second means that we
950
The CVS tag 'before_ftp_statemachine' was set just before this went in, in
953
- Gisle made the DICT code send CRLF and not just LF as the spec says so.
955
Daniel (8 February 2005)
956
- Gisle fixed problems when libcurl runs out of memory, and worked on making
957
sure the proper error code is returned for those occations.
959
Daniel (7 February 2005)
960
- Maruko pointed out a problem with inflate decompressing exactly 64K
963
Daniel (5 February 2005)
964
- Eric Vergnaud found a use of an uninitialised variable in the ftp when doing
965
PORT on ipv6-enabled hosts.
967
- David Byron pointed out we could use BUFSIZE to read data (in
968
lib/transfer.c) instead of using BUFSIZE -1.
970
Version 7.13.0 (1 February 2005)
972
Daniel (31 January 2005)
973
- Added Lars Nilsson's htmltitle.cc example
975
Daniel (30 January 2005)
976
- Fixed a memory leak when using the multi interface and the DO operation
977
failed (as in test case 205).
979
- Fixed a valgrind warning for file:// operations.
981
- Fixed a valgrind report in the url globbing code for the curl command line
984
- Bugfixed the parser that scans the valgrind report outputs (in runtests.pl).
985
I noticed that it previously didn't detect and report the "Conditional jump
986
or move depends on uninitialised value(s)" error. When I fixed this, I
987
caught a few curl bugs with it. And then I had to spend time to make the
988
test suite IGNORE these errors when OpenSSL is used since it produce massive
989
amounts of valgrind warnings (but only of the "Conditional..." kind it
990
seems). So, if a test that requires SSL is run, it ignores the
991
"Conditional..." errors, and you'll get a "valgrind PARTIAL" output instead
994
Daniel (29 January 2005)
995
- Using the multi interface, and doing a requsted a re-used connection that
996
gets closed just after the request has been sent failed and did not re-issue
997
a request on a fresh reconnect like the easy interface did. Now it does!
999
- Define CURL_MULTIEASY when building libcurl (lib/easy.c to be exact), to use
1000
my new curl_easy_perform() that uses the multi interface to run the
1001
request. It is a great testbed for the multi interface and I believe we
1002
shall do it this way for real in the future when we have a successor to
1003
curl_multi_fdset(). I've used this approach to detect and fix several of the
1004
recent multi-interfaces issues.
1006
- Adjusted the KNOWN_BUGS #17 fix a bit more since the FTP code also did some
1009
- multi interface: when a request is denied due to "Maximum redirects
1010
followed" libcurl leaked the last Location: URL.
1012
- Connect failures with the multi interface was often returned as "connect()
1013
timed out" even though the reason was different.
1015
Daniel (28 January 2005)
1016
- KNOWN_BUGS #17 fixed. A DNS cache entry may not remain locked between two
1017
curl_easy_perform() invokes. It was previously unlocked at disconnect, which
1018
could mean that it remained locked between multiple transfers. The DNS cache
1019
may not live as long as the connection cache does, as they are separate.
1021
To deal with the lack of DNS (host address) data availability in re-used
1022
connections, libcurl now keeps a copy of the IP adress as a string, to be
1023
able to show it even on subsequent requests on the same connection.
1025
The problem could be made to appear with this stunt:
1027
1. create a multi handle
1028
2. add an easy handle
1029
3. fetch a URL that is persistent (leaves the connection alive)
1030
4. remove the easy handle from the multi
1031
5. kill the multi handle
1032
6. create a multi handle
1033
7. add the same easy handle to the new multi handle
1034
8. fetch a URL from the same server as before (re-using the connection)
1036
- Stephen More pointed out that CURLOPT_FTPPORT and the -P option didn't work
1037
when built ipv6-enabled. I've now made a fix for it. Writing test cases for
1038
custom port hosts turned too tricky so unfortunately there's none.
1040
Daniel (25 January 2005)
1041
- Ian Ford asked about support for the FTP command ACCT, and I discovered it
1042
is present in RFC959... so now (lib)curl supports it as well. --ftp-account
1043
and CURLOPT_FTP_ACCOUNT set the account string. (The server may ask for an
1044
account string after PASS have been sent away. The client responds
1045
with "ACCT [account string]".) Added test case 228 and 229 to verify the
1046
functionality. Updated the test FTP server to support ACCT somewhat.
