libcurl-tutorial.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head> <title>libcurl - programming tutorial</title>
<meta content="text/html; charset=utf8" http-equiv="Content-Type">
<!--
<link rel="STYLESHEET" type="text/css" href="libcurl-tutorial_files/curl.css">
<link rel="shortcut icon" href="http://curl.haxx.se/favicon.ico">
<link rel="STYLESHEET" type="text/css" href="libcurl-tutorial_files/manpage.css">
-->
<style>

P.level0 {
 padding-left: 2em;
}

P.level1 {
 padding-left: 4em;
}

P.level2 {
 padding-left: 6em;
}

span.emphasis {
 font-style: italic;
}

span.bold {
 font-weight: bold;
}

span.manpage {
 font-weight: bold;
}

h2.nroffsh {
 background-color: #e0e0e0;
}

span.nroffip {
 font-weight: bold;
 font-size: 120%;
 font-family: monospace;
}

p.roffit {
 text-align: center;
 font-size: 80%;
}

<!--
BODY {
  background-color: white; 
  font-family: arial, helvetica, ariel, sans-serif;
  font-size: 90%;
  color: black;
}

/* the curl-style blue main page titles */
.pagetitle, h1.libtitle, .newstitle {
  border-style: solid;
  border-width: thin;
  border-color: black;

  background-color: #e0e0ff; 
  font-family: arial, helvetica, ariel, sans-serif;
  color: #0000ff;

  font-size: 150%;
  font-weight: bold;
  padding: 0px 4px 0px 4px;
}

.title {
  color: #000000;
  background-color: #f0f0ff; 
  font-family: arial, helvetica, ariel, sans-serif;
  font-size: 120%;
}

h2 {
  font-family: arial, helvetica, ariel, sans-serif;
  background-color: #f0f0ff;
}

.subtitle {
  font-weight: bold;
}

tr.tabletop {
  font-size: 120%;
  font-family: sans-serif;
  color: #ffffff;
  background-color: #0000ff;
}

.tabletop a {
  color: #ffffff;
}

.buildfail {
  color: #000000;
  background-color: #ff8080;
}

.buildserverprob {
  color: #000000;
  background-color: #ffff00;
}

.buildfine {
  color: #000000;
  background-color: #00ff00;
}

.compile, .changetable {
  border: outset 2px #ffffff;
}

table.news {
  border: outset 2px #8080ff;
}

table.secbox {
  border: outset 2px #8080ff;
  background-color: #e0e0ff;
}

table.latestmail {
  border: outset 2px #8080ff;
  font-size: 100%;
}

/*
.newstitle {
  font-size: 120%;
  white-space: nowrap;
  background-color: #0000ff;
  color: #ffffff;
}

*/
td.newsdate {
  text-align: right;
}

.mini {
  font-size: 8pt;
  font-family: monospace;
}

.warning {
  font-size: 9pt;
  color: #000000;
  background-color: #ff8080;
}

/* like used for important news items */
.alert {
  font-size: 120%;
  color: #ffffff;
  background-color: #f00000;
  padding: 4px 4px 4px 4px;
}

/* the one in the download database */
td.desc {
  color: #000000;
  background: #e0e0ff;
}

/* used in the download table for a single OS */
.ostitleleft {
  color: #000000;
  background-color: #ffffff; 
  font-family: arial, helvetica, ariel, sans-serif;
  font-size: 120%;
  font-weight: bold;
  padding: 4px 4px 4px 4px;
  border-top: 1px solid black;
  border-left: 1px solid black;
  border-right: none;
}
.ostitleright {
  color: #000000;
  background-color: #ffffff; 
  font-family: arial, helvetica, ariel, sans-serif;
  font-size: 120%;
  font-weight: bold;
  padding: 4px 4px 4px 4px;
  border-top: 1px solid black;
  border-right: 1px solid black;
  border-left: none;
}
td.ostitle {
  color: #000000;
  background-color: #ffffff; 
  font-family: arial, helvetica, ariel, sans-serif;
  font-size: 120%;
  font-weight: bold;
  padding: 4px 4px 4px 4px;
  margin: 0px 0px 0px 0px;
  border-top: 1px solid black;
  border-left: 1px solid black;
  border-right: 1px solid black;
}

/* download page */
.latest2 {
  color: #000000;
  background-color: #ffff44;
  border-left: 1px solid black;
  border-right: 1px solid black;
  margin: 0px 0px 0px 0px;
  padding: 1px 0px 1px 0px;
}
/* download page */
.older2 {
  color: #000000;
  background-color: #ffffff;
  border-left: 1px solid black;
  border-right: 1px solid black;
  margin: 0px 0px 0px 0px;
  padding: 1px 0px 1px 0px;
}

.col1 {
  border-left: 1px solid black;
  margin: 0px 0px 0px 0px;
  border-bottom: none;
  border-top: none;
}

.col7 {
  margin: 0px 0px 0px 0px;
  border-right: 1px solid black;
  border-bottom: none;
  border-top: none;
}

.col2, .col3, .col4, .col5, .col6 {
  margin: 0px 0px 0px 0px;
  padding: 0px 4px 0px 4px;
}

.osend {
  border-top: 1px solid black;
  margin: 0px 0px 10px 0px;
}

.download2 {
  background-color: #e0e0e0;
  padding: 10px 10px 10px 10px;
}

/* used on the version number lines in the verdiff.cgi script */
span.version {
  font-weight: bold;
  font-size: 120%;
  border-style: solid;
  border-width: thin;
  border-color: black;
  padding: 4px 4px 4px 4px;
}

/* used on the who/date lines in the verdiff.cgi script */
span.whodate {
  font-weight: bold;
}

tr.odd {
  color: #000000;
  background-color: #e0e0e0;
}

/* used for Metalink download links */
span.metalink {
  font-weight: bold;
  font-family: helvetica narrow, arial narrow, sans-serif;
}

/* a non-selected item in the main menu */
.menuitem, .libitem {
  text-decoration: none;
  color: #ffffff;
  background-color: #4040ff;
  white-space: nowrap;
  padding: 0px 0px 0px 0px;
  font-family: sans-serif;
}

/* a non-selected item in the main menu, with the mouse hovering */
.menuitem:hover, .libitem:hover {
  text-decoration: none;
  color: #ffffff;
  background-color: #202080;
  white-space: nowrap;
  padding: 0px 0px 0px 0px;
  font-family: sans-serif;
}

/* a selected item in the main menu */
.itemselect, .libselect {
  font-family: sans-serif;
  text-decoration: none;
  background-color: white;
  font-weight: bold;
  color: black;
  white-space: nowrap;
  padding: 0px 2px 0px 2px;
}

/* the main curl site left-side menu box */
.mainmenu, .libmenu {
  color: #ffffff;
  background-color: #4040ff;
  padding: 8px 4px 8px 2px;
}

/* the about infobox in the right-bottom */
.aboutbox {
  border-color: black;
  border-width: 2px;
  border-style: solid;
  background-color: #e0e0ff;
  color: #000000;
  font-size: 80%;
  float: right;
  text-align: left;
  width: 15em;
  padding: 2px 2px 2px 2px;
}

/* the toplevel centered links */
.ad a {
  border-color: #c0c0ff;
  border-style: outset;
  text-align: center;
  text-decoration: none;
  color: #ffffff;
  background-color: #4040ff;
  margin: 0px 8px 0px 8px;
  padding: 0px 3px 0px 3px;
}

.relatedbox {
  border-color: black;
  border-width: 1px;
  border-style: solid;
  color: #000000;
  float: right;
  text-align: left;
  padding: 2px 2px 2px 2px;
  margin: 4px 4px 4px 4px;
  background: white;
}

div.oslinks {
  clear: right;
  border-color: black;
  border-width: 1px;
  border-style: outset;
  color: #000000;
  float: right;
  text-align: right;
  padding: 2px 2px 2px 2px;
  background: white;
  font-size: 80%;
}


div.pollbox {
  border-color: black;
  border-width: 2px;
  border-style: outset;
  font-size: 80%;
  color: #000000;
  float: right;
  text-align: left;
  padding: 0px 2px 0px 2px;
  background: #ffffe0;
}

p.ingres {
  width: 80%;
  font-family: arial, helvetica, ariel, sans-serif;
  font-style: italic;
  margin-left: auto;
  margin-right: auto;
}

div.quote {
  border-style: solid;
  border-width: thin;
  border-color: black;
  padding: 2px 2px 2px 2px;

  background-color: #f0f0ff; 
  width: 90%;
  margin-left: 5%;
  margin-right: 5%;
}

/* yellow box */
div.yellowbox {
  border-style: outset;
  border-width: 3px;
  border-color: black;
  padding: 2px 2px 2px 2px;

  background-color: #fffff0; 
/*
  width: 90%;
  margin-left: 5%; */
}

.mirrorlinks {
  font-size: 8pt;
}

.phpbox {
  background-color: #ffe0e0; 
  color: #0000ff;
  border: solid 1px #000000;
  padding: 4px 4px 4px 4px;
  font-size: 120%;
}

.bindingbox {
  float: right;
  border: solid 1px #000000;
  background-color: #ffffff; 
  padding: 2px 2px 2px 2px;
}

.bottomad {
  border: solid 1px #000000;
  background-color: #e0e0e0; 
  padding: 5px 5px 5px 5px;
  margin-left: auto;
  margin-right: auto;
}
-->
</style>


</head>
<body alink="red" bgcolor="#ffffff" link="#0000ff" text="#000000" vlink="#808080">
<!-- first-line-in-body -->
<table cellpadding="5" cellspacing="0"><tbody><tr>

