Re: surprising call of pop3_done() when doing http fuzzing
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 23 Sep 2019 09:10:58 +0200 (CEST)
On Mon, 23 Sep 2019, Paul Dreik via curl-library wrote:
> The decoded contents of the test data means this is what happens:
> - set hostname to "A"
> - set doh url to "pop3:/tA"
> - start transferring
Ah, this is a bug but a pretty harmless one:
The code:
https://github.com/curl/curl/blob/41db01a39f88d05f43344d0ea1d1b588b3441403/lib/doh.c#L261-L264
It disables the HTTPS-enforcement for debug-builds (meant to allow plain HTTP
as well for running tests and debug the protocol easier) - and the fuzzer
builds and uses debug builds. I'll change that to only allow HTTP + HTTPS in
the debug case.
PR coming up.
--
 / daniel.haxx.se
Received on 2019-09-23
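The scheme restriction described in the message above, as an added C sketch that is not curl's code and not part of the original post: it models which protocol handler a DoH URL would select under the three policies mentioned (HTTPS only, debug build with no enforcement, debug build limited to HTTP + HTTPS). All names and bit values here (`doh_handler_for`, `P_*`, `enum build`) are hypothetical and are not libcurl identifiers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical protocol bits for this sketch; not libcurl's CURLPROTO_* values. */
enum { P_HTTP = 1, P_HTTPS = 2, P_POP3 = 4, P_ALL = 7 };

/* Policies from the message: release, debug without enforcement, debug as proposed. */
enum build { RELEASE, DEBUG_UNRESTRICTED, DEBUG_HTTP_HTTPS };

static const struct { const char *scheme; int bit; } handlers[] = {
  { "http", P_HTTP }, { "https", P_HTTPS }, { "pop3", P_POP3 }
};

/* Map the URL scheme (case-insensitive) to a handler bit; 0 if unknown. */
static int scheme_bit(const char *url)
{
  const char *colon = strchr(url, ':');
  size_t len = colon ? (size_t)(colon - url) : 0;
  size_t i, k;
  for(i = 0; len && i < sizeof(handlers) / sizeof(handlers[0]); i++) {
    if(strlen(handlers[i].scheme) != len)
      continue;
    for(k = 0; k < len; k++)
      if(tolower((unsigned char)url[k]) != handlers[i].scheme[k])
        break;
    if(k == len)
      return handlers[i].bit;
  }
  return 0;
}

/* Return the handler that would serve the DoH request, or 0 if refused. */
int doh_handler_for(const char *url, enum build b)
{
  int allowed = (b == RELEASE) ? P_HTTPS :
                (b == DEBUG_HTTP_HTTPS) ? (P_HTTP | P_HTTPS) : P_ALL;
  return scheme_bit(url) & allowed;
}

int main(void)
{
  const char *url = "pop3:/tA"; /* DoH URL from the fuzzer case in the message */
  printf("debug, no restriction: %d\n", doh_handler_for(url, DEBUG_UNRESTRICTED));
  printf("debug, http+https:     %d\n", doh_handler_for(url, DEBUG_HTTP_HTTPS));
  printf("release, https only:   %d\n", doh_handler_for(url, RELEASE));
  return 0;
}
```

With no restriction the fuzzer's URL resolves to the POP3 handler, which is how a POP3 routine ends up running during what looks like HTTP fuzzing; under either restricted policy the same URL is refused.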