11
Version 7.15.1 (7 December 2005)
13
Daniel (6 December 2005)
14
- Full text here: http://curl.haxx.se/docs/adv_20051207.html Pointed out by
19
libcurl's URL parser function can overflow a malloced buffer in two ways, if
22
These overflows happen if you
24
1 - pass in a URL with no protocol (like "http://") prefix, using no slash
25
and the string is 256 bytes or longer. This leads to a single zero byte
26
overflow of the malloced buffer.
28
2 - pass in a URL with only a question mark as separator (no slash) between
29
the host and the query part of the URL. This leads to a single zero byte
30
overflow of the malloced buffer.
32
Both overflows can be made with the same input string, leading to two single
35
The affected flaw cannot be triggered by a redirect, but the long URL must
36
be passed in "directly" to libcurl. It makes this a "local" problem. Of
37
course, lots of programs may still pass in user-provided URLs to libcurl
38
without doing much syntax checking of their own, allowing a user to exploit
41
There is no known exploit at the time of this writing.
44
Daniel (2 December 2005)
45
- Jamie Newton pointed out that libcurl's file:// code would close() a zero
46
file descriptor if given a non-existing file.
48
Daniel (24 November 2005)
49
- Doug Kaufman provided a set of patches to make curl build fine on DJGPP
50
again using configure.
52
- Yang Tse provided a whole series of patches to clear up compiler warnings on
55
Daniel (17 November 2005)
56
- I extended a patch from David Shaw to make libcurl _always_ provide an error
57
string in the given error buffer to address the flaw mention on 21 sep 2005.
59
Daniel (16 November 2005)
60
- Applied Albert Chin's patch that makes the libcurl.pc pkgconfig file get
61
installed on 'make install' time.
63
Daniel (14 November 2005)
64
- Quagmire reported that he needed to raise a NTLM buffer for SSPI to work
65
properly for a case, and so we did. We raised it even for non-SSPI builds
66
but it should not do any harm. http://curl.haxx.se/bug/view.cgi?id=1356715
68
- Jan Kunder's debian bug report
69
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338680 identified a weird
70
error message for when you try to upload a file and the requested directory
71
doesn't exist on the target server.
73
- Yang Tse fixed compiler warnings in lib/ssluse.c with OpenSSL 0.9.8 and in
74
lib/memdebug.h that showed up in his msvc builds.
76
Daniel (13 November 2005)
77
- Debian bug report 338681 by Jan Kunder: make curl better detect and report
79
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338681 Now curl will return
80
error if a bad unit is used.
82
- Thanks to this nice summary of poll() implementations:
83
http://www.greenend.org.uk/rjk/2001/06/poll.html and further tests by Eugene
84
Kotlyarov, we now know that cygwin's poll returns only POLLHUP on remote
85
connectin closure so we check for that case (too) and re-enable poll for
88
Daniel (12 November 2005)
89
- Eugene Kotlyarov found out that cygwin's poll() function isn't doing things
90
right: http://curl.haxx.se/mail/archive-2005-11/0045.html so we now disable
91
poll() and use select() on cygwin too (we already do the same choice on Mac
94
- Dima Barsky patched problem #1348930: the GnuTLS code completely ignored
95
client certificates! (http://curl.haxx.se/bug/view.cgi?id=1348930).
97
Daniel (10 November 2005)
98
- David Lang fixed IPv6 support for TFTP!
100
- Introducing range stepping to the curl globbing support. Now you can specify
101
step counter by adding :[num] within the brackets when specifying a range:
106
If no step counter is set, it defaults to 1 as before:
111
Daniel (8 November 2005)
112
- Removed the use of AI_CANONNAME in the IPv6-enabled resolver functions since
113
we really have no use for reverse lookups of the address.
