History log of /curl/lib/cookie.c (Results 151 – 175 of 299)
Revision tags: curl-7_39_0, curl-7_38_0
# a76825a5 19-Aug-2014 Daniel Stenberg

cookies: reject incoming cookies set for TLDs

Test 61 was modified to verify this.

CVE-2014-3620

Reported-by: Tim Ruehsen
URL: http://curl.haxx.se/docs/adv_20140910B.html



# 8a75dbeb 19-Aug-2014 Tim Ruehsen

cookies: only use full host matches for hosts used as IP address

By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

CVE-2014-3613

Bug: http://curl.haxx.se/docs/adv_20140910A.html



Revision tags: curl-7_37_1, curl-7_37_0, curl-7_36_0, curl-7_35_0
# ecaf2f02 16-Jan-2014 Daniel Stenberg

cookie: max-age fixes

1 - allow >31 bit max-age values

2 - don't overflow on extremely large max-age values when we add the
value to the current time

3 - make sure max-age takes precedence over expires as dictated by
RFC6265

Bug: http://curl.haxx.se/mail/lib-2014-01/0130.html
Reported-by: Chen Prog



# 7b774482 16-Jan-2014 Daniel Stenberg

Curl_cookie_add: remove 'now' from curl_getdate() call

The now argument is unused by curl_getdate()


# 60bd2262 31-Dec-2013 Steve Holme

mprintf: Replaced internal usage of FORMAT_OFF_T and FORMAT_OFF_TU

Following commit 0aafd77fa4c6f2, replaced the internal usage of
FORMAT_OFF_T and FORMAT_OFF_TU with the external versions that we
expect API programmers to use.

This negates the need for separate definitions which were subtly
different under different platforms/compilers.



Revision tags: curl-7_34_0, curl-7_33_0
# 4cfbb201 17-Sep-2013 YAMADA Yasuharu

cookies: add expiration

Implement: Expired Cookies These following situation, curl removes
cookie(s) from struct CookieInfo if the cookie expired.
- Curl_cookie_add()
- Curl_cookie_getlist()
- cookie_output()



Revision tags: curl-7_32_0
# 964a7600 15-Jul-2013 Patrick Monnerat

slist.c, slist.h, cookie.c: new internal procedure Curl_slist_append_nodup()


Revision tags: curl-7_31_0
# f24dc09d 12-Jun-2013 YAMADA Yasuharu

cookies: follow-up fix for path checking

The initial fix to only compare full path names was done in commit
04f52e9b4db0 but found out to be incomplete. This take should make the
change more complete and there's now two additional tests to verify
(test 31 and 62).



# 85b9dc80 21-May-2013 Daniel Stenberg

Curl_cookie_add: handle IPv6 hosts

1 - don't skip host names with a colon in them in an attempt to bail out
on HTTP headers in the cookie file parser. It was only a shortcut anyway
and trying to parse a file with HTTP headers will still be handled, only
slightly slower.

2 - don't skip domain names based on number of dots. The original
netscape cookie spec had this oddity mentioned and while our code
decreased the check to only check for two, the existing cookie spec has
no such dot counting required.

Bug: http://curl.haxx.se/bug/view.cgi?id=1221
Reported-by: Stefan Neis



# 04f52e9b 18-May-2013 YAMADA Yasuharu

cookies: only consider full path matches

I found a bug which cURL sends cookies to the path not to aim at.
For example:
- cURL sends a request to http://example.fake/hoge/
- server returns cookie which with path=/hoge;
the point is there is NOT the '/' end of path string.
- cURL sends a request to http://example.fake/hogege/ with the cookie.

The reason for this old "feature" is because that behavior is what is
described in the original netscape cookie spec:
http://curl.haxx.se/rfc/cookie_spec.html

The current cookie spec (RFC6265) clarifies the situation:
http://tools.ietf.org/html/rfc6265#section-5.2.4



Revision tags: curl-7_30_0
# 2eb8dcf2 10-Apr-2013 YAMADA Yasuharu

cookie: fix tailmatching to prevent cross-domain leakage

Cookies set for 'example.com' could accidentally also be sent by libcurl
to the 'bexample.com' (ie with a prefix to the first domain name).

This is a security vulnerability, CVE-2013-1944.

Bug: http://curl.haxx.se/docs/adv_20130412.html



# 762961fe 07-Apr-2013 Marc Hoersken

cookie.c: Made cookie sort function more deterministic

Since qsort implementations vary with regards to handling the order
of similar elements, this change makes the internal sort function
more deterministic by comparing path length first, then domain length
and finally the cookie name. Spotted with testcase 62 on Windows.