<td align="left" valign="top" width="90%">
<a href="http://curl.haxx.se/">cURL</a> >> <a href="http://curl.haxx.se/libcurl/">libcurl</a> >> <a href="http://curl.haxx.se/libcurl/c/">API</a> >> <b>programming with libcurl</b>
<h1 class="pagetitle"> libcurl-tutorial.3 -- man page </h1>
<div class="relatedbox">
<b>Related:</b>
<br><a href="http://curl.haxx.se/libcurl/c/example.html">示例</a>
<br><a href="http://curl.haxx.se/libcurl/c/">API</a>
</div>
<!-- generated with roffit 0.7 -->
<p class="level0"><a name="NAME"></a></p><h2 class="nroffsh">题目</h2>
<p class="level0">libcurl-教程 - libcurl编程指南    <span class="emphasis">原文<a href="http://curl.haxx.se/libcurl/c/libcurl-tutorial.html">http://curl.haxx.se/libcurl/c/libcurl-tutorial.html</a> </span> <a name="Objective"></a></p><h2 class="nroffsh">目标</h2>
<p class="level0">这篇文档试图讲述在使用libcurl编程时的一些通用原理和基本方法。本文以C语言接口讲解为主，也适用于与C语言风格相近的语言。
</p><p class="level0">文档中用“用户”一词指代使用libcurl的开发人员。文中的“程序”一词泛指用libcurl写的代码。
</p><p class="level0">更多关于libcurl选项和函数的细节，请参考官方的参考手册。
</p><p class="level0"><a name="Building"></a></p><h2 class="nroffsh">编译源码</h2>
<p class="level0">开发C程序有很多方式，本文假定你使用Unix风格的环境。如果你使用不同的开发环境，你仍然可以从本文中获得适合于你的一些通用信息。
</p><p class="level0"><a name="Compiling"></a><span class="nroffip">编译</span>
</p><p class="level1">你的编译器需要知道libcurl的头文件在哪里。因此，你必须将libcurl的安装路径放到编译器的头文件搜索路径里。curl-config工具可以获得libcurl安装的一些信息。
</p><p class="level1">$ curl-config --cflags
</p><p class="level1">
</p><p class="level0"><a name="Linking"></a><span class="nroffip">链接</span>
</p><p class="level1">完成程序的编译后，你需要将目标文件链接到一起，形成单一的可执行文件。你需要链接libcurl，可能还要链接libcurl本身依赖的库文件，比如OpenSSL库。当然，还可能要链接一些操作系统的库文件。要弄清楚到底使用哪些编译选项，再一次请出我们的curl-config工具。
</p><p class="level1">$ curl-config --libs
</p><p class="level1">
</p><p class="level0"><a name="SSL"></a><span class="nroffip">是否支持SSL</span>
</p><p class="level1">libcurl可以有多种形式的定制编译，其中之一就是是否支持SSL，比如HTTPS和FTPS。编译libcurl过程中检测到有支持的SSL库时，就会启用SSL支持。要判断当前的libcurl库是否支持SSL，使用：
</p><p class="level1">$ curl-config --feature
</p><p class="level1">如果支持SSL，则会打出“SSL”的关键字，同时还会有一些其它可定制属性。
</p><p class="level1">也可以参考下文“libcurl提供的属性”。
</p><p class="level0"><a name="autoconf"></a><span class="nroffip">autoconf 宏</span>
</p><p class="level1">如果你要自己写配置脚本来检测libcurl和设置选项，我们提供了一个预先写好的宏，基本能完成你需要的一切。请参考docs/libcurl/libcurl.m4文件，它会告诉你如何使用这个宏。
</p><p class="level1"><a name="Portable"></a></p><h2 class="nroffsh">可移植代码</h2>
<p class="level0">libcurl的幕后工作者花了很精力使libcurl能在很多系统和环境中工作。
</p><p class="level0">你可以在各种各样的平台上用同样的方式编写libcurl程序，只需要考虑非常少的一些差异。只要保证你写的代码有很好的移植性，最后程序则能具备良好的跨平台能力。libcurl不会拖你的后腿
</p><p class="level0"><a name="Global"></a></p><h2 class="nroffsh">全局初始化</h2>
<p class="level0">在使用libcurl前，必须先做一次libcurl的全局初始化。不管程序中多少次使用libcurl，只需要做一次这样的初始化。使用：
</p><p class="level0">&nbsp;curl_global_init()
</p><p class="level0">curl_global_init()带一个位匹配的参数，指定libcurl初始化选项。
<span class="emphasis">CURL_GLOBAL_ALL</span>
 会初始化所有已知子模块，是较好的默认选择。另外两个可指定的位是：
</p><p class="level1">
</p><p class="level0"><a name="CURLGLOBALWIN32"></a><span class="nroffip">CURL_GLOBAL_WIN32</span>
</p><p class="level1">将会在windows环境里初始化libcurl，实质上就是初始化win32  socket库。如果不指定这个位，你的程序就不能正常使用socket。同样，你只需要为你的程序做一次wine32 socket的初始化，如果你自己的代码或者其它模块已经做了这一步，那不应该在libcurl初始化时指定这个位。
</p><p class="level0"><a name="CURLGLOBALSSL"></a><span class="nroffip">CURL_GLOBAL_SSL</span>
</p><p class="level1">如果libcurl编译时启用了SSL，指定这个位会初始化SSL模块。同理，SSL只需要在程序中初始化一次，如果你的代码或者其它库已经做了这一步，就不应该再libcurl初始化时指定这个位。
</p><p class="level0">
</p><p class="level0">libcurl有一个默认的保障机制：如果你调用<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>时还没有做<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_global_init.html">curl_global_init(3)</a>
libcurl会使用默认的参数自动执行一次<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_global_init.html">curl_global_init(3)</a>。注意，这不是一种好的选择。
</p><p class="level0">当你的程序不在需要libcurl时，应该调用<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_global_cleanup.html">curl_global_cleanup(3)</a>,与init函数相反，它会释放和清理掉相关资源。
</p><p class="level0">要尽量避免在程序中多次使用<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_global_init.html">curl_global_init(3)</a> 和<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_global_cleanup.html">curl_global_cleanup(3)</a>，它们应该被各调用一次。
</p><p class="level0"><a name="Features"></a></p><h2 class="nroffsh">libcurl提供的属性</h2>
<p class="level0">判断libcurl支持属性的最恰当的方式是在运行时，而不是在编译阶段。调用<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_version_info.html">curl_version_info(3)</a>并检查它返回的结构，可以准确的知道当前使用的libcurl支持的属性。
</p><p class="level0"><a name="Handle"></a></p><h2 class="nroffsh">使用Easy libcurl</h2>
<p class="level0">
libcurl最先引入的是称为“easy interface”的接口，它们都以“curl_easy”开头。
</p><p class="level0">较新版本的libcurl也提供称为“multi interface”的接口。关于multi interface的作用与使用将在下文单独阐述。在那之前，需要先理解easy interface。
</p><p class="level0">要使用easy interface，需要先创建一个easy handle。每个HTTP会话都应该对应一个easy handle。每个线程都应该独立的使用handle，一定不要在多线程中共享同一个handle。
</p><p class="level0">使用下面的函数来创建一个handle：
</p><p class="level0">&nbsp;easyhandle = curl_easy_init();
</p><p class="level0">它会返回一个easy handle。拿到handle，下一步就是设定你要完成的动作。这里的handle是为接下来的数据传输而定义一个逻辑体。
</p><p class="level0">使用<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_setopt.html">curl_easy_setopt(3)</a>来给handle设置操作和属性。它们控制接下来的数据传输的行为。这些设置会一直保持在 handle里，直到你下一次设置它。多个网络传输请求在使用同一个handle时，会共享同样的属性。
</p><p class="level0">很多handle的选项都是以\0结束的字符串。使用 <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_setopt.html">curl_easy_setopt(3)</a> 设置下去的值在libcurl内有一个拷贝，不必在你的代码中保留。[4]
</p><p class="level0">最常见最基本的handle选项就是URL，使用类似下面的方法来设置handle的URL:
</p><p class="level0"></p><pre><p class="level0">&nbsp;curl_easy_setopt(handle, CURLOPT_URL, "<a href="http://domain.com/">http://domain.com/</a>");
 </p></pre>
<p class="level0">
</p><p class="level0">
假设你需要拿到这个URL指向的远程资源，然后用libcurl写了一段程序来实现数据获取。你可能希望数据能直接传送到你的手中，而不是输出到stdout，那么，你可以写一个这样的回调函数(callback function)。

</p><p class="level0">&nbsp;size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp);
</p><p class="level0">
然后用下面的方式，告诉libcurl将数据通过这个函数传送给你。
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_WRITEFUNCTION, write_data);
</p><p class="level0">你还用下面的方式设定callback的参数，libcurl会在调用callback函数时带上它（即前面write_data的第四个参数）。
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_WRITEDATA, &amp;internal_struct);
</p><p class="level0">利用这一点，我们可以很轻松的在程序和libcurl的回调中传递一些信息。libcurl不会碰你用<span class="emphasis">CURLOPT_WRITEDATA</span>设定的数据，而是原封不动地传递给callback函数。
</p><p class="level0">如果你没有用<span class="emphasis">CURLOPT_WRITEFUNCTION</span>指定callback函数，libcurl会默认用它自己的callback函数。 默认的callback函数只是简单的将接收到的数据写到stdout。你可以用<span class="emphasis">CURLOPT_WRITEDATA</span>方式传递一个可写的“FILE*”指针给默认callback，让callback把数据写入该文件。
</p><p class="level0">现在，让我们退一步，做一个深呼息，因为我们马上就会遇上前面提到的第一个平台差异问题。
在一些平台上，libcurl无法操作程序里打开的文件，因此，如果你使用了默认的callback，并用<span class="emphasis">CURLOPT_WRITEDATA</span>传递一个打开的文件指针，程序可能会崩溃。因此你应该尽量避免这种用法，以使你的代码有更好的移植性。

</p><p class="level0">(<span class="emphasis">CURLOPT_WRITEDATA</span> 正式地也被称为 <span class="emphasis">CURLOPT_FILE</span>. 这两个名字都有效，并且功能一样。)
</p><p class="level0">如果你是以win32 DLL的方式使用libcurl，那么在使用<span class="emphasis">CURLOPT_WRITEDATA</span>时，则必须同时使用<span class="emphasis">CURLOPT_WRITEFUNCTION</span> 注册回调函数。- 否则你会遇到程序崩溃。
</p><p class="level0">当然libcurl还有很多选项可供设置，我们稍后再看。接下来我们先执行数据传输工作：
</p><p class="level0">&nbsp;success = curl_easy_perform(easyhandle);
</p><p class="level0"><a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>
 