1048
- David Shaw contributed a fairly complete and detailed autoconf test you can
1049
use to detect libcurl and setup variables for the protocols the installed
1050
libcurl supports: docs/libcurl/libcurl.m4
1052
Daniel (21 January 2005)
1053
- Major FTP third party transfer overhaul.
1055
These four options are now obsolete: CURLOPT_SOURCE_HOST,
1056
CURLOPT_SOURCE_PATH, CURLOPT_SOURCE_PORT (this option didn't work before)
1057
and CURLOPT_PASV_HOST.
1059
These two options are added: CURLOPT_SOURCE_URL and CURLOPT_SOURCE_QUOTE.
1061
The target-side didn't use the proper path with RETR, and thus this only
1062
worked correctly in the login path (i.e without doing any CWD). The source-
1063
side still uses a wrong path, but the fix for this will need to wait. Verify
1064
the flaw by using a source URL with included %XX-codes.
1066
Made CURLOPT_FTPPORT control weather the target operation should use PORT
1067
(or not). The other side thus uses passive (PASV) mode.
1069
Updated the ftp3rdparty.c example source to use the updated options.
1071
Added support for a second FTP server in the test suite. Named... ftp2.
1072
Added test cases 230, 231 and 232 as a few first basic tests of very simple
1073
3rd party transfers.
1075
Changed the debug output to include 'target' and 'source' when a 3rd party
1076
is being made, to make it clearer what commands/responses came on what
1079
Added three new command line options: --3p-url, --3p-user and --3p-quote.
1081
Documented the command line options and the curl_easy_setopt options related
1082
to third party transfers.
1084
(Temporarily) disabled the ability to re-use an existing connection for the
1085
source connection. This is because it needs to force a new in case the
1086
source and target is the same host, and the host name check is trickier now
1087
when the source is identified with a full URL instead of a plain host name
1090
TODO (short-term) for 3rd party transfers: quote support. The options are
1091
there, we need to add test cases to verify their functionality.
1093
TODO (long-term) for 3rd party transfers: IPv6 support (EPRT and EPSV etc)
1094
and SSL/TSL support.
1096
Daniel (20 January 2005)
1097
- Philippe Hameau found out that -Q "+[command]" didn't work, although some
1098
code was written for it. I fixed and added test case 227 to verify it.
1099
The curl.1 man page didn't mention the '+' so I added it.
1101
Daniel (19 January 2005)
1102
- Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL
1103
contains %0a or %0d in the user, password or CWD parts. (A future fix would
1104
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case
1105
225 and 226 were added to verify this
1107
- Stephan Bergmann pointed out two flaws in libcurl built with HTTP disabled:
1109
1) the proxy environment variables are still read and used to set HTTP proxy
1111
2) you couldn't disable http proxy with CURLOPT_PROXY (since the option was
1112
disabled). This is important since apps may want to disable HTTP proxy
1113
without actually knowing if libcurl was built to disable HTTP or not.
1115
Based on Stephan's patch, both these issues should now be fixed.
1117
Daniel (18 January 2005)
1118
- Cody Jones' enhanced version of Samuel D�az Garc�a's MSVC makefile patch was
1121
Daniel (16 January 2005)
1122
- Alex aka WindEagle pointed out that when doing "curl -v dictionary.com", curl
1123
assumed this used the DICT protocol. While guessing protocols will remain
1124
fuzzy, I've now made sure that the host names must start with "[protocol]."
1125
for them to be a valid guessable name. I also removed "https" as a prefix
1126
that indicates HTTPS, since we hardly ever see any host names using that.
1128
Daniel (13 January 2005)
1129
- Inspired by Martijn Koster's patch and example source at
1130
http://www.greenhills.co.uk/mak/gentoo/curl-eintr-bug.c, I now made the
1131
select() and poll() calls properly loop if they return -1 and errno is
1132
EINTR. glibc docs for this is found here:
1133
http://www.gnu.org/software/libc/manual/html_node/Interrupted-Primitives.html
1135
This last link says BSD doesn't have this "effect". Will there be a problem
1136
if we do this unconditionally?
