Daniel Stenberg | 30 May 08:32 2016

[RELEASE] curl and libcurl 7.49.1 is out!

Hi team!

We decided we needed to ship a patch release to fix some of the mistakes that 
slipped into the previous release, and when doing this we also include a 
security fix for CVE-2016-4802 so check that out!

As always, download curl from:

   https://curl.haxx.se/

Curl and libcurl 7.49.1

  Public curl releases:         155
  Command line options:         185
  curl_easy_setopt() options:   224
  Public functions in libcurl:  61
  Contributors:                 1404

This release includes the following bugfixes:

  o Windows: prevent DLL hijacking, CVE-2016-4802 [11]
  o dist: include manpage-scan.pl, nroff-scan.pl and CHECKSRC.md [1]
  o schannel: fix compile break with MSVC XP toolset [2]
  o curlbuild.h.dist: check __LP64__ as well to fix MIPS build [3]
  o dist: include curl_multi_socket_all.3 [4]
  o http2: use HTTP/2 in the HTTP/1.1-alike response
  o openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0
  o CURLOPT_CONNECT_TO.3: user must not free the list prematurely [5]
  o libcurl.m4: Avoid obsolete warning [6]
  o winbuild/Makefile.vc: Fix check on SSL, MBEDTLS, WINSSL exclusivity [7]

Sam Kuper | 28 May 18:36 2016

cURL and Iceweasel disagree about TLS certificate validity, despite same CA

Dear all,

I am new to this mailing list. I have a question, relating to cURL,
that I posted on the "Unix & Linux Stack Exchange":
https://unix.stackexchange.com/q/286122 . However, I think perhaps it
is also of interest to those on this mailing list, so I have copied it
below. If you disagree with my cross-posting, please tell me so, and
accept my apologies. Thank you!

- spk

On Debian Jessie 8.4 GNU/Linux, I am experiencing a certificate
validation inconsistency between
[Iceweasel](https://en.wikipedia.org/wiki/Iceweasel) (Debian's
derivative of Firefox) and [cURL](https://en.wikipedia.org/wiki/CURL)
in relation to the URL https://profile.mensa.org.uk/contact.aspx .

### Iceweasel

Visiting https://profile.mensa.org.uk/contact.aspx using Iceweasel
results in no errors or warnings. Clicking on the padlock icon at the
left of the address bar, and then clicking the "More Information..."
button, yields a window saying, among other things:

> **Web Site Identity**
> Web site: **profile.mensa.org.uk**
> Owner: **This web site does not supply ownership information.**
> Verified by: **GeoTrust Inc.**

Clicking the "View Certificate" button yields a window with two tabs,

魏春明 | 23 May 09:51 2016

Use curl --cookie-jar cookie.txt through command line will turn on CURLOPT_COOKIEFILE?

Hi curl-users,

I am new to curl. I have a question about --cookie-jar option. If I specify the following command line in a command line tool:
curl --cookie-jar cookie.txt http://example.com
Does it enable CURLOPT_COOKIEFILE in curl_easy_setopt of libcurl?

Thanks,
Sam

--
Best Regards!
Chunming Wei
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ:        https://curl.haxx.se/docs/faq.html
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Daniel Stenberg | 16 May 10:28 2016

curl user poll 2016

Hi friends.

It is time for our annual survey on how you use curl and libcurl. Your chance 
to tell us how you think we’ve done and what we should do next. The survey 
will close on midnight (central European time) May 27th, 2016.

If you use curl or libcurl from time to time, please consider helping us out 
with providing your feedback and opinions on a few things:

   http://goo.gl/forms/e4CoSDEKde

Thanks!

-- 

  / daniel.haxx.se
-------------------------------------------------------------------
d_rasal@sky.com | 11 May 19:35 2016

curl_multi_perform crash on dns_resolve_timeout

Hi
I am fairly new to this group but I have done some HTTP protocol work a way back. I am currently working on our legacy system, which has a fairly old Curl v7_26. It is a multithreaded system, and one of the obvious problems, which has been discussed multiple times, was discovered during testing: when the network is unavailable, DNS resolution takes longer or times out and curl perform crashes (stack trace is below).

As I read, I added code wherever curl_easy_init is called to 
curl_easy_setopt(handle, CURLOPT_NOSIGNAL, 1L);

This didn't resolve the issue. So just to be sure, I modified the curl_easy_init and added last line before return as  
data->set.no_signal = TRUE;

I expected this to take care of the problem; but still it exists. 

Any ideas here please ? 
Regards 
Digam



I see there are multiple mails about this and I have similar 
#0  0x202c4c4c in ?? ()
#1  0x00240174 in showit (data=<optimized out>, type=<optimized out>, ptr=0xb608cb8c "Curl_getaddrinfo: getaddrinfo(3) failed for :80\n", size=48) at src/sendf.c:677
#2  0x0024038a in Curl_debug (data=data@entry=0xb538c838, type=type@entry=CURLINFO_TEXT, ptr=0xb608cb8c "Curl_getaddrinfo: getaddrinfo(3) failed for :80\n", ptr@entry=0xb608cb74 "\bE\223\254\070\310\070\265\323\003$", size=48, conn=conn@entry=0x0) at src/sendf.c:732
#3  0x002403d2 in Curl_infof (data=data@entry=0xb538c838, fmt=0xb88e53 "%s: getaddrinfo(3) failed for %s:%d\n") at src/sendf.c:153
#4  0x002427be in Curl_getaddrinfo (conn=conn@entry=0xac934508, hostname=hostname@entry=0xac94b634 "", port=port@entry=80, waitp=waitp@entry=0xb608d490) at src/hostip6.c:220
#5  0x0023e052 in Curl_resolv (conn=conn@entry=0xac934508, hostname=0xac94b634 "", port=80, entry=entry@entry=0xb608d7e8) at src/hostip.c:463
#6  0x0023e0de in Curl_resolv_timeout (conn=conn@entry=0xac934508, hostname=<optimized out>, port=<optimized out>, entry=entry@entry=0xb608d7e8, timeoutms=timeoutms@entry=300000) at src/hostip.c:641
#7  0x0023cdd4 in resolve_server (async=0xb608d944, conn=0xac934508, data=0xb538c838) at src/url.c:4785
#8  create_conn (data=data@entry=0xb538c838, in_connect=in_connect@entry=0xac9477dc, async=async@entry=0xb608d944) at src/url.c:5283
#9  0x0023d61e in Curl_connect (data=data@entry=0xb538c838, in_connect=in_connect@entry=0xac9477dc, asyncp=asyncp@entry=0xb608d944, protocol_done=protocol_done@entry=0xb608d941) at src/url.c:5445
#10 0x0023068c in multi_runsingle (multi=multi@entry=0xb605ce48, now=..., easy=easy@entry=0xac9477d0) at src/multi.c:1057
#11 0x00230e24 in curl_multi_perform (multi_handle=0xb605ce48, running_handles=running_handles@entry=0xb606a6d8) at src/multi.c:1753
-------------------------------------------------------------------
Rick Berge | 11 May 17:44 2016

for wildcard certificates, different platforms behaving differently

I’m using libcurl to connect to a site x.y.foo.net that has a wildcard certificate for *.foo.net.

On a Win8.1 PC with libcurl identifying itself as version "7.45.0", ssl_version "OpenSSL/1.0.1p" I see

curl: Info: Server certificate:
curl: Info:          subject: OU=Domain Control Validated; CN=*.foo.net
curl: Info:          subjectAltName does not match x.y.foo.net
curl: Info: SSL: no alternative certificate subject name matches target host name 'x.y.foo.net'

Ok, that’s about what I’d expect. * should only match a single hostname/domain-name component.

On a 10.11 Mac with version "7.43.0", ssl_version "SecureTransport" it just quietly, successfully connects.  Since this is my primary environment, I didn’t even realize there was a certificate problem.

From what I can tell, I don’t see any bugs reported on this. Should there be? And do the other vtls adapters need checking too?

-------------------------------------------------------------------
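The single-label wildcard rule mentioned in the message above (RFC 6125 section 6.4.3), as an added example that is not part of the original post and is not libcurl's or any TLS backend's own code. `cert_name_matches` is a hypothetical helper; it assumes ASCII DNS names (no IP literals, no trailing dot) and accepts `*` only as the entire left-most label.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names (ASCII only). */
static int name_equal(const char *a, const char *b)
{
  while(*a && *b) {
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
    a++;
    b++;
  }
  return *a == *b;
}

/* Returns 1 if the certificate name `pattern` matches `host`, else 0.
   Hypothetical helper: a "*" is honoured only as the entire left-most
   label and stands for exactly one label. */
int cert_name_matches(const char *pattern, const char *host)
{
  const char *pattern_rest, *host_rest;

  if(!pattern || !host || !*pattern || !*host)
    return 0;
  if(!strchr(pattern, '*'))
    return name_equal(pattern, host);       /* plain name: exact match */

  /* The wildcard must be the whole first label: "*.<rest>". */
  if(pattern[0] != '*' || pattern[1] != '.')
    return 0;
  pattern_rest = pattern + 1;                /* e.g. ".foo.net" */
  if(strchr(pattern_rest, '*'))
    return 0;                                /* only one wildcard allowed */
  /* Refuse overly broad patterns such as "*.net": need two dots. */
  if(!strchr(pattern_rest + 1, '.'))
    return 0;

  /* The host's first label is consumed by "*"; it must be non-empty. */
  host_rest = strchr(host, '.');
  if(!host_rest || host_rest == host)
    return 0;
  /* Everything after the first label must match exactly, so
     "x.y.foo.net" leaves ".y.foo.net", which is not ".foo.net". */
  return name_equal(pattern_rest, host_rest);
}
```
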
Sourin Maiti | 11 May 12:42 2016

Re: Enable javascript with curl

Hello Ray,

Thanks for your reply but it didn't help. I ran a session which is still running and copied the cookie from there

curl --cookie "JSESSIONID=0000TKAoqeIkeu21-1eyOKL-8zq:180reu25m; path=/" --data-binary @postdata.txt -H "Content-Type: text/plain;charset=utf-8" --referer "http://xxxxxxxxx.yyyyy.net:xxxxx/AirShopMonitor/monitor" "http://xxxxxxxxx.yyyyy.net:xxxxx/AirShopMonitor/monitor/UIDL?repaintAll=1&sh=768&sw=1364&cw=1364&ch=629&vw=1364&vh=629&fr="

below is the response

for(;;);[{"changes":[], "meta" : {"appError": {"caption":"Communication problem","message" : "Take note of any unsaved data, and <u>click here<\/u> to continue.<br\/><br\/>Invalid security key.","url" : null}}, "resources": {}, "locales":[]}]

I tried different combination by removing sh sw cw strings, but result is same for all requests.

here postdata.txt has only "init"
 5 May 11 10:02 postdata.txt

Thanks,
Sourin

On 11 May 2016 at 00:29, Ray Satiro via curl-users <curl-users@cool.haxx.se> wrote:
On 5/8/2016 11:49 PM, Sourin Maiti wrote:

I am still not able to use the curl in correct way in my case. I have checked it in fiddler and can see the data is available on third request, will you be able to verify the fiddler and suggest me the correct steps to fetch the data?


see below


On 5/5/2016 6:57 AM, Sourin Maiti wrote:
The Raw fiddler entry is:

POST http://vhlxxxxxxxxx.xxxxxxx.xxx:00000/AirShopMonitor/monitor/UIDL?repaintAll=1&sh=768&sw=1364&cw=1364&ch=629&vw=1364&vh=629&fr= HTTP/1.1
Accept: */*
Content-Type: text/plain;charset=utf-8
Referer: http://vhlxxxxxxxxx.xxxxxxx.xxx:00000/AirShopMonitor/monitor
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: vhlxxxxxxxxx.xxxxxxx.xxx:00000
Content-Length: 5
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=0000QLuOOXg2GAujSyot2ncD_Yf:180reu25m

init

I am able to see the required data in TEXT view and Syntax View but not in Raw response, I am not able to create the curl request with it.


Did you write the company to find out if they have an API or any advice for you? The request will look like:

curl -b cookies.txt -c cookies.txt --data-binary @postdata.txt -H "Content-Type: text/plain;charset=utf-8" --referer "http://vhlxxxxxxxxx.xxxxxxx.xxx:00000/AirShopMonitor/monitor" "http://vhlxxxxxxxxx.xxxxxxx.xxx:00000/AirShopMonitor/monitor/UIDL?repaintAll=1&sh=768&sw=1364&cw=1364&ch=629&vw=1364&vh=629&fr="

In postdata.txt you should put the request body. Right-click on the POST session in Fiddler and Save > Request > Request Body. The file should contain 5 bytes, the first four 'init'.

In cookies.txt it should contain your JSESSIONID. You will have to login to get the ID. That is likely another POST which comes first, or you could try exporting cookies from an already logged in session. How well that works depends on how long it keeps you logged in.

Look at the URL you are posting to, there is a lot of uniqueness there, sh sw cw, I don't know what any of that is. You may end up initializing some old test and not the one you want.


--
with regards,
Sourin Maiti
-------------------------------------------------------------------
Jason W. Lewis | 10 May 22:38 2016

Getting SSL or TLS?

Hello all,

I’m working on upgrading curl on some old HP-UX boxes.  I’m testing the install of curl 7.34 on one of them and getting the following protocol info from curl -v.  Can someone tell me if this thing is successfully negotiating TLS (and reporting it as SSLv3) or if it really is just getting SSLv3?

* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSLv2, Unknown (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-SHA

I’ve noticed that v1.4x much more clearly shows a TLS connection, and I’m not sure if it’s just a difference in the way the two versions report TLS, or if I really am getting SSL here.

Thank you,

Jason Lewis
Unix Administrator @ Micro Electronics, Inc.

-------------------------------------------------------------------
bruce | 6 May 00:22 2016

trying to get/generate cookies

Hi.

Targeting a given site. I do two (2) curls in the hopes of generating cookies with the 1st curl, that would then drive the 2nd curl.

However, I can't seem to generate cookies at all.

On a clean FF, i.e., delete cookies, using Firebug, I can use the 1st url, which generates cookies, and can then use the 2nd url to get the page.

Any pointers on what's wrong????

Thanks

running centos 6.5

echo "" > aa.lwp
curl  -vvv  -A 'Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0'   -H 'Host: www.bkstr.com' -H -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5'  -H 'Connection: keep-alive'    --cookie-jar aa.lwp --cookie aa.lwp   -L 'http://www.bkstr.com/missouristatestore/home'

curl  -vvv  -A 'Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0'   -H 'Host: www.bkstr.com' -H -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5'  -H 'Connection: keep-alive'    --cookie-jar aa.lwp --cookie aa.lwp   -L 'http://www.bkstr.com/webapp/wcs/stores/servlet/CourseMaterialsResultsView?catalogId=10001&categoryId=9604&storeId=10875&langId=-1&programId=529&termId=21601&divisionDisplayName=%20&departmentDisplayName=ACC&courseDisplayName=109&sectionDisplayName=701&demoKey=d&purpose=browse'


-------------------------------------------------------------------
Sourin Maiti | 4 May 10:56 2016

Enable javascript with curl

Hi Curl Users,

What option to choose to get the real content of a page in curl? I get below in return:

<noscript>You have to enable javascript in your browser to use an application built with Vaadin.</noscript>.

Note: I am able to see same message in view source as well.

I tried to get the cookie from website then used that cookie to get the content but still getting same response. I do not have root access to the server so I am not able to install lynx or w3m.

--
with regards,
Sourin Maiti
-------------------------------------------------------------------
bruce | 4 May 08:45 2016

weird issue.. simple get not running..

Hi

Running curl/centos 6.5 doing a basic Curl/Get. The prob I'm having, the following curl command seems to split on the '&' as opposed to the url running as a single/long url.


curl -vvv  -k  -A  "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4"   --cookie-jar aa.lwp --cookie aa.lwp    -L "http://www.bkstr.com/webapp/wcs/stores/servlet/CourseMaterialsResultsView?catalogId=10001&categoryId=9604&storeId=10715&langId=-1&programId=249&termId=100040157&divisionDisplayName=%20&departmentDisplayName=ACCT&courseDisplayName=200&sectionDisplayName=01&demoKey=d&purpose=browse"

I've tried single/double quotes around the url with no effect.. I've tried using & as well as &amp;

The exact same URL works from the browser..

pointers/thoughts would be good.

thanks



-------------------------------------------------------------------