115
I truly hope these are the last reverse lookups we had lingering in the
118
- Dmitry Bartsevich discovered some issues in compatibilty of SSPI-enabled
119
version of libcurl with different Windows versions. Current version of
120
libcurl imports SSPI functions from secur32.dll. However, under Windows NT
121
4.0 these functions are located in security.dll, under Windows 9x - in
122
secur32.dll and Windows 2000 and XP contains both these DLLs (security.dll
123
just forwards calls to secur32.dll).
125
Dmitry's patch loads proper library dynamically depending on Windows
126
version. Function InitSecurityInterface() is used to obtain pointers to all
127
of SSPI function in one structure.
129
Daniel (31 October 2005)
130
- Vilmos Nebehaj improved libcurl's LDAP abilities:
132
The LDAP code in libcurl can't handle LDAP servers of LDAPv3 nor binary
133
attributes in LDAP objects. So, I made a quick patch to address these
136
The solution is simple: if we connect to an LDAP server, first try LDAPv3
137
(which is the preferred protocol as of now) and then fall back to LDAPv2.
138
In case of binary attributes, we first convert them to base64, just like the
139
openldap client does. It uses ldap_get_values_len() instead of
140
ldap_get_values() to be able to retrieve binary attributes correctly. I
141
defined the necessary LDAP macros in lib/ldap.c to be able to compile
142
libcurl without the presence of libldap
144
Daniel (27 October 2005)
145
- Nis Jorgensen filed bug report #1338648
146
(http://curl.haxx.se/bug/view.cgi?id=1338648) which really is more of a
147
feature request, but anyway. It pointed out that --max-redirs did not allow
148
it to be set to 0, which then would return an error code on the first
149
Location: found. Based on Nis' patch, now libcurl supports CURLOPT_MAXREDIRS
150
set to 0, or -1 for infinity. Added test case 274 to verify.
152
- tommink[at]post.pl reported in bug report #1337723
153
(http://curl.haxx.se/bug/view.cgi?id=1337723) that curl could not upload
154
binary data from stdin on Windows if the data contained control-Z (hex 1a)
155
since that is treated as end-of-file when read in text mode. Gisle Vanem
156
pointed out the fix, and I made both -T and --data-binary take advantage of
159
- Jaz Fresh pointed out that if you used "-r [number]" as was wrongly described
160
in the man page, curl would send an invalid HTTP Range: header. The correct
161
way would be to use "-r [number]-" or even "-r -[number]". Starting now,
162
curl will warn if this is discovered, and automatically append a dash to the
163
range before passing it to libcurl.
165
Daniel (25 October 2005)
166
- Amol Pattekar reported a bug with great detail and a fine example in bug
167
#1326306 (http://curl.haxx.se/bug/view.cgi?id=1326306). When using the multi
168
interface and connecting to a host with multiple IP addresses, and one of
169
the addresses fails to connect (the server must exist and respond, just not
170
accept connections) libcurl leaks a socket descriptor. Thanks to the fine
171
report, I could find and fix this.
173
Daniel (22 October 2005)
174
- Dima Barsky reported a problem with GnuTLS-enabled libcurl in bug report
175
#1334338 (http://curl.haxx.se/bug/view.cgi?id=1334338). When reading an SSL
176
stream from a server and the server requests a "rehandshake", the current
177
code simply returns this as an error. I have no good way to test this, but
178
I've added a crude attempt of dealing with this situation slightly better -
179
it makes a blocking handshake if this happens. Done like this because fixing
180
this the "proper" way (that would handshake asynchronously) will require
181
quite some work and I really need a good way to test this to do such a
184
Daniel (21 October 2005)
185
- "Ofer" reported a problem when libcurl re-used a connection and failed to do
186
it, it could then accidentally actually crash. Presumably, this concerns FTP
187
connections. http://curl.haxx.se/bug/view.cgi?id=1330310
189
- Temprimus improved the MSVC makefile so that the static debug SSL libs are
190
linked to the executable and not to the libcurld.lib
191
http://curl.haxx.se/bug/view.cgi?id=1326676
193
- Bradford Bruce made the windows resolver code properly return
194
CURLE_COULDNT_RESOLVE_PROXY and CURLE_COULDNT_RESOLVE_HOST on resolving
195
errors (as documented).
