5 \___|\___/|_| \_\_____|
9 Version 7.62.0 (30 Oct 2018)
11 Daniel Stenberg (30 Oct 2018)
12 - RELEASE-NOTES: 7.62.0
14 - THANKS: 7.62.0 status
16 Daniel Gustafsson (30 Oct 2018)
17 - vtls: add MesaLink to curl_sslbackend enum
19 MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the
20 backend was never added to the curl_sslbackend enum in curl/curl.h.
21 This adds the new backend to the enum and updates the relevant docs.
24 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
26 Daniel Stenberg (30 Oct 2018)
27 - [Ruslan Baratov brought this change]
29 cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable
33 - test2080: verify the fix for CVE-2018-16842
35 - voutf: fix bad arethmetic when outputting warnings to stderr
38 Reported-by: Brian Carpenter
39 Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
41 - [Tuomo Rinne brought this change]
43 cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in
47 - [Tuomo Rinne brought this change]
49 cmake: add find_dependency call for ZLIB to CMake config file
51 - [Tuomo Rinne brought this change]
53 cmake: add support for transitive ZLIB target
55 - unit1650: fix "null pointer passed as argument 1 to memcmp"
57 Detected by UndefinedBehaviorSanitizer
61 - travis: add a "make tidy" build that runs clang-tidy
65 - unit1300: fix stack-use-after-scope AddressSanitizer warning
69 - Curl_auth_create_plain_message: fix too-large-input-check
72 Reported-by: Harry Sintonen
73 Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
75 - Curl_close: clear data->multi_easy on free to avoid use-after-free
77 Regression from b46cfbc068 (7.59.0)
79 Reported-by: Brian Carpenter (Geeknik Labs)
81 Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
83 - [randomswdev brought this change]
85 system.h: use proper setting with Sun C++ as well
87 system.h selects the proper Sun settings when __SUNPRO_C is defined. The
88 Sun compiler does not define it when compiling C++ files. I'm adding a
89 check also on __SUNPRO_CC to allow curl to work properly also when used
90 in a C++ project on Sun Solaris.
94 - rand: add comment to skip a clang-tidy false positive
96 - test1651: unit test Curl_extract_certinfo()
98 The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.
100 - x509asn1: always check return code from getASN1Element()
102 - Makefile: add 'tidy' target that runs clang-tidy
104 Available in the root, src and lib dirs.
108 - RELEASE-PROCEDURE: adjust the release dates
110 See: https://curl.haxx.se/mail/lib-2018-10/0107.html
112 Patrick Monnerat (27 Oct 2018)
113 - x509asn1: suppress left shift on signed value
115 Use an unsigned variable: as the signed operation behavior is undefined,
116 this change silents clang-tidy about it.
118 Ref: https://github.com/curl/curl/pull/3163
119 Reported-By: Daniel Stenberg
121 Michael Kaufmann (27 Oct 2018)
122 - multi: Fix error handling in the SENDPROTOCONNECT state
124 If Curl_protocol_connect() returns an error code,
125 handle the error instead of switching to the next state.
129 Daniel Stenberg (27 Oct 2018)
130 - RELEASE-NOTES: synced
132 - openssl: output the correct cipher list on TLS 1.3 error
134 When failing to set the 1.3 cipher suite, the wrong string pointer would
135 be used in the error message. Most often saying "(nil)".
137 Reported-by: Ricky-Tigg on github
141 - docs/CIPHERS: fix the TLS 1.3 cipher names
143 ... picked straight from the OpenSSL man page:
144 https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
146 Reported-by: Ricky-Tigg on github
149 Marcel Raad (27 Oct 2018)
150 - travis: install gnutls-bin package
152 This is required for gnutls-serv, which enables a few more tests.
154 Closes https://github.com/curl/curl/pull/2958
156 Daniel Gustafsson (26 Oct 2018)
157 - ssh: free the session on init failures
159 Ensure to clear the session object in case the libssh2 initialization
162 It could be argued that the libssh2 error function should be called to
163 get a proper error message in this case. But since the only error path
164 in libssh2_knownhost_init() is memory a allocation failure it's safest
165 to avoid since the libssh2 error handling allocates memory.
168 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
170 Daniel Stenberg (26 Oct 2018)
171 - docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date
173 ... I'm moving it up one week due to travels. The rest stays.
175 - [Daniel Gustafsson brought this change]
177 openssl: make 'done' a proper boolean
181 - gtls: Values stored to but never read
183 Detected by clang-tidy
187 - [Alexey Eremikhin brought this change]
189 curl.1: --ipv6 mutexes ipv4 (fixed typo)
194 - tool_main: make TerminalSettings static
196 Reported-by: Gisle Vanem
197 Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819
200 - curl-config.in: remove dependency on bc
202 Reported-by: Dima Pasechnik
206 - [Gisle Vanem brought this change]
208 rtmp: fix for compiling with lwIP
210 Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
211 curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt'
212 setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
214 curl_rtmp.c(41,32): note: expanded from macro 'setsockopt'
215 #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
219 - configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
221 Follow-up to #3166 which did the cmake part of this. This type/define is
226 - [Ruslan Baratov brought this change]
228 cmake: remove unused variables
232 * CURL_SIZEOF_CURL_SOCKLEN_T
233 * CURL_TYPEOF_CURL_SOCKLEN_T
237 Michael Kaufmann (25 Oct 2018)
238 - urldata: Fix comment in header
240 The "connecting" function is used by multiple protocols, not only FTP
242 - netrc: free temporary strings if memory allocation fails
244 - Change the inout parameters after all needed memory has been
245 allocated. Do not change them if something goes wrong.
