head 1.13; access; symbols pkgsrc-2013Q2:1.13.0.8 pkgsrc-2013Q2-base:1.13 pkgsrc-2012Q4:1.13.0.6 pkgsrc-2012Q4-base:1.13 pkgsrc-2011Q4:1.13.0.4 pkgsrc-2011Q4-base:1.13 pkgsrc-2011Q2:1.13.0.2 pkgsrc-2011Q2-base:1.13 pkgsrc-2009Q4:1.11.0.30 pkgsrc-2009Q4-base:1.11 pkgsrc-2008Q4:1.11.0.28 pkgsrc-2008Q4-base:1.11 pkgsrc-2008Q3:1.11.0.26 pkgsrc-2008Q3-base:1.11 cube-native-xorg:1.11.0.24 cube-native-xorg-base:1.11 pkgsrc-2008Q2:1.11.0.22 pkgsrc-2008Q2-base:1.11 pkgsrc-2008Q1:1.11.0.20 pkgsrc-2008Q1-base:1.11 pkgsrc-2007Q4:1.11.0.18 pkgsrc-2007Q4-base:1.11 pkgsrc-2007Q3:1.11.0.16 pkgsrc-2007Q3-base:1.11 pkgsrc-2007Q2:1.11.0.14 pkgsrc-2007Q2-base:1.11 pkgsrc-2007Q1:1.11.0.12 pkgsrc-2007Q1-base:1.11 pkgsrc-2006Q4:1.11.0.10 pkgsrc-2006Q4-base:1.11 pkgsrc-2006Q3:1.11.0.8 pkgsrc-2006Q3-base:1.11 pkgsrc-2006Q2:1.11.0.6 pkgsrc-2006Q2-base:1.11 pkgsrc-2006Q1:1.11.0.4 pkgsrc-2006Q1-base:1.11 pkgsrc-2005Q4:1.11.0.2 pkgsrc-2005Q4-base:1.11 pkgsrc-2005Q3:1.9.0.12 pkgsrc-2005Q3-base:1.9 pkgsrc-2005Q2:1.9.0.10 pkgsrc-2005Q2-base:1.9 pkgsrc-2005Q1:1.9.0.8 pkgsrc-2005Q1-base:1.9 pkgsrc-2004Q4:1.9.0.6 pkgsrc-2004Q4-base:1.9 pkgsrc-2004Q3:1.9.0.4 pkgsrc-2004Q3-base:1.9 pkgsrc-2004Q2:1.9.0.2 pkgsrc-2004Q2-base:1.9 pkgsrc-2004Q1:1.8.0.2 pkgsrc-2004Q1-base:1.8 pkgsrc-2003Q4:1.6.0.2 pkgsrc-2003Q4-base:1.6 netbsd-1-6-1:1.4.0.2 netbsd-1-6-1-base:1.4 buildlink2-base:1.2 buildlink2:1.2.0.4 netbsd-1-6:1.2.0.6 netbsd-1-6-RELEASE-base:1.2 pkgviews:1.2.0.2 pkgviews-base:1.2; locks; strict; comment @# @; 1.13 date 2010.02.16.12.51.44; author wiz; state dead; branches; next 1.12; 1.12 date 2010.02.09.16.05.38; author drochner; state Exp; branches; next 1.11; 1.11 date 2005.12.10.17.57.29; author salo; state dead; branches 1.11.28.1; next 1.10; 1.10 date 2005.10.20.16.25.15; author minskim; state Exp; branches; next 1.9; 1.9 date 2004.03.28.20.47.05; author xtraeme; state dead; branches 1.9.12.1; next 1.8; 1.8 date 2004.01.23.22.52.29; author recht; state Exp; branches; next 1.7; 1.7 date 
2003.12.07.13.28.33; author wiz; state Exp; branches; next 1.6; 1.6 date 2003.07.30.10.29.03; author wiz; state Exp; branches; next 1.5; 1.5 date 2003.05.20.11.54.13; author wiz; state Exp; branches; next 1.4; 1.4 date 2003.02.09.08.46.36; author shell; state Exp; branches; next 1.3; 1.3 date 2002.08.25.21.52.05; author jlam; state Exp; branches; next 1.2; 1.2 date 2002.07.19.04.25.18; author mycroft; state Exp; branches 1.2.4.1; next 1.1; 1.1 date 2002.07.19.04.23.48; author mycroft; state Exp; branches; next ; 1.11.28.1 date 2009.03.15.15.07.23; author tron; state Exp; branches; next ; 1.9.12.1 date 2005.10.30.13.33.19; author salo; state Exp; branches; next 1.9.12.2; 1.9.12.2 date 2005.12.10.22.35.42; author snj; state dead; branches; next ; 1.2.4.1 date 2002.07.19.04.25.18; author jlam; state dead; branches; next 1.2.4.2; 1.2.4.2 date 2002.08.25.21.22.22; author jlam; state Exp; branches; next ; desc @@ 1.13 log @Update to 7.20.0: Version 7.20.0 (9 February 2010) Daniel Stenberg (9 Feb 2010) - When downloading compressed content over HTTP and the app asked libcurl to automatically uncompress it with the CURLOPT_ENCODING option, libcurl could wrongly provide the callback with more data than the maximum documented amount. An application could thus get tricked into badness if the maximum limit was trusted to be enforced by libcurl itself (as it is documented). This is further detailed and explained in the libcurl security advisory 20100209 at http://curl.haxx.se/docs/adv_20100209.html Daniel Fandrich (3 Feb 2010) - Changed the Watcom makefiles to make them easier to keep in sync with Makefile.inc since that can't be included directly. Yang Tse (2 Feb 2010) - Symbol CURL_FORMAT_OFF_T now obsoleted, will be removed in a future release, symbol will not be available when building with CURL_NO_OLDIES defined. 
Use of CURL_FORMAT_CURL_OFF_T is preferred since 7.19.0

Daniel Stenberg (1 Feb 2010)
- Using the multi_socket API, it turns out at times it seemed to "forget" connections (which caused a hang). It turned out to be an existing (7.19.7) bug in libcurl (that's been around for a long time) and it happened like this:

  The app calls curl_multi_add_handle() to add a new easy handle, libcurl will then set it to timeout in 1 millisecond so libcurl will tell the app about it.

  The app's timeout fires off that there's a timeout, the app calls libcurl as we so often document it:

    do {
      res = curl_multi_socket_action(... TIMEOUT ...);
    } while(CURLM_CALL_MULTI_PERFORM == res);

  And this is the problem number one:

  When curl_multi_socket_action() is called with no specific handle, but only a timeout-action, it will *only* perform actions within libcurl that are marked to run at this time. In this case, the request would go from INIT to CONNECT and return CURLM_CALL_MULTI_PERFORM. When the app then calls libcurl again, there's no timer set for this handle so it remains in the CONNECT state. The CONNECT state is a transitional state in libcurl so it reports no sockets there, and thus libcurl never tells the app anything more about that easy handle/connection.

  libcurl _does_ set a 1ms timeout for the handle at the end of multi_runsingle() if it returns CURLM_CALL_MULTI_PERFORM, but since the loop is instant the new job is not ready to run at that point (and there's no code that makes libcurl call the app to update the timeout for this new timeout). It will simply rely on that some other timeout will trigger later on or that something else will update the timeout callback. This makes the bug fairly hard to repeat.

  The fix made to address this issue:

  We introduce a loop in lib/multi.c around all calls to multi_runsingle() and simply check for CURLM_CALL_MULTI_PERFORM internally.
  This has the added benefit that this goes in line with my long-term wishes to get rid of the CURLM_CALL_MULTI_PERFORM all together from the public API.

  The downside of this fix, is that the counter we return in 'running_handles' in several of our public functions then gets a slightly new and possibly confusing behavior during times:

  If an app adds a handle that fails to connect (very quickly) it may just as well never appear as a 'running_handle' with this fix. Previously it would first bump the counter only to get it decreased again at next call. Even I have used that change in handle counter to signal "end of a transfer". The only *good* way to find the end of an individual transfer is calling curl_multi_info_read() to see if it returns one.

  Of course, if the app previously did the looping before it checked the counter, it really shouldn't be any new effect.

Yang Tse (26 Jan 2010)
- Constantine Sapuntzakis' and Joshua Kwan's work done in the last four months relative to the asynchronous DNS lookups, along with some integration adjustments I have done are finally committed to CVS.

  Currently these enhancements will benefit builds done using c-ares on any platform as well as Windows builds using the default threaded resolver.

  This release does not make generally available POSIX threaded DNS lookups yet. There is no configure option to enable this feature yet. It is possible to experimentally try this feature running configure with compiler flags that make simultaneous definition of preprocessor symbols USE_THREADS_POSIX and HAVE_PTHREAD_H, as well as whatever reentrancy compiler flags and linker ones are required to link and properly use pthread_* functions on each platform.

Daniel Stenberg (26 Jan 2010)
- Mike Crowe made libcurl return CURLE_COULDNT_RESOLVE_PROXY when it is the proxy that cannot be resolved when using c-ares. This matches the behaviour when not using c-ares.

Bj
- Added a new flag: -J/--remote-header-name.
  This option tells the -O/--remote-name option to use the server-specified Content-Disposition filename instead of extracting a filename from the URL.

Daniel Stenberg (21 Jan 2010)
- Chris Conroy brought support for RTSP transfers, and with it comes 8(!) new libcurl options for controlling what to get and how to receive possibly interleaved RTP data.

Daniel Stenberg (20 Jan 2010)
- As was pointed out on the http-state mailing list, the order of cookies in a HTTP Cookie: header _needs_ to be sorted on the path length in the cases where two cookies using the same name are set more than once using (overlapping) paths. Realizing this, identically named cookies must be sorted correctly. But detecting only identically named cookies and take care of them individually is harder than just to blindly and unconditionally sort all cookies based on their path lengths. All major browsers also already do this, so this makes our behavior one step closer to them in the cookie area.

  Test case 8 was the only one that broke due to this change and I updated it accordingly.

Daniel Stenberg (19 Jan 2010)
- David McCreedy brought a fix and a new test case (129) to make libcurl work again when downloading files over FTP using ASCII and it turns out that the final size of the file is not the same as the initial size the server reported. This is very common since servers don't take the newline conversions into account.

Kamil Dudka (14 Jan 2010)
- Suppressed side effect of OpenSSL configure checks, which prevented NSS from being properly detected under certain circumstances. It had been caused by strange behavior of pkg-config when handling PKG_CONFIG_LIBDIR. pkg-config distinguishes among empty and non-existent environment variable in that case.

Daniel Stenberg (12 Jan 2010)
- Gil Weber reported a peculiar flaw with the multi interface when doing SFTP transfers: curl_multi_fdset() would return -1 and not set any file descriptors several times during a transfer of a single file.
It turned out to be due to two different flaws now fixed. Gil's excellent recipe helped me nail this. Daniel Stenberg (11 Jan 2010) - Made sure that the progress callback is repeatedly called at a regular interval even during very slow connects. - The tests/runtests.pl script now checks to see if the test case that runs is present in the tests/data/Makefile.am and outputs a notice message on the screen if not. Each test file has to be included in that Makefile.am to get included in release archives and forgetting to add files there is a common mistake. This is an attempt to make it harder to forget. Daniel Stenberg (9 Jan 2010) - Johan van Selst found and fixed a OpenSSL session ref count leak: ossl_connect_step3() increments an SSL session handle reference counter on each call. When sessions are re-used this reference counter may be incremented many times, but it will be decremented only once when done (by Curl_ossl_session_free()); and the internal OpenSSL data will not be freed if this reference count remains positive. When a session is re-used the reference counter should be corrected by explicitly calling SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid introducing a memory leak. (http://curl.haxx.se/bug/view.cgi?id=2926284) Daniel Stenberg (7 Jan 2010) - Make sure the progress callback is called repeatedly even during very slow name resolves when c-ares is used for resolving. Claes Jakobsson (6 Jan 2010) - Julien Chaffraix fixed so that the fragment part in an URL is not sent to the server anymore. Kamil Dudka (3 Jan 2010) - Julien Chaffraix eliminated a duplicated initialization in singlesocket(). Daniel Stenberg (2 Jan 2010) - Make curl support --ssl and --ssl-reqd instead of the previous FTP-specific versions --ftp-ssl and --ftp-ssl-reqd as these options are now used to control SSL/TLS for IMAP, POP3 and SMTP as well in addition to FTP. The old option names are still working but the new ones are the ones listed and documented. 
Daniel Stenberg (1 Jan 2010) - Ingmar Runge enhanced libcurl's FTP engine to support the PRET command. This command is a special "hack" used by the drftpd server, but even though it is a custom extension I've deemed it fine to add to libcurl since this server seems to survive and people keep using it and want libcurl to support it. The new libcurl option is named CURLOPT_FTP_USE_PRET, and it is also usable from the curl tool with --ftp-pret. Using this option on a server that doesn't support this command will make libcurl fail. I added test cases 1107 and 1108 to verify the functionality. The PRET command is documented at http://www.drftpd.org/index.php/Distributed_PASV Yang Tse (30 Dec 2009) - Steven M. Schweda improved VMS build system, and Craig A. Berry helped with the patch and testing. Daniel Stenberg (26 Dec 2009) - Renato Botelho and Peter Pentchev brought a patch that makes the libcurl headers work correctly even on FreeBSD systems before v8. (http://curl.haxx.se/bug/view.cgi?id=2916915) Daniel Stenberg (17 Dec 2009) - David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when available. - Follow-up fix for the proxy fix I did for Jon Nelson's bug. It turned out I was a bit too quick and broke test case 1101 with that change. The order of some of the setups is sensitive. I now changed it slightly again to make sure we do them in this order: 1 - parse URL and figure out what protocol is used in the URL 2 - prepend protocol:// to URL if missing 3 - parse name+password off URL, which needs to know what protocol is used (since only some allows for name+password in the URL) 4 - figure out if a proxy should be used set by an option 5 - if no proxy option, check proxy environment variables 6 - run the protocol-specific setup function, which needs to have the proxy already set Daniel Stenberg (15 Dec 2009) - Jon Nelson found a regression that turned out to be a flaw in how libcurl detects and uses proxies based on the environment variables. 
  If the proxy was given as an explicit option it worked, but due to the setup order mistake proxies would not be used fine for a few protocols when picked up from '[protocol]_proxy'. Obviously this broke after 7.19.4. I now also added test case 1106 that verifies this functionality. (http://curl.haxx.se/bug/view.cgi?id=2913886)

Daniel Stenberg (12 Dec 2009)
- IMAP, POP3 and SMTP support and their TLS versions (including IMAPS, POP3S and SMTPS) are now supported. The current state may not yet be solid, but the foundation is in place and the test suite has some initial support for these protocols. Work will now pursue to make them nice libcurl citizens until release.

  The work with supporting these new protocols was sponsored by networking4all.com - thanks!

Daniel Stenberg (10 Dec 2009)
- Siegfried Gyuricsko found out that the curl manual said --retry would retry on FTP errors in the transient 5xx range. Transient FTP errors are in the 4xx range. The code itself only tried on 5xx errors that occurred _at login_. Now the retry code retries on all FTP transfer failures that ended with a 4xx response. (http://curl.haxx.se/bug/view.cgi?id=2911279)
- Constantine Sapuntzakis figured out a case which would lead to libcurl accessing already freed memory and thus crash when using HTTPS (with OpenSSL), multi interface and the CURLOPT_DEBUGFUNCTION and a certain order of cleaning things up. I fixed it. (http://curl.haxx.se/bug/view.cgi?id=2905220)

Daniel Stenberg (7 Dec 2009)
- Martin Storsjo made libcurl use the Expect: 100-continue header for posts with unknown size. Previously it was only used for posts with a known size larger than 1024 bytes.

Daniel Stenberg (1 Dec 2009)
- If the Expect: 100-continue header has been set by the application through curl_easy_setopt with CURLOPT_HTTPHEADER, the library should set data->state.expect100header accordingly - the current code (in 7.19.7 at least) doesn't handle this properly. Martin Storsjo provided the fix!

Yang Tse (28 Nov 2009)
- Added Diffie-Hellman parameters to several test harness certificate files in PEM format. Required by several stunnel versions used by our test harness.

Daniel Stenberg (28 Nov 2009)
- Markus Koetter provided a polished and updated version of Chad Monroe's TFTP rework patch that now integrates TFTP properly into libcurl so that it can be used non-blocking with the multi interface and more. BLKSIZE also works.

  The --tftp-blksize option was added to allow setting the TFTP BLKSIZE from the command line.

Daniel Stenberg (26 Nov 2009)
- Extended and fixed the change I did on Dec 11 for the progress meter/callback during FTP command/response sequences. It turned out it was really lame before and now the progress meter SHOULD get called at least once per second.

Daniel Stenberg (23 Nov 2009)
- Bjorn Augustsson reported a bug which made curl not report any problems even though it failed to write a very small download to disk (done in a single fwrite call). It turned out to be because fwrite() returned success, but there was insufficient error-checking for the fclose() call which tricked curl to believe things were fine.

Yang Tse (23 Nov 2009)
- David Byron modified Makefile.dist vc8 and vc9 targets in order to allow finer granularity control when generating src and lib makefiles.

Yang Tse (22 Nov 2009)
- I modified configure to force removal of the curlbuild.h file included in distribution tarballs for use by non-configure systems. As intended, this would get overwritten when doing in-tree builds. But VPATH builds would end having two curlbuild.h files, one in the source tree and another in the build tree. With the modification I introduced 5 Nov 2009 this could become an issue when running libcurl's test suite.

Daniel Stenberg (20 Nov 2009)
- Constantine Sapuntzakis identified a write after close, as the sockets were closed by libcurl before the SSL lib were shutdown and they may write to its socket.
Detected to at least happen with OpenSSL builds. - Jad Chamcham pointed out a bug with connection re-use. If a connection had CURLOPT_HTTPPROXYTUNNEL enabled over a proxy, a subsequent request using the same proxy with the tunnel option disabled would still wrongly re-use that previous connection and the outcome would only be badness. Yang Tse (18 Nov 2009) - I modified the memory tracking system to make it intolerant with zero sized malloc(), calloc() and realloc() function calls. Daniel Stenberg (17 Nov 2009) - Constantine Sapuntzakis provided another fix for the DNS cache that could end up with entries that wouldn't time-out: 1. Set up a first web server that redirects (307) to a http://server:port that's down 2. Have curl connect to the first web server using curl multi After the curl_easy_cleanup call, there will be curl dns entries hanging around with in_use != 0. (http://curl.haxx.se/bug/view.cgi?id=2891591) - Marc Kleine-Budde fixed: curl saved the LDFLAGS set during configure into its pkg-config file. So -Wl stuff ended up in the .pc file, which is really bad, and breaks if there are multiple -Wl in our LDFLAGS (which are in PTXdist). bug #2893592 (http://curl.haxx.se/bug/view.cgi?id=2893592) Kamil Dudka (15 Nov 2009) - David Byron improved the configure script to use pkg-config to find OpenSSL (and in particular the list of required libraries) even if a path is given as argument to --with-ssl Yang Tse (15 Nov 2009) - I removed enable-thread / disable-thread configure option. These were only placebo options. The library is always built as thread safe as possible on every system. Claes Jakobsson (14 Nov 2009) - curl-config now accepts '--configure' to see what arguments was passed to the configure script when building curl. Daniel Stenberg (14 Nov 2009) - Claes Jakobsson restored the configure functionality to detect NSS when --with-nss is set but not "yes". 
I think we can still improve that to check for pkg-config in that path etc, but at least this patch brings back the same functionality we had before. - Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for the client certificate. It also disable the key name test as some engines can select a private key/cert automatically (When there is only one key and/or certificate on the hardware device used by the engine) Yang Tse (14 Nov 2009) - Constantine Sapuntzakis provided the fix that ensures that an SSL connection won't be reused unless protection level for peer and host verification match. I refactored how preprocessor symbol _THREAD_SAFE definition is done. Kamil Dudka (12 Nov 2009) - Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly closed NSPR descriptor. The issue was hard to find, reported several times before and always closed unresolved. More info at the RH bug: https://bugzilla.redhat.com/534176 - libcurl-NSS now tries to reconnect with TLS disabled in case it detects a broken TLS server. However it does not happen if SSL version is selected manually. The approach was originally taken from PSM. Kaspar Brand helped me to complete the patch. Original bug reports: https://bugzilla.redhat.com/525496 https://bugzilla.redhat.com/527771 Yang Tse (12 Nov 2009) - I modified configure script to make the getaddrinfo function check also verify if the function is thread safe. Yang Tse (11 Nov 2009) - Marco Maggi reported that compilation failed when configured --with-gssapi and GNU GSS installed due to a missing mutual exclusion of header files in the Kerberos 5 code path. He also verified that my patch worked for him. Daniel Stenberg (11 Nov 2009) - Constantine Sapuntzakis posted bug #2891595 (http://curl.haxx.se/bug/view.cgi?id=2891595) which identified how an entry in the DNS cache would linger too long if the request that added it was in use that long. 
He also provided the patch that now makes libcurl capable of still doing a request while the DNS hash entry may get timed out. - Christian Schmitz noticed that the progress meter/callback was not properly used during the FTP connection phase (after the actual TCP connect), while it of course should be. I also made the speed check get called correctly so that really slow servers will trigger that properly too. Kamil Dudka (5 Nov 2009) - Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works in non-blocking mode. Yang Tse (5 Nov 2009) - I removed leading 'curl' path on the 'curlbuild.h' include statement in curl.h, adjusting auto-makefiles include path, to enhance portability to OS's without an orthogonal directory tree structure such as OS/400. Daniel Stenberg (4 Nov 2009) - I fixed several problems with the transfer progress meter. It showed the wrong percentage for small files, most notable for <1000 bytes and could easily end up showing more than 100% at the end. It also didn't show any percentage, transfer size or estimated transfer times when transferring less than 100 bytes. @ text @$NetBSD: patch-ab,v 1.12 2010/02/09 16:05:38 drochner Exp $ http://curl.haxx.se/docs/adv_20100209.html --- lib/content_encoding.c.orig 2009-08-30 11:28:33.000000000 +0000 +++ lib/content_encoding.c @@@@ -40,7 +40,7 @@@@ (doing so will reduce code size slightly). 
*/ #define OLD_ZLIB_SUPPORT 1 -#define DSIZ 0x10000 /* buffer size for decompressed data */ +#define DSIZ CURL_MAX_WRITE_SIZE /* buffer size for decompressed data */ #define GZIP_MAGIC_0 0x1f #define GZIP_MAGIC_1 0x8b @ 1.12 log @add a patch from upstream to fix "data callback excessive length" which is security critical @ text @d1 1 a1 1 $NetBSD$ @ 1.11 log @Update to version 7.15.1 Changes: - the libcurl.pc pkgconfig file now gets installed on make install - URL globbing now offers "range steps": [1-100:10] - LDAPv3 is now the preferred LDAP protocol version - --max-redirs and CURLOPT_MAXREDIRS set to 0 limits redirects - improved MSVC makefile Bugfixes: - URL buffer overflow problem (CVE-2005-4077) - using file:// on non-existing files are properly handled - builds fine on DJGPP - CURLOPT_ERRORBUFFER is now always filled in on errors - curl outputs error on bad --limit-rate units - fixed libcurl's use of poll() on cygwin - the GnuTLS code didn't support client certificates - TFTP over IPv6 works - no reverse lookups on IP addresses when ipv6-enabled - SSPI compatibility fix: using the proper DLLs - binary LDAP properties are now shown base64 encoded - Windows uploads from stdin using curl can now contain ctrl-Z bytes - -r [num] would produce an invalid HTTP Range: header - multi interface with multi IP hosts could leak socket descriptors - the GnuTLS code didn't handle rehandshakes - re-use of a dead FTP connection - name resolve error codes fixed for Windows builds - double WWW-Authenticate Digest headers are now handled - curl-config --vernum fixed @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.10 2005/10/20 16:25:15 minskim Exp $ d3 10 a12 10 --- include/curl/curlver.h.orig 2005-10-13 01:20:05.000000000 -0700 +++ include/curl/curlver.h @@@@ -51,8 +51,6 @@@@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. 
*/ -#define LIBCURL_VERSION_NUM ((LIBCURL_VERSION_MAJOR << 16) | \ - (LIBCURL_VERSION_MINOR << 8) | \ - LIBCURL_VERSION_PATCH) +#define LIBCURL_VERSION_NUM 0x070f00 d14 2 a15 1 #endif /* __CURL_CURLVER_H */ @ 1.11.28.1 log @Pullup ticket 2722 - requested by bouyer curl: build fix Revisions pulled up: - www/curl/Makefile patch - www/curl/distinfo patch - www/curl/patches/patch-ab patch - www/curl/patches/patch-ac patch - www/curl/patches/patch-ad patch - www/curl/patches/patch-ae patch - www/curl/patches/patch-af patch --- The security patch for CVE-2009-0037 has changed on the master site which changed the checksum and size of "curl-7.18.1-CVE-2009-0037.patch". Update to the latest version and integrate it directly to avoid further build breaks. @ text @d1 1 a1 1 $NetBSD$ d3 10 a12 5 Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch --- docs/libcurl/curl_easy_setopt.3.orig +++ docs/libcurl/curl_easy_setopt.3 @@@@ -432,6 +432,26 @@@@ The string given to CURLOPT_URL must be d14 1 a14 36 \fICURLOPT_URL\fP is the only option that \fBmust\fP be set before \fIcurl_easy_perform(3)\fP is called. + +\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use +for this transfer, independent of what libcurl has been compiled to +support. That may be useful if you accept the URL from an external source and +want to limit the accessibility. +.IP CURLOPT_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask +limits what protocols libcurl may use in the transfer. This allows you to have +a libcurl built to support a wide range of protocols but still limit specific +transfers to only be allowed to use a subset of them. By default libcurl will +accept all protocols it supports. See also +\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4) +.IP CURLOPT_REDIR_PROTOCOLS +Pass a long that holds a bitmask of CURLPROTO_* defines. 
If used, this bitmask +limits what protocols libcurl may use in a transfer that it follows to in a +redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to +limit specific transfers to only be allowed to use a subset of protocols in +redirections. By default libcurl will allow all protocols except for FILE and +SCP. This is a difference compared to pre-7.19.4 versions which +unconditionally would follow to all protocols supported. (Added in 7.19.4) .IP CURLOPT_PROXY Set HTTP proxy to use. The parameter should be a char * to a zero terminated string holding the host name or dotted IP address. To specify port number in @@@@ -671,6 +691,10 @@@@ This means that the library will re-send and follow new Location: headers all the way until no more such headers are returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects libcurl will follow. + +NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically +follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and +it excludes the FILE protocol by default. .IP CURLOPT_UNRESTRICTED_AUTH A non-zero parameter tells the library it can continue to send authentication (user+password) when following locations, even when hostname changed. This @ 1.10 log @Make "curl-config --vernum" work again. It was broken in 7.15.0. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.9 log @Update curl to 7.11.1, provided by Stefan Kruger in PR pkg/24916. 
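Review bot: in the lib/content_encoding.c hunk, the replacement line `#define DSIZ CURL_MAX_WRITE_SIZE` keeps the old comment "buffer size for decompressed data", which does not record why the size is now tied to the write-callback limit. The comment should state that DSIZ must not exceed CURL_MAX_WRITE_SIZE because the decompressed data is what the application's write callback receives (the issue in advisory 20100209), so a later change back to a literal such as 0x10000 gets caught. The hunk also does not show where CURL_MAX_WRITE_SIZE comes from; confirm the file already includes the header that defines it in the packaged version.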
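Review bot: in the include/curl/curlver.h hunk, `+#define LIBCURL_VERSION_NUM 0x070f00` replaces the expression built from LIBCURL_VERSION_MAJOR, LIBCURL_VERSION_MINOR and LIBCURL_VERSION_PATCH with a literal, so the value goes stale at the next version bump unless this patch is dropped or edited in the same commit. Add a comment beside the literal naming the release it encodes and that the patch has to be removed on update, or fix the consumer behind "curl-config --vernum" rather than the macro.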
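Review bot: the two docs/libcurl/curl_easy_setopt.3 hunks disagree on the redirect default: the CURLOPT_REDIR_PROTOCOLS entry says libcurl will allow "all protocols except for FILE and SCP", while the NOTE added after the CURLOPT_MAXREDIRS text says only that "it excludes the FILE protocol by default". The NOTE should name both FILE and SCP. Both hunks also say "Added in 7.19.4" / "since 7.19.4" although the patch is taken from curl-7.18.1-CVE-2009-0037.patch, so the installed man page will attribute the options to a later release than the one being patched; a line in the patch header explaining the backport would help.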

This release includes the following changes:

 o CURLOPT_POSTFIELDSIZE_LARGE added to offer POSTs larger than 2GB
 o CURL_VERSION_LARGEFILE is a feature bit returned by libcurls that feature large file support
 o libcurl only requires winsock 1.1 on windows now
 o when doing FTP, curl now sends QUIT before disconnecting
 o name resolves can now timeout on windows too
 o $HOME is now recognized better when looking for .netrc files
 o now re-uses the ares handle when re-using curl handles
 o SO_BINDTODEVICE is used for network interface binding
 o configure --disable-manual disables the built-in huge manual from the command line tool
 o the default Accept: header used in HTTP requests changed
 o asynch dns lookups now require the c-ares library
 o curl --socks can be used to set a SOCKS5 proxy to use
 o response-headers received after a (proxy) CONNECT request are now passed to the header callback just like other headers

This release includes the following bugfixes:

 o builds and runs on Novell NetWare
 o Windows builds now report OS as "i386-pc-win32"
 o received signals during SSL connect is handled better
 o improved PUT/POST with NTLM/Digest authentication
 o following redirects and doing NTLM/Digest (where the first connection gets closed) with the multi interface work better now
 o file: progress meter and getinfo variables work now
 o CURLOPT_FRESH_CONNECT and CURLAUTH_NTLM now work when set together
 o share interface usage without (un)lock functions segfaulted
 o --limit-rate no longer cripples the --speed-limit feature
 o fixed verbose output problem with ipv6-enabled re-used connections
 o fixed the socks5 code to check version in the socks response properly
 o dns cache bug - fixed the 'inuse' counter
 o large file fix for Content-Length
 o better docs for the share interface
 o several configure fixes for mingw/msys
 o setting a Host: header is no longer affecting the Host: header used when libcurl follows a Location:
 o fixed numerous compiler warnings on several operating systems
   and compilers
 o PUTing from stdin couldn't disable chunked transfer-encoding
 o corrected the mingw makefiles
 o improved the configure libz detection
 o fixed EPRT/PORT use when doing FTP on ipv6-enabled AIX hosts
 o *nroff commands that only support -mandoc and not -man are now supported (for the built-in manual text in the command line tool)
 o fixed the unconditional #include of config.h in hugehelp.c
 o builds fine on MPE/iX
 o upload using chunked transfer-encoding now sends the last chunk properly terminated with an extra CRLF
 o Fixed the progress meter display for files >2GB
 o persistent connections over a proxy messed up the proxy name/password
 o the socks5 code segfaulted if no username/password was set
 o the *_LARGE options now take curl_off_t types as parameters and this will make it possible to handle large files on windows too
 o builds with large file support even on systems without strtoll()
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.8 2004/01/23 22:52:29 recht Exp $ d3 12 a14 17 --- lib/ftp.c.orig 2004-01-21 17:50:05.000000000 +0100 +++ lib/ftp.c 2004-01-23 23:46:58.000000000 +0100 @@@@ -2210,11 +2210,12 @@@@ #ifdef HAVE_STRFTIME if(data->set.get_filetime && (data->info.filetime>=0) ) { struct tm *tm; + time_t filetime = data->info.filetime; #ifdef HAVE_GMTIME_R struct tm buffer; - tm = (struct tm *)gmtime_r((time_t *)&data->info.filetime, &buffer); + tm = (struct tm *)gmtime_r(&filetime, &buffer); #else - tm = gmtime((time_t *)&data->info.filetime); + tm = gmtime(&filetime); #endif /* format: "Tue, 15 Nov 1994 12:45:26" */ strftime(buf, BUFSIZE-1, "Last-Modified: %a, %d %b %Y %H:%M:%S GMT\r\n",
@ 1.9.12.1 log @Pullup ticket 862 - requested by Min Sik Kim
security update for curl

Revisions pulled up:
- pkgsrc/www/curl/Makefile 1.57, 1.58
- pkgsrc/www/curl/buildlink3.mk 1.9, 1.10
- pkgsrc/www/curl/distinfo 1.39, 1.40
- pkgsrc/www/curl/patches/patch-ab 1.40

Module Name: pkgsrc
Committed By: reed
Date: Sat Oct 15 15:37:16 UTC 2005

Modified Files:
pkgsrc/www/curl: Makefile buildlink3.mk distinfo
Log Message:
Update to version 7.15.0. This is a security issue.
http://curl.haxx.se/mail/lib-2005-10/0061.html
Also update BUILDLINK_RECOMMENDED.curl.
---
Module Name: pkgsrc
Committed By: reed
Date: Sat Oct 15 15:39:51 UTC 2005
Modified Files:
pkgsrc/www/curl: buildlink3.mk
Log Message:
Change BUILDLINK_RECOMMENDED.curl from 7.15 to real 7.15.0.
---
Module Name: pkgsrc
Committed By: minskim
Date: Thu Oct 20 16:25:15 UTC 2005
Modified Files:
pkgsrc/www/curl: Makefile distinfo
Added Files:
pkgsrc/www/curl/patches: patch-ab
Log Message:
Make "curl-config --vernum" work again. It was broken in 7.15.0.
Bump PKGREVISION.
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.10 2005/10/20 16:25:15 minskim Exp $ d3 17 a19 12 --- include/curl/curlver.h.orig 2005-10-13 01:20:05.000000000 -0700 +++ include/curl/curlver.h @@@@ -51,8 +51,6 @@@@ and it is always a greater number in a more recent release. It makes comparisons with greater than and less than work. */ -#define LIBCURL_VERSION_NUM ((LIBCURL_VERSION_MAJOR << 16) | \ - (LIBCURL_VERSION_MINOR << 8) | \ - LIBCURL_VERSION_PATCH) +#define LIBCURL_VERSION_NUM 0x070f00 #endif /* __CURL_CURLVER_H */ @
1.9.12.2 log @Pullup ticket 949 - requested by Lubomir Sedlacik
security update for curl
Revisions pulled up:
- pkgsrc/www/curl/Makefile 1.60
- pkgsrc/www/curl/PLIST 1.18
- pkgsrc/www/curl/distinfo 1.42
- pkgsrc/www/curl/patches/patch-ab removed
Module Name: pkgsrc
Committed By: salo
Date: Sat Dec 10 17:57:29 UTC 2005
Modified Files:
pkgsrc/www/curl: Makefile PLIST distinfo
Removed Files:
pkgsrc/www/curl/patches: patch-ab
Log Message:
Update to version 7.15.1
Changes:
- the libcurl.pc pkgconfig file now gets installed on make install
- URL globbing now offers "range steps": [1-100:10]
- LDAPv3 is now the preferred LDAP protocol version
- --max-redirs and CURLOPT_MAXREDIRS set to 0 limits redirects
- improved MSVC makefile
Bugfixes:
- URL buffer overflow problem (CVE-2005-4077)
- using file:// on non-existing files are properly handled
- builds fine on DJGPP
- CURLOPT_ERRORBUFFER is now always filled in on errors
- curl outputs error on bad --limit-rate units
- fixed libcurl's use of poll() on cygwin
- the GnuTLS code didn't support client certificates
- TFTP over IPv6 works
- no reverse lookups on IP addresses when ipv6-enabled
- SSPI compatibility fix: using the proper DLLs
- binary LDAP properties are now shown base64 encoded
- Windows uploads from stdin using curl can now contain ctrl-Z bytes
- -r [num] would produce an invalid HTTP Range: header
- multi interface with multi IP hosts could leak socket descriptors
- the GnuTLS code didn't handle rehandshakes
- re-use of a dead FTP connection
- name resolve error codes fixed for Windows builds
- double WWW-Authenticate Digest headers are now handled
- curl-config --vernum fixed
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.9.12.1 2005/10/30 13:33:19 salo Exp $ @
1.8 log @update to curl-7.11.0
Fixed in 7.11.0
Changes:
- allows the URL to be set by a callback when using the multi interface
- large file support was added. Use one of the new options: INFILESIZE_LARGE, RESUME_FROM_LARGE and MAXFILESIZE_LARGE
- the new --ftp-pasv overrides a previous --ftpport
- CURLOPT_FTPSSL and ftps:// now do ssl over FTP "The Right Way" (the curl tool now features the --ftp-ssl option)
- The Windows DLLs are built with an added "resource file"
- New LIBCURL_VERSION_* defines for easier checking version number
- Included Mac OS X 'framework' makefile in the release archive
- Removed the TRUE and FALSE #defines from the public curl header file
- Added CURLOPT_NETRC_FILE
For a complete list see the Changelog at http://curl.haxx.se/changes.html
@ text @d1 1 a1 1 $NetBSD$ @
1.7 log @Update to 7.10.8:
7.10.8 SPNEGO support, Negotiate support, multiple -T flags work, IPv6 support on Windows, and more were added. More than 40 bugs were fixed.
7.10.7 This release supports NTLM for proxies, --ftp-create-dirs, and optional support for asynchronous name-resolving calls. It fixes an information leak, minor memory leaks, a 64bit problem, two cookie-related problems, URL globbing output using -o #[num], and more.
@ text @d3 3 a5 3 --- lib/ftp.c.orig Fri Oct 31 22:36:43 2003 +++ lib/ftp.c @@@@ -2097,11 +2097,12 @@@@ CURLcode ftp_perform(struct connectdata @
1.6 log @Update to 7.10.6:
Changes:
* CURLOPT_SSL_CTX_FUNCTION allows a custom callback for SSL connections
* multiple patches lets curl build and run on DOS
* libcurl now deals with spaces in Location: redirects and URLifies them
* curl --version shows more detailed info
* curl_version_info() now returns info on NTLM, GSS-Negotiate and Debug
* curl_version() includes "GSS" in the string if built with GSSAPI available
* Pick-best-authentication option added (--anyauth, using the CURLOPT_HTTPAUTH set to CURLAUTH_ANY)
* NTLM authentication support (--ntlm and CURLAUTH_NTLM)
* GSS-Negotiate authentication support (--negotiate and CURLAUTH_GSSNEGOTIATE)
* Digest authentication support added (--digest and CURLAUTH_DIGEST)
* Allow curl to switch (back to) to Basic authentication (--basic)
* libcurl supports name and password in proxy environment variables
Bugs:
* double slash after the host name on a FTP URL again points out the root dir
* obscure and rare DNS cache problem was fixed
* multiple FTP connections to the same host with different user names didn't work properly
* no more CWD commands without arguments for ftp connections
* curl no longer uses setvbuf() due to portability problems
* VMS build fixes
* the curl tool has the -M manual compressed internally if built with libz
* url globbing syntax error could cause segfault
* Huge (>40-60KB) GET requests over HTTPS failed.
* Content-Length now overrides socket-closed as a means of knowing when the response body is complete.
* --progress-bar takes the initial size into account when doing resumed downloads
* work around SSL bugs better
* libcurl typically issues POST requests with less send() calls
* better main makefile
* external headers improved portability
* Listing FTP directories without contents could leak a socket
* Getting HTTP contents in one line without headers failed
* bugfixed the socks5-proxy usage (twice)
* h_aliases name-lookup rare crash fixed
* improved curl -M output
* curl_unescape() now only unescapes valid %HH codes
@ text @d3 1 a3 1 --- lib/ftp.c.orig Mon Jul 28 10:50:02 2003 d5 1 a5 2 @@@@ -2056,12 +2056,13 @@@@ CURLcode ftp_perform(struct connectdata d8 1 d10 1 a10 2 struct tm *tm; #ifdef HAVE_LOCALTIME_R d12 2 a13 2 - tm = (struct tm *)localtime_r(&data->info.filetime, &buffer); + tm = (struct tm *)localtime_r(&filetime, &buffer); d15 2 a16 2 - tm = localtime(&data->info.filetime); + tm = localtime(&filetime); d18 1 a18 1 /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */ @
1.5 log @Update to 7.10.5. Extract of changes:
- Changed the order for the in_addr_t testing, as 'unsigned long' seems to be a very common type inet_addr() returns.
- George Comninos provided a fix that calls the progress meter when waiting for FTP command responses take >1 second. It'll make applications more "responsive" even when dealing with very slow ftp servers.
- George Comninos pointed out that libcurl uploads had two quirks:
  o when using FTP PORT command, it used blocking sockets!
  o it could loop a long time without doing progress meter updates
  Both items are fixed now.
- Dan Fandrich changed CURLOPT_ENCODING to select all supported encodings if set to "". This frees the application from having to know which encodings the library supports.
- Avery Fay found out that the CURLOPT_INTERFACE way of first checking if the given name is a network interface gave a real performance penalty on Linux, so now we more appropriately first check if it is an IP number and if so we don't check for a network interface with that name.
- CURLOPT_FTP_USE_EPRT added. Set this to FALSE to disable libcurl's attempts to use EPRT and LPRT before the traditional PORT command. The command line tool sets this option with '--disable-eprt'.
- Added test case 62 and fixed some more on the cookie sending with a custom Host: header set.
- Made the "SSL read error: 5" error message more verbose, by adding code that queries the OpenSSL library to fill in the error buffer.
- Added sys/select.h include in the curl/multi.h file, after having been reminded about this by Rich Gray.
- I made each test set its own server requirements, thus abandoning the previous system where the test number implied what server(s) to use for a specific test.
- David Balazic made curl more RFC1738-compliant for FTP URLs, by fixing so that libcurl now uses one CWD command for each path part. A bunch of test cases were fixed to work accordingly.
- Cookie fixes.
- Peter Kovacs provided a patch that makes the CURLINFO_CONNECT_TIME work fine when using the multi interface (too).
- Peter Sylvester pointed out that curl_easy_setopt() will always (wrongly) return CURLE_OK no matter what happens.
- Dan Fandrich fixed some gzip decompression bugs and flaws.
- Formposting a file using a .html suffix is now properly set to Content-Type: text/html.
- Fixed the SSL error handling to return proper SSL error messages again, they broke in 7.10.4. I also attempt to track down CA cert problems and then return the CURLE_SSL_CACERT error code.
- The curl tool now intercepts the CURLE_SSL_CACERT error code and displays a fairly big and explanatory error message. Kevin Roth helped me out with the wording.
- Nic Hines provided a second patch for gzip decompression, and fixed a bug when deflate or gzip contents were downloaded using chunked encoding.
- Dan Fandrich made libcurl support automatic decompression of gzip contents (as an addition to the previous deflate support).
- I made the CWD command during FTP session consider all 2xy codes to be OK responses.
- Vlad Krupin fixed a URL parsing issue. URLs that were not using a slash after the host name, but still had "?" and parameters appended, as in "http://hostname.com?foobar=moo", were not properly parsed by libcurl.
- Made CURLOPT_TIMECONDITION work for FTP transfers, using the same syntax as for HTTP. This then made -z work for ftp transfers too. Added test case 139 and 140 for verifying this.
- Getting the file date of an ftp file used the wrong time zone when displayed. It is supposedly always GMT. Added test case 141 for this.
- Made the test suite's FTP server support MDTM.
- The default DEBUGFUNCTION, as enabled with CURLOPT_VERBOSE now outputs CURLINFO_HEADER_IN data as well. The most notable effect from this is that using curl -v, you get to see the incoming "headers" as well. This is perhaps most useful when doing ftp.
- James Bursa fixed a flaw in the Content-Type extraction code, which missed the first letter if no space followed the colon.
- Martijn Broenland found another case where a server application didn't like the boundary string used by curl when doing a multi-part/formpost. We modified the boundary string to look like the one IE uses, as this is probably gonna make curl work with more applications.
@ text @d3 1 a3 1 --- lib/ftp.c.orig Wed May 14 08:31:00 2003 d5 1 a5 1 @@@@ -2050,12 +2050,13 @@@@ CURLcode ftp_perform(struct connectdata d16 1 a16 1 - tm = localtime((unsigned long *)&data->info.filetime); @
1.4 log @Updated to curl-7.10.3
Patches by Adrian Portelli (PR#20142)
Changes :
- Steve Oliphant pointed out that test case 105 did not work anymore and this was due to a missing fix for the password prompting.
- Bryan Kemp pointed out that curl -u could not provide a blank password without prompting the user. It can now. -u username: makes the password empty, while -u username makes curl prompt the user for a password.
- Kjetil Jacobsen found a remaining connect problem in the multi interface on ipv4 systems (Linux only?), that I fixed and Kjetil verified that it fixed his problems.
- memanalyze.pl now reads a file name from the command line, and no longer takes the data on stdin as before.
- Fixed tests/memanalyze.pl to work with file names that contain colons (as on Windows).
- Kjetil Jacobsen quickly pointed out that lib/share.h was missing...
* For more, see CHANGES.
@ text @d3 1 a3 1 --- lib/ftp.c.orig Sun Feb 9 16:35:53 2003 d5 1 a5 1 @@@@ -1998,12 +1998,13 @@@@ CURLcode ftp_perform(struct connectdata d20 1 a20 1 strftime(buf, BUFSIZE-1, "Last-Modified: %a, %d %b %Y %H:%M:%S %Z\r\n", @
1.3 log @Merge packages from the buildlink2 branch back into the main trunk that have been converted to USE_BUILDLINK2.
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.2.4.1 2002/08/25 21:22:22 jlam Exp $ d3 3 a5 3 --- lib/ftp.c.orig Mon Apr 29 11:57:25 2002 +++ lib/ftp.c Fri Jul 19 04:22:35 2002 @@@@ -1576,12 +1576,13 @@@@ d8 1 a8 1 if(data->set.get_filetime && data->info.filetime) { @
1.2 log @Gr, fix path again.
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.1 2002/07/19 04:23:48 mycroft Exp $ @ 1.2.4.1 log @file patch-ab was added on branch buildlink2 on 2002-08-25 21:22:22 +0000 @ text @d1 20 @ 1.2.4.2 log @Merge changes in the main trunk into the buildlink2 branch for those packages that have been converted to USE_BUILDLINK2. @ text @a0 20 $NetBSD: patch-ab,v 1.2.4.1 2002/08/25 21:22:22 jlam Exp $ --- lib/ftp.c.orig Mon Apr 29 11:57:25 2002 +++ lib/ftp.c Fri Jul 19 04:22:35 2002 @@@@ -1576,12 +1576,13 @@@@ #ifdef HAVE_STRFTIME if(data->set.get_filetime && data->info.filetime) { + time_t filetime = data->info.filetime; struct tm *tm; #ifdef HAVE_LOCALTIME_R struct tm buffer; - tm = (struct tm *)localtime_r(&data->info.filetime, &buffer); + tm = (struct tm *)localtime_r(&filetime, &buffer); #else - tm = localtime((unsigned long *)&data->info.filetime); + tm = localtime(&filetime); #endif /* format: "Tue, 15 Nov 1994 12:45:26 GMT" */ strftime(buf, BUFSIZE-1, "Last-Modified: %a, %d %b %Y %H:%M:%S %Z\r\n", @ 1.1 log @Fix LP64 botch. @ text @d1 1 a1 1 $NetBSD$ d3 2 a4 2 --- ftp.c.orig Mon Apr 29 11:57:25 2002 +++ ftp.c Fri Jul 19 04:22:35 2002 @
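Review bot: the `(struct tm *)` cast kept on the `gmtime_r(&filetime, &buffer)` line of the lib/ftp.c hunk (and on `localtime_r(&filetime, &buffer)` in the older revisions of the same patch) should be dropped together with the `(time_t *)` cast this patch removes. If the prototype is ever not in scope, the cast silences the diagnostic, and an implicitly declared function returning int truncates the pointer on LP64, which is the class of problem the 1.1 log message names. Separately, the visible lines show no NULL check on `tm` between the assignment and the `strftime()` call; `gmtime()` and `localtime()` may return NULL for a value they cannot represent, so a guard before formatting the Last-Modified line would be safer.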
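Review bot: `#define LIBCURL_VERSION_NUM 0x070f00` in the include/curl/curlver.h hunk hard-codes the value for one release in place of the expression built from LIBCURL_VERSION_MAJOR, LIBCURL_VERSION_MINOR and LIBCURL_VERSION_PATCH, so it no longer tracks those macros. If this patch is carried unchanged across a later version update, `LIBCURL_VERSION_NUM` will still report 7.15.0 and the greater-than and less-than comparisons the header comment mentions will give wrong answers. Add a comment in the patch stating that the literal is tied to 7.15.0 and that the patch must be dropped or regenerated on the next update.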