Revision tags: curl-7_39_0, curl-7_38_0 |
|
#
a76825a5 |
| 19-Aug-2014 |
Daniel Stenberg |
cookies: reject incoming cookies set for TLDs Test 61 was modified to verify this. CVE-2014-3620 Reported-by: Tim Ruehsen URL: http://curl.haxx.se/docs/adv_20140910B.html
|
#
8a75dbeb |
| 19-Aug-2014 |
Tim Ruehsen |
cookies: only use full host matches for hosts used as IP address By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both send cookies to wrong sites and to allow arbitrary sites to set cookies for others. CVE-2014-3613 Bug: http://curl.haxx.se/docs/adv_20140910A.html
|
Revision tags: curl-7_37_1, curl-7_37_0, curl-7_36_0, curl-7_35_0 |
|
#
ecaf2f02 |
| 16-Jan-2014 |
Daniel Stenberg |
cookie: max-age fixes 1 - allow >31 bit max-age values 2 - don't overflow on extremely large max-age values when we add the value to the current time 3 - make sure max-age takes precedence over expires as dictated by RFC6265 Bug: http://curl.haxx.se/mail/lib-2014-01/0130.html Reported-by: Chen Prog
|
#
7b774482 |
| 16-Jan-2014 |
Daniel Stenberg |
Curl_cookie_add: remove 'now' from curl_getdate() call The now argument is unused by curl_getdate()
|
#
60bd2262 |
| 31-Dec-2013 |
Steve Holme |
mprintf: Replaced internal usage of FORMAT_OFF_T and FORMAT_OFF_TU Following commit 0aafd77fa4c6f2, replaced the internal usage of FORMAT_OFF_T and FORMAT_OFF_TU with the external versions that we expect API programmers to use. This negates the need for separate definitions which were subtly different under different platforms/compilers.
|
Revision tags: curl-7_34_0, curl-7_33_0 |
|
#
4cfbb201 |
| 17-Sep-2013 |
YAMADA Yasuharu |
cookies: add expiration Implement: Expired Cookies These following situation, curl removes cookie(s) from struct CookieInfo if the cookie expired. - Curl_cookie_add() - Curl_cookie_getlist() - cookie_output()
|
Revision tags: curl-7_32_0 |
|
#
964a7600 |
| 15-Jul-2013 |
Patrick Monnerat |
slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()
|
Revision tags: curl-7_31_0 |
|
#
f24dc09d |
| 12-Jun-2013 |
YAMADA Yasuharu |
cookies: follow-up fix for path checking The initial fix to only compare full path names were done in commit 04f52e9b4db0 but found out to be incomplete. This takes should make the change more complete and there's now two additional tests to verify (test 31 and 62).
|
#
85b9dc80 |
| 21-May-2013 |
Daniel Stenberg |
Curl_cookie_add: handle IPv6 hosts 1 - don't skip host names with a colon in them in an attempt to bail out on HTTP headers in the cookie file parser. It was only a shortcut anyway and trying to parse a file with HTTP headers will still be handled, only slightly slower. 2 - don't skip domain names based on number of dots. The original netscape cookie spec had this oddity mentioned and while our code decreased the check to only check for two, the existing cookie spec has no such dot counting required. Bug: http://curl.haxx.se/bug/view.cgi?id=1221 Reported-by: Stefan Neis
|
#
04f52e9b |
| 18-May-2013 |
YAMADA Yasuharu |
cookies: only consider full path matches I found a bug which cURL sends cookies to the path not to aim at. For example: - cURL sends a request to http://example.fake/hoge/ - server returns cookie which with path=/hoge; the point is there is NOT the '/' end of path string. - cURL sends a request to http://example.fake/hogege/ with the cookie. The reason for this old "feature" is because that behavior is what is described in the original netscape cookie spec: http://curl.haxx.se/rfc/cookie_spec.html The current cookie spec (RFC6265) clarifies the situation: http://tools.ietf.org/html/rfc6265#section-5.2.4
|
Revision tags: curl-7_30_0 |
|
#
2eb8dcf2 |
| 10-Apr-2013 |
YAMADA Yasuharu |
cookie: fix tailmatching to prevent cross-domain leakage Cookies set for 'example.com' could accidentally also be sent by libcurl to the 'bexample.com' (ie with a prefix to the first domain name). This is a security vulnerability, CVE-2013-1944. Bug: http://curl.haxx.se/docs/adv_20130412.html
|
#
762961fe |
| 07-Apr-2013 |
Marc Hoersken |
cookie.c: Made cookie sort function more deterministic Since qsort implementations vary with regards to handling the order of similar elements, this change makes the internal sort function more deterministic by comparing path length first, then domain length and finally the cookie name. Spotted with testcase 62 on Windows.
|
#
eb25dd3b |
| 02-Apr-2013 |
Yasuharu Yamada |
Curl_cookie_add: only increase numcookies for new cookies Count up numcookies in Curl_cookie_add() only when cookie is new one
|
Revision tags: curl-7_29_0 |
|
#
5a053ffe |
| 06-Jan-2013 |
Yang Tse |
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
|
#
4a5aa668 |
| 04-Jan-2013 |
Yang Tse |
Revert changes relative to lib/*.[ch] recent renaming This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this reversion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
|
#
f871de00 |
| 28-Dec-2012 |
Yang Tse |
build: make use of 76 lib/*.h renamed files 76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
|
Revision tags: curl-7_28_1, curl-7_28_0, curl-7_27_0 |
|
#
904346bf |
| 09-Jul-2012 |
Daniel Stenberg |
cookie: fixed typo in comment
|
#
c75ece44 |
| 03-Jul-2012 |
Daniel Stenberg |
cookies: change the URL in the cookie jar file header
|
Revision tags: curl-7_26_0, curl-7_25_0, curl-7_24_0, curl-7_23_1, curl-7_23_0 |
|
#
584dc8b8 |
| 11-Oct-2011 |
Yang Tse |
OOM handling/cleanup slight adjustments
|
#
17f48fe8 |
| 07-Oct-2011 |
Yang Tse |
libcurl: some OOM handling fixes
|
Revision tags: curl-7_22_0 |
|
#
a5021071 |
| 05-Sep-2011 |
Yang Tse |
fix bool variables checking and assignment
|
#
7c21c1c4 |
| 09-Aug-2011 |
Daniel Stenberg |
cookie parser: handle 'secure=' There are two keywords in cookie headers that don't follow the regular name=value style: secure and httponly. Still we must support that they are written like 'secure=' and then treat them as if they were written 'secure'. Test case 31 was much extended by Rob Ward to test this. Bug: http://curl.haxx.se/bug/view.cgi?id=3349227 Reported by: "gnombat"
|
#
f1586cb4 |
| 26-Jul-2011 |
Yang Tse |
stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h
|
Revision tags: curl-7_21_7 |
|
#
9776f344 |
| 03-Jun-2011 |
Daniel Stenberg |
cookie_output: made private
|
#
65a9fa59 |
| 02-Jun-2011 |
Yang Tse |
Remove unnecessary typecast
|