 函数会连接到远程站点，发送一些必要的命令，并接收数据传输。收到数据时，libcurl会调用我们前面设置的callback函数。该函数可能一次拿到一个字节，也可能一次拿到若干K字节。libcurl会尽可能多尽可能快的传递数据。你的callback应该返回已经被处理过的字节数，如果返回值 不等于传递给它的字节数，libcurl会中止操作，并返回一个错误码。
</p><p class="level0">传输完成时，<a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>的返回值会通知你传输任务成功与否。如果返回值不够直观，你也可以用CURLOPT_ERRORBUFFER来设置一个buffer，libcurl会在里面写入许多可读的错误信息。
</p><p class="level0">一个任务结束后，handle可以被再次使用。推荐重用已经存在的handle来进行下一个传输，libcurl会尝试重用先前的连接。
</p><p class="level0">对某些协议来说，下载一个文件可能涉及到复杂的流程，比如登录，设置传输模式，改变当前目录等，最后再到传输数据。libcurl会为你搞定这些复杂的流程，只需要简单的给libcurl一个URL，它就会自动完成剩下的工作。
</p><p class="level0"><a name="Multi-threading"></a></p><h2 class="nroffsh">多线程问题</h2>
<p class="level0">第一个基本原则是<span class="bold">绝对不要</span>在线程之间共享同一个libcurl handle，不管是easy handle还是multi handle。一个线程每次只能使用一个handle。 
</p><p class="level0">
除开信号和SSL/TLS处理器两种情况，libcurl都是线程安全的。在非windows环境下，如果libcurl没有把c-ares库编译进来，则会用信号的方式来指示域名解析超时。
</p><p class="level0">