246 - Free the allocated temporary strings if strdup() fails.
250 Daniel Stenberg (24 Oct 2018)
251 - [Ruslan Baratov brought this change]
253 config: Remove unused SIZEOF_VOIDP
257 - RELEASE-NOTES: synced
260 - [Gisle Vanem brought this change]
262 Fix for compiling with lwIP (3)
264 lwIP on Windows does not have a WSAIoctl() function.
265 But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
267 Daniel Stenberg (23 Oct 2018)
268 - Curl_follow: return better errors on URL problems
270 ... by making the converter function global and accessible.
274 - Curl_follow: remove remaining free(newurl)
276 Follow-up to 05564e750e8f0c. This function no longer frees the passed-in
279 Reported-by: Michael Kaufmann
280 Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm
283 Daniel Gustafsson (23 Oct 2018)
284 - headers: end all headers with guard comment
286 Most headerfiles end with a /* <headerguard> */ comment, but it was
287 missing from some. The comment isn't the most important part of our
288 code documentation but consistency has an intrinsic value in itself.
289 This adds header guard comments to the files that were lacking it.
292 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
293 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
295 Jay Satiro (23 Oct 2018)
296 - CIPHERS.md: Mention the options used to set TLS 1.3 ciphers
298 Closes https://github.com/curl/curl/pull/3159
300 Daniel Stenberg (20 Oct 2018)
301 - docs/BUG-BOUNTY: the sponsors actually decide the amount
303 Retract the previous approach as the sponsors will be the ones to set the
309 - multi: avoid double-free
311 Curl_follow() no longer frees the string. Make sure it happens in the
312 caller function, like we normally handle allocations.
314 This bug was introduced with the use of the URL API internally, it has
315 never been in a release version
317 Reported-by: Dario Weißer
320 - multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
322 Otherwise, closing that handle can still cause surprises!
324 Reported-by: Martin Ankerl
328 Marcel Raad (19 Oct 2018)
329 - VS projects: add USE_IPV6
331 The Visual Studio builds didn't use IPv6. Add it to all projects since
332 Visual Studio 2008, which is verified to build via AppVeyor.
334 Closes https://github.com/curl/curl/pull/3137
336 - config_win32: enable LDAPS
338 As done in the autotools and CMake builds by default.
340 Closes https://github.com/curl/curl/pull/3137
342 Daniel Stenberg (18 Oct 2018)
343 - travis: add build for "configure --disable-verbose"
347 Kamil Dudka (17 Oct 2018)
348 - tool_cb_hdr: handle failure of rename()
350 Detected by Coverity.
353 Reviewed-by: Jay Satiro
355 Daniel Stenberg (17 Oct 2018)
356 - RELEASE-NOTES: synced
358 - docs/SECURITY-PROCESS: the hackerone IBB program drops curl
360 ... now there's only BountyGraph.
362 Jay Satiro (16 Oct 2018)
363 - [Matthew Whitehead brought this change]
365 x509asn1: Fix SAN IP address verification
367 For IP addresses in the subject alternative name field, the length
368 of the IP address (and hence the number of bytes to perform a
369 memcmp on) is incorrectly calculated to be zero. The code previously
370 subtracted q from name.end. where in a successful case q = name.end
371 and therefore addrlen equalled 0. The change modifies the code to
372 subtract name.beg from name.end to calculate the length correctly.
374 The issue only affects libcurl with GSKit SSL, not other SSL backends.
375 The issue is not a security issue as IP verification would always fail.
380 Daniel Gustafsson (15 Oct 2018)
381 - INSTALL: mention mesalink in TLS section
383 Commit 57348eb97d1b8fc3742e02c6587d2d02ff592da5 added support for the
384 MesaLink vtls backend, but missed updating the TLS section containing
385 supported backends in the docs.