197
Daniel (20 October 2005)
198
- Dave Dribin made libcurl understand and handle cases when the server
199
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
200
never happen in a sane world, libcurl previously got into an infinite loop
201
when this occurred. Dave added test 273 to verify this.
203
- Temprimus improved the MSVC makefile: "makes a build option available so if
204
you set rtlibcfg=static for the make, then it would build with /MT. The
205
default behaviour is /MD (the original)."
206
http://curl.haxx.se/bug/view.cgi?id=1326665
208
Daniel (14 October 2005)
209
- Reverted the LIBCURL_VERSION_NUM change from October 6. As Dave Dribin
210
reported, the define is used by the configure script and is assumed to use
211
the 0xYYXXZZ format. This made "curl-config --vernum" fail in the 7.15.0
214
Version 7.15.0 (13 October 2005)
216
Daniel (12 October 2005)
217
- Michael Sutton of iDEFENSE reported and I fixed a securitfy flaw in the NTLM
218
code that would overflow a buffer if given a too long user name or domain
219
name. This would happen if you enable NTLM authentication and either
221
A - pass in a user name and domain name to libcurl that together are longer
224
B - allow (lib)curl to follow HTTP "redirects" (Location: and the
225
appropriate HTTP 30x response code) and the new URL contains a URL with
226
a user name and domain name that together are longer than 192 bytes
228
See http://curl.haxx.se/docs/security.html for further details and updates
230
Daniel (5 October 2005)
231
- Darryl House reported a problem with using -z to download files from FTP.
232
It turned out that if the given time stamp was exact the same as the remote
233
time stamp, the file would still wrongly be downloaded. Added test case 272
236
Daniel (4 October 2005)
237
- Domenico Andreoli fixed a man page malformat and removed odd (0xa0) bytes
238
from the configure script.
240
- Michael Wallner reported that the date parser had wrong offset stored for
241
the MEST and CEST time zones.
243
Daniel (27 September 2005)
244
- David Yan filed bug #1299181 (http://curl.haxx.se/bug/view.cgi?id=1299181)
245
that identified a silly problem with Content-Range: headers with the 'bytes'
246
keyword written in a different case than all lowercase! It would cause a
249
- TJ Saunders of the proftpd project identified and pointed out problems with
250
the modified FTPS negotiation change of August 19 2005. Thus, we revert the
251
change back to pre-7.14.1 status.
253
Daniel (21 September 2005)
254
- Fixed "cut off" sentence in the libcurl-tutorial man page:
255
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329305
257
- Clarified in the curl_easy_setopt man page what the default
258
CURLOPT_WRITEFUNCTION and CURLOPT_WRITEDATA mean:
259
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329311
261
- Clarified in the curl_easy_setopt man page that CURLOPT_ERRORBUFFER
262
sometimes doesn't fill in the buffer even though it is supposed to:
263
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=329313
265
- When CURLE_URL_MALFORMAT is returned due to a missing URL, it now has an
268
Daniel (19 September 2005)
269
- Dmitry Bartsevich made the SSPI support work on Windows 9x as well.
271
Daniel (15 September 2005)
272
- Added a TFTP server to the test suite and made the test suite capable of
275
Daniel (7 September 2005)
276
- Ben Madsen's detailed reports that funnily enough only occurred with certain
277
glibc versions turned out to be curl using an already closed file handle
278
during certain conditions (like when saving FTP server "headers").
280
- Scott Davis helped me track down a problem in the test HTTP server that made
281
test case 56 wrongly fail at times. It turned out it was due to the server
282
finding the end of a chunked-encoded POST too early.
284
Daniel (6 September 2005)
285
- Now curl warns if an unknown variable is used in the -w/--writeout argument.