如果你以多线程的方式访问HTTPS或者FTPS这类的URL，相应的你也在以多线程方式使用到底层的SSL库。各种SSL库对多线程使用也有自己的要求，具体可以参考：

</p><p class="level0">OpenSSL
</p><p class="level0">&nbsp;<a href="http://www.openssl.org/docs/crypto/threads.html">http://www.openssl.org/docs/crypto/threads.html</a>#DESCRIPTION
</p><p class="level0">GnuTLS
</p><p class="level0">&nbsp;<a href="http://www.gnu.org/software/gnutls/manual/html_node/">http://www.gnu.org/software/gnutls/manual/html_node/</a>Multi_002dthreaded-applications.html
</p><p class="level0">NSS
</p><p class="level0">&nbsp;宣称线程安全的，不需要额外工作。
</p><p class="level0">PolarSSL
</p><p class="level0">&nbsp;暂不清楚(Required actions unknown).
</p><p class="level0">yassl
</p><p class="level0">&nbsp;暂不清楚(Required actions unknown).
</p><p class="level0">axTLS
</p><p class="level0">&nbsp;暂不清楚(Required actions unknown).
</p><p class="level0">使用多线程时，你应该给每个handle设置CURLOPT_NOSIGNAL为1。该选项对libcurl的绝大部分工作无影响，除了一点：DNS查询时无法正常的超时。这个问题可以在编译时增加c-ares库以弥补。c-ares是一个提供异步域名解析的库。实际上，在某些平台上如果不具备c-ares，则libcurl是无法工作在多线程模式下的。
</p><p class="level0">另外要注意，使用CURLOPT_DNS_USE_GLOBAL_CACHE并不是线程安全的。
</p><p class="level0"><a name="When"></a></p><h2 class="nroffsh">当libcurl出问题时</h2>
<p class="level0">实际应用中总会遇到libcurl传输失败的情况，原因是多种多样的。可能你设置了错误的选项，或者没有理解选项的正确用法，或者远程服务器返回了不标准的回复让libcurl出错进而导致程序出问题。
</p><p class="level0">发生这些情况时，有一个黄金法则：把CURLOPT_VERBOSE选项设为1。这个选项使libcurl输出所有协议细节，包括发送的协议内容、libcurl内部信息以及接收到的协议数据（特别是FTP协议）等。
使用HTTP时，用这种方式来研究接收数据也是理解服务器端行为的一个很不错的方式。
</p><p class="level0">当然，libcurl也会有bug的。所以如果你发现了bug，请知会我们，以便我们修复它。当你发现了可能是bug的问题，请提供尽可能多的细节给我们：打开了CURLOPT_VERBOSE的libcurl输出，libcurl的版本，使用libcurl的代码，操作系统及其版本，编译器名字及版本，等等。
</p><p class="level0">如果CURLOPT_VERBOSE还不够，你可以用CURLOPT_DEBUGFUNCTION来提高debug信息的级别。
</p><p class="level0">深入理解相关协议总是好事，如果你研究过协议的RFC文档，你就能更好的要理解libcurl的原理，更好的使用它。
</p><p class="level0"><a name="Upload"></a></p><h2 class="nroffsh">上传数据到服务器</h2>
<p class="level0">对大多数工作来说，libcurl试图保持协议无关性。比如，上传数据到FTP跟用PUT方式发送数据到HTTP服务器，两者操作就非常相似。
</p><p class="level0">当然，一开始仍然需要创建一个easy handle，或者重用现存的handle。然后像之前一样指定一个URL，即我们要上传的URL。
</p><p class="level0">通常应用程序希望自己提供上传数据给libcurl，为此，我们可以设置一个读取的callback函数以及callback的参数。
该callback函数的原型应该像这样：
Since we write an application, we most likely want
 libcurl to get the upload data by asking us for it. To make it do that,
 we set the read callback and the custom pointer libcurl will pass to 
our read callback. The read callback should have a prototype similar to:
</p><p class="level0">&nbsp;size_t function(char *bufptr, size_t size, size_t nitems, void *userp);
</p><p class="level0">bufptr指向我们的要上传的数据，size*nitems是数据的大小，
同时也是该函数能交给libcurl的数据的最大值。userp则指向一个自定义的数据结构，
用来把私有数据传递给回调函数。here bufptr is the pointer to a buffer we fill in
 with data to upload and size*nitems is the size of the buffer and 
therefore also the maximum amount of data we can return to libcurl in 
this call. The 'userp' pointer is the custom pointer we set to point to a
 struct of ours to pass private data between the application and the 
callback.
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_READFUNCTION, read_function);
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_READDATA, &amp;filedata);
</p><p class="level0">告诉libcurl我们要上传：Tell libcurl that we want to upload:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_UPLOAD, 1L);
</p><p class="level0">在预先不知道要上传的文件的大小的话，某些协议会不能正常工作。
因此，用CURLOPT_INFILESIZE_LARGE设置文件大小。A few protocols won't behave properly when uploads
 are done without any prior knowledge of the expected file size. So, set
 the upload file size using the CURLOPT_INFILESIZE_LARGE for all known 
file sizes like this[1]:
</p><p class="level0"></p><pre><p class="level0">&nbsp;/* 在这个例子中，file_size必须是curl_off_t类型的变量。in this example, file_size must be an curl_off_t variable */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_INFILESIZE_LARGE, file_size);
 </p></pre>
<p class="level0">
</p><p class="level0">当你调用When you call <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>
 时，它先执行一些必要操作，然后会调用你提供的callback函数来读取待上传的数据。
 每次callback被调用时都应该尽可能多的把数据交给libcurl，以便数据尽可能快的传输。
callback应该返回写到buffer中的字节数，返回0时则表示上传已经完成。this time, it'll perform all the necessary operations and when it has 
invoked the upload it'll call your supplied callback to get the data to 
upload. The program should return as much data as possible in every 
invoke, as that is likely to make the upload perform as fast as 
possible. The callback should return the number of bytes it wrote in the
 buffer. Returning 0 will signal the end of the upload.
</p><p class="level0"><a name="Passwords"></a></p><h2 class="nroffsh">密码 Passwords</h2>
<p class="level0">
许多协议要求你在上传或者下载数据时提供用户名和密码。libcurl提供了多种方式来指定用户名和密码。
Many protocols use or even require that user name and 
password are provided to be able to download or upload the data of your 
choice. libcurl offers several ways to specify them.
</p><p class="level0">大多数的协议支持直接在URL中指定账号和密码，libcurl会检测并应用这种形式。就像这样：
Most protocols support that you specify the name 
and password in the URL itself. libcurl will detect this and use them 
accordingly. This is written like this:
</p><p class="level0">&nbsp;protocol://user:password@example.com/path/
</p><p class="level0">如果你在用户名或者密码中使用了一些不常见的字符，应该先把它们编码成形如%xx的URL，xx是一个2位的十六进制数字，If you need any odd letters in your user name or 
password, you should enter them URL encoded, as %XX where XX is a 
two-digit hexadecimal number.
</p><p class="level0">libcurl同时也提供选项来设置各种密码。出现在URL中的账号和密码可以用CURLOPT_USERPWD选项来设置。
相应的参数是一个“用户名：密码”形式的字符串。
libcurl also provides options to set various 
passwords. The user name and password as shown embedded in the URL can 
instead get set with the CURLOPT_USERPWD option. The argument passed to 
libcurl should be a char * to a string in the format "user:password". In
 a manner like this:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_USERPWD, "myname:thesecret");
</p><p class="level0">另一个需要账号密码的情况是需要获得代理服务器的授权，libcurl提供了另一个选项， CURLOPT_PROXYUSERPWD，用法跟CURLOPT_USERPWD非常相似。Another case where name and password might be 
needed at times, is for those users who need to authenticate themselves 
to a proxy they use. libcurl offers another option for this, the 
CURLOPT_PROXYUSERPWD. It is used quite similar to the CURLOPT_USERPWD 
option like this:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_PROXYUSERPWD, "myname:thesecret");
</p><p class="level0">
很长一段时间里，Unix存放FTP用户名和密码的“标准”方式是用$HOME/.netrc文件。
.netrc文件里的账号密码可能是明文存放的，所以这个文件通常被设置为私有，只有该用户能取（参考“安全考虑”这节）。
libcurl能够使用该文件找出对应某个主机的FTP账号和密码。作为一项扩展功能，libcurl也支持非FTP的协议使用这个文件，比如HTTP。
让libcurl使用该文件，可以设置CURLOPT_NETRC选项。
There's a long time UNIX "standard" way of storing
 ftp user names and passwords, namely in the $HOME/.netrc file. The file
 should be made private so that only the user may read it (see also the 
"Security Considerations" chapter), as it might contain the password in 
plain text. libcurl has the ability to use this file to figure out what 
set of user name and password to use for a particular host. As an 
extension to the normal functionality, libcurl also supports this file 
for non-FTP protocols such as HTTP. To make curl use this file, use the 
CURLOPT_NETRC option:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_NETRC, 1L);
</p><p class="level0">一个最基本的.netrc文件看起来像这样：And a very basic example of how such a .netrc file may look like:
</p><p class="level0"></p><pre><p class="level0">&nbsp;machine myhost.mydomain.com
 &nbsp;login userlogin
 &nbsp;password secretword
 </p></pre>
<p class="level0">
</p><p class="level0">以上的例子中，密码只是一个可选的配置，或者说，至少能让libcurl尝试在无密码的情况下工作。
但另一些情况下，密码是必需的，比如使用SSL私钥完成安全传输。
All these examples have been cases where the 
password has been optional, or at least you could leave it out and have 
libcurl attempt to do its job without it. There are times when the 
password isn't optional, like when you're using an SSL private key for 
secure transfers.
</p><p class="level0">将私钥密码传递给libcurl：To pass the known private key password to libcurl:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_KEYPASSWD, "keypassword");
</p><p class="level0"><a name="HTTP"></a></p><h2 class="nroffsh">HTTP Authentication</h2>
<p class="level0">The previous chapter showed how to set user name and 
password for getting URLs that require authentication. When using the 
HTTP protocol, there are many different ways a client can provide those 
credentials to the server and you can control which way libcurl will 
(attempt to) use them. The default HTTP authentication method is called 
'Basic', which is sending the name and password in clear-text in the 
HTTP request, base64-encoded. This is insecure.
</p><p class="level0">At the time of this writing, libcurl can be built 
to use: Basic, Digest, NTLM, Negotiate, GSS-Negotiate and SPNEGO. You 
can tell libcurl which one to use with CURLOPT_HTTPAUTH as in:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
</p><p class="level0">And when you send authentication to a proxy, you 
can also set authentication type the same way but instead with 
CURLOPT_PROXYAUTH:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_PROXYAUTH, CURLAUTH_NTLM);
</p><p class="level0">Both these options allow you to set multiple types
 (by ORing them together), to make libcurl pick the most secure one out 
of the types the server/proxy claims to support. This method does 
however add a round-trip since libcurl must first ask the server what it
 supports:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPAUTH, &nbsp;CURLAUTH_DIGEST|CURLAUTH_BASIC);
</p><p class="level0">For convenience, you can use the 'CURLAUTH_ANY' 
define (instead of a list with specific types) which allows libcurl to 
use whatever method it wants.
</p><p class="level0">When asking for multiple types, libcurl will pick the available one it considers "best" in its own internal order of preference.
</p><p class="level0"><a name="HTTP"></a></p><h2 class="nroffsh">HTTP POSTing</h2>
<p class="level0">We get many questions regarding how to issue HTTP 
POSTs with libcurl the proper way. This chapter will thus include 
examples using both different versions of HTTP POST that libcurl 
supports.
</p><p class="level0">The first version is the simple POST, the most 
common version, that most HTML pages using the &lt;form&gt; tag uses. We
 provide a pointer to the data and tell libcurl to post it all to the 
remote site:
</p><p class="level0"></p><pre><p class="level0">&nbsp;   char *data="name=daniel&amp;project=curl";
 &nbsp;   curl_easy_setopt(easyhandle, CURLOPT_POSTFIELDS, data);
 &nbsp;   curl_easy_setopt(easyhandle, CURLOPT_URL, "<a href="http://posthere.com/">http://posthere.com/</a>");
 </p><p class="level0">&nbsp;   curl_easy_perform(easyhandle); /* post away! */
 </p></pre>
<p class="level0">
</p><p class="level0">Simple enough, huh? Since you set the POST options
 with the CURLOPT_POSTFIELDS, this automatically switches the handle to 