388 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
390 Marcel Raad (14 Oct 2018)
391 - nonblock: fix unused parameter warning
393 If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
396 Michael Kaufmann (13 Oct 2018)
397 - Curl_follow: Always free the passed new URL
401 Viktor Szakats (12 Oct 2018)
402 - replace rawgit links [ci skip]
404 Ref: https://rawgit.com/ "RawGit has reached the end of its useful life"
405 Ref: https://news.ycombinator.com/item?id=18202481
406 Closes https://github.com/curl/curl/pull/3131
408 Daniel Stenberg (12 Oct 2018)
409 - docs/BUG-BOUNTY.md: for vulns published since Aug 1st 2018
413 - travis: make distcheck scan for BOM markers
415 and remove BOM from projects/wolfssl_override.props
419 Marcel Raad (11 Oct 2018)
422 Accidentally aded in commit 1bb86057ff07083deeb0b00f8ad35879ec4d03ea.
424 Reported-by: Viktor Szakats
425 Ref: https://github.com/curl/curl/pull/3120#issuecomment-428673136
427 Daniel Gustafsson (10 Oct 2018)
428 - transfer: fix typo in comment
430 Michael Kaufmann (10 Oct 2018)
431 - docs: add "see also" links for SSL options
433 - link TLS 1.2 and TLS 1.3 options
434 - link proxy and non-proxy options
438 Marcel Raad (10 Oct 2018)
439 - AppVeyor: remove BDIR variable that sneaked in again
441 Removed in ae762e1abebe3a5fe75658583c85059a0957ef6e, accidentally added
442 again in 9f3be5672dc4dda30ab43e0152e13d714a84d762.
444 - CMake: disable -Wpedantic-ms-format
446 As done in the autotools build. This is required for MinGW, which
447 supports only %I64 for printing 64-bit values, but warns about it.
449 Closes https://github.com/curl/curl/pull/3120
451 Viktor Szakats (9 Oct 2018)
452 - ldap: show precise LDAP call in error message on Windows
454 Also add a unique but common text ('bind via') to make it
455 easy to grep this specific failure regardless of platform.
457 Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
458 Closes https://github.com/curl/curl/pull/3118
459 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
460 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
462 Daniel Stenberg (9 Oct 2018)
463 - docs/DEPRECATE: minor reformat to render nicer on web
465 Daniel Gustafsson (9 Oct 2018)
466 - CURLOPT_SSL_VERIFYSTATUS: Fix typo
468 Changes s/OSCP/OCSP/ and bumps the copyright year due to the change.
470 Marcel Raad (9 Oct 2018)
471 - curl_setup: define NOGDI on Windows
473 This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
476 Closes https://github.com/curl/curl/pull/3113
478 - Windows: fixes for MinGW targeting Windows Vista
480 Classic MinGW has neither InitializeCriticalSectionEx nor
481 GetTickCount64, independent of the target Windows version.
483 Closes https://github.com/curl/curl/pull/3113
485 Daniel Stenberg (8 Oct 2018)
486 - TODO: fixed 'API for URL parsing/splitting'
488 Daniel Gustafsson (8 Oct 2018)
489 - KNOWN_BUGS: Fix various typos
492 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
494 Viktor Szakats (8 Oct 2018)
495 - spelling fixes [ci skip]
497 as detected by codespell 1.14.0
499 Closes https://github.com/curl/curl/pull/3114
500 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
502 Daniel Stenberg (8 Oct 2018)
503 - RELEASE-NOTES: synced
505 - curl_ntlm_wb: check aprintf() return codes
507 ... when they return NULL we're out of memory and MUST return failure.
511 - docs/BUG-BOUNTY: proposed additional docs
513 Bug bounty explainer. See https://bountygraph.com/programs/curl
517 - [Rick Deist brought this change]
519 hostip: fix check on Curl_shuffle_addr return value
523 - FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
525 Now FILE transfers send headers to the header callback like HTTP and
526 other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
527 work for FILE in the callbacks.
529 Makes "curl -i file://.." and "curl -I file://.." work like before
530 again. Applied the bold header logic to them too.
532 Regression from c1c2762 (7.61.0)
534 Reported-by: Shaun Jackman
538 Daniel Gustafsson (7 Oct 2018)
539 - gskit: make sure to terminate version string
541 In case a very small buffer was passed to the version function, it could
542 result in the buffer not being NULL-terminated since strncpy() doesn't
543 guarantee a terminator on an overflowed buffer. Rather than adding code
544 to terminate (and handle zero-sized buffers), move to using snprintf()
545 instead like all the other vtls backends.
548 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
549 Reviewed-by: Viktor Szakats <commit@vszakats.net>
551 - TODO: add LD_PRELOAD support on macOS
553 Add DYLD_INSERT_LIBRARIES support to the TODO list. Reported in #2394.
555 - runtests: skip ld_preload tests on macOS
557 The LD_PRELOAD functionality doesn't exist on macOS, so skip any tests
562 Reported-by: Github user @jakirkham
563 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
565 Marcel Raad (7 Oct 2018)
566 - AppVeyor: use Debug builds to run tests
568 This enables more tests.
570 Closes https://github.com/curl/curl/pull/3104
572 - AppVeyor: add HTTP_ONLY build
574 Closes https://github.com/curl/curl/pull/3104
576 - AppVeyor: add WinSSL builds
578 Use the oldest and latest Windows SDKs for them.
579 Also, remove all but one OpenSSL build.
581 Closes https://github.com/curl/curl/pull/3104
583 - AppVeyor: add remaining Visual Studio versions
585 This adds Visual Studio 9 and 10 builds.
586 There's no 64-bit VC9 compiler on AppVeyor, so use it as the Win32
587 build. Also, VC9 cannot be used for running the test suite.
