Date Commit message
2019-07-02 Net::Cmd: fix ->getline if SSL_read overreads read-early
sysread may call SSL_read, and SSL_read may buffer extra data in userspace which can be returned via sysread without making another read(2) syscall. This makes it possible for select() to block indefinitely since select() only knows about buffers in the kernel, not userspace. This problem was exposed by a forthcoming patch to support NNTP compression, but it is theoretically possible to trigger with use of TLS alone, especially if compression is done by the TLS layer. Fortunately for existing users, TLS compression isn't widely used anymore because of CRIME and other vulnerabilities. So, flip the socket to non-blocking, perform the sysread, using select() to wait only if the kernel requires it, and reset the original blocking state of the socket when done to maintain compatibility with existing users. Thread-safety with flipping the O_NONBLOCK flag like this should not be a concern, because any application sharing connected TCP sockets across threads is buggy, anyways.
2019-07-02 Net::Cmd: append directly to partial buf on sysread
sysread allows an offset argument to insert new data at a certain place; use it to simplify our code, slightly.
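The read strategy described in the two 2019-07-02 entries above (non-blocking sysread first, select() only when the kernel reports nothing ready, original blocking mode restored, new data appended at an offset), as an added example that is not taken from the libnet source. The name try_read and the socketpair standing in for a server connection are assumptions of this sketch.

```perl
use strict;
use warnings;
use IO::Handle;
use IO::Select;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC);
use Errno qw(EAGAIN EWOULDBLOCK EINTR);

# try_read() is a name chosen for this sketch. It returns the number of bytes
# appended to $$bufref, 0 on EOF, or undef on timeout or error.
sub try_read {
    my ($sock, $bufref, $timeout) = @_;
    my $was_blocking = $sock->blocking(0);   # returns the previous setting
    my $sel = IO::Select->new($sock);
    my $n;
    while (1) {
        # Offset = current length, so new data lands after any partial line.
        $n = sysread($sock, $$bufref, 4096, length $$bufref);
        last if defined $n;                  # got data, or 0 for EOF
        next if $! == EINTR;
        last unless $! == EAGAIN || $! == EWOULDBLOCK;   # real error
        # Wait in select() only after the read itself came back empty, so
        # data already held by the read layer is never slept on.
        my @ready = $sel->can_read($timeout);
        last unless @ready;                  # timed out
    }
    $sock->blocking($was_blocking);          # restore the caller's mode
    return $n;
}

# Constructed demo: a local socketpair stands in for the server connection.
socketpair(my $client, my $server, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";
my $buf = '';
syswrite($server, "200 rea") or die "syswrite: $!";
my $first = try_read($client, \$buf, 1);
syswrite($server, "dy\r\n") or die "syswrite: $!";
my $second = try_read($client, \$buf, 1);
my $third = try_read($client, \$buf, 0.2);   # nothing pending: times out

printf "reads: %d + %d bytes, buffer: %s", $first, $second, $buf;
printf "idle read: %s\n", defined $third ? $third : 'timeout';
printf "socket left %s\n", $client->blocking ? 'blocking' : 'non-blocking';
```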
2017-12-15 Use L<> for links (HEAD, master)
2017-12-15 Use L<> rather than F<> for email addresses
2017-11-14 Bump version
2017-11-14 Release 3.11 (v3.11)
2017-11-14 Bump copyright date
2017-11-14 Changes entry for previous commit
2017-11-14 Merge pull request #32 from bk2204/mlsd-insensitive
Treat FTP MLSD commands case-insensitively
2017-11-14 Sort MANIFEST and fill in descriptions
2017-03-07 Treat FTP MLSD commands case-insensitively
RFC 3659 states that MLSD fact names and facts are case-insensitive. While most FTP servers prefer lowercase, some choose to use mixed-case, so match MLSD data case-insensitively.
2016-10-27 Simplify AUTHOR/copyright notices
2016-09-01 Generalize INSTALL instructions regarding "make"
(Perl can be built on Windows with "gmake" as well as "dmake" these days, and doubtless other make programs exist on other systems.)
2016-08-30 Bump copyright dates for files changed this year
2016-08-01 Bump version
2016-08-01 Release 3.10 (v3.10)
2016-07-29 Add Changes entry for previous commit
2016-07-29 Merge pull request #29 from tonycoz/cve-2016-1238
CVE-2016-1238: avoid loading Net::LocalCfg from default .
2016-07-28 Remove the default Net::Cmd::timeout()
This accidentally overrode the timeout() in Net::FTP's $IOCLASS. Instead, we now document that timeout() needs to be provided by the Net::Cmd sub-class (normally by inheriting from IO::Socket::INET or similar (which in turn inherit from IO::Socket, which provides timeout()), which most users seem to do anyway). Similarly, document that close() must also be provided (normally by inheriting from IO::Handle, which IO::Socket::INET or similar also do, via IO::Socket). This fixes CPAN RT#116345. Thanks to ppisar@redhat.com for the analysis.
2016-07-28 CVE-2016-1238: avoid loading Net::LocalCfg from default .
Net::Cfg treats Net::LocalCfg as an optional load, if a site does not have Net::LocalCfg in the standard places perl will attempt to load it from the . entry in @INC. If the current directory happens to be world writable (like /tmp) an attacker can create Net/LocalCfg.pm to run code as any user that runs code that loads Net::Cfg in that directory. This patch temporarily removes the default . entry from @INC when loading Net::LocalCfg to prevent that.
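The mitigation this entry describes (dropping the default "." from @INC only for the duration of an optional load), as an added example that is not the libnet patch itself. Demo::LocalCfg, the temporary directory and both function names are hypothetical, and the script appends "." to @INC itself to reproduce the default of the perl versions the CVE concerns.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Constructed fixture: a working directory that already contains a file named
# like the optional module. Demo::LocalCfg is a hypothetical module name.
my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/Demo" or die "mkdir: $!";
open my $fh, '>', "$dir/Demo/LocalCfg.pm" or die "open: $!";
print {$fh} "package Demo::LocalCfg;\n1;\n";
close $fh or die "close: $!";

# Optional load with no guard: every @INC entry is searched, including ".".
sub optional_load_unguarded {
    return eval { require Demo::LocalCfg; 1 } ? 1 : 0;
}

# Optional load with the guard: a trailing "." is removed from a localized
# copy of @INC, so the caller's @INC is untouched once the sub returns.
sub optional_load_guarded {
    local @INC = @INC;
    pop @INC if @INC && $INC[-1] eq '.';
    return eval { require Demo::LocalCfg; 1 } ? 1 : 0;
}

my $start = getcwd();
chdir $dir or die "chdir: $!";
push @INC, '.' unless @INC && $INC[-1] eq '.';   # reproduce the old default

# Guarded call first: a failed lookup leaves %INC empty, so the second
# require searches again instead of reusing a cached result.
my $guarded      = optional_load_guarded();
my $dot_restored = (@INC && $INC[-1] eq '.') ? 1 : 0;
my $unguarded    = optional_load_unguarded();
chdir $start or die "chdir: $!";                 # let tempdir cleanup run

printf "guarded load picked up cwd module:   %s\n", $guarded   ? 'yes' : 'no';
printf "caller's \@INC still ends with '.':    %s\n", $dot_restored ? 'yes' : 'no';
printf "unguarded load picked up cwd module: %s\n", $unguarded ? 'yes' : 'no';
```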
2016-07-19 Bump version
2016-07-19 Release 3.09 (v3.09)
2016-07-19 Fill in Changes file for recent changes
2016-07-07 Provide (and document) a default Net::Cmd::timeout()
Previously, subclasses were required to provide a timeout() function, but this was not documented anywhere! Fixes CPAN RT#110978.
2016-07-01 Require IO::Socket::IP >= 0.25 to hopefully stop t/pop3_ipv6.t hanging
See https://rt.cpan.org/Ticket/Display.html?id=104545
2016-06-30 Merge pull request #27 from pprindeville/master
Include decoded (from base64) negotiation for SASL.
2016-06-30 Fix/update some links in README
Adapted from PR#26.
2016-06-28 Merge pull request #25 from jmdh/nntp_docs
Correct innd/nnrpd confusion in relation to Reader option
2016-06-28 Merge pull request #28 from jkeenan/uninit_value_in_ipv6_tests
Adapt tests to Test2 revision of Test::More::note().
2016-06-22 Adapt tests to Test2 revision of Test::More::note().
In each of the three t/*_ipv6.t test files, a helper subroutine was defined whose last statement was an invocation of Test::More::note(). Under the old Test::Builder framework, note() would always have returned a defined value of 0. However, in the Test2 framework -- which is in Perl 5 blead as of 5.25.2 -- note() calls the release() method from lib/Test2/API/Context.pm -- and release() has a bare return, which is treated as 'undef' in scalar context. Perl's exit function wants to return a non-negative integer value. Hence, we should guarantee that these helper subroutines -- which are invoked by exit() calls in each of the three files -- explicitly return 0 upon success.
2016-06-13 Include decoded (from base64) negotiation for SASL.
Text is prefixed with (decoded) and appears before on sends and after on receives.
2016-04-02 Correct innd/nnrpd confusion in relation to Reader option
In the 'Reader' paragraph of the 'Constructor' section, the text has nnrpd and innd the wrong way round.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=51962
2016-01-05 Bump version
2016-01-05 Release 3.08 (v3.08)
2015-12-27 Add Changes entry for the syswrite() fix
2015-12-27 Fix _set_status_closed() calls following commit 852982580b
2015-12-27 Merge pull request #24 from dagolden/fix-syswrite
Fix syswrite in Net::Cmd
2015-12-27 Merge pull request #23 from daleevans/patch-3
POD fix escape of > character
2015-12-27 Merge pull request #22 from daleevans/patch-4
fix pop3 demo program
2015-12-27 Merge pull request #21 from daleevans/patch-2
minor POD error
2015-12-27 Merge pull request #20 from daleevans/patch-1
fix smtp demo program
2015-12-26 Fix typo
2015-12-25 Make other syswrites use _syswrite_with_timeout
Two other methods in Net::Cmd did syswrite() calls, both without a loop or timeout. This replaces those with a call to the new, common _syswrite_with_timeout() method, which does both correctly and restarts after EINTR.
2015-12-25 Refactor syswrite with timeout
2015-12-25 POD fix escape of > character
C<Debug => 1> doesn't render correctly because of the embedded ">".
2015-12-25 fix pop3 demo program
Getopt::Long requires that implicit option variables ($opt_XXX) be declared with "our" and not "my". At least using Getopt::Long 2.38 / perl 5.14, this results in the $opt_* never getting any values filled in.
2015-12-25 minor POD error
should close an =over with a =back before starting a new =head1, or you get the following errors from perldoc:
POD ERRORS
Hey! The above document had some coding errors, which are explained below:
Around line 36: You forgot a '=back' before '=head1'
Around line 42: =back without =over
2015-12-25 fix smtp demo program
Getopt::Long requires that implicit option variables ($opt_XXX) be declared with "our" and not "my".
2015-09-03 Minor tweaks to Changes file formatting
2015-09-03 SMTP: document passing of SASL instance to auth()
Based on a patch by Jan Viktorin <viktorin@rehivetech.com>. Fixes CPAN RT#106183.