Commit 903070df authored by Rocky Automation's avatar Rocky Automation 📺
Browse files

import curl-7.61.1-18.el8

parent 0c0965c2
From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 16 Aug 2020 11:34:35 +0200
Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
CVE-2020-8231
Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
Reported-by: Marc Aldorasi
Closes #5824
Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/connect.c | 19 ++++++++++---------
lib/easy.c | 3 +--
lib/multi.c | 5 +++--
lib/url.c | 2 +-
lib/urldata.h | 2 +-
5 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/lib/connect.c b/lib/connect.c
index 41f2202..f724646 100644
--- a/lib/connect.c
+++ b/lib/connect.c
@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
}
struct connfind {
- struct connectdata *tofind;
- bool found;
+ long id_tofind;
+ struct connectdata *found;
};
static int conn_is_conn(struct connectdata *conn, void *param)
{
struct connfind *f = (struct connfind *)param;
- if(conn == f->tofind) {
- f->found = TRUE;
+ if(conn->connection_id == f->id_tofind) {
+ f->found = conn;
return 1;
}
return 0;
@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
* - that is associated with a multi handle, and whose connection
* was detached with CURLOPT_CONNECT_ONLY
*/
- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
- struct connectdata *c = data->state.lastconnect;
+ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
+ struct connectdata *c;
struct connfind find;
- find.tofind = data->state.lastconnect;
- find.found = FALSE;
+ find.id_tofind = data->state.lastconnect_id;
+ find.found = NULL;
Curl_conncache_foreach(data, data->multi_easy?
&data->multi_easy->conn_cache:
&data->multi->conn_cache, &find, conn_is_conn);
if(!find.found) {
- data->state.lastconnect = NULL;
+ data->state.lastconnect_id = -1;
return CURL_SOCKET_BAD;
}
+ c = find.found;
if(connp) {
/* only store this if the caller cares for it */
*connp = c;
diff --git a/lib/easy.c b/lib/easy.c
index 027d0be..fe61cdd 100644
--- a/lib/easy.c
+++ b/lib/easy.c
@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
/* the connection cache is setup on demand */
outcurl->state.conn_cache = NULL;
-
- outcurl->state.lastconnect = NULL;
+ outcurl->state.lastconnect_id = -1;
outcurl->progress.flags = data->progress.flags;
outcurl->progress.callback = data->progress.callback;
diff --git a/lib/multi.c b/lib/multi.c
index 0caf943..0f57fd5 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
data->state.conn_cache = &data->share->conn_cache;
else
data->state.conn_cache = &multi->conn_cache;
+ data->state.lastconnect_id = -1;
#ifdef USE_LIBPSL
/* Do the same for PSL. */
@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
/* the connection is no longer in use by this transfer */
if(Curl_conncache_return_conn(conn)) {
/* remember the most recently used connection */
- data->state.lastconnect = conn;
+ data->state.lastconnect_id = conn->connection_id;
infof(data, "%s\n", buffer);
}
else
- data->state.lastconnect = NULL;
+ data->state.lastconnect_id = -1;
}
*connp = NULL; /* to make the caller of this function better detect that
diff --git a/lib/url.c b/lib/url.c
index dcc6cc8..d65d17d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
Curl_initinfo(data);
/* most recent connection is not yet defined */
- data->state.lastconnect = NULL;
+ data->state.lastconnect_id = -1;
data->progress.flags |= PGRS_HIDE;
data->state.current_speed = -1; /* init to negative == impossible */
diff --git a/lib/urldata.h b/lib/urldata.h
index 67db3b2..4b70cc5 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1219,7 +1219,7 @@ struct UrlState {
/* buffers to store authentication data in, as parsed from input options */
struct curltime keeps_speed; /* for the progress meter really */
- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
+ long lastconnect_id; /* The last connection, -1 if undefined */
char *headerbuff; /* allocated buffer to store headers in */
size_t headersize; /* size of the allocation */
--
2.25.4
From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Dec 2019 10:45:55 +0100
Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.
Other TLS backends already accept partial chains.
Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index d8bcc4f..8e791b9 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
infof(data, " CRLfile: %s\n", ssl_crlfile);
}
- /* Try building a chain using issuers in the trusted store first to avoid
- problems with server-sent legacy intermediates.
- Newer versions of OpenSSL do alternate chain checking by default which
- gives us the same fix without as much of a performance hit (slight), so we
- prefer that if available.
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
- */
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
if(verifypeer) {
+ /* Try building a chain using issuers in the trusted store first to avoid
+ problems with server-sent legacy intermediates. Newer versions of
+ OpenSSL do alternate chain checking by default which gives us the same
+ fix without as much of a performance hit (slight), so we prefer that if
+ available.