589 Closes https://github.com/curl/curl/pull/3104
591 - AppVeyor: break long line
593 Closes https://github.com/curl/curl/pull/3104
595 - AppVeyor: remove unused BDIR variable
597 Closes https://github.com/curl/curl/pull/3104
599 Daniel Stenberg (6 Oct 2018)
600 - test2100: test DoH using IPv4-only
602 To make it only send one DoH request and avoid the race condition that
603 could lead to the requests getting sent in reversed order and thus
604 making it hard to compare in the test case.
609 - tests/FILEFORMAT: mention how to use <fileN> and <stripfileN> too
613 - RELEASE-NOTES: synced
615 - [Dmitry Kostjuchenko brought this change]
617 timeval: fix use of weak symbol clock_gettime() on Apple platforms
621 - doh: keep the IPv4 address in (original) network byte order
623 Ideally this will fix the reversed order shown in SPARC tests:
625 resp 8: Expected 127.0.0.1 got 1.0.0.127
629 Jay Satiro (5 Oct 2018)
630 - INTERNALS.md: wrap lines longer than 79
632 Daniel Gustafsson (5 Oct 2018)
633 - INTERNALS: escape reference to parameter
635 The parameter reference <string> was causing rendering issues in the
636 generated HTML page, as <string> isn't a valid HTML tag. Fix by back-
640 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
641 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
643 - checksrc: handle zero scoped ignore commands
645 If a !checksrc! disable command specified to ignore zero errors, it was
646 still added to the ignore block even though nothing was ignored. While
647 there were no blocks ignored that shouldn't be ignored, the processing
648 ended with with a warning:
650 <filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
651 /* !checksrc! disable LONGLINE 0 */
653 Fix by instead treating a zero ignore as a a badcommand and throw a
654 warning for that one.
657 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
659 - checksrc: enable strict mode and warnings
661 Enable strict and warnings mode for checksrc to ensure we aren't missing
662 anything due to bugs in the checking code. This uncovered a few things
663 which are all fixed in this commit:
665 * several variables were used uninitialized
666 * several variables were not defined in the correct scope
667 * the whitelist filehandle was read even if the file didn't exist
668 * the enable_warn() call when a disable counter had expired was passing
669 incorrect variables, but since the checkwarn() call is unlikely to hit
670 (the counter is only decremented to zero on actual ignores) it didn't
674 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
675 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
677 Marcel Raad (5 Oct 2018)
678 - CMake: suppress MSVC warning C4127 for libtest
680 It's issued by older Windows SDKs (prior to version 8.0).
682 Sergei Nikulov (5 Oct 2018)
683 - Merge branch 'dmitrykos-fix_missing_CMake_defines'
685 - [Dmitry Kostjuchenko brought this change]
687 cmake: test and set missed defines during configuration
689 Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.
693 Marcel Raad (5 Oct 2018)
694 - AppVeyor: disable test 500
696 It almost always results in
697 "starttransfer vs total: 0.000001 0.000000".
698 I cannot reproduce this locally, so disable it for now.
700 Closes https://github.com/curl/curl/pull/3100
702 - AppVeyor: set custom install prefix
704 CMake's default has spaces and in 32-bit mode parentheses, which result
705 in syntax errors in curl-config.
707 Closes https://github.com/curl/curl/pull/3100
709 - AppVeyor: Remove non-SSL non-test builds
711 They don't add much value.
713 Closes https://github.com/curl/curl/pull/3100
715 - AppVeyor: run test suite
717 Use the preinstalled MSYS2 bash for that.
718 Disable test 1139 as the CMake build doesn't generate curl.1.
720 Ref: https://github.com/curl/curl/issues/3070#issuecomment-425922224
721 Closes https://github.com/curl/curl/pull/3100
723 - AppVeyor: use in-tree build
725 Required to run the tests.
727 Closes https://github.com/curl/curl/pull/3100
729 Daniel Stenberg (4 Oct 2018)
730 - doh: make sure TTL isn't re-inited by second (discarded?) response
734 - test320: strip out more HTML when comparing
736 To make the test case work with different gnutls-serv versions better.
738 Reported-by: Kamil Dudka
742 Marcel Raad (4 Oct 2018)
743 - runtests: use Windows paths for Windows curl
745 curl generated by CMake's Visual Studio generator has "Windows" in the
748 Daniel Stenberg (4 Oct 2018)
749 - [Colin Hogben brought this change]
751 tests/negtelnetserver.py: fix Python2-ism in neg TELNET server
753 Fix problems caused by differences in treatment of bytes objects between
759 Daniel Gustafsson (3 Oct 2018)
760 - memory: ensure to check allocation results
762 The result of a memory allocation should always be checked, as we may
763 run under memory pressure where even a small allocation can fail. This
764 adds checking and error handling to a few cases where the allocation
765 wasn't checked for success. In the ftp case, the freeing of the path
766 variable is moved ahead of the allocation since there is little point
767 in keeping it around across the strdup, and the separation makes for
768 more readable code. In nwlib, the lock is aslo freed in the error path.