use POST in the upcoming request.
</p><p class="level0">Ok, so what if you want to post binary data that 
also requires you to set the Content-Type: header of the post? Well, 
binary posts prevent libcurl from being able to do strlen() on the data 
to figure out the size, so therefore we must tell libcurl the size of 
the post data. Setting headers in libcurl requests are done in a generic
 way, by building a list of our own headers and then passing that list 
to libcurl.
</p><p class="level0"></p><pre><p class="level0">&nbsp;struct curl_slist *headers=NULL;
 &nbsp;headers = curl_slist_append(headers, "Content-Type: text/xml");
 </p><p class="level0">&nbsp;/* post binary data */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_POSTFIELDS, binaryptr);
 </p><p class="level0">&nbsp;/* set the size of the postfields data */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_POSTFIELDSIZE, 23L);
 </p><p class="level0">&nbsp;/* pass our list of custom made headers */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPHEADER, headers);
 </p><p class="level0">&nbsp;curl_easy_perform(easyhandle); /* post away! */
 </p><p class="level0">&nbsp;curl_slist_free_all(headers); /* free the header list */
 </p></pre>
<p class="level0">
</p><p class="level0">While the simple examples above cover the majority
 of all cases where HTTP POST operations are required, they don't do 
multi-part formposts. Multi-part formposts were introduced as a better 
way to post (possibly large) binary data and were first documented in 
the RFC1867 (updated in RFC2388). They're called multi-part because 
they're built by a chain of parts, each part being a single unit of 
data. Each part has its own name and contents. You can in fact create 
and post a multi-part formpost with the regular libcurl POST support 
described above, but that would require that you build a formpost 
yourself and provide to libcurl. To make that easier, libcurl provides <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_formadd.html">curl_formadd(3)</a>. Using this function, you add parts to the form. When you're done adding parts, you post the whole form.
</p><p class="level0">The following example sets two simple text parts 
with plain textual contents, and then a file with binary contents and 
uploads the whole thing.
</p><p class="level0"></p><pre><p class="level0">&nbsp;struct curl_httppost *post=NULL;
 &nbsp;struct curl_httppost *last=NULL;
 &nbsp;curl_formadd(&amp;post, &amp;last,
 &nbsp;             CURLFORM_COPYNAME, "name",
 &nbsp;             CURLFORM_COPYCONTENTS, "daniel", CURLFORM_END);
 &nbsp;curl_formadd(&amp;post, &amp;last,
 &nbsp;             CURLFORM_COPYNAME, "project",
 &nbsp;             CURLFORM_COPYCONTENTS, "curl", CURLFORM_END);
 &nbsp;curl_formadd(&amp;post, &amp;last,
 &nbsp;             CURLFORM_COPYNAME, "logotype-image",
 &nbsp;             CURLFORM_FILECONTENT, "curl.png", CURLFORM_END);
 </p><p class="level0">&nbsp;/* Set the form info */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPPOST, post);
 </p><p class="level0">&nbsp;curl_easy_perform(easyhandle); /* post away! */
 </p><p class="level0">&nbsp;/* free the post data again */
 &nbsp;curl_formfree(post);
 </p></pre>
<p class="level0">
</p><p class="level0">Multipart formposts are chains of parts using 
MIME-style separators and headers. It means that each one of these 
separate parts get a few headers set that describe the individual 
content-type, size etc. To enable your application to handicraft this 
formpost even more, libcurl allows you to supply your own set of custom 
headers to such an individual form part. You can of course supply 
headers to as many parts as you like, but this little example will show 
how you set headers to one specific part when you add that to the post 
handle:
</p><p class="level0"></p><pre><p class="level0">&nbsp;struct curl_slist *headers=NULL;
 &nbsp;headers = curl_slist_append(headers, "Content-Type: text/xml");
 </p><p class="level0">&nbsp;curl_formadd(&amp;post, &amp;last,
 &nbsp;             CURLFORM_COPYNAME, "logotype-image",
 &nbsp;             CURLFORM_FILECONTENT, "curl.xml",
 &nbsp;             CURLFORM_CONTENTHEADER, headers,
 &nbsp;             CURLFORM_END);
 </p><p class="level0">&nbsp;curl_easy_perform(easyhandle); /* post away! */
 </p><p class="level0">&nbsp;curl_formfree(post); /* free post */
 &nbsp;curl_slist_free_all(headers); /* free custom header list */
 </p></pre>
<p class="level0">
</p><p class="level0">Since all options on an easyhandle are "sticky", they remain the same until changed even if you do call <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>,
 you may need to tell curl to go back to a plain GET request if you 
intend to do one as your next request. You force an easyhandle to go 
back to GET by using the CURLOPT_HTTPGET option:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPGET, 1L);
</p><p class="level0">Just setting CURLOPT_POSTFIELDS to "" or NULL will
 *not* stop libcurl from doing a POST. It will just make it POST without
 any data to send!
</p><p class="level0"><a name="Showing"></a></p><h2 class="nroffsh">Showing Progress</h2>
<p class="level0">
</p><p class="level0">For historical and traditional reasons, libcurl 
has a built-in progress meter that can be switched on and then makes it 
present a progress meter in your terminal.
</p><p class="level0">Switch on the progress meter by, oddly enough, setting CURLOPT_NOPROGRESS to zero. This option is set to 1 by default.
</p><p class="level0">For most applications however, the built-in 
progress meter is useless and what instead is interesting is the ability
 to specify a progress callback. The function pointer you pass to 
libcurl will then be called on irregular intervals with information 
about the current transfer.
</p><p class="level0">Set the progress callback by using CURLOPT_PROGRESSFUNCTION. And pass a pointer to a function that matches this prototype:
</p><p class="level0"></p><pre><p class="level0">&nbsp;int progress_callback(void *clientp,
 &nbsp;                      double dltotal,
 &nbsp;                      double dlnow,
 &nbsp;                      double ultotal,
 &nbsp;                      double ulnow);
 </p></pre>
<p class="level0">
</p><p class="level0">If any of the input arguments is unknown, a 0 will
 be passed. The first argument, the 'clientp' is the pointer you pass to
 libcurl with CURLOPT_PROGRESSDATA. libcurl won't touch it.
</p><p class="level0"><a name="libcurl"></a></p><h2 class="nroffsh">libcurl with C++</h2>
<p class="level0">
</p><p class="level0">There's basically only one thing to keep in mind when using C++ instead of C when interfacing libcurl:
</p><p class="level0">The callbacks CANNOT be non-static class member functions
</p><p class="level0">Example C++ code:
</p><p class="level0"></p><pre><p class="level0">class AClass {
 &nbsp;   static size_t write_data(void *ptr, size_t size, size_t nmemb,
 &nbsp;                            void *ourpointer)
 &nbsp;   {
 &nbsp;     /* do what you want with the data */
 &nbsp;   }
 &nbsp;}
 </p></pre>
<p class="level0">
</p><p class="level0"><a name="Proxies"></a></p><h2 class="nroffsh">Proxies</h2>
<p class="level0">
</p><p class="level0">What "proxy" means according to Merriam-Webster: 
"a person authorized to act for another" but also "the agency, function,
 or office of a deputy who acts as a substitute for another".
</p><p class="level0">Proxies are exceedingly common these days. 
Companies often only offer Internet access to employees through their 
proxies. Network clients or user-agents ask the proxy for documents, the
 proxy does the actual request and then it returns them.
</p><p class="level0">libcurl supports SOCKS and HTTP proxies. When a 
given URL is wanted, libcurl will ask the proxy for it instead of trying
 to connect to the actual host identified in the URL.
</p><p class="level0">If you're using a SOCKS proxy, you may find that libcurl doesn't quite support all operations through it.
</p><p class="level0">For HTTP proxies: the fact that the proxy is a 
HTTP proxy puts certain restrictions on what can actually happen. A 
requested URL that might not be a HTTP URL will be still be passed to 
the HTTP proxy to deliver back to libcurl. This happens transparently, 
and an application may not need to know. I say "may", because at times 
it is very important to understand that all operations over a HTTP proxy
 use the HTTP protocol. For example, you can't invoke your own custom 
FTP commands or even proper FTP directory listings.
</p><p class="level0">
</p><p class="level0"><a name="Proxy"></a><span class="nroffip">Proxy Options</span>
</p><p class="level1">
</p><p class="level1">To tell libcurl to use a proxy at a given port number:
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_PROXY, "proxy-host.com:8080");
</p><p class="level1">Some proxies require user authentication before allowing a request, and you pass that information similar to this:
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_PROXYUSERPWD, "user:password");
</p><p class="level1">If you want to, you can specify the host name only
 in the CURLOPT_PROXY option, and set the port number separately with 
CURLOPT_PROXYPORT.
</p><p class="level1">Tell libcurl what kind of proxy it is with CURLOPT_PROXYTYPE (if not, it will default to assume a HTTP proxy):
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS4);
</p><p class="level1">
</p><p class="level0"><a name="Environment"></a><span class="nroffip">Environment Variables</span>
</p><p class="level1">
</p><p class="level1">libcurl automatically checks and uses a set of 
environment variables to know what proxies to use for certain protocols.
 The names of the variables are following an ancient de facto standard 
and are built up as "[protocol]_proxy" (note the lower casing). Which 
makes the variable 'http_proxy' checked for a name of a proxy to use 
when the input URL is HTTP. Following the same rule, the variable named 
'ftp_proxy' is checked for FTP URLs. Again, the proxies are always HTTP 
proxies, the different names of the variables simply allows different 
HTTP proxies to be used.
</p><p class="level1">The proxy environment variable contents should be 
in the format "[protocol://][user:password@]machine[:port]". Where the 
protocol:// part is simply ignored if present (so <a href="http://proxy/">http://proxy</a>
 and bluerk://proxy will do the same) and the optional port number 
specifies on which port the proxy operates on the host. If not 
specified, the internal default port number will be used and that is 
most likely *not* the one you would like it to be.
</p><p class="level1">There are two special environment variables. 
