authortron <tron>2009-03-15 15:07:22 +0000
committertron <tron>2009-03-15 15:07:22 +0000
commitca9a926d612d769063476630f594c017dc2e72f0 (patch)
tree4a28df5c918a91d724a19f993884862a2b582221
parent68b859774352ea9a588308b6d77da0ee2ea2922e (diff)
Pullup ticket 2722 - requested by bouyer
curl: build fix Revisions pulled up: - www/curl/Makefile patch - www/curl/distinfo patch - www/curl/patches/patch-ab patch - www/curl/patches/patch-ac patch - www/curl/patches/patch-ad patch - www/curl/patches/patch-ae patch - www/curl/patches/patch-af patch --- The security patch for CVE-2009-0037 has changed on the master site which changed the checksum and size of "curl-7.18.1-CVE-2009-0037.patch". Update to the latest version and integrate it directly to avoid further build breaks.
-rw-r--r--www/curl/Makefile7
-rw-r--r--www/curl/distinfo10
-rw-r--r--www/curl/patches/patch-ab44
-rw-r--r--www/curl/patches/patch-ac47
-rw-r--r--www/curl/patches/patch-ad64
-rw-r--r--www/curl/patches/patch-ae55
-rw-r--r--www/curl/patches/patch-af20
7 files changed, 238 insertions, 9 deletions
diff --git a/www/curl/Makefile b/www/curl/Makefile
index 8c7432beba0..d3c31f4ae56 100644
--- a/www/curl/Makefile
+++ b/www/curl/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.85.4.1 2009/03/13 04:51:54 rtr Exp $
+# $NetBSD: Makefile,v 1.85.4.2 2009/03/15 15:07:22 tron Exp $
DISTNAME= curl-7.18.0
-PKGREVISION= 4
+PKGREVISION= 5
CATEGORIES= www
MASTER_SITES= http://curl.haxx.se/download/ \
ftp://ftp.sunet.se/pub/www/utilities/curl/
@@ -11,9 +11,6 @@ MAINTAINER= recht@NetBSD.org
HOMEPAGE= http://curl.haxx.se/
COMMENT= Client that groks URLs
-PATCH_SITES= http://curl.haxx.se/CVE-2009-0037/
-PATCHFILES= curl-7.18.1-CVE-2009-0037.patch
-
PKG_INSTALLATION_TYPES= overwrite pkgviews
PKG_DESTDIR_SUPPORT= user-destdir
diff --git a/www/curl/distinfo b/www/curl/distinfo
index 5461e82008b..ff476d41918 100644
--- a/www/curl/distinfo
+++ b/www/curl/distinfo
@@ -1,9 +1,11 @@
-$NetBSD: distinfo,v 1.55.10.1 2009/03/13 04:51:54 rtr Exp $
+$NetBSD: distinfo,v 1.55.10.2 2009/03/15 15:07:22 tron Exp $
SHA1 (curl-7.18.0.tar.bz2) = f561a6a1f285c22d1f6a54b4dfa19b6cb9362c2a
RMD160 (curl-7.18.0.tar.bz2) = f25ec844e7ef6221719439b3214fd3c3a42f5604
Size (curl-7.18.0.tar.bz2) = 1779421 bytes
-SHA1 (curl-7.18.1-CVE-2009-0037.patch) = d29ad61313f884a6e973612868b40cadc918a455
-RMD160 (curl-7.18.1-CVE-2009-0037.patch) = 05b91a9f07b8ac35fe6db4ad83c6660e0e0f91f4
-Size (curl-7.18.1-CVE-2009-0037.patch) = 9332 bytes
SHA1 (patch-aa) = e9bf335832b55aa3a0ff12fa6a958594c961b3ad
+SHA1 (patch-ab) = f7bd7038ff19ba06a6ef3d5449d438c6b7771a3b
+SHA1 (patch-ac) = 6091842001ef3f9dafd4ad73302f05db9f560e56
+SHA1 (patch-ad) = ebd5a7e6b237f1e42c4fd351eb04778adaf96fda
+SHA1 (patch-ae) = f0afde3a632d0a11cb67a2e6eab4d490a9b8cda2
+SHA1 (patch-af) = a54ee40178e093dddd7e5a765b82513e46d82a05
diff --git a/www/curl/patches/patch-ab b/www/curl/patches/patch-ab
new file mode 100644
index 00000000000..c233ada8130
--- /dev/null
+++ b/www/curl/patches/patch-ab
@@ -0,0 +1,44 @@
+$NetBSD: patch-ab,v 1.11.28.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- docs/libcurl/curl_easy_setopt.3.orig
++++ docs/libcurl/curl_easy_setopt.3
+@@ -432,6 +432,26 @@ The string given to CURLOPT_URL must be
+
+ \fICURLOPT_URL\fP is the only option that \fBmust\fP be set before
+ \fIcurl_easy_perform(3)\fP is called.
++
++\fICURLOPT_PROTOCOLS\fP can be used to limit what protocols libcurl will use
++for this transfer, independent of what libcurl has been compiled to
++support. That may be useful if you accept the URL from an external source and
++want to limit the accessibility.
++.IP CURLOPT_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in the transfer. This allows you to have
++a libcurl built to support a wide range of protocols but still limit specific
++transfers to only be allowed to use a subset of them. By default libcurl will
++accept all protocols it supports. See also
++\fICURLOPT_REDIR_PROTOCOLS\fP. (Added in 7.19.4)
++.IP CURLOPT_REDIR_PROTOCOLS
++Pass a long that holds a bitmask of CURLPROTO_* defines. If used, this bitmask
++limits what protocols libcurl may use in a transfer that it follows to in a
++redirect when \fICURLOPT_FOLLOWLOCATION\fP is enabled. This allows you to
++limit specific transfers to only be allowed to use a subset of protocols in
++redirections. By default libcurl will allow all protocols except for FILE and
++SCP. This is a difference compared to pre-7.19.4 versions which
++unconditionally would follow to all protocols supported. (Added in 7.19.4)
+ .IP CURLOPT_PROXY
+ Set HTTP proxy to use. The parameter should be a char * to a zero terminated
+ string holding the host name or dotted IP address. To specify port number in
+@@ -671,6 +691,10 @@ This means that the library will re-send
+ and follow new Location: headers all the way until no more such headers are
+ returned. \fICURLOPT_MAXREDIRS\fP can be used to limit the number of redirects
+ libcurl will follow.
++
++NOTE: since 7.19.4, libcurl can limit to what protocols it will automatically
++follow. The accepted protocols are set with \fICURLOPT_REDIR_PROTOCOLS\fP and
++it excludes the FILE protocol by default.
+ .IP CURLOPT_UNRESTRICTED_AUTH
+ A non-zero parameter tells the library it can continue to send authentication
+ (user+password) when following locations, even when hostname changed. This
diff --git a/www/curl/patches/patch-ac b/www/curl/patches/patch-ac
new file mode 100644
index 00000000000..713c16dba79
--- /dev/null
+++ b/www/curl/patches/patch-ac
@@ -0,0 +1,47 @@
+$NetBSD: patch-ac,v 1.4.26.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- include/curl/curl.h.orig
++++ include/curl/curl.h
+@@ -580,6 +580,21 @@ typedef enum {
+ CURLFTPMETHOD_LAST /* not an option, never use */
+ } curl_ftpmethod;
+
++/* CURLPROTO_ defines are for the CURLOPT_*PROTOCOLS options */
++#define CURLPROTO_HTTP (1<<0)
++#define CURLPROTO_HTTPS (1<<1)
++#define CURLPROTO_FTP (1<<2)
++#define CURLPROTO_FTPS (1<<3)
++#define CURLPROTO_SCP (1<<4)
++#define CURLPROTO_SFTP (1<<5)
++#define CURLPROTO_TELNET (1<<6)
++#define CURLPROTO_LDAP (1<<7)
++#define CURLPROTO_LDAPS (1<<8)
++#define CURLPROTO_DICT (1<<9)
++#define CURLPROTO_FILE (1<<10)
++#define CURLPROTO_TFTP (1<<11)
++#define CURLPROTO_ALL (~0) /* enable everything */
++
+ /* long may be 32 or 64 bits, but we should never depend on anything else
+ but 32 */
+ #define CURLOPTTYPE_LONG 0
+@@ -1188,6 +1203,18 @@ typedef enum {
+ CINIT(SEEKFUNCTION, FUNCTIONPOINT, 167),
+ CINIT(SEEKDATA, OBJECTPOINT, 168),
+
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ CINIT(PROTOCOLS, LONG, 181),
++
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ CINIT(REDIR_PROTOCOLS, LONG, 182),
++
+ CURLOPT_LASTENTRY /* the last unused */
+ } CURLoption;
+
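Review bot: The comment added above `CINIT(REDIR_PROTOCOLS, LONG, 182)` documents the default as `CURLPROTO_ALL & ~CURLPROTO_FILE`, but the initialisation this commit adds in patch-ad (Curl_open) and patch-af (curl_easy_reset) is `PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP)`, so SCP is excluded as well. The public header is where application authors look up the redirect policy, so it should match the code and the man page text in patch-ab. I would change the last sentence to `Defaults to all protocols except FILE and SCP.` The same stale sentence is repeated in the comment under `case CURLOPT_REDIR_PROTOCOLS:` in patch-ad and should get the same wording.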
diff --git a/www/curl/patches/patch-ad b/www/curl/patches/patch-ad
new file mode 100644
index 00000000000..408c930e5e9
--- /dev/null
+++ b/www/curl/patches/patch-ad
@@ -0,0 +1,64 @@
+$NetBSD: patch-ad,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/url.c.orig
++++ lib/url.c
+@@ -734,6 +734,13 @@ CURLcode Curl_open(struct SessionHandle
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
+
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
++
+ /* most recent connection is not yet defined */
+ data->state.lastconnect = -1;
+
+@@ -2075,6 +2082,22 @@ CURLcode Curl_setopt(struct SessionHandl
+ }
+ break;
+
++ case CURLOPT_PROTOCOLS:
++ /* set the bitmask for the protocols that are allowed to be used for the
++ transfer, which thus helps the app which takes URLs from users or other
++ external inputs and want to restrict what protocol(s) to deal
++ with. Defaults to CURLPROTO_ALL. */
++ data->set.allowed_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
++ case CURLOPT_REDIR_PROTOCOLS:
++ /* set the bitmask for the protocols that libcurl is allowed to follow to,
++ as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs
++ to be set in both bitmasks to be allowed to get redirected to. Defaults
++ to CURLPROTO_ALL & ~CURLPROTO_FILE. */
++ data->set.redir_protocols = va_arg(param, long) & PROT_EXTMASK;
++ break;
++
+ default:
+ /* unknown tag and its companion, just ignore: */
+ result = CURLE_FAILED_INIT; /* correct this */
+@@ -3128,7 +3151,19 @@ static CURLcode setup_connection_interna
+
+ for (pp = protocols; (p = *pp) != NULL; pp++)
+ if(strequal(p->scheme, conn->protostr)) {
+- /* Protocol found in table. Perform setup complement if some. */
++ /* Protocol found in table. Check if allowed */
++ if(!(data->set.allowed_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* it is allowed for "normal" request, now do an extra check if this is
++ the result of a redirect */
++ if(data->state.this_is_a_follow &&
++ !(data->set.redir_protocols & p->protocol))
++ /* nope, get out */
++ break;
++
++ /* Perform setup complement if some. */
+ conn->handler = p;
+
+ if(p->setup_connection) {
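Review bot: The allow-list test in setup_connection_internals, `if(!(data->set.allowed_protocols & p->protocol))`, passes as soon as any single bit of `p->protocol` is present in the mask, and the `redir_protocols` test below it behaves the same way. The handler table is not part of this hunk; if any entry ORs several public PROT_* bits into its `protocol` field, enabling just one of those protocols would admit that handler too, which may be wider than an application restricting untrusted URLs expects. That should be checked against the table, and if the behaviour is intended it should be stated next to the test, for example `/* a handler is admitted when any of its public protocol bits is enabled */`. The function continues outside the hunk, so what is reported to the caller after either `break` cannot be seen here.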
diff --git a/www/curl/patches/patch-ae b/www/curl/patches/patch-ae
new file mode 100644
index 00000000000..bf5001b9d3b
--- /dev/null
+++ b/www/curl/patches/patch-ae
@@ -0,0 +1,55 @@
+$NetBSD: patch-ae,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/urldata.h.orig
++++ lib/urldata.h
+@@ -863,19 +863,26 @@ struct connectdata {
+ long connectindex; /* what index in the connection cache connects index this
+ particular struct has */
+ long protocol; /* PROT_* flags concerning the protocol set */
+-#define PROT_MISSING (1<<0)
+-#define PROT_HTTP (1<<2)
+-#define PROT_HTTPS (1<<3)
+-#define PROT_FTP (1<<4)
+-#define PROT_TELNET (1<<5)
+-#define PROT_DICT (1<<6)
+-#define PROT_LDAP (1<<7)
+-#define PROT_FILE (1<<8)
+-#define PROT_FTPS (1<<9)
+-#define PROT_SSL (1<<10) /* protocol requires SSL */
+-#define PROT_TFTP (1<<11)
+-#define PROT_SCP (1<<12)
+-#define PROT_SFTP (1<<13)
++#define PROT_HTTP CURLPROTO_HTTP
++#define PROT_HTTPS CURLPROTO_HTTPS
++#define PROT_FTP CURLPROTO_FTP
++#define PROT_TELNET CURLPROTO_TELNET
++#define PROT_DICT CURLPROTO_DICT
++#define PROT_LDAP CURLPROTO_LDAP
++#define PROT_FILE CURLPROTO_FILE
++#define PROT_FTPS CURLPROTO_FTPS
++#define PROT_TFTP CURLPROTO_TFTP
++#define PROT_SCP CURLPROTO_SCP
++#define PROT_SFTP CURLPROTO_SFTP
++
++/* CURLPROTO_TFTP (1<<11) is currently the highest used bit in the public
++ bitmask. We make sure we use "private bits" above the first 16 to make
++ things easier. */
++
++#define PROT_EXTMASK 0xffff
++
++#define PROT_SSL (1<<22) /* protocol requires SSL */
++#define PROT_MISSING (1<<23)
+
+ #define PROT_CLOSEACTION PROT_FTP /* these ones need action before socket
+ close */
+@@ -1467,6 +1474,8 @@ struct UserDefined {
+ bool proxy_transfer_mode; /* set transfer mode (;type=<a|i>) when doing FTP
+ via an HTTP proxy */
+ char *str[STRING_LAST]; /* array of strings, pointing to allocated memory */
++ long allowed_protocols;
++ long redir_protocols;
+ };
+
+ struct Names {
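Review bot: The two members added to struct UserDefined, `long allowed_protocols;` and `long redir_protocols;`, have no comment although the neighbouring members do, and they hold the state the whole protocol restriction depends on. I would write `long allowed_protocols; /* CURLPROTO_* bitmask, stored masked with PROT_EXTMASK */` and `long redir_protocols; /* same, applied when following a redirect */`. Separately, the rule that the private flags `PROT_SSL` and `PROT_MISSING` stay above `PROT_EXTMASK` is held only by the comment before the define; a preprocessor check after those defines that raises `#error` when `(PROT_SSL | PROT_MISSING) & PROT_EXTMASK` is non-zero would turn a later collision into a build failure. Both struct definitions start and end outside the hunk.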
diff --git a/www/curl/patches/patch-af b/www/curl/patches/patch-af
new file mode 100644
index 00000000000..0486921ad29
--- /dev/null
+++ b/www/curl/patches/patch-af
@@ -0,0 +1,20 @@
+$NetBSD: patch-af,v 1.1.2.1 2009/03/15 15:07:23 tron Exp $
+
+Taken from http://curl.haxx.se/CVE-2009-0037/curl-7.18.1-CVE-2009-0037.patch
+
+--- lib/easy.c.orig
++++ lib/easy.c
+@@ -756,6 +756,13 @@ void curl_easy_reset(CURL *curl)
+ type */
+ data->set.new_file_perms = 0644; /* Default permissions */
+ data->set.new_directory_perms = 0755; /* Default permissions */
++
++ /* for the *protocols fields we don't use the CURLPROTO_ALL convenience
++ define since we internally only use the lower 16 bits for the passed
++ in bitmask to not conflict with the private bits */
++ data->set.allowed_protocols = PROT_EXTMASK;
++ data->set.redir_protocols =
++ PROT_EXTMASK & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
+ }
+
+ /*
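Review bot: The default protocol masks are now written out twice with identical text, here at the end of curl_easy_reset and in Curl_open (patch-ad). Because `redir_protocols` is a security default, a later change made in only one of the two places would give handles that went through curl_easy_reset() a different redirect policy from freshly opened ones. At minimum I would add `/* keep in sync with Curl_open() in lib/url.c */` above the two assignments; a small shared helper that sets both fields would remove the risk altogether. Only the tail of curl_easy_reset is visible in this hunk.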