770 Also bumps the copyright years on affected files.
773 Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
774 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
776 - comment: Fix multiple typos in function parameters
778 Ensure that the parameters in the comment match the actual names in the
782 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
784 - CURLOPT_SSLVERSION.3: fix typos and consistent spelling
786 Use TLS vX.Y throughout the document, instead of TLS X.Y, as that was
787 already done in all but a few cases. Also fix a few typos.
790 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
791 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
793 - SECURITY-PROCESS: make links into hyperlinks
795 Use proper Markdown hyperlink format for the Bountygraph links in order
796 for the generated website page to be more user friendly. Also link to
797 the sponsors to give them a little extra credit.
800 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
802 Jay Satiro (3 Oct 2018)
803 - CURLOPT_HEADER.3: fix typo
805 - nss: fix nssckbi module loading on Windows
807 - Use .DLL extension instead of .so to load modules on Windows.
809 Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
810 Reported-by: Maxime Legros
812 Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442
814 Closes https://github.com/curl/curl/pull/3086
816 - data-binary.d: clarify default content-type is x-www-form-urlencoded
818 - Advise user that --data-binary sends a default content type of
819 x-www-form-urlencoded, and to have the data treated as arbitrary
820 binary data by the server set the content-type header to octet-stream.
822 Ref: https://github.com/curl/curl/pull/2852#issuecomment-426465094
824 Closes https://github.com/curl/curl/pull/3085
826 Marcel Raad (2 Oct 2018)
827 - test1299: use single quotes around asterisk
829 Ref: https://github.com/curl/curl/issues/1751#issuecomment-321522580
831 Daniel Stenberg (2 Oct 2018)
832 - docs/CIPHERS: mention the colon separation for OpenSSL
836 - runtests: ignore disabled even when ranges are given
838 runtests.pl support running a range of tests, like "44 to 127". Starting
839 now, the code makes sure that even such given ranges will ignore tests
840 that are marked as disabled.
842 Disabled tests can still be run by explictly specifying that test
847 - urlapi: starting with a drive letter on win32 is not an abs url
849 ... and libcurl doesn't support any single-letter URL schemes (if there
850 even exist any) so it should be fairly risk-free.
852 Reported-by: Marcel Raad
857 Marcel Raad (2 Oct 2018)
858 - doh: fix curl_easy_setopt argument type
860 CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
863 Daniel Stenberg (2 Oct 2018)
864 - RELEASE-NOTES: synced
866 Jay Satiro (1 Oct 2018)
867 - [Ruslan Baratov brought this change]
869 CMake: Improve config installation
871 Use 'GNUInstallDirs' standard module to set destinations of installed
874 Use uppercase "CURL" names instead of lowercase "curl" to match standard
875 'FindCURL.cmake' CMake module:
876 * https://cmake.org/cmake/help/latest/module/FindCURL.html
879 * Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
880 * User should call 'find_package(CURL)' instead of 'find_package(curl)'
882 Use 'configure_package_config_file' function to generate
883 'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
884 file smaller and handle components better. E.g. current configuration
885 report no error if user specified unknown components (note: new
886 configuration expects no components, report error if user will try to
889 Closes https://github.com/curl/curl/pull/2849
891 Daniel Stenberg (1 Oct 2018)
892 - test1650: make it depend on http/2
894 Follow-up to 570008c99da0ccbb as it gets link errors.
896 Reported-by: Michael Kaufmann
899 - [Nate Prewitt brought this change]
901 MANUAL: minor grammar fix
903 Noticed a typo reading through the docs.
907 - doh: only build if h2 enabled
909 The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
910 of HTTP for use with DoH".
912 Reported-by: Marcel Raad
915 - test2100: require http2 to run
917 Reported-by: Marcel Raad
921 - multi: fix memory leak in content encoding related error path
923 ... a missing multi_done() call.
926 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
929 - travis: bump the Secure Transport build to use xcode 10
931 Due to an issue with travis
932 (https://github.com/travis-ci/travis-ci/issues/9956) we've been using
933 Xcode 9.2 for darwinssl builds for a while. Now xcode 10 is offered as
934 an alternative and as it builds curl+darwinssl fine that seems like a
939 - [Rich Turner brought this change]
941 curl: enabled Windows VT Support and UTF-8 output
943 Enabled Console VT support (if running OS supports VT) in tool_main.c.
948 - multi: fix location URL memleak in error path
950 Follow-up to #3044 - fix a leak OSS-Fuzz detected
953 Sergei Nikulov (28 Sep 2018)
954 - cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...)
956 - [Brad King brought this change]
958 cmake: Backport to work with CMake 3.0 again
960 Changes in commit 7867aaa9a0 (cmake: link curl to the OpenSSL targets
961 instead of lib absolute paths, 2018-07-17) and commit f826b4ce98 (cmake:
962 bumped minimum version to 3.4, 2018-07-19) required CMake 3.4 to fix
963 issue #2746. This broke support for users on older versions of CMake
964 even if they just want to build curl and do not care whether transitive
967 Backport the logic to work with CMake 3.0 again by implementing the
968 fix only when the version of CMake is at least 3.4.
