head 1.1; access; symbols pkgsrc-2013Q2:1.1.0.12 pkgsrc-2013Q2-base:1.1 pkgsrc-2012Q4:1.1.0.10 pkgsrc-2012Q4-base:1.1 pkgsrc-2011Q4:1.1.0.8 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q2:1.1.0.6 pkgsrc-2011Q2-base:1.1 pkgsrc-2009Q4:1.1.0.4 pkgsrc-2009Q4-base:1.1 pkgsrc-2008Q4:1.1.0.2; locks; strict; comment @# @; 1.1 date 2009.03.15.15.07.23; author tron; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2009.03.15.15.07.23; author tron; state Exp; branches; next ; desc @@ 1.1 log @file patch-ad was initially added on branch pkgsrc-2008Q4. @ text @@ 1.1.2.1 log @Pullup ticket 2722 - requested by bouyer curl: build fix Revisions pulled up: - www/curl/Makefile patch - www/curl/distinfo patch - www/curl/patches/patch-ab patch - www/curl/patches/patch-ac patch - www/curl/patches/patch-ad patch - www/curl/patches/patch-ae patch - www/curl/patches/patch-af patch --- The security patch for CVE-2009-0037 has changed on the master site which changed the checksum and size of "curl-7.18.1-CVE-2009-0037.patch". Update to the latest version and integrate it directly to avoid further build breaks. 
@ text @a0 64 $NetBSD$ Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch --- lib/url.c.orig +++ lib/url.c @@@@ -734,6 +734,13 @@@@ CURLcode Curl_open(struct SessionHandle data->set.new_file_perms = 0644; /* Default permissions */ data->set.new_directory_perms = 0755; /* Default permissions */ + /* for the *protocols fields we don't use the CURLPROTO_ALL convenience + define since we internally only use the lower 16 bits for the passed + in bitmask to not conflict with the private bits */ + data->set.allowed_protocols = PROT_EXTMASK; + data->set.redir_protocols = + PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */ + /* most recent connection is not yet defined */ data->state.lastconnect = -1; @@@@ -2075,6 +2082,22 @@@@ CURLcode Curl_setopt(struct SessionHandl } break; + case CURLOPT_PROTOCOLS: + /* set the bitmask for the protocols that are allowed to be used for the + transfer, which thus helps the app which takes URLs from users or other + external inputs and want to restrict what protocol(s) to deal + with. Defaults to CURLPROTO_ALL. */ + data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK; + break; + + case CURLOPT_REDIR_PROTOCOLS: + /* set the bitmask for the protocols that libcurl is allowed to follow to, + as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs + to be set in both bitmasks to be allowed to get redirected to. Defaults + to CURLPROTO_ALL & ~CURLPROTO_FILE. */ + data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK; + break; + default: /* unknown tag and its companion, just ignore: */ result = CURLE_FAILED_INIT; /* correct this */ @@@@ -3128,7 +3151,19 @@@@ static CURLcode setup_connection_interna for (pp = protocols; (p = *pp) != NULL; pp++) if(strequal(p->scheme, conn->protostr)) { - /* Protocol found in table. Perform setup complement if some. */ + /* Protocol found in table. 
Check if allowed */ + if(!(data->set.allowed_protocols & p->protocol)) + /* nope, get out */ + break; + + /* it is allowed for "normal" request, now do an extra check if this is + the result of a redirect */ + if(data->state.this_is_a_follow && + !(data->set.redir_protocols & p->protocol)) + /* nope, get out */ + break; + + /* Perform setup complement if some. */ conn->handler = p; if(p->setup_connection) { @
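Review bot: The comment on `CURLOPT_REDIR_PROTOCOLS` in the Curl_setopt hunk gives the default as `CURLPROTO_ALL & ~CURLPROTO_FILE`, but the Curl_open hunk initialises `redir_protocols` to `PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP)`, so SCP is also excluded from redirects by default and the comment understates the restriction. I would reword the last sentence to `Defaults to all protocols except FILE and SCP.`, and likewise describe the `CURLOPT_PROTOCOLS` default in terms of `PROT_EXTMASK`, which is what the code actually assigns. Both setters also apply `& PROT_EXTMASK` silently, so a value made up only of bits outside the mask leaves an empty allow-list and the check in setup_connection_internals then refuses every scheme. That fails closed, but it deserves a one-line comment such as `/* bits outside PROT_EXTMASK are dropped, not rejected */`. The switch body continues outside the hunk.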
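Review bot: A scheme refused by either mask in the setup_connection_internals hunk only `break`s out of the handler-table loop, so the actual rejection depends on the code after the loop, which lies outside this hunk and is presumably the same path an unknown scheme takes. If so, a policy denial reaches the application looking exactly like an unsupported protocol, which makes a blocked redirect hard to identify in logs. A comment at each `break;` should state which mask refused the scheme and that the failure is reported after the loop. The two new `if` statements have unbraced bodies with a comment between the condition and the single `break;`; bracing them, e.g. `if(!(data->set.allowed_protocols & p->protocol)) { break; }`, keeps a later added statement from falling outside the condition. The redirect test also relies on `data->state.this_is_a_follow` being set by the redirect-following code, which is not visible here and should be confirmed to cover every path that re-enters connection setup.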