1138
Daniel (11 January 2005)
1139
- Dan Torop cleaned up a few no longer used variables from David Phillips'
1140
select() overhaul fix.
1142
- Cyrill Osterwalder posted a detailed analysis about a bug that occurs when
1143
using a custom Host: header and curl fails to send a request on a re-used
1144
persistent connection and thus creates a new connection and resends it. It
1145
then sent two Host: headers. Cyrill's analysis was posted here:
1146
http://curl.haxx.se/mail/archive-2005-01/0022.html
1148
- Bruce Mitchener identified (bug report #1099640) the never-ending SOCKS5
1149
problem with the version byte and the check for bad versions. Bruce has lots
1150
of clues on this, and based on his suggestion I've now removed the check of
1151
that byte since it seems to be able to contain 1 or 5.
1153
Daniel (10 January 2005)
1154
- Pavel Orehov reported memory problems with the multi interface in bug report
1155
#1098843. In short, a shared DNS cache was setup for a multi handle and when
1156
the shared cache was deleted before the individual easy handles, the latter
1157
cleanups caused read/writes to already freed memory.
1159
- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
1160
remote certificate name when it didn't match the used host name.
1162
Gisle (8 January 2005)
1163
- Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
1165
Daniel (7 January 2005)
1166
- Improved the test script's valgrind log parser to actually work! Also added
1167
the ability to disable the log scanner for specific test cases. Test case
1168
509 results in numerous problems and leaks in OpenSSL and has to get it
1171
Daniel (6 January 2005)
1172
- Fixed a single-byte read out of bounds in test case 39 in the curl tool code
1173
(i.e not in the library).
1175
- Bug report #1097019 identified a problem when doing -d "data" with -G and
1176
sending it to two URLs with {}. Added test 199 to verify the fix.
1178
Daniel (4 January 2005)
1179
- Marty Kuhrt adjusted a VMS build script slightly
1181
- Kai Sommerfeld and Gisle Vanem fixed libcurl to build with IPv6 support on
1184
Daniel (2 January 2005)
1185
- Alex Neblett updated the MSVC makefiles slightly.
9
Version 7.15.4 (12 June 2006)
12
- Brian Dessent fixed the code for cygwin in three distinct ways:
14
The first modifies {lib,src}/setup.h to not include the winsock headers
15
under Cygwin. This fixes the reported build problem. Cygwin attempts as
16
much as possible to emulate a posix environment under Windows. This means
17
that WIN32 is *not* #defined and (to the extent possible) everything is done
18
as it would be on a *ix type system. Thus <sys/socket.h> is the proper
19
include, and even though winsock2.h is present, including it just introduces
20
a whole bunch of incompatible socket API stuff.
22
The second is a patch I've included in the Cygwin binary packages for a
23
while. It skips two unnecessary library checks (-lwinmm and -lgdi32). The
24
checks are innocuous and they do succeed, but they pollute LIBS with
25
unnecessary stuff which gets recorded as such in the libcurl.la file, which
26
brings them into the build of any libcurl-downstream. As far as I know
27
these libs are really only necessary for mingw, so alternatively they could
28
be designed to only run if $host matches *-*-mingw* but I took the safer
29
route of skipping them for *-*-cygwin*.
31
The third patch replaces all uses of the ancient and obsolete __CYGWIN32__
32
with __CYGWIN__. Ref: <http://cygwin.com/ml/cygwin/2003-09/msg01520.html>.
35
- Mikael Sennerholm provided a patch that added NTLM2 session response support
36
to libcurl. The 21 NTLM test cases were again modified to comply...
39
- �scar Morales Viv� updated the libcurl.framework.make file.
42
- Olaf St�ben fixed a bug that caused Digest authentication with md5-sess to
43
fail. When using the md5-sess, the result was not Md5 encoded and Base64
47
- Michael Wallner provided a patch that allows "SESS" to be set with
48
CURLOPT_COOKIELIST, which then makes all session cookies get cleared.