970 Marcel Raad (27 Sep 2018)
971 - curl_threads: fix classic MinGW compile break
973 Classic MinGW still has _beginthreadex's return type as unsigned long
974 instead of uintptr_t [0]. uintptr_t is not even defined because of [1].
976 [0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
977 [1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90
979 Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
980 Closes https://github.com/curl/curl/pull/3051
982 Daniel Stenberg (26 Sep 2018)
983 - configure: s/AC_RUN_IFELSE/CURL_RUN_IFELSE
990 - [Doron Behar brought this change]
992 example/htmltidy: fix include paths of tidy libraries
996 - RELEASE-NOTES: synced
998 - Curl_http2_done: fix memleak in error path
1000 Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
1003 Detected by OSS-Fuzz
1005 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
1008 - http: fix memleak in rewind error path
1010 If the rewind would fail, a strdup() would not get freed.
1012 Detected by OSS-Fuzz
1014 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
1017 Viktor Szakats (24 Sep 2018)
1018 - test320: fix regression in [ci skip]
1020 The value in question is coming directly from `gnutls-serv`, so it cannot
1023 Reported-by: Marcel Raad
1024 Ref: https://github.com/curl/curl/commit/6ae6b2a533e8630afbb21f570305bd4ceece6348#commitcomment-30621004
1026 Daniel Stenberg (24 Sep 2018)
1027 - Curl_retry_request: fix memory leak
1029 Detected by OSS-Fuzz
1031 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
1034 - openssl: load built-in engines too
1036 Regression since 38203f1
1038 Reported-by: Jean Fabrice
1042 - [Christian Heimes brought this change]
1044 OpenSSL: enable TLS 1.3 post-handshake auth
1046 OpenSSL 1.1.1 requires clients to opt-in for post-handshake
1049 Fixes: https://github.com/curl/curl/issues/3026
1050 Signed-off-by: Christian Heimes <christian@python.org>
1052 Closes https://github.com/curl/curl/pull/3027
1054 - [Even Rouault brought this change]
1056 Curl_dedotdotify(): always nul terminate returned string.
1058 This fixes potential out-of-buffer access on "file:./" URL
1060 $ valgrind curl "file:./"
1061 ==24516== Memcheck, a memory error detector
1062 ==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
1063 ==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
1064 ==24516== Command: /home/even/install-curl-git/bin/curl file:./
1066 ==24516== Conditional jump or move depends on uninitialised value(s)
1067 ==24516== at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
1068 ==24516== by 0x4EBB315: seturl (urlapi.c:801)
1069 ==24516== by 0x4EBB568: parseurl (urlapi.c:861)
1070 ==24516== by 0x4EBC509: curl_url_set (urlapi.c:1199)
1071 ==24516== by 0x4E644C6: parseurlandfillconn (url.c:2044)
1072 ==24516== by 0x4E67AEF: create_conn (url.c:3613)
1073 ==24516== by 0x4E68A4F: Curl_connect (url.c:4119)
1074 ==24516== by 0x4E7F0A4: multi_runsingle (multi.c:1440)
1075 ==24516== by 0x4E808E5: curl_multi_perform (multi.c:2173)
1076 ==24516== by 0x4E7558C: easy_transfer (easy.c:686)
1077 ==24516== by 0x4E75801: easy_perform (easy.c:779)
1078 ==24516== by 0x4E75868: curl_easy_perform (easy.c:798)
1080 Was originally spotted by
1081 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
1086 Viktor Szakats (23 Sep 2018)
1087 - update URLs in tests
1089 - and one in docs/MANUAL as well
1091 Closes https://github.com/curl/curl/pull/3038
1095 - replace tabs with spaces where possible
1096 - remove line ending spaces
1097 - remove double/triple newlines at EOF
1098 - fix a non-UTF-8 character
1099 - cleanup a few indentations/line continuations
1102 Closes https://github.com/curl/curl/pull/3037
1104 Daniel Stenberg (23 Sep 2018)
1105 - http: add missing return code check
1107 Detected by Coverity. CID 1439610.
1109 Follow-up from 46e164069d1a523
1113 - ftp: don't access pointer before NULL check
1115 Detected by Coverity. CID 1439611.
1117 Follow-up from 46e164069d1a523
1119 - unit1650: fix out of boundary access
1124 Viktor Szakats (23 Sep 2018)
1125 - docs/examples: URL updates
1127 - also update two URLs outside of docs/examples
1128 - fix spelling of filename persistant.c
1129 - fix three long lines that started failing checksrc.pl
1131 Closes https://github.com/curl/curl/pull/3036
1133 - examples/Makefile.m32: sync with core [ci skip]
1136 - fix two warnings in synctime.c (one of them Windows-specific)
1137 - upgrade URLs in synctime.c and remove a broken one
1139 Closes https://github.com/curl/curl/pull/3033
1141 Daniel Stenberg (22 Sep 2018)
1142 - examples/parseurl.c: show off the URL API a bit
1146 - SECURITY-PROCESS: mention the bountygraph program [ci skip]
1150 - url: use the URL API internally as well
1152 ... to make it a truly unified URL parser.