287
Daniel (4 September 2005)
288
- I applied Nicolas Fran�ois' man page patch he posted to the Debian bug
289
tracker. It corrected two lines that started with apostrophes, which isn't
290
legal nroff format. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=326511
292
- Added --ftp-skip-pasv-ip to the command line tool, that sets the new
293
CURLOPT_FTP_SKIP_PASV_IP option. It makes libcurl re-use the control
294
connection's IP address when setting up the data connection instead of
295
extractting the IP address from the PASV response. It has turned out this
296
feature is frequently needed by people to circumvent silly servers and silly
297
firewalls, especially when FTPS is used and the PASV command-response is
300
Sponsored by CU*Answers
302
Daniel (1 September 2005)
303
- John Kelly added TFTP support to libcurl. A bunch of new error codes was
304
added. TODO: add them to docs. add TFTP server to test suite. add TFTP to
305
list of protocols whereever those are mentioned.
307
Version 7.14.1 (1 September 2005)
309
Daniel (29 August 2005)
310
- Kevin Lussier pointed out a problem with curllib.dsp and how to fix it.
312
- Igor Polyakov fixed a rather nasty problem with the threaded name resolver
313
for Windows, that could lead to an Access Violation when the multi interface
314
was used due to an issue with how the resolver thread was and was not
317
- Simon Josefsson brought a patch that allows curl to get built to use GNU GSS
318
instead of MIT/Heimdal for GSS capabilities.
320
Daniel (24 August 2005)
321
- Toby Peterson added CURLOPT_IGNORE_CONTENT_LENGTH to the library, accessible
322
from the command line tool with --ignore-content-length. This will make it
323
easier to download files from Apache 1.x (and similar) servers that are
324
still having problems serving files larger than 2 or 4 GB. When this option
325
is enabled, curl will simply have to wait for the server to close the
326
connection to signal end of transfer. I wrote test case 269 that runs a
327
simple test to verify that this works.
329
- (Trying hard to exclude emotions now.) valgrind version 3 suddenly renamed
330
the --logfile command line option to --log-file, and thus the test script
331
valgrind autodetection now has yet another version check to do and then it
332
alters the valgrind command line accordingly.
334
- Fixed CA cert verification using GnuTLS with the default bundle, which
335
previously failed due to GnuTLS not allowing x509 v1 CA certs by default.
336
Ralph Mitchell reported.
338
Daniel (19 August 2005)
339
- Norbert Novotny had problems with FTPS and he helped me work out a patch
340
that made curl run fine in his end. The key was to make sure we do the
341
SSL/TLS negotiation immediately after the TCP connect is done and not after
342
a few other commands have been sent like we did previously. I don't consider
343
this change necessary to obey the standards, I think this server is pickier
344
than what the specs allow it to be, but I can't see how this modified
345
libcurl code can add any problems to those who are interpreting the
346
standards more liberally.
348
Daniel (17 August 2005)
349
- Jeff Pohlmeyer found out that if you ask libcurl to load a cookiefile (with
350
CURLOPT_COOKIEFILE), add a cookie (with CURLOPT_COOKIELIST), tell it to
351
write the result to a given cookie jar and then never actually call
352
curl_easy_perform() - the given file(s) to read was never read but the
353
output file was written and thus it caused a "funny" result.
355
- While doing some tests for the bug above, I noticed that Firefox generates
356
large numbers (for the expire time) in the cookies.txt file and libcurl
357
didn't treat them properly. Now it does.
359
Daniel (15 August 2005)
360
- Added more verbose "warning" messages to the curl client for cases where it
361
fails to open/read files etc to help users diagnose why it doesn't do what
362
you'd expect it to. Converted lots of old messages to use the new generic
363
function I wrote for this purpose.
365
Daniel (13 August 2005)
366
- James Bursa identified a libcurl HTTP bug and a good way to repeat it. If a
367
site responds with bad HTTP response that doesn't contain any header at all,
368
only a response body, and the write callback returns 0 to abort the
369
transfer, it didn't have any real effect but the write callback would be
370
called once more anyway.