51
- Tor Arntsen made test 271 run fine again since the TFTP path fix.
54
- Martin Michlmayr filed debian bug report #367954, but the same error also
55
showed up in the autobuilds. It seems a rather long-since introduced shell
56
script flaw in the configure script suddenly was detected by the bash
57
version in Debian Unstable. It had previously passed undetected by all
60
- David McCreedy updated lib/config-tpf.h
63
- Fixed the configure's check for old-style SSLeay headers since I fell over a
64
case with a duplicate file name (a krb4 implementation with an err.h
65
file). I converted the check to manually make sure three of the headers are
66
present before considering them fine.
68
- David McCreedy provided a fix for CURLINFO_LASTSOCKET that does extended
69
checks on the to-be-returned socket to make sure it truly seems to be alive
70
and well. For SSL connection it (only) uses OpenSSL functions.
73
- Fixed DICT in two aspects:
75
1 - allow properly URL-escaped words, like using %20 for spaces
77
2 - properly escape certain letters within a word to comply to the RFC2229
80
- Andreas Ntaflos reported a bug in libcurl.m4: When configuring my GNU
81
autotools project, which optionally (default=yes) uses libcurl on a system
82
without a (usable) libcurl installation, but not specifying
83
`--without-libcurl', configure determines correctly that no libcurl is
84
available, however, the LIBCURL variable gets expanded to `LIBCURL = -lcurl'
85
in the resulting Makefiles.
87
David Shaw fixed the flaw.
89
- Robson Braga Araujo fixed two problems in the recently added non-blocking SSL
90
connects. The state machine was not reset properly so that subsequent
91
connects using the same handle would fail, and there were two memory leaks.
93
- Robson Braga Araujo fixed a memory leak when you added an easy handle to a
94
multi stack and that easy handle had already been used to do one or more
95
easy interface transfers, as then the code threw away the previously used
96
DNS cache without properly freeing it.
99
- Dan Fandrich went over the TFTP code and he pointed out and fixed numerous
102
* The received file is corrupted when a packet is lost and retransmitted
103
(this is a serious problem!)
105
* Transmitting a file aborts if a block is lost and retransmitted
107
* Data is stored in the wrong location in the buffer for uploads, so uploads
108
always fail (I don't see how it could have ever worked, but it did on x86
111
* A number of calls are made to strerror instead of Curl_strerror, making
112
the code not thread safe
114
* There are references to errno instead of Curl_sockerrno(), causing
115
incorrect error messages on Windows
117
* The file name includes a leading / which violates RFC3617. Doing something
118
similar to ftp, where two slashes after the host name means an absolute
119
reference seems a reasonable extension to fix this.
121
* Failures in EBCDIC conversion are not propagated up to the caller but are
124
- Fixed known bug #28. The TFTP code no longer assumes a packed struct and
125
thus works reliably on more platforms.
128
- Roland Blom filed bug report #1481217
129
(http://curl.haxx.se/bug/view.cgi?id=1481217), with follow-ups by Michele
130
Bini and David Byron. libcurl previously wrongly used GetLastError() on
131
windows to get error details after socket-related function calls, when it
132
really should use WSAGetLastError() instead.
134
When changing to this, the former function Curl_ourerrno() is now instead
135
called Curl_sockerrno() as it is necessary to only use it to get errno from
136
socket-related functions as otherwise it won't work as intended on Windows.
139
- Mark Eichin submitted bug report #1480821
140
(http://curl.haxx.se/bug/view.cgi?id=1480821) He found and identified a
141
problem with how libcurl dealt with GnuTLS and a case where gnutls returned
142
GNUTLS_E_AGAIN indicating it would block. It would then return an unexpected
143
return code, making Curl_ssl_send() confuse the upper layer - causing random
144
28 bytes trash data to get inserted in the transfered stream.