1156 Viktor Szakats (22 Sep 2018)
1157 - URL and mailmap updates, remove an obsolete directory [ci skip]
1159 Closes https://github.com/curl/curl/pull/3031
1161 Daniel Stenberg (22 Sep 2018)
1162 - RELEASE-NOTES: synced
1164 - configure: force-use -lpthreads on HPUX
1166 When trying to detect pthreads use on HPUX the checks will succeed
1167 without the correct -l option but then end up failing at run-time.
1169 Reported-by: Eason-Yu on github
1173 - [Erik Minekus brought this change]
1175 Curl_saferealloc: Fixed typo in docblock
1179 - urlapi: fix support for address scope in IPv6 numerical addresses
1183 - [Loganaden Velvindron brought this change]
1185 GnutTLS: TLS 1.3 support
1189 - TODO: c-ares and CURLOPT_OPENSOCKETFUNCTION
1195 Jay Satiro (20 Sep 2018)
1196 - vtls: fix ssl version "or later" behavior change for many backends
1198 - Treat CURL_SSLVERSION_MAX_NONE the same as
1199 CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
1200 the minimum version also as the maximum.
1202 This is a follow-up to 6015cef which changed the behavior of setting
1203 the SSL version so that the requested version would only be the minimum
1204 and not the maximum. It appears it was (mostly) implemented in OpenSSL
1205 but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
1206 mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.
1208 - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.
1210 Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
1211 erroneously treated as always TLS 1.3, and would cause an error if
1212 OpenSSL was built without TLS 1.3 support.
1214 Co-authored-by: Daniel Gustafsson
1216 Fixes https://github.com/curl/curl/issues/2969
1217 Closes https://github.com/curl/curl/pull/3012
1219 Daniel Stenberg (20 Sep 2018)
1220 - certs: generate tests certs with sha256 digest algorithm
1222 As OpenSSL 1.1.1 starts to complain and fail on sha1 CAs:
1224 "SSL certificate problem: CA signature digest algorithm too weak"
1228 - urlapi: document the error codes, remove two unused ones
1230 Assisted-by: Daniel Gustafsson
1233 - urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance
1235 In order for this API to fully work for libcurl itself, it now offers a
1236 CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
1237 name prefix just like libcurl always did. If there's no known prefix, it
1238 will guess "http://".
1240 Separately, it relaxes the check of the host name so that IDN host names
1241 can be passed in as well.
1243 Both these changes are necessary for libcurl itself to use this API.
1245 Assisted-by: Daniel Gustafsson
1248 Kamil Dudka (19 Sep 2018)
1249 - nss: try to connect even if libnssckbi.so fails to load
1251 One can still use CA certificates stored in NSS database.
1253 Reported-by: Maxime Legros
1254 Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
1258 Daniel Gustafsson (19 Sep 2018)
1259 - urlapi: don't set value which is never read
1261 In the CURLUPART_URL case, there is no codepath which invokes url
1262 decoding so remove the assignment of the urldecode variable. This
1263 fixes the deadstore bug-report from clang static analysis.
1266 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1268 - todo: Update reference to already done item
1270 TODO item 1.1 was implemented in commit 946ce5b61f, update reference
1271 to it with instead referencing the implemented option.
1274 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1276 Daniel Stenberg (18 Sep 2018)
1277 - RELEASE-NOTES: synced
1279 - [slodki brought this change]
1281 cmake: don't require OpenSSL if USE_OPENSSL=OFF
1283 User must have OpenSSL installed even if not used by libcurl at all
1284 since 7.61.1 release. Broken at
1285 7867aaa9a01decf93711428462335be8cef70212
1287 Reviewed-by: Sergei Nikulov
1290 - curl_multi_wait: call getsock before figuring out timeout
1292 .... since getsock may update the expiry timer.
1297 - examples/http2-pushinmemory: receive HTTP/2 pushed files in memory
1301 Daniel Gustafsson (18 Sep 2018)
1302 - darwinssl: Fix realloc memleak
1304 The reallocation was using the input pointer for the return value, which
1305 leads to a memory leak on reallication failure. Fix by instead use the
1306 safe internal API call Curl_saferealloc().
1309 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1310 Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
1312 - [Kruzya brought this change]
1314 examples: Fix memory leaks from realloc errors
1316 Make sure to not overwrite the reallocated pointer in realloc() calls
1317 to avoid a memleak on memory errors.
1319 - memory: add missing curl_printf header
1321 ftp_send_command() was using vsnprintf() without including the libcurl
1322 *rintf() replacement header. Fix by including curl_printf.h and also
1323 add curl_memory.h while at it since memdebug.h depends on it.