# eb25dd3b 02-Apr-2013 Yasuharu Yamada

Curl_cookie_add: only increase numcookies for new cookies

Count up numcookies in Curl_cookie_add() only when cookie is new one


Revision tags: curl-7_29_0
# 5a053ffe 06-Jan-2013 Yang Tse

build: fix circular header inclusion with other packages

This commit renames lib/setup.h to lib/curl_setup.h and
renames lib/setup_once.h to lib/curl_setup_once.h.

Removes the need and usage of a header inclusion guard foreign
to libcurl. [1]

Removes the need and presence of an alarming notice we carried
in old setup_once.h [2]

----------------------------------------

1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard
up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H,
this single inclusion guard is enough to ensure that inclusion of
lib/setup_once.h done from lib/setup.h is only done once.

Additionally lib/setup.h has always used __SETUP_ONCE_H macro to
protect inclusion of setup_once.h even after commit ec691ca3, this
was to avoid a circular header inclusion triggered when building a
c-ares enabled version with c-ares sources available which also has
a setup_once.h header. Commit ec691ca3 exposes the real nature of
__SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard
foreign to libcurl belonging to c-ares's setup_once.h

The renaming this commit does, fixes the circular header inclusion,
and as such removes the need and usage of a header inclusion guard
foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl.

2 - Due to the circular interdependency of old lib/setup_once.h and the
c-ares setup_once.h header, old file lib/setup_once.h has carried
back from 2006 up to nowadays an alarming and prominent notice about
the need of keeping libcurl's and c-ares's setup_once.h in sync.

Given that this commit fixes the circular interdependency, the need
and presence of mentioned notice is removed.

All mentioned interdependencies come back from now old days when
the c-ares project lived inside a curl subdirectory. This commit
removes last traces of such fact.



# 4a5aa668 04-Jan-2013 Yang Tse

Revert changes relative to lib/*.[ch] recent renaming

This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:

f871de0... build: make use of 76 lib/*.h renamed files
ffd8e12... build: rename 76 lib/*.h files

This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:

c087374... curl_setup.h: remove redundant include guard

This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:

13606bb... build: make use of 93 lib/*.c renamed files
5b6e792... build: rename 93 lib/*.c files
7d83dff... build: commit 13606bbfde follow-up 1

Start of related discussion thread:

http://curl.haxx.se/mail/lib-2013-01/0012.html

Asking for confirmation on pushing this reversion commit:

http://curl.haxx.se/mail/lib-2013-01/0048.html

Confirmation summary:

http://curl.haxx.se/mail/lib-2013-01/0079.html

NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.

lib/curl_imap.h
lib/curl_smtp.h



# f871de00 28-Dec-2012 Yang Tse

build: make use of 76 lib/*.h renamed files

76 private header files renamed to use our standard naming scheme.

This change affects 322 files in libcurl's source tree.


Revision tags: curl-7_28_1, curl-7_28_0, curl-7_27_0
# 904346bf 09-Jul-2012 Daniel Stenberg

cookie: fixed typo in comment


# c75ece44 03-Jul-2012 Daniel Stenberg

cookies: change the URL in the cookie jar file header


Revision tags: curl-7_26_0, curl-7_25_0, curl-7_24_0, curl-7_23_1, curl-7_23_0
# 584dc8b8 11-Oct-2011 Yang Tse

OOM handling/cleanup slight adjustments


# 17f48fe8 07-Oct-2011 Yang Tse

libcurl: some OOM handling fixes


Revision tags: curl-7_22_0
# a5021071 05-Sep-2011 Yang Tse

fix bool variables checking and assignment


# 7c21c1c4 09-Aug-2011 Daniel Stenberg

cookie parser: handle 'secure='

There are two keywords in cookie headers that don't follow the regular
name=value style: secure and httponly. Still we must support that they
are written like 'secure=' and then treat them as if they were written
'secure'. Test case 31 was much extended by Rob Ward to test this.

Bug: http://curl.haxx.se/bug/view.cgi?id=3349227
Reported by: "gnombat"



# f1586cb4 26-Jul-2011 Yang Tse

stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h


Revision tags: curl-7_21_7
# 9776f344 03-Jun-2011 Daniel Stenberg

cookie_output: made private


# 65a9fa59 02-Jun-2011 Yang Tse

Remove unnecessary typecast