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ */
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_TRUSTED_FIRST);
- }
#endif
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
+ /* Have intermediate certificates in the trust store be treated as
+ trust-anchors, in the same way as self-signed root CA certificates
+ are. This allows users to verify servers using the intermediate cert
+ only, instead of needing the whole chain. */
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+ X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+ }
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
--
2.26.2
From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Dec 2019 10:55:33 +0100
Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
cert chains
Closes #4655
Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
docs/libcurl/symbols-in-versions | 1 +
include/curl/curl.h | 4 +++
lib/setopt.c | 1 +
lib/urldata.h | 1 +
lib/vtls/openssl.c | 14 +++++----
6 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
index d781434..6286a64 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
.SH DESCRIPTION
-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
-
-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
-workarounds for a security flaw in the SSL3 and TLS1.0 protocols. If this
-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
-work-around for this flaw although it might cause interoperability problems
-with some (older) SSL implementations. WARNING: avoiding this work-around
-lessens the security, and by setting this option to 1 you ask for exactly that.
-This option is only supported for DarwinSSL, NSS and OpenSSL.
-
-Added in 7.44.0:
-
-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
-checks for those SSL backends where such behavior is present. \fBCurrently this
-option is only supported for WinSSL (the native Windows SSL library), with an
-exception in the case of Windows' Untrusted Publishers blacklist which it seems
-can't be bypassed.\fP This option may have broader support to accommodate other
-SSL backends in the future.
-https://curl.haxx.se/docs/ssl-compared.html
+Pass a long with a bitmask to tell libcurl about specific SSL
+behaviors. Available bits:
+.IP CURLSSLOPT_ALLOW_BEAST
+Tells libcurl to not attempt to use any workarounds for a security flaw in the
+SSL3 and TLS1.0 protocols. If this option isn't used or this bit is set to 0,
+the SSL layer libcurl uses may use a work-around for this flaw although it
+might cause interoperability problems with some (older) SSL
+implementations. WARNING: avoiding this work-around lessens the security, and
+by setting this option to 1 you ask for exactly that. This option is only
+supported for DarwinSSL, NSS and OpenSSL.
+.IP CURLSSLOPT_NO_REVOKE
+Tells libcurl to disable certificate revocation checks for those SSL backends
+where such behavior is present. This option is only supported for Schannel
+(the native Windows SSL library), with an exception in the case of Windows'
+Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
+7.44.0)
+.IP CURLSSLOPT_NO_PARTIALCHAIN
+Tells libcurl to not accept "partial" certificate chains, which it otherwise
+does by default. This option is only supported for OpenSSL and will fail the
+certificate verification if the chain ends with an intermediate certificate
+and not with a root cert. (Added in 7.68.0)
.SH DEFAULT
0
.SH PROTOCOLS
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 3b3861f..54923d0 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL 7.34.0 - 7.38.1
CURLSSLBACKEND_SCHANNEL 7.34.0
CURLSSLBACKEND_WOLFSSL 7.49.0
CURLSSLOPT_ALLOW_BEAST 7.25.0
+CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
CURLSSLOPT_NO_REVOKE 7.44.0
CURLSSLSET_NO_BACKENDS 7.56.0
CURLSSLSET_OK 7.56.0
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 8f473e2..75f9384 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -795,6 +795,10 @@ typedef enum {
SSL backends where such behavior is present. */
#define CURLSSLOPT_NO_REVOKE (1<<1)
+/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
+ if possible. The OpenSSL backend has this ability. */
+#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
+
/* The default connection attempt delay in milliseconds for happy eyeballs.
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
this value, keep them in sync. */
diff --git a/lib/setopt.c b/lib/setopt.c
index 5c5f4b3..4f04962 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
arg = va_arg(param, long);
data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
break;
case CURLOPT_PROXY_SSL_OPTIONS:
diff --git a/lib/urldata.h b/lib/urldata.h
index 4b70cc5..c70290a 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -235,6 +235,7 @@ struct ssl_config_data {
bool enable_beast; /* especially allow this flaw for interoperability's
sake*/
bool no_revoke; /* disable SSL certificate revocation checks */
+ bool no_partialchain; /* don't accept partial certificate chains */
long certverifyresult; /* result from the certificate verification */
char *CRLfile; /* CRL to check certificate revocation */
char *issuercert;/* optional issuer certificate filename */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 8e791b9..87f6c4c 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
- /* Have intermediate certificates in the trust store be treated as
- trust-anchors, in the same way as self-signed root CA certificates
- are. This allows users to verify servers using the intermediate cert
- only, instead of needing the whole chain. */
- X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
- X509_V_FLAG_PARTIAL_CHAIN);
+ if(!SSL_SET_OPTION(no_partialchain)) {
+ /* Have intermediate certificates in the trust store be treated as
+ trust-anchors, in the same way as self-signed root CA certificates
+ are. This allows users to verify servers using the intermediate cert
+ only, instead of needing the whole chain. */
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
+ X509_V_FLAG_PARTIAL_CHAIN);
+ }
#endif
}
--
2.26.2
From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 May 2020 23:00:31 +0200
Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
lib/vtls/openssl.c | 8 ++++++--
2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
index 080caa7..f111585 100644
--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
+++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
occurs during the SSL exchange.