1326 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1328 Daniel Stenberg (16 Sep 2018)
1329 - [Si brought this change]
1331 curl: update --tlsv* descriptions in --help output
1335 - http: made Curl_add_buffer functions take a pointer-pointer
1337 ... so that they can clear the original pointer on failure, which makes
1338 the error-paths and their cleanups easier.
1342 - http2: fix memory leaks on error-path
1344 - [Rikard Falkeborn brought this change]
1346 libtest: Add chkdecimalpoint to .gitignore
1350 Viktor Szakats (14 Sep 2018)
1351 - secure Openwall URLs
1353 Daniel Stenberg (14 Sep 2018)
1354 - openssl: show "proper" version number for libressl builds
1358 - [Rainer Jung brought this change]
1360 openssl: assume engine support in 0.9.8 or later
1365 Daniel Gustafsson (13 Sep 2018)
1366 - sendf: use failf() rather than Curl_failf()
1368 The failf() macro is the name used for invoking Curl_failf(). While
1369 there isn't a way to turn off failf like there is for infof, but it's
1370 still a good idea to use the macro.
1372 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1374 - sendf: Fix whitespace in infof/failf concatenation
1376 Strings broken on multiple rows in the .c file need to have appropriate
1377 whitespace padding on either side of the concatenation point to render
1378 a correct amalgamated string. Fix by adding a space at the occurrences
1382 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1384 - krb5: fix memory leak in krb_auth
1386 The FTP command allocated by aprintf() must be freed after usage.
1388 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1390 - ftp: include command in Curl_ftpsend sendbuffer
1392 Commit 8238ba9c5f10414a88f502bf3f5d5a42d632984c inadvertently removed
1393 the actual command to be sent from the send buffer in a refactoring.
1394 Add back copying the command into the buffer. Also add more guards
1395 against malformed input while at it.
1398 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1400 - ntlm_wb: Fix memory leaks in ntlm_wb_response
1402 When erroring out on a request being too large, the existing buffer was
1403 leaked. Fix by explicitly freeing on the way out.
1406 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1408 Daniel Stenberg (13 Sep 2018)
1409 - [Yiming Jing brought this change]
1411 travis: build the MesaLink vtls backend with MesaLink 0.7.1
1413 - [Yiming Jing brought this change]
1415 runtests.pl: run tests against the MesaLink vtls backend
1417 - [Yiming Jing brought this change]
1419 vtls: add a MesaLink vtls backend
1423 - [Yiming Jing brought this change]
1425 configure.ac: add a MesaLink vtls backend
1427 - [Dave Reisner brought this change]
1429 curl_url_set.3: properly escape \n in example code
1433 "the scheme is %s\n"
1441 - [Dave Reisner brought this change]
1443 curl_url_set.3: fix typo in reference to CURLU_APPENDQUERY
1445 - urlglob: improve error message
1447 to help user understand what the problem is
1449 Reported-by: Daniel Shahaf
1454 - [Yiming Jing brought this change]
1456 tests/certs: rebuild certs with 2048-bit RSA keys
1458 The previous test certificates contained RSA keys of only 1024 bits.
1459 However, RSA claims that 1024-bit RSA keys are likely to become
1460 crackable some time before 2010. The NIST recommends at least 2048-bit
1461 keys for RSA for now.
1463 Better use full 2048 also for testing.
1467 Daniel Gustafsson (12 Sep 2018)
1468 - TODO: fix typo in item
1471 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
1473 Marcel Raad (12 Sep 2018)
1474 - anyauthput: fix compiler warning on 64-bit Windows
1476 On Windows, the read function from <io.h> is used, which has its byte
1477 count parameter as unsigned int instead of size_t.
1479 Closes https://github.com/curl/curl/pull/2972
1481 Viktor Szakats (12 Sep 2018)
1482 - lib: fix gcc8 warning on Windows
1484 Closes https://github.com/curl/curl/pull/2979
1486 Jay Satiro (12 Sep 2018)
1487 - openssl: fix gcc8 warning
1489 - Use memcpy instead of strncpy to copy a string without termination,
1490 since gcc8 warns about using strncpy to copy as many bytes from a
1491 string as its length.
1493 Suggested-by: Viktor Szakats
1495 Closes https://github.com/curl/curl/issues/2980
1497 Daniel Stenberg (10 Sep 2018)
1498 - libcurl-url.3: overview man page for the URL API
1502 - example/asiohiper: insert warning comment about its status
1504 This example is simply not working correctly but there's nobody around
1505 with the skills and energy to fix it.
1509 Kamil Dudka (10 Sep 2018)
1510 - docs/cmdline-opts: update the documentation of --tlsv1.0
1512 ... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
1516 - docs/examples: do not wait when no transfers are running
1520 Daniel Stenberg (10 Sep 2018)
1521 - [Daniel Gustafsson brought this change]
1523 cookies: Move failure case label to end of function
1525 Rather than jumping backwards to where failure cleanup happens
1526 to be performed, move the failure case to end of the function
1527 where it is expected per existing coding convention.
1531 - [Daniel Gustafsson brought this change]
1533 