'all_proxy' is what sets proxy for any URL in case the protocol specific
 variable wasn't set, and 'no_proxy' defines a list of hosts that should
 not use a proxy even though a variable may say so. If 'no_proxy' is a 
plain asterisk ("*") it matches all hosts.
</p><p class="level1">To explicitly disable libcurl's checking for and 
using the proxy environment variables, set the proxy name to "" - an 
empty string - with CURLOPT_PROXY.
</p><p class="level0"><a name="SSL"></a><span class="nroffip">SSL and Proxies</span>
</p><p class="level1">
</p><p class="level1">SSL is for secure point-to-point connections. This
 involves strong encryption and similar things, which effectively makes 
it impossible for a proxy to operate as a "man in between" which the 
proxy's task is, as previously discussed. Instead, the only way to have 
SSL work over a HTTP proxy is to ask the proxy to tunnel trough 
everything without being able to check or fiddle with the traffic.
</p><p class="level1">Opening an SSL connection over a HTTP proxy is 
therefor a matter of asking the proxy for a straight connection to the 
target host on a specified port. This is made with the HTTP request 
CONNECT. ("please mr proxy, connect me to that remote host").
</p><p class="level1">Because of the nature of this operation, where the
 proxy has no idea what kind of data that is passed in and out through 
this tunnel, this breaks some of the very few advantages that come from 
using a proxy, such as caching.  Many organizations prevent this kind of
 tunneling to other destination port numbers than 443 (which is the 
default HTTPS port number).
</p><p class="level1">
</p><p class="level0"><a name="Tunneling"></a><span class="nroffip">Tunneling Through Proxy</span>
</p><p class="level1">As explained above, tunneling is required for SSL to work and often even restricted to the operation intended for SSL; HTTPS.
</p><p class="level1">This is however not the only time proxy-tunneling might offer benefits to you or your application.
</p><p class="level1">As tunneling opens a direct connection from your 
application to the remote machine, it suddenly also re-introduces the 
ability to do non-HTTP operations over a HTTP proxy. You can in fact use
 things such as FTP upload or FTP custom commands this way.
</p><p class="level1">Again, this is often prevented by the administrators of proxies and is rarely allowed.
</p><p class="level1">Tell libcurl to use proxy tunneling like this:
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPPROXYTUNNEL, 1L);
</p><p class="level1">In fact, there might even be times when you want 
to do plain HTTP operations using a tunnel like this, as it then enables
 you to operate on the remote server instead of asking the proxy to do 
so. libcurl will not stand in the way for such innovative actions 
either!
</p><p class="level1">
</p><p class="level0"><a name="Proxy"></a><span class="nroffip">Proxy Auto-Config</span>
</p><p class="level1">
</p><p class="level1">Netscape first came up with this. It is basically a
 web page (usually using a .pac extension) with a Javascript that when 
executed by the browser with the requested URL as input, returns 
information to the browser on how to connect to the URL. The returned 
information might be "DIRECT" (which means no proxy should be used), 
"PROXY host:port" (to tell the browser where the proxy for this 
particular URL is) or "SOCKS host:port" (to direct the browser to a 
SOCKS proxy).
</p><p class="level1">libcurl has no means to interpret or evaluate 
Javascript and thus it doesn't support this. If you get yourself in a 
position where you face this nasty invention, the following advice have 
been mentioned and used in the past:
</p><p class="level1">- Depending on the Javascript complexity, write up a script that translates it to another language and execute that.
</p><p class="level1">- Read the Javascript code and rewrite the same logic in another language.
</p><p class="level1">- Implement a Javascript interpreter; people have successfully used the Mozilla Javascript engine in the past.
</p><p class="level1">- Ask your admins to stop this, for a static proxy setup or similar.
</p><p class="level1"><a name="Persistence"></a></p><h2 class="nroffsh">Persistence Is The Way to Happiness</h2>
<p class="level0">
</p><p class="level0">Re-cycling the same easy handle several times when doing multiple requests is the way to go.
</p><p class="level0">After each single <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_perform.html">curl_easy_perform(3)</a>
 operation, libcurl will keep the connection alive and open. A 
subsequent request using the same easy handle to the same host might 
just be able to use the already open connection! This reduces network 
impact a lot.
</p><p class="level0">Even if the connection is dropped, all connections
 involving SSL to the same host again, will benefit from libcurl's 
session ID cache that drastically reduces re-connection time.
</p><p class="level0">FTP connections that are kept alive save a lot of 
time, as the command- response round-trips are skipped, and also you 
don't risk getting blocked without permission to login again like on 
many FTP servers only allowing N persons to be logged in at the same 
time.
</p><p class="level0">libcurl caches DNS name resolving results, to make lookups of a previously looked up name a lot faster.
</p><p class="level0">Other interesting details that improve performance for subsequent requests may also be added in the future.
</p><p class="level0">Each easy handle will attempt to keep the last few
 connections alive for a while in case they are to be used again. You 
can set the size of this "cache" with the CURLOPT_MAXCONNECTS option. 
Default is 5. There is very seldom any point in changing this value, and
 if you think of changing this it is often just a matter of thinking 
again.
</p><p class="level0">To force your upcoming request to not use an 
already existing connection (it will even close one first if there 
happens to be one alive to the same host you're about to operate on), 
you can do that by setting CURLOPT_FRESH_CONNECT to 1. In a similar 
spirit, you can also forbid the upcoming request to be "lying" around 
and possibly get re-used after the request by setting 
CURLOPT_FORBID_REUSE to 1.
</p><p class="level0"><a name="HTTP"></a></p><h2 class="nroffsh">HTTP Headers Used by libcurl</h2>
<p class="level0">When you use libcurl to do HTTP requests, it'll pass 
along a series of headers automatically. It might be good for you to 
know and understand these. You can replace or remove them by using the 
CURLOPT_HTTPHEADER option.
</p><p class="level0">
</p><p class="level0"><a name="Host"></a><span class="nroffip">Host</span>
</p><p class="level1">This header is required by HTTP 1.1 and even many 
1.0 servers and should be the name of the server we want to talk to. 
This includes the port number if anything but default.
</p><p class="level1">
</p><p class="level0"><a name="Pragma"></a><span class="nroffip">Pragma</span>
</p><p class="level1">"no-cache". Tells a possible proxy to not grab a copy from the cache but to fetch a fresh one.
</p><p class="level1">
</p><p class="level0"><a name="Accept"></a><span class="nroffip">Accept</span>
</p><p class="level1">"*/*". 
</p><p class="level1">
</p><p class="level0"><a name="Expect"></a><span class="nroffip">Expect</span> 
</p><p class="level1">When doing POST requests, libcurl sets this header
 to "100-continue" to ask the server for an "OK" message before it 
proceeds with sending the data part of the post. If the POSTed data 
amount is deemed "small", libcurl will not use this header. 
</p><p class="level1"><a name="Customizing"></a></p><h2 class="nroffsh">Customizing Operations</h2>
<p class="level0">There is an ongoing development today where more and 
more protocols are built upon HTTP for transport. This has obvious 
benefits as HTTP is a tested and reliable protocol that is widely 
deployed and has excellent proxy-support. 
</p><p class="level0">When you use one of these protocols, and even when
 doing other kinds of programming you may need to change the traditional
 HTTP (or FTP or...) manners. You may need to change words, headers or 
various data. 
</p><p class="level0">libcurl is your friend here too. 
</p><p class="level0">
</p><p class="level0"><a name="CUSTOMREQUEST"></a><span class="nroffip">CUSTOMREQUEST</span> 
</p><p class="level1">If just changing the actual HTTP request keyword 
is what you want, like when GET, HEAD or POST is not good enough for 
you, CURLOPT_CUSTOMREQUEST is there for you. It is very simple to use: 
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_CUSTOMREQUEST, "MYOWNREQUEST"); 
</p><p class="level1">When using the custom request, you change the 
request keyword of the actual request you are performing. Thus, by 
default you make a GET request but you can also make a POST operation 
(as described before) and then replace the POST keyword if you want to. 
You're the boss. 
</p><p class="level1">
</p><p class="level0"><a name="Modify"></a><span class="nroffip">Modify Headers</span> 
</p><p class="level1">HTTP-like protocols pass a series of headers to 
the server when doing the request, and you're free to pass any amount of
 extra headers that you think fit. Adding headers is this easy: 
</p><p class="level1"></p><pre><p class="level1">&nbsp;struct curl_slist *headers=NULL; /* init to NULL is important */
 </p><p class="level1">&nbsp;headers = curl_slist_append(headers, "Hey-server-hey: how are you?");
 &nbsp;headers = curl_slist_append(headers, "X-silly-content: yes");
 </p><p class="level1">&nbsp;/* pass our list of custom made headers */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTPHEADER, headers);
 </p><p class="level1">&nbsp;curl_easy_perform(easyhandle); /* transfer http */
 </p><p class="level1">&nbsp;curl_slist_free_all(headers); /* free the header list */
 </p></pre>
<p class="level1">
</p><p class="level1">... and if you think some of the internally 
generated headers, such as Accept: or Host: don't contain the data you 
want them to contain, you can replace them by simply setting them too:
</p><p class="level1"></p><pre><p class="level1">&nbsp;headers = curl_slist_append(headers, "Accept: Agent-007");
 &nbsp;headers = curl_slist_append(headers, "Host: munged.host.line");
 </p></pre>
<p class="level1">
</p><p class="level1">
</p><p class="level0"><a name="Delete"></a><span class="nroffip">Delete Headers</span>
</p><p class="level1">If you replace an existing header with one with no
 contents, you will prevent the header from being sent. For instance, if
 you want to completely prevent the "Accept:" header from being sent, 
you can disable it with code similar to this:
</p><p class="level1">&nbsp;headers = curl_slist_append(headers, "Accept:");
