[curl] fixes for #723075, #730444, and #728562
Kamil Dudka
kdudka at fedoraproject.org
Mon Aug 15 20:37:29 UTC 2011
commit 7293378155bef9cbe9d25a21c8aec850fb9b9ade
Author: Kamil Dudka <kdudka at redhat.com>
Date: Mon Aug 15 22:11:51 2011 +0200
fixes for #723075, #730444, and #728562
- fix SIGSEGV of curl -O -J given more than one URLs (#723075)
- introduce the --delegation option of curl (#730444)
- initialize NSS with no database if the selected database is broken (#728562)
0002-curl-7.21.7-5eb2396.patch | 30 +++++++++
0003-curl-7.21.7-5538904.patch | 131 ++++++++++++++++++++++++++++++++++++++++
0004-curl-7.21.7-d6f319f.patch | 118 ++++++++++++++++++++++++++++++++++++
curl.spec | 19 ++++++-
4 files changed, 297 insertions(+), 1 deletions(-)
---
diff --git a/0002-curl-7.21.7-5eb2396.patch b/0002-curl-7.21.7-5eb2396.patch
new file mode 100644
index 0000000..e104e3a
--- /dev/null
+++ b/0002-curl-7.21.7-5eb2396.patch
@@ -0,0 +1,30 @@
+From 5eb2396cd15cbbf73b02ad6bbcc313167330c2b5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Thu, 4 Aug 2011 23:22:48 +0200
+Subject: [PATCH] segfault fixed
+
+When using both -J and a single -O with multiple URLs, a missing init
+could cause badness.
+
+Bug: http://curl.haxx.se/mail/lib-2011-07/0126.html and
+ http://bugzilla.redhat.com/723075
+Reported by: Paul Howarth and Garrett Holmstrom
+---
+ src/main.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index 6dcf333..eae45de 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -4898,6 +4898,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
+ outs.stream = stdout;
+ outs.config = config;
+ outs.bytes = 0; /* nothing written yet */
++ outs.filename = NULL;
+
+ /* save outfile pattern before expansion */
+ if(urlnode->outfile) {
+--
+1.7.4.4
+
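Review bot: `outs` is still initialised one field at a time in `operate()`, which is how `outs.filename` came to be left unset, and the next member added to the struct can be missed the same way. If no member is meant to carry over from a previous URL, `memset(&outs, 0, sizeof(outs));` ahead of these assignments would cover all of them, with a comment such as `/* start each URL with a clean output state */`. The rest of `operate()` is outside the hunk, so where `outs` is declared and reused should be checked before making that change.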
diff --git a/0003-curl-7.21.7-5538904.patch b/0003-curl-7.21.7-5538904.patch
new file mode 100644
index 0000000..1374ad8
--- /dev/null
+++ b/0003-curl-7.21.7-5538904.patch
@@ -0,0 +1,131 @@
+From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Fri, 12 Aug 2011 14:48:32 +0200
+Subject: [PATCH 1/2] added --delegation
+
+Using this option with an argument being set to one of
+none/policy/always instructs libcurl how to deal with GSS
+credentials. Or rather how it tells the server that delegation is fine
+or not.
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ src/main.c | 29 ++++++++++++++++++++++++++---
+ 1 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/src/main.c b/src/main.c
+index d85bf62..3a2595c 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -659,6 +659,7 @@ struct Configurable {
+ basically each given URL to transfer */
+ struct OutStruct *outs;
+ bool xattr; /* store metadata in extended attributes */
++ long gssapi_delegation;
+ };
+
+ #define WARN_PREFIX "Warning: "
+@@ -817,6 +818,7 @@ static void help(void)
+ " --data-binary <data> HTTP POST binary data (H)",
+ " --data-urlencode <name=data/name at filename> "
+ "HTTP POST data url encoded (H)",
++ " --delegation STRING GSS-API delegation permission",
+ " --digest Use HTTP Digest Authentication (H)",
+ " --disable-eprt Inhibit using EPRT or LPRT (F)",
+ " --disable-epsv Inhibit using EPSV (F)",
+@@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd,
+ return 0;
+ }
+
++static long delegation(struct Configurable *config,
++ char *str)
++{
++ if(curlx_raw_equal("none", str))
++ return CURLGSSAPI_DELEGATION_NONE;
++ if(curlx_raw_equal("policy", str))
++ return CURLGSSAPI_DELEGATION_POLICY_FLAG;
++ if(curlx_raw_equal("always", str))
++ return CURLGSSAPI_DELEGATION_FLAG;
++ warnf(config, "unrecognized delegation method '%s', using none\n", str);
++ return CURLGSSAPI_DELEGATION_NONE;
++}
+
+ static ParameterError getparameter(char *flag, /* f or -long-flag */
+ char *nextarg, /* NULL if unset */
+@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
+ {"$D", "proto", TRUE},
+ {"$E", "proto-redir", TRUE},
+ {"$F", "resolve", TRUE},
++ {"$G", "delegation", TRUE},
+ {"0", "http1.0", FALSE},
+ {"1", "tlsv1", FALSE},
+ {"2", "sslv2", FALSE},
+@@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
+ if(err)
+ return err;
+ break;
++ case 'G': /* --delegation LEVEL */
++ config->gssapi_delegation = delegation(config, nextarg);
++ break;
+ }
+ break;
+ case '#': /* --progress-bar */
+@@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
+ /* new in 7.21.3 */
+ my_setopt(curl, CURLOPT_RESOLVE, config->resolve);
+
+- /* TODO: new in ### */
+- curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);
+- curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);
++ /* new in 7.21.4 */
++ my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);
++ my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);
++
++ /* new in 7.22.0 */
++ if(config->gssapi_delegation)
++ my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
++ config->gssapi_delegation);
+
+ retry_numretries = config->req_retry;
+
+--
+1.7.4.4
+
+
+From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel at haxx.se>
+Date: Fri, 12 Aug 2011 23:51:41 +0200
+Subject: [PATCH 2/2] docs: --delegation
+
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ docs/curl.1 | 12 ++++++++++++
+ 1 files changed, 12 insertions(+), 0 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 812b2eb..eee3481 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal
+ sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the
+ name is expected to be URL-encoded already.
+ .RE
++.IP "--delegation LEVEL"
++Set \fILEVEL\fP to tell the server what it is allowed to delegate when it
++comes to user credentials. Used with GSS/kerberos.
++.RS
++.IP "none"
++Don't allow any delegation.
++.IP "policy"
++Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos
++service ticket, which is a matter of realm policy.
++.IP "always"
++Unconditionally allow the server to delegate.
++.RE
+ .IP "--digest"
+ (HTTP) Enables HTTP Digest authentication. This is a authentication that
+ prevents the password from being sent over the wire in clear text. Use this in
+--
+1.7.4.4
+
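Review bot: In the final `operate()` hunk of the nested src/main.c patch, `config->gssapi_delegation` is declared `long` in `struct Configurable` but is passed through `my_setopt_str`, the same wrapper the hunk uses for the two TLSAUTH string options. The wrapper's definition is outside the hunk, so whether this misbehaves cannot be told from here, but a long-valued option reads more safely as `my_setopt(curl, CURLOPT_GSSAPI_DELEGATION, config->gssapi_delegation);`, matching the `my_setopt(curl, CURLOPT_RESOLVE, ...)` call just above it. The help text says `--delegation STRING` while docs/curl.1 says `--delegation LEVEL`; one spelling should be used in both. Because `always` lets the server act with the user's Kerberos credentials regardless of realm policy, the man page entry would benefit from one sentence saying so and stating that unrecognised values fall back to `none`, as `delegation()` does.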
diff --git a/0004-curl-7.21.7-d6f319f.patch b/0004-curl-7.21.7-d6f319f.patch
new file mode 100644
index 0000000..33f430d
--- /dev/null
+++ b/0004-curl-7.21.7-d6f319f.patch
@@ -0,0 +1,118 @@
+From 857fed6e245a9620b0f25a2f4ca6d6dc01584674 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Mon, 15 Aug 2011 13:48:45 +0200
+Subject: [PATCH] nss: start with no database if the selected database is
+ broken
+
+Bug: https://bugzilla.redhat.com/728562
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/nss.c | 63 +++++++++++++++++++++++++++++++++++++-----------------------
+ 1 files changed, 39 insertions(+), 24 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 3dc0ba6..94a530b 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -898,10 +898,42 @@ isTLSIntoleranceError(PRInt32 err)
+ }
+ }
+
+-static CURLcode init_nss(struct SessionHandle *data)
++static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
++{
++ if(NSS_IsInitialized())
++ return CURLE_OK;
++
++ if(cert_dir) {
++ SECStatus rv;
++ const bool use_sql = NSS_VersionCheck("3.12.0");
++ char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
++ if(!certpath)
++ return CURLE_OUT_OF_MEMORY;
++
++ infof(data, "Initializing NSS with certpath: %s\n", certpath);
++ rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
++ free(certpath);
++
++ if(rv == SECSuccess)
++ return CURLE_OK;
++
++ infof(data, "Unable to initialize NSS database\n");
++ }
++
++ infof(data, "Initializing NSS with certpath: none\n");
++ if(NSS_NoDB_Init(NULL) == SECSuccess)
++ return CURLE_OK;
++
++ infof(data, "Unable to initialize NSS\n");
++ return CURLE_SSL_CACERT_BADFILE;
++}
++
++static CURLcode nss_init(struct SessionHandle *data)
+ {
+ char *cert_dir;
+ struct_stat st;
++ CURLcode rv;
++
+ if(initialized)
+ return CURLE_OK;
+
+@@ -922,31 +954,14 @@ static CURLcode init_nss(struct SessionHandle *data)
+ }
+ }
+
+- if(!NSS_IsInitialized()) {
+- SECStatus rv;
+- initialized = 1;
+- infof(data, "Initializing NSS with certpath: %s\n",
+- cert_dir ? cert_dir : "none");
+- if(!cert_dir) {
+- rv = NSS_NoDB_Init(NULL);
+- }
+- else {
+- char *certpath =
+- PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "",
+- cert_dir);
+- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
+- PR_smprintf_free(certpath);
+- }
+- if(rv != SECSuccess) {
+- infof(data, "Unable to initialize NSS database\n");
+- initialized = 0;
+- return CURLE_SSL_CACERT_BADFILE;
+- }
+- }
++ rv = nss_init_core(data, cert_dir);
++ if(rv)
++ return rv;
+
+ if(num_enabled_ciphers() == 0)
+ NSS_SetDomesticPolicy();
+
++ initialized = 1;
+ return CURLE_OK;
+ }
+
+@@ -981,7 +996,7 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data)
+ }
+
+ PR_Lock(nss_initlock);
+- rv = init_nss(data);
++ rv = nss_init(data);
+ PR_Unlock(nss_initlock);
+ return rv;
+ }
+@@ -1184,7 +1199,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+
+ /* FIXME. NSS doesn't support multiple databases open at the same time. */
+ PR_Lock(nss_initlock);
+- curlerr = init_nss(conn->data);
++ curlerr = nss_init(conn->data);
+ if(CURLE_OK != curlerr) {
+ PR_Unlock(nss_initlock);
+ goto error;
+--
+1.7.4.4
+
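Review bot: When `NSS_Initialize()` fails on the selected database, `nss_init_core()` falls through to `NSS_NoDB_Init(NULL)` and reports the switch only through `infof()`. A user whose configured certificate database is corrupt or unreadable therefore continues with a different trust and client-certificate setup without a clear signal (assuming `infof()` output is shown only in verbose mode, which should be confirmed). Naming the directory and the consequence in the message would help, e.g. `infof(data, "Unable to initialize NSS database %s, continuing with no database\n", cert_dir);`, and the fallback should be documented wherever the database directory is documented. `CURLE_SSL_CACERT_BADFILE` is also returned when the no-database initialisation fails, where no file is involved; a comment noting that the code is kept from the old `init_nss()` would avoid confusion. The part of `nss_init()` between the two nested hunks is not visible here.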
diff --git a/curl.spec b/curl.spec
index 5e50e51..b03c307 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.21.7
-Release: 2%{?dist}
+Release: 3%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -11,6 +11,15 @@ Source3: hide_selinux.c
# add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
Patch1: 0001-curl-7.21.7-a7864c4.patch
+# fix SIGSEGV of curl -O -J given more than one URLs (#723075)
+Patch2: 0002-curl-7.21.7-5eb2396.patch
+
+# introduce the --delegation option of curl (#730444)
+Patch3: 0003-curl-7.21.7-5538904.patch
+
+# initialize NSS with no database if the selected database is broken (#728562)
+Patch4: 0004-curl-7.21.7-d6f319f.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.21.1-multilib.patch
@@ -111,6 +120,9 @@ done
# upstream patches (already applied)
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
# Fedora patches
%patch101 -p1
@@ -224,6 +236,11 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Mon Aug 15 2011 Kamil Dudka <kdudka at redhat.com> 7.21.7-3
+- fix SIGSEGV of curl -O -J given more than one URLs (#723075)
+- introduce the --delegation option of curl (#730444)
+- initialize NSS with no database if the selected database is broken (#728562)
+
* Wed Aug 03 2011 Kamil Dudka <kdudka at redhat.com> 7.21.7-2
- add a new option CURLOPT_GSSAPI_DELEGATION (#719939)