372
Daniel (12 August 2005)
373
- Based on Richard Clayton's reports, I found out that using curl -d @filename
374
when 'filename' was not possible to access made curl use a GET request
377
- The time condition illegal syntax warning is now inhibited if -s is used.
379
Daniel (10 August 2005)
380
- Mario Schroeder found out that one of the debug callbacks calls that regards
381
SSL data with the CURLINFO_TEXT type claimed that the data was one byte
382
larger than it actually is, thus falsely telling the application that the
383
terminating zero was part of the data.
385
Daniel (9 August 2005)
386
- Christopher R. Palmer fixed the offsets used for date parsings when the time
387
zone name of a daylight savings time was used. For example, PDT vs PDS. This
388
flaw was introduced with the new date parser (11 sep 2004 - 7.12.2).
389
Fortunately, no web server or cookie string etc should be using such time
390
zone names thus limiting the effect of this bug.
392
Daniel (8 August 2005)
393
- Jon Grubbs filed bug report #1249962
394
(http://curl.haxx.se/bug/view.cgi?id=1249962) which identified a problem
395
with NTLM on a HTTP proxy if an FTP URL was given. libcurl now properly
396
switches to pure HTTP internally when an HTTP proxy is used, even for FTP
397
URLs. The problem would also occur with other multi-pass auth methods.
399
Daniel (7 August 2005)
400
- When curl is built with GnuTLS, curl-config didn't include "SSL" when
403
Daniel (28 July 2005)
404
- If any of the options CURLOPT_HTTPGET, CURLOPT_POST and CURLOPT_HTTPPOST is
405
set to 1, CURLOPT_NOBODY will now automatically be set to 0.
407
Daniel (27 July 2005)
408
- Dan Fandrich changes over the last week: fixed numerous minor configure
409
option parsing flaws: --without-gnutls, --without-spnego --without-gssapi
410
and --without-krb4. Spellfixed several error messages.
412
- Peteris Krumins added CURLOPT_COOKIELIST and CURLINFO_COOKIELIST, which is a
413
simple interface to extracting and setting cookies in libcurl's internal
414
"cookie jar". See the new cookie_interface.c example code.
416
Daniel (13 July 2005)
417
- Diego Casorran provided patches to make curl build fine on Amiga again.
419
Daniel (12 July 2005)
420
- Adrian Schuur added trailer support in the chunked encoding stream. The
421
trailer is then sent to the normal header callback/stream. I wrote up test
422
case 266 to verify the basic functionality. Do note that test case 34
423
contains a flawed chunked encoding stream that still works the same.
426
- Gisle Vanem came up with a nice little work-around for bug #1230118
427
(http://curl.haxx.se/bug/view.cgi?id=1230118). It seems the Windows (MSVC)
428
libc time functions may return data one hour off if TZ is not set and
429
automatic DST adjustment is enabled. This made curl_getdate() return wrong
430
value, and it also concerned internal cookie expirations etc.
433
- Andrew Bushnell provided enough info for me to tell that we badly needed to
434
fix the CONNECT authentication code with multi-pass auth methods (such as
435
NTLM) as it didn't previously properly ignore response-bodies - in fact it
436
stopped reading after all response headers had been received. This could
437
lead to libcurl sending the next request and reading the body from the first
438
request as response to the second request. (I also renamed the function,
439
which wasn't strictly necessary but...)
441
The best fix would to once and for all make the CONNECT code use the
442
ordinary request sending/receiving code, treating it as any ordinary request
443
instead of the special-purpose function we have now. It should make it
444
better for multi-interface too. And possibly lead to less code...
446
Added test case 265 for this. It doesn't work as a _really_ good test case
447
since the test proxy is too stupid, but the test case helps when running the
450
Daniel (30 June 2005)
451
- Dan Fandrich improved the configure script's ability to figure out what kind
452
of strerror_r() API that is used when cross-compiling. If __GLIB__ is
453
defined, it assumes the glibc API. If not, it issues a notice as before that
454
the user needs to manually edit lib/config.h for this.