</p><p class="level1">Both replacing and canceling internal headers 
should be done with careful consideration and you should be aware that 
you may violate the HTTP protocol when doing so.
</p><p class="level1">
</p><p class="level0"><a name="Enforcing"></a><span class="nroffip">Enforcing chunked transfer-encoding</span>
</p><p class="level1">
</p><p class="level1">By making sure a request uses the custom header 
"Transfer-Encoding: chunked" when doing a non-GET HTTP operation, 
libcurl will switch over to "chunked" upload, even though the size of 
the data to upload might be known. By default, libcurl usually switches 
over to chunked upload automatically if the upload data size is unknown.
</p><p class="level1">
</p><p class="level0"><a name="HTTP"></a><span class="nroffip">HTTP Version</span>
</p><p class="level1">
</p><p class="level1">All HTTP requests includes the version number to 
tell the server which version we support. libcurl speaks HTTP 1.1 by 
default. Some very old servers don't like getting 1.1-requests and when 
dealing with stubborn old things like that, you can tell libcurl to use 
1.0 instead by doing something like this:
</p><p class="level1">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
</p><p class="level1">
</p><p class="level0"><a name="FTP"></a><span class="nroffip">FTP Custom Commands</span>
</p><p class="level1">
</p><p class="level1">Not all protocols are HTTP-like, and thus the 
above may not help you when you want to make, for example, your FTP 
transfers to behave differently.
</p><p class="level1">Sending custom commands to a FTP server means that
 you need to send the commands exactly as the FTP server expects them 
(RFC959 is a good guide here), and you can only use commands that work 
on the control-connection alone. All kinds of commands that require data
 interchange and thus need a data-connection must be left to libcurl's 
own judgement. Also be aware that libcurl will do its very best to 
change directory to the target directory before doing any transfer, so 
if you change directory (with CWD or similar) you might confuse libcurl 
and then it might not attempt to transfer the file in the correct remote
 directory.
</p><p class="level1">A little example that deletes a given file before an operation:
</p><p class="level1"></p><pre><p class="level1">&nbsp;headers = curl_slist_append(headers, "DELE file-to-remove");
 </p><p class="level1">&nbsp;/* pass the list of custom commands to the handle */
 &nbsp;curl_easy_setopt(easyhandle, CURLOPT_QUOTE, headers);
 </p><p class="level1">&nbsp;curl_easy_perform(easyhandle); /* transfer ftp data! */
 </p><p class="level1">&nbsp;curl_slist_free_all(headers); /* free the header list */
 </p></pre>
<p class="level1">
</p><p class="level1">If you would instead want this operation (or chain of operations) to happen _after_ the data transfer took place the option to <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_setopt.html">curl_easy_setopt(3)</a> would instead be called CURLOPT_POSTQUOTE and used the exact same way.
</p><p class="level1">The custom FTP command will be issued to the 
server in the same order they are added to the list, and if a command 
gets an error code returned back from the server, no more commands will 
be issued and libcurl will bail out with an error code 
(CURLE_QUOTE_ERROR). Note that if you use CURLOPT_QUOTE to send commands
 before a transfer, no transfer will actually take place when a quote 
command has failed.
</p><p class="level1">If you set the CURLOPT_HEADER to 1, you will tell 
libcurl to get information about the target file and output "headers" 
about it. The headers will be in "HTTP-style", looking like they do in 
HTTP.
</p><p class="level1">The option to enable headers or to run custom FTP 
commands may be useful to combine with CURLOPT_NOBODY. If this option is
 set, no actual file content transfer will be performed.
</p><p class="level1">
</p><p class="level0"><a name="FTP"></a><span class="nroffip">FTP Custom CUSTOMREQUEST</span>
</p><p class="level1">If you do want to list the contents of a FTP 
directory using your own defined FTP command, CURLOPT_CUSTOMREQUEST will
 do just that. "NLST" is the default one for listing directories but 
you're free to pass in your idea of a good alternative.
</p><p class="level1"><a name="Cookies"></a></p><h2 class="nroffsh">Cookies Without Chocolate Chips</h2>
<p class="level0">In the HTTP sense, a cookie is a name with an 
associated value. A server sends the name and value to the client, and 
expects it to get sent back on every subsequent request to the server 
that matches the particular conditions set. The conditions include that 
the domain name and path match and that the cookie hasn't become too 
old.
</p><p class="level0">In real-world cases, servers send new cookies to 
replace existing ones to update them. Server use cookies to "track" 
users and to keep "sessions".
</p><p class="level0">Cookies are sent from server to clients with the 
header Set-Cookie: and they're sent from clients to servers with the 
Cookie: header.
</p><p class="level0">To just send whatever cookie you want to a server, you can use CURLOPT_COOKIE to set a cookie string like this:
</p><p class="level0">&nbsp;curl_easy_setopt(easyhandle, CURLOPT_COOKIE, "name1=var1; name2=var2;");
</p><p class="level0">In many cases, that is not enough. You might want 
to dynamically save whatever cookies the remote server passes to you, 
and make sure those cookies are then used accordingly on later requests.
</p><p class="level0">One way to do this, is to save all headers you 
receive in a plain file and when you make a request, you tell libcurl to
 read the previous headers to figure out which cookies to use. Set the 
header file to read cookies from with CURLOPT_COOKIEFILE.
</p><p class="level0">The CURLOPT_COOKIEFILE option also automatically 
enables the cookie parser in libcurl. Until the cookie parser is 
enabled, libcurl will not parse or understand incoming cookies and they 
will just be ignored. However, when the parser is enabled the cookies 
will be understood and the cookies will be kept in memory and used 
properly in subsequent requests when the same handle is used. Many times
 this is enough, and you may not have to save the cookies to disk at 
all. Note that the file you specify to CURLOPT_COOKIEFILE doesn't have 
to exist to enable the parser, so a common way to just enable the parser
 and not read any cookies is to use the name of a file you know doesn't 
exist.
</p><p class="level0">If you would rather use existing cookies that 
you've previously received with your Netscape or Mozilla browsers, you 
can make libcurl use that cookie file as input. The CURLOPT_COOKIEFILE 
is used for that too, as libcurl will automatically find out what kind 
of file it is and act accordingly.
</p><p class="level0">Perhaps the most advanced cookie operation libcurl
 offers, is saving the entire internal cookie state back into a 
Netscape/Mozilla formatted cookie file. We call that the cookie-jar. 
When you set a file name with CURLOPT_COOKIEJAR, that file name will be 
created and all received cookies will be stored in it when <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_cleanup.html">curl_easy_cleanup(3)</a> is called. This enables cookies to get passed on properly between multiple handles without any information getting lost.
</p><p class="level0"><a name="FTP"></a></p><h2 class="nroffsh">FTP Peculiarities We Need</h2>
<p class="level0">
</p><p class="level0">FTP transfers use a second TCP/IP connection for 
the data transfer. This is usually a fact you can forget and ignore but 
at times this fact will come back to haunt you. libcurl offers several 
different ways to customize how the second connection is being made.
</p><p class="level0">libcurl can either connect to the server a second 
time or tell the server to connect back to it. The first option is the 
default and it is also what works best for all the people behind 
firewalls, NATs or IP-masquerading setups. libcurl then tells the server
 to open up a new port and wait for a second connection. This is by 
default attempted with EPSV first, and if that doesn't work it tries 
PASV instead. (EPSV is an extension to the original FTP spec and does 
not exist nor work on all FTP servers.)
</p><p class="level0">You can prevent libcurl from first trying the EPSV command by setting CURLOPT_FTP_USE_EPSV to zero.
</p><p class="level0">In some cases, you will prefer to have the server 
connect back to you for the second connection. This might be when the 
server is perhaps behind a firewall or something and only allows 
connections on a single port. libcurl then informs the remote server 
which IP address and port number to connect to. This is made with the 
CURLOPT_FTPPORT option. If you set it to "-", libcurl will use your 
system's "default IP address". If you want to use a particular IP, you 
can set the full IP address, a host name to resolve to an IP address or 
even a local network interface name that libcurl will get the IP address
 from.
</p><p class="level0">When doing the "PORT" approach, libcurl will 
attempt to use the EPRT and the LPRT before trying PORT, as they work 
with more protocols. You can disable this behavior by setting 
CURLOPT_FTP_USE_EPRT to zero.
</p><p class="level0"><a name="Headers"></a></p><h2 class="nroffsh">Headers Equal Fun</h2>
<p class="level0">
</p><p class="level0">Some protocols provide "headers", meta-data 
separated from the normal data. These headers are by default not 
included in the normal data stream, but you can make them appear in the 
data stream by setting CURLOPT_HEADER to 1.
</p><p class="level0">What might be even more useful, is libcurl's 
ability to separate the headers from the data and thus make the 
callbacks differ. You can for example set a different pointer to pass to
 the ordinary write callback by setting CURLOPT_WRITEHEADER.
</p><p class="level0">Or, you can set an entirely separate function to receive the headers, by using CURLOPT_HEADERFUNCTION.
</p><p class="level0">The headers are passed to the callback function 
one by one, and you can depend on that fact. It makes it easier for you 
to add custom header parsers etc.
</p><p class="level0">"Headers" for FTP transfers equal all the FTP 
server responses. They aren't actually true headers, but in this case we
 pretend they are! ;-)
</p><p class="level0"><a name="Post"></a></p><h2 class="nroffsh">Post Transfer Information</h2>
<p class="level0">
</p><p class="level0">&nbsp;[ curl_easy_getinfo ]
</p><p class="level0"><a name="Security"></a></p><h2 class="nroffsh">安全考量Security Considerations</h2>
<p class="level0">
</p><p class="level0">libcurl对安全性有非常严肃的考量。