146
The proper fix was to make the Curl_gtls_send() function return the proper
147
return codes that the callers would expect. The Curl_ossl_send() function
151
- Added a --checkfor option to curl-config to allow users to easier
152
write for example shell scripts that test for the presence of a
153
new-enough libcurl version. If --checkfor is given a version string
154
newer than what is currently installed, curl-config will return a
155
non-zero exit code and output a string about the unfulfilled
158
Daniel (26 April 2006)
159
- David McCreedy brought initial line end conversions when doing FTP ASCII
160
transfers. They are done on non-windows systems and translate CRLF to LF.
162
I modified the 15 LIST-using test cases accordingly. The downside is that now
163
we'll have even more trouble to get the tests to run on Windows since they
164
should get CRLF newlines left intact which the *nix versions don't. I figure
165
the only sane thing to do is to add some kind of [newline] macro for the test
166
case files and have them expanded to the proper native line ending when the
167
test cases are run. This is however left to implement.
169
Daniel (25 April 2006)
170
- Paul Querna fixed libcurl to better deal with deflate content encoding
171
when the stream (wrongly) lacks a proper zlib header. This seems to be the
172
case on too many actual server implementations.
174
Daniel (21 April 2006)
175
- Ale Vesely fixed CURLOPT_INTERFACE when using a hostname.
177
Daniel (19 April 2006)
178
- Based on previous info from Tor Arntsen, I made configure detect the Intel
179
ICC compiler to add a compiler option for it, in order for configure to
180
properly be able to detect function prototypes.
182
- Robson Braga Araujo provided a patch that makes libcurl less eager to close
183
the control connection when using FTP, for example when you remove an easy
184
handle from a multi stack.
186
- Applied a patch by Ates Goral and Katie Wang that corrected my bad fix
187
attempt from April 10.
189
Daniel (11 April 2006)
190
- #1468330 (http://curl.haxx.se/bug/view.cgi?id=1468330) pointed out a bad
191
typecast in the curl tool leading to a crash with (64bit?) VS2005 (at least)
192
since the struct timeval field tv_sec is an int while time_t is 64bit.
194
Daniel (10 April 2006)
195
- Ates Goral found out that if you specified both CURLOPT_CONNECTTIMEOUT and
196
CURLOPT_TIMEOUT, the _longer_ time would wrongly be used for the SSL
199
- I merged my hiper patch (http://curl.haxx.se/libcurl/hiper/) into the main
200
sources. See the lib/README.multi_socket for implementation story with
201
details. Don't expect it to work fully yet. I don't intend to blow any
202
whistles or ring any bells about it until I'm more convinced it works at
203
least somewhat reliably.
205
Daniel (7 April 2006)
206
- David McCreedy's EBCDIC and TPF changes. Three new curl_easy_setopt()
207
options (callbacks) were added:
209
CONV_FROM_NETWORK_FUNCTION
210
CONV_TO_NETWORK_FUNCTION
211
CONV_FROM_UTF8_FUNCTION
213
Daniel (5 April 2006)
214
- Michele Bini modified the NTLM code to work for his "weird IIS case"
215
(http://curl.haxx.se/mail/lib-2006-02/0154.html) by adding the NTLM hash
216
function in addition to the LM one and making some other adjustments in the
217
order the different parts of the data block are sent in the Type-2 reply.
218
Inspiration for this work was taken from the Firefox NTLM implementation.
220
I edited the existing 21(!) NTLM test cases to run fine with these news. Due
221
to the fact that we now properly include the host name in the Type-2 message
222
the test cases now only compare parts of that chunk.
224
Daniel (28 March 2006)
225
- #1451929 (http://curl.haxx.se/bug/view.cgi?id=1451929) detailed a bug that
226
occurred when asking libcurl to follow HTTP redirects and the original URL
227
had more than one question mark (?). Added test case 276 to verify.
229
Daniel (27 March 2006)
230
- David Byron found a problem multiple -d options when libcurl was built with
231
--enable-debug, as then curl used free() on memory allocated both with
232
normal malloc() and with libcurl-provided functions, when the latter MUST be
233
freed with curl_free() in debug builds.
235
Daniel (26 March 2006)
236
- Tor Arntsen figured out that TFTP was broken on a lot of systems since we
237
called bind() with a too big argument in the 3rd parameter and at least
238
Tru64, AIX and IRIX seem to be very picky about it.