456
Daniel (23 June 2005)
457
- David Shaw's fix that unifies proxy string treatment so that a proxy given
458
with CURLOPT_PROXY can use a http:// prefix and user + password. The user
459
and password fields are now also URL decoded properly. Test case 264 added
462
Daniel (22 June 2005)
463
- David Shaw updated libcurl.m4
465
Daniel (14 June 2005)
466
- Gisle Vanem fixed a potential thread handle leak. Bug report #1216500
467
(http://curl.haxx.se/bug/view.cgi?id=1216500). Comment in
468
http://curl.haxx.se/mail/lib-2005-06/0059.html
470
Daniel (13 June 2005)
471
- Made buildconf run libtoolize in the ares dir too (inspired by Tupone's
475
- Incorporated Tupone's findtool fix in buildconf (slightly edited)
477
- Incorporated Tupone's head -n fix in buildconf.
480
- Reverted Tupone's patch again, it broke numerous autobuilds. Let's apply it
481
in pieces, one by one and see what we need to adjust to work all over.
484
- Tupone Alfredo fixed three problems in buildconf:
486
1) findtool does look per tool in PATH and think ./perl is the perl
487
executable, while is just a local directory (I have . in the PATH)
489
2) I got several warning for head -1 deprecated in favour of head -n 1
491
3) ares directory is missing some file (missing is missing :-) ) because
492
automake and friends is not run.
495
- Added docs/libcurl/getinfo-times, based on feedback from 'Edi':
496
http://curl.haxx.se/feedback/display.cgi?id=11178325798299&support=yes
498
- Andres Garcia provided yet another text mode patch for several test cases so
499
that they do text comparisions better on Windows (newline-wise).
502
- The configure check for c-ares now adds the cares lib before the other libs,
503
to make it build fine with mingw. Inspired by Tupone Alfredo's bug report
504
and patch: http://curl.haxx.se/bug/view.cgi?id=1212940
507
- Todd Kulesza reported a flaw in the proxy option, since a numerical IPv6
508
address was not possible to use. It is now, but requires it written
509
RFC2732-style, within brackets - which incidently is how you enter numerical
510
IPv6 addresses in URLs. Test case 263 added to verify.
513
- Eric Cooper reported about a problem with HTTP servers that responds with
514
binary zeroes within the headers. They confused libcurl to do wrong so the
515
downloaded headers become incomplete. The fix is now verified with test case
516
262. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310948
519
- Fixed problems with the test suite, and in particular the FTP test cases
520
since it previously was failing every now and then in a nonsense manner.
522
- --trace-time now outputs the full microsecond, all 6 digits.
525
- Andres Garcia provided a text mode patch for several test cases so that they
526
do text comparisions better on Windows (newline-wise).
528
- Any 2xx response (and not just 200) is now considered a fine response to
529
TYPE, as some servers obviously sends a 226 there. Added test case 261 to
530
verify. Based on a question/report by Georg Wicherski.
533
- Improved runtests.pl to allow stdout tests to be mode=text as well, just
534
as file comparisons already supports. Added this info to the FILEFORMAT
538
- John McGowan identified a problem in bug report #1204435
539
(http://curl.haxx.se/bug/view.cgi?id=1204435) with malformed URLs like
540
"http://somehost?data" as it added a slash too much in the request ("GET
541
/?data/"...). Added test case 260 to verify.
543
- The configure check for strerror_r() failed to detect the proper API at
544
times, like on HP-UX 10.20. Then lib/strerror.c badly assumed the glibc
545
version if the posix define wasn't set (since it _had_ found a strerror_r).
548
- The gmtime_r() function in HP-UX 10.20 is broken. About 13 test cases fail
549
due to this. There's now a configure check that attempts to detect the bad
550
function and not use it on such systems.
10
552
Version 7.14.0 (16 May 2005)
12
554
Daniel (13 May 2005)