When curl is built to use NSS or GnuTLS, there is no way to influence the use
-of CRL passed to help in the verification process. When libcurl is built with
-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
-set, requiring CRL check against all the elements of the certificate chain if
-a CRL file is passed.
+of CRL passed to help in the verification process.
+
+When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
+X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
+elements of the certificate chain if a CRL file is passed. Also note that
+\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
+\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
This option makes sense only when used in combination with the
\fICURLOPT_SSL_VERIFYPEER(3)\fP option.
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 87f6c4c..9476773 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
X509_V_FLAG_TRUSTED_FIRST);
#endif
#ifdef X509_V_FLAG_PARTIAL_CHAIN
- if(!SSL_SET_OPTION(no_partialchain)) {
+ if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
/* Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
- only, instead of needing the whole chain. */
+ only, instead of needing the whole chain.
+
+ Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
+ cannot do partial chains with CRL check.
+ */
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
X509_V_FLAG_PARTIAL_CHAIN);
}
--
2.26.2
From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Nov 2020 14:56:57 +0100
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
The command line tool also independently sets --ftp-skip-pasv-ip by
default.
Ten test cases updated to adapt the modified --libcurl output.
Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284
Reported-by: Varnavas Papaioannou
Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
lib/url.c | 1 +
src/tool_cfgable.c | 1 +
tests/data/test1400 | 1 +
tests/data/test1401 | 1 +
tests/data/test1402 | 1 +
tests/data/test1403 | 1 +
tests/data/test1404 | 1 +
tests/data/test1405 | 1 +
tests/data/test1406 | 1 +
tests/data/test1407 | 1 +
tests/data/test1420 | 1 +
13 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
index da6ab11..4be8b43 100644
--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
will re-use the same IP address it already uses for the control
connection.
+Since curl 7.74.0 this option is enabled by default.
+
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
index 4d3026a..4227ed6 100644
--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
number from the 227-response.
This option thus allows libcurl to work around broken server installations
-that due to NATs, firewalls or incompetence report the wrong IP address back.
+that due to NATs, firewalls or incompetence report the wrong IP address
+back. Setting the option also reduces the risk for various sorts of client
+abuse by malicious servers.
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
.SH DEFAULT
-0
+1 since 7.74.0, was 0 before then.
.SH PROTOCOLS
FTP
.SH EXAMPLE
diff --git a/lib/url.c b/lib/url.c
index e77f391..b18db25 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
set->ftp_filemethod = FTPFILE_MULTICWD;
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
index 81e16c1..110191e 100644
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
config->proto_default = NULL;
config->tcp_nodelay = TRUE; /* enabled by default */
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+ config->ftp_skip_ip = TRUE;
}
static void free_config_fields(struct OperationConfig *config)
diff --git a/tests/data/test1400 b/tests/data/test1400
index 10faef3..9d18a30 100644
--- a/tests/data/test1400
+++ b/tests/data/test1400
@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
diff --git a/tests/data/test1401 b/tests/data/test1401
index f330931..99cb0cb 100644
--- a/tests/data/test1401
+++ b/tests/data/test1401
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
(long)CURLPROTO_FTP |
diff --git a/tests/data/test1402 b/tests/data/test1402
index 9a94283..ef55bd6 100644
--- a/tests/data/test1402
+++ b/tests/data/test1402
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
diff --git a/tests/data/test1403 b/tests/data/test1403
index 79cdf49..78932c2 100644
--- a/tests/data/test1403
+++ b/tests/data/test1403
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
diff --git a/tests/data/test1404 b/tests/data/test1404
index 9c6f2e7..8ea5e04 100644
--- a/tests/data/test1404
+++ b/tests/data/test1404
@@ -144,6 +144,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
diff --git a/tests/data/test1405 b/tests/data/test1405
index 73769ee..5a83b6e 100644
--- a/tests/data/test1405
+++ b/tests/data/test1405
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
diff --git a/tests/data/test1406 b/tests/data/test1406
index 796dd22..c941e00 100644
--- a/tests/data/test1406
+++ b/tests/data/test1406
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
diff --git a/tests/data/test1407 b/tests/data/test1407
index 9800eee..ddba7b7 100644
--- a/tests/data/test1407
+++ b/tests/data/test1407
@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);