240
Daniel (21 March 2006)
241
- David McCreedy added CURLINFO_FTP_ENTRY_PATH.
243
- Xavier Bouchoux made the SSL connection non-blocking for the multi interface
244
(when using OpenSSL).
246
- Tor Arntsen fixed the AIX Toolbox RPM spec
248
Daniel (20 March 2006)
249
- David McCreedy fixed libcurl to no longer ignore AUTH failures and now it
250
reacts properly according to the CURLOPT_FTP_SSL setting.
252
- Dan Fandrich fixed two TFTP problems: Fixed a bug whereby a received file
253
whose length was a multiple of 512 bytes could have random garbage
254
appended. Also, stop processing TFTP packets which are too short to be
257
- Ilja van Sprundel reported a possible crash in the curl tool when using
258
"curl hostwithoutslash -d data -G"
260
Version 7.15.3 (20 March 2006)
262
Daniel (20 March 2006)
263
- VULNERABILITY reported to us by Ulf Harnhammar.
265
libcurl uses the given file part of a TFTP URL in a manner that allows a
266
malicious user to overflow a heap-based memory buffer due to the lack of
269
This overflow happens if you pass in a URL with a TFTP protocol prefix
270
("tftp://"), using a valid host and a path part that is longer than 512
273
The affected flaw can be triggered by a redirect, if curl/libcurl is told to
274
follow redirects and an HTTP server points the client to a tftp URL with the
275
characteristics described above.
277
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
278
CVE-2006-1061 to this issue.
280
Daniel (16 March 2006)
281
- Tor Arntsen provided a RPM spec file for AIX Toolbox, that now is included
282
in the release archive.
284
Daniel (14 March 2006)
285
- David McCreedy fixed:
287
a bad SSL error message when OpenSSL certificates are verified fine.
289
a missing return code assignment in the FTP code
291
Daniel (7 March 2006)
292
- Markus Koetter filed debian bug report #355715 which identified a problem
293
with the multi interface and multi-part formposts. The fix from February
294
22nd could make the Curl_done() function get called twice on the same
295
connection and it was not designed for that and thus tried to call free() on
296
an already freed memory area!
298
- Peter Heuchert made sure the CURLFTPSSL_CONTROL setting for CURLOPT_FTP_SSL
301
Daniel (6 March 2006)
302
- Lots of users on Windows have reported getting the "SSL: couldn't set
303
callback" error message so I've now made the setting of that callback not be
304
as critical as before. The function is only used for additional loggging/
305
trace anyway so a failure just means slightly less data. It should still be
306
able to proceed and connect fine to the server.
308
Daniel (4 March 2006)
309
- Thomas Klausner provided a patch written by Todd Vierling in bug report
310
#1442471 that fixes a build problem on Interix.
312
Daniel (2 March 2006)
313
- FTP upload without a file name part in the URL now causes
314
curl_easy_perform() to return CURLE_URL_MALFORMAT. Previously it allowed the
315
upload but named the file "(nil)" (without the quotes). Test case 524
318
- Added a check for getprotobyname in configure so that it'll be used, thanks
319
to Gisle Vanem's change the other day.
321
Daniel (28 February 2006)
322
- Dan Fandrich prevented curl from getting stuck in an endless loop in case we
323
are out of file handles very early in curl's code where it makes sure that
324
0, 1 and 2 aren't gonna be used by the lib for transfers.
326
Daniel (27 February 2006)
327
- Marty Kuhrt pointed out that there were two VMS-specific files missing in
330
Version 7.15.2 (27 February 2006)
332
Daniel (22 February 2006)
333
- Lots of work and analysis by "xbx___" in bug #1431750
334
(http://curl.haxx.se/bug/view.cgi?id=1431750) helped me identify and fix two
335
different but related bugs:
337
1) Removing an easy handle from a multi handle before the transfer is done
338
could leave a connection in the connection cache for that handle that is
339
in a state that isn't suitable for re-use. A subsequent re-use could then
340
read from a NULL pointer and segfault.
342
2) When an easy handle was removed from the multi handle, there could be an
343
outstanding c-ares DNS name resolve request. When the response arrived,
344
it caused havoc since the connection struct it "belonged" to could've
347
Now Curl_done() is called when an easy handle is removed from a multi handle
348
pre-maturely (that is, before the transfer was complteted). Curl_done() also
349
makes sure to cancel all (if any) outstanding c-ares requests.
351
Daniel (21 February 2006)
352
- Peter Su added support for SOCKS4 proxies. Enable this by setting the proxy
353
type to the already provided type CURLPROXY_SOCKS4.
355
I added a --socks4 option that works like the current --socks5 option but
356
instead use the socks4 protocol.
358
Daniel (20 February 2006)
359
- Shmulik Regev fixed an issue with multi-pass authentication and compressed
360
content when libcurl didn't honor the internal ignorebody flag.
362
Daniel (18 February 2006)
363
- Ulf H�rnhammar fixed a format string (printf style) problem in the Negotiate
364
code. It should however not be the cause of any troubles. He also fixed a
365
few similar problems in the HTTP test server code.
367
Daniel (17 February 2006)
368
- Shmulik Regev provided a fix for the DNS cache when using short life times,
369
as previously it could be holding on to old cached entries longer than
372
Daniel (11 February 2006)
373
- Karl Moerder added the CURLOPT_CONNECT_ONLY and CURLINFO_LASTSOCKET options
374
that an app can use to let libcurl only connect to a remote host and then
375
extract the socket from libcurl. libcurl will then not attempt to do any
376
transfer at all after the connect is done.
378
- Kent Boortz improved the configure check for GnuTLS to properly set LIBS
381
Daniel (8 February 2006)
382
- Philippe Vaucher provided a brilliant piece of test code that show a problem
383
with re-used FTP connections. If the second request on the same connection
384
was set not to fetch a "body", libcurl could get confused and consider it an
385
attempt to use a dead connection and would go acting mighty strange.
387
Daniel (2 February 2006)
388
- Make --limit-rate [num] mean bytes. It used to be that but it broke in my
389
change done in November 2005.
391
Daniel (30 January 2006)
392
- Added CURLOPT_LOCALPORT and CURLOPT_LOCALPORTRANGE to libcurl. Set with the
393
curl tool with --local-port. Plain and simply set the range of ports to bind
394
the local end of connections to. Implemented on to popular demand.
396
- Based on an error report by Philippe Vaucher, we no longer count a retried
397
connection setup as a follow-redirect. It turns out 1) this fails when a FTP
398
connection is re-setup and 2) it does make the max-redirs counter behave
401
Daniel (24 January 2006)
402
- Michal Marek provided a patch for FTP that makes libcurl continue to try
403
PASV even after EPSV returned a positive response code, if libcurl failed to
404
connect to the port number the EPSV response said. Obviously some people are
405
going through protocol-sensitive firewalls (or similar) that don't
406
understand EPSV and then they don't allow the second connection unless PASV
407
was used. This also called for a minor fix of test case 238.
409
Daniel (20 January 2006)
410
- Duane Cathey was one of our friends who reported that curl -P [IP]
411
(CURLOPT_FTPPORT) didn't work for ipv6-enabed curls if the IP wasn't a
412
"native" IP while it works fine for ipv6-disabled builds!
414
In the process of fixing this, I removed the support for LPRT since I can't
415
think of many reasons to keep doing it and asking on the mailing list didn't
416
reveal anyone else that could either. The code that sends EPRT and PORT is
417
now also a lot simpler than before (IMHO).
419
Daniel (19 January 2006)
420
- Jon Turner pointed out that doing -P [hostname] (CURLOPT_FTPPORT) with curl
421
(built ipv4-only) didn't work.
423
Daniel (18 January 2006)
424
- As reported in bug #1408742 (http://curl.haxx.se/bug/view.cgi?id=1408742),
425
the configure script complained about a missing "missing" script if you ran
426
configure within a path whose name included one or more spaces. This is due
427
to a flaw in automake (1.9.6 and earlier). I've now worked around it by
428
including an "overloaded" version of the AM_MISSING_HAS_RUN script that'll
429
be used instead of the one automake ships with. This kludge needs to be
430
removed once we get an automake version with this problem corrected.
431
Possibly we'll then need to convert this into a kludge depending on what
432
automake version that is used and that is gonna be painful and I don't even
433
want to think about that now...!
435
Daniel (17 January 2006)
436
- David Shaw: Here is the latest libcurl.m4 autoconf tests. It is updated with
437
the latest features and protocols that libcurl supports and has a minor fix
438
to better deal with the obscure case where someone has more than one libcurl
439
installed at the same time.
441
Daniel (16 January 2006)
442
- David Shaw finally removed all traces of Gopher and we are now officially
443
not supporting it. It hasn't been functioning for years anyway, so this is
444
just finally stating what already was true. And a cleanup at the same time.
446
- Bryan Henderson turned the 'initialized' variable for curl_global_init()
447
into a counter, and thus you can now do multiple curl_global_init() and you
448
are then supposed to do the same amount of calls to curl_global_cleanup().
449
Bryan has also updated the docs accordingly.
451
Daniel (13 January 2006)
452
- Andrew Benham fixed a race condition in the test suite that could cause the
453
test script to kill all processes in the current process group!
455
Daniel (12 January 2006)
458
Fixed FTP_SKIP_PASV_IP and FTP_USE_EPSV to "do right" when used on FTP thru
461
Fixed PROXYTUNNEL to work fine when you do ftp through a proxy. It would
462
previously overwrite internal memory and cause unpredicted behaviour!
464
Daniel (11 January 2006)
465
- I decided to document the "secret option" here now, as I've received *NO*
466
feedback at all on my mailing list requests from November 2005:
468
I'm looking for feedback and comments. I added some experimental code the
469
other day, that allows a libcurl user to select what method libcurl should
470
use to reach a file on a FTP(S) server.
472
This functionality is available in CVS code and in recent daily snapshots.
476
The current name for the option is CURLOPT_FTP_FILEMETHOD (--ftp-method for
477
the command line tool) and you set it to a long (there are currenly no
478
defines for the argument values, just plain numericals). You can set three
479
different "methods" that do this:
481
1 multicwd - like today, curl will do a single CWD operation for each path
482
part in the given URL. For deep hierarchies this means very many
483
commands. This is how RFC1738 says it should be done. This is the
486
2 nocwd - no CWD at all is done, curl will do SIZE, RETR, STOR etc and give
487
a full path to the server.
489
3 singlecwd - make one CWD with the full target directory and then operate
490
on the file "normally".
492
(With the command line tool you do --ftp-method [METHOD], where [METHOD] is
493
one of "multicwd", "nocwd" or "singlecwd".)
495
What feedback I'm interested in:
497
1 - Do they work at all? Do you find servers where one of these don't work?
499
2 - What would proper names for the option and its arguments be, if we
500
consider this feature good enough to get included and documented in
503
3 - Should we make libcurl able to "walk through" these options in case of
504
(path related) failures, or should it fail and let the user redo any
507
(This option is not documented in any man page just yet since I'm not sure
508
these names will be used or if the functionality will end up exactly like
509
this. And for the same reasons we have no test cases for these yet.)
511
Daniel (10 January 2006)
512
- When using a bad path over FTP, as in when libcurl couldn't CWD into all
513
given subdirs, libcurl would still "remember" the full path as if it is the
514
current directory libcurl is in so that the next curl_easy_perform() would
515
get really confused if it tried the same path again - as it would not issue
516
any CWD commands at all, assuming it is already in the "proper" dir.
518
Starting now, a failed CWD command sets a flag that prevents the path to be
519
"remembered" after returning.
521
Daniel (7 January 2006)
522
- Michael Jahn fixed so that the second CONNECT when doing FTP over a HTTP
523
proxy actually used a new connection and not sent the second request on the
526
Daniel (6 January 2006)
527
- Alexander Lazic made the buildconf run the buildconf in the ares dir if that
528
is present instead of trying to mimic that script in curl's buildconf
531
Daniel (3 January 2006)
532
- Andres Garcia made the TFTP test server build with mingw.