The libcurl project takes security seriously.  The
 library is written with caution and precautions are taken to mitigate 
many kinds of risks encountered while operating with potentially 
malicious servers on the Internet.  It is a powerful library, however, 
which allows application writers to make trade offs between ease of 
writing and exposure to potential risky operations.  If used the right 
way, you can use libcurl to transfer data pretty safely.
</p><p class="level0">Many applications are used in closed networks 
where users and servers can be trusted, but many others are used on 
arbitrary servers and are fed input from potentially untrusted users.  
Following is a discussion about some risks in the ways in which 
applications commonly use libcurl and potential mitigations of those 
risks. It is by no means comprehensive, but shows classes of attacks 
that robust applications should consider. The Common Weakness 
Enumeration project at <a href="http://cwe.mitre.org/">http://cwe.mitre.org/</a> is a good reference for many of these and similar types of weaknesses of which application writers should be aware.
</p><p class="level0">
</p><p class="level0"><a name="Command"></a><span class="nroffip">Command Lines</span>
</p><p class="level1">如果你使用curl之类的命令行工具，你传递给它的参数可以被系统的其它用户读到，比如用ps命令来列出当前运行的进程。If you use a command line tool (such as curl) that
 uses libcurl, and you give options to the tool on the command line 
those options can very likely get read by other users of your system 
when they use 'ps' or other tools to list currently running processes.
</p><p class="level1">为了避免这个问题，记住，永远不要把敏感信息作为命令行参数传递给程序。可以把它们写到一个受保护的文件里，并用-k选项。
To avoid this problem, never feed sensitive things
 to programs using command line options. Write them to a protected file 
and use the -K option to avoid this.
</p><p class="level1">
</p><p class="level0"><a name="netrc"></a><span class="nroffip">.netrc</span>
</p><p class="level1">.netrc是个很好用的功能，能够让我们快速登录一些常访问的站点，同时也带来安全风险，因为.netrc文件使用明文存放密码。
有些情况下，你的.netrc文件也被存放在一个用NFS挂载的基于网络文件系统的目录下，然后你的密码就会在整个网络中传开了！
.netrc is a pretty handy file/feature that allows 
you to login quickly and automatically to frequently visited sites. The 
file contains passwords in clear text and is a real security risk. In 
some cases, your .netrc is also stored in a home directory that is NFS 
mounted or used on another network based file system, so the clear text 
password will fly through your network every time anyone reads that 
file!
</p><p class="level1">为避免这个问题，不要使用.netrc文件，并且永远不要在任何地方用明文存放密码！To avoid this problem, don't use .netrc files and never store passwords in plain text anywhere.
</p><p class="level1">
</p><p class="level0"><a name="Clear"></a><span class="nroffip">明文密码Clear Text Passwords</span>
</p><p class="level1">许多libcurl支持的协议都支持把账号和密码用明文传输（比如HTTP basic认证，FTP，TELNET等）。
同网络中或者相邻网络中的人可以很轻易的用网络分析工具看到你的密码。
不要被HTTP所谓的base64加密给蒙蔽了，尽管第一眼看上去它不可读，而实际上任何人都能在几秒钟内“解密”。
Many of the protocols libcurl supports send name 
and password unencrypted as clear text (HTTP Basic authentication, FTP, 
TELNET etc). It is very easy for anyone on your network or a network 
nearby yours to just fire up a network analyzer tool and eavesdrop on 
your passwords. Don't let the fact that HTTP Basic uses base64 encoded 
passwords fool you. They may not look readable at a first glance, but 
they very easily "deciphered" by anyone within seconds.
</p><p class="level1">为避免这个问题，使用HTTP认证机制，或者其它不至于让别人用心的人看到你密码的协议。
比如，带摘要算法的HTTP，NTLM或者GSS认证，HTTPS，FTPS，SCP，SFTP，FTP-kerberos等。
To avoid this problem, use HTTP authentication 
methods or other protocols that don't let snoopers see your password: 
HTTP with Digest, NTLM or GSS authentication, HTTPS, FTPS, SCP, SFTP and
 FTP-Kerberos are a few examples.
</p><p class="level1">
</p><p class="level0"><a name="Redirects"></a><span class="nroffip">重定向Redirects</span>
</p><p class="level1">CURLOpT_FOLLOWLOCATION选项会自动跟随服务器的重定向，这些重定向可能指向任何URL，而不只是HTTP。
比如，重定向到file:形式的URL会让libcurl去读某个本地的文件。
如果程序把文件数据返回给用户（一些CGI脚本可能会这么做），那么攻击者可以借此读到一些被禁止的文件，比如file://localhost/etc/passwd。。The CURLOPT_FOLLOWLOCATION option automatically 
follows HTTP redirects sent by a remote server.  These redirects can 
refer to any kind of URL, not just HTTP.  A redirect to a file: URL 
would cause the libcurl to read (or write) arbitrary files from the 
local filesystem.  If the application returns the data back to the user 
(as would happen in some kinds of CGI scripts), an attacker could 
leverage this to read otherwise forbidden data (e.g. 
file://localhost/etc/passwd).
</p><p class="level1">If authentication credentials are stored in the 
~/.netrc file, or Kerberos is in use, any other URL type (not just 
file:) that requires authentication is also at risk.  A redirect such as
 <a href="ftp://some-internal-server/private-file">ftp://some-internal-server/private-file</a> would then return data even when the server is password protected.
</p><p class="level1">In the same way, if an unencrypted SSH private key
 has been configured for the user running the libcurl application, SCP: 
or SFTP: URLs could access password or private-key protected resources, 
e.g. s<a href="ftp://user/">ftp://user</a>@some-internal-server/etc/passwd
</p><p class="level1">The CURLOPT_REDIR_PROTOCOLS and CURLOPT_NETRC options can be used to mitigate against this kind of attack.
</p><p class="level1">A redirect can also specify a location available 
only on the machine running libcurl, including servers hidden behind a 
firewall from the attacker. e.g. <a href="http://127.0.0.1/">http://127.0.0.1/</a> or <a href="http://intranet/delete-stuff.cgi">http://intranet/delete-stuff.cgi</a>?delete=all or t<a href="ftp://bootp-server/pc-config-data">ftp://bootp-server/pc-config-data</a>
</p><p class="level1">Apps can mitigate against this by disabling 
CURLOPT_FOLLOWLOCATION and handling redirects itself, sanitizing URLs as
 necessary. Alternately, an app could leave CURLOPT_FOLLOWLOCATION 
enabled but set CURLOPT_REDIR_PROTOCOLS and install a 
CURLOPT_OPENSOCKETFUNCTION callback function in which addresses are 
sanitized before use.
</p><p class="level1">
</p><p class="level0"><a name="Private"></a><span class="nroffip">Private Resources</span>
</p><p class="level1">A user who can control the DNS server of a domain 
being passed in within a URL can change the address of the host to a 
local, private address which the libcurl application will then use. e.g.
 The innocuous URL <a href="http://fuzzybunnies.example.com/">http://fuzzybunnies.example.com/</a>
 could actually resolve to the IP address of a server behind a firewall,
 such as 127.0.0.1 or 10.1.2.3 Apps can mitigate against this by setting
 a CURLOPT_OPENSOCKETFUNCTION and checking the address before a 
connection.
</p><p class="level1">All the malicious scenarios regarding redirected 
URLs apply just as well to non-redirected URLs, if the user is allowed 
to specify an arbitrary URL that could point to a private resource. For 
example, a web app providing a translation service might happily 
translate file://localhost/etc/passwd and display the result.  Apps can 
mitigate against this with the CURLOPT_PROTOCOLS option as well as by 
similar mitigation techniques for redirections.
</p><p class="level1">A malicious FTP server could in response to the 
PASV command return an IP address and port number for a server local to 
the app running libcurl but behind a firewall.  Apps can mitigate 
against this by using the CURLOPT_FTP_SKIP_PASV_IP option or 
CURLOPT_FTPPORT.
</p><p class="level1">
</p><p class="level0"><a name="Uploads"></a><span class="nroffip">Uploads</span>
</p><p class="level1">When uploading, a redirect can cause a local (or 
remote) file to be overwritten.  Apps must not allow any unsanitized URL
 to be passed in for uploads.  Also, CURLOPT_FOLLOWLOCATION should not 
be used on uploads. Instead, the app should handle redirects itself, 
sanitizing each URL first.
</p><p class="level1">
</p><p class="level0"><a name="Authentication"></a><span class="nroffip">Authentication</span>
</p><p class="level1">Use of CURLOPT_UNRESTRICTED_AUTH could cause 
authentication information to be sent to an unknown second server.  Apps
 can mitigate against this by disabling CURLOPT_FOLLOWLOCATION and 
handling redirects itself, sanitizing where necessary.
</p><p class="level1">Use of the CURLAUTH_ANY option to CURLOPT_HTTPAUTH
 could result in user name and password being sent in clear text to an 
HTTP server.  Instead, use CURLAUTH_ANYSAFE which ensures that the 
password is encrypted over the network, or else fail the request.
</p><p class="level1">Use of the CURLUSESSL_TRY option to 
CURLOPT_USE_SSL could result in user name and password being sent in 
clear text to an FTP server.  Instead, use CURLUSESSL_CONTROL to ensure 
that an encrypted connection is used or else fail the request.
</p><p class="level1">
</p><p class="level0"><a name="Cookies"></a><span class="nroffip">Cookies</span>
</p><p class="level1">If cookies are enabled and cached, then a user 
could craft a URL which performs some malicious action to a site whose 
authentication is already stored in a cookie. e.g. <a href="http://mail.example.com/delete-stuff.cgi">http://mail.example.com/delete-stuff.cgi</a>?delete=all Apps can mitigate against this by disabling cookies or clearing them between requests.
</p><p class="level1">
</p><p class="level0"><a name="Dangerous"></a><span class="nroffip">Dangerous URLs</span>
</p><p class="level1">SCP URLs can contain raw commands within the scp: 
URL, which is a side effect of how the SCP protocol is designed. e.g. 
scp://user:pass@host/a;date &gt;/tmp/test; Apps must not allow 
unsanitized SCP: URLs to be passed in for downloads.
</p><p class="level1">
</p><p class="level0"><a name="Denial"></a><span class="nroffip">Denial of Service</span>
</p><p class="level1">A malicious server could cause libcurl to 
effectively hang by sending a trickle of data through, or even no data 
at all but just keeping the TCP connection open.  This could result in a
 denial-of-service attack. The CURLOPT_TIMEOUT and/or 
CURLOPT_LOW_SPEED_LIMIT options can be used to mitigate against this.
</p><p class="level1">A malicious server could cause libcurl to 
effectively hang by starting to send data, then severing the connection 
without cleanly closing the TCP connection.  The app could install a 
CURLOPT_SOCKOPTFUNCTION callback function and set the TCP SO_KEEPALIVE 
option to mitigate against this. Setting one of the timeout options 
would also work against this attack.
</p><p class="level1">A malicious server could cause libcurl to download
 an infinite amount of data, potentially causing all of memory or disk 
to be filled. Setting the CURLOPT_MAXFILESIZE_LARGE option is not 
sufficient to guard against this. Instead, the app should monitor the 
amount of data received within the write or progress callback and abort 
once the limit is reached.
</p><p class="level1">A malicious HTTP server could cause an infinite 
redirection loop, causing a denial-of-service. This can be mitigated by 
using the CURLOPT_MAXREDIRS option.
</p><p class="level1">
</p><p class="level0"><a name="Arbitrary"></a><span class="nroffip">Arbitrary Headers</span>
</p><p class="level1">User-supplied data must be sanitized when used in 
options like CURLOPT_USERAGENT, CURLOPT_HTTPHEADER, CURLOPT_POSTFIELDS 
and others that are used to generate structured data. Characters like 
embedded carriage returns or ampersands could allow the user to create 
additional headers or fields that could cause malicious transactions.
</p><p class="level1">
</p><p class="level0"><a name="Server-supplied"></a><span class="nroffip">Server-supplied Names</span>
</p><p class="level1">A server can supply data which the application 
may, in some cases, use as a file name. The curl command-line tool does 
this with --remote-header-name, using the Content-disposition: header to
 generate a file name.  An application could also use 
CURLINFO_EFFECTIVE_URL to generate a file name from a server-supplied 
redirect URL. Special care must be taken to sanitize such names to avoid
 the possibility of a malicious server supplying one like "/etc/passwd",
 "autoexec.bat" or even ".bashrc".
</p><p class="level1">
</p><p class="level0"><a name="Server"></a><span class="nroffip">Server Certificates</span>
</p><p class="level1">A secure application should never use the 
CURLOPT_SSL_VERIFYPEER option to disable certificate validation. There 
are numerous attacks that are enabled by apps that fail to properly 
validate server TLS/SSL certificates, thus enabling a malicious server 
to spoof a legitimate one. HTTPS without validated certificates is 
potentially as insecure as a plain HTTP connection.
</p><p class="level1">
</p><p class="level0"><a name="Showing"></a><span class="nroffip">Showing What You Do</span>
</p><p class="level1">On a related issue, be aware that even in 
situations like when you have problems with libcurl and ask someone for 
help, everything you reveal in order to get best possible help might 
also impose certain security related risks. Host names, user names, 
paths, operating system specifics, etc (not to mention passwords of 
course) may in fact be used by intruders to gain additional information 
of a potential target.
</p><p class="level1">To avoid this problem, you must of course use your
 common sense. Often, you can just edit out the sensitive data or just 
search/replace your true information with faked data.
</p><p class="level1"><a name="Multiple"></a></p><h2 class="nroffsh">Multiple Transfers Using the multi Interface</h2>
<p class="level0">
</p><p class="level0">The easy interface as described in detail in this 
document is a synchronous interface that transfers one file at a time 
and doesn't return until it is done.
</p><p class="level0">The multi interface, on the other hand, allows 
your program to transfer multiple files in both directions at the same 
time, without forcing you to use multiple threads.  The name might make 
it seem that the multi interface is for multi-threaded programs, but the
 truth is almost the reverse.  The multi interface can allow a 
single-threaded application to perform the same kinds of multiple, 
simultaneous transfers that multi-threaded programs can perform.  It 
allows many of the benefits of multi-threaded transfers without the 
complexity of managing and synchronizing many threads.
</p><p class="level0">To use this interface, you are better off if you 
first understand the basics of how to use the easy interface. The multi 
interface is simply a way to make multiple transfers at the same time by
 adding up multiple easy handles into a "multi stack".
</p><p class="level0">You create the easy handles you want and you set 
all the options just like you have been told above, and then you create a
 multi handle with <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_init.html">curl_multi_init(3)</a> and add all those easy handles to that multi handle with <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_add_handle.html">curl_multi_add_handle(3)</a>.
</p><p class="level0">When you've added the handles you have for the 
moment (you can still add new ones at any time), you start the transfers
 by calling <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_perform.html">curl_multi_perform(3)</a>.
</p><p class="level0"><a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_perform.html">curl_multi_perform(3)</a>
 is asynchronous. It will only execute as little as possible and then 
return back control to your program. It is designed to never block. If 
it returns CURLM_CALL_MULTI_PERFORM you better call it again soon, as 
that is a signal that it still has local data to send or remote data to 
receive.
</p><p class="level0">The best usage of this interface is when you do a 
select() on all possible file descriptors or sockets to know when to 
call libcurl again. This also makes it easy for you to wait and respond 
to actions on your own application's sockets/handles. You figure out 
what to select() for by using <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_fdset.html">curl_multi_fdset(3)</a>, that fills in a set of fd_set variables for you with the particular file descriptors libcurl uses for the moment.
</p><p class="level0">When you then call select(), it'll return when one of the file handles signal action and you then call <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_perform.html">curl_multi_perform(3)</a>
 to allow libcurl to do what it wants to do. Take note that libcurl does
 also feature some time-out code so we advise you to never use very long
 timeouts on select() before you call <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_perform.html">curl_multi_perform(3)</a>,
 which thus should be called unconditionally every now and then even if 
none of its file descriptors have signaled ready. Another precaution you
 should use: always call <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_fdset.html">curl_multi_fdset(3)</a> immediately before the select() call since the current set of file descriptors may change when calling a curl function.
</p><p class="level0">If you want to stop the transfer of one of the easy handles in the stack, you can use <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_remove_handle.html">curl_multi_remove_handle(3)</a> to remove individual easy handles. Remember that easy handles should be <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_cleanup.html">curl_easy_cleanup(3)</a>ed.
</p><p class="level0">When a transfer within the multi stack has finished, the counter of running transfers (as filled in by <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_perform.html">curl_multi_perform(3)</a>) will decrease. When the number reaches zero, all transfers are done.
</p><p class="level0"><a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_multi_info_read.html">curl_multi_info_read(3)</a>
 can be used to get information about completed transfers. It then 
returns the CURLcode for each easy transfer, to allow you to figure out 
success on each individual transfer.
</p><p class="level0"><a name="SSL"></a></p><h2 class="nroffsh">SSL, Certificates and Other Tricks</h2>
<p class="level0">
</p><p class="level0">&nbsp;[ seeding, passwords, keys, certificates, ENGINE, ca certs ]
</p><p class="level0"><a name="Sharing"></a></p><h2 class="nroffsh">Sharing Data Between Easy Handles</h2>
<p class="level0">
</p><p class="level0">&nbsp;[ fill in ]
</p><p class="level0"><a name="Footnotes"></a></p><h2 class="nroffsh">Footnotes</h2>
<p class="level0">
</p><p class="level0">
</p><p class="level0"><a name="1"></a><span class="nroffip">[1]</span>
</p><p class="level1">libcurl 7.10.3 and later have the ability to 
switch over to chunked Transfer-Encoding in cases where HTTP uploads are
 done with data of an unknown size.
</p><p class="level0"><a name="2"></a><span class="nroffip">[2]</span>
</p><p class="level1">This happens on Windows machines when libcurl is 
built and used as a DLL. However, you can still do this on Windows if 
you link with a static library.
</p><p class="level0"><a name="3"></a><span class="nroffip">[3]</span>
</p><p class="level1">The curl-config tool is generated at build-time 
(on UNIX-like systems) and should be installed with the 'make install' 
or similar instruction that installs the library, header files, man 
pages etc.
</p><p class="level0"><a name="4"></a><span class="nroffip">[4]</span>
</p><p class="level1">This behavior was different in versions before 7.17.0, where strings had to remain valid past the end of the <a class="emphasis" href="http://curl.haxx.se/libcurl/c/curl_easy_setopt.html">curl_easy_setopt(3)</a> call. </p><p class="roffit">
 This HTML page was made with <a href="http://daniel.haxx.se/projects/roffit/">roffit</a>.
</p></td></tr></tbody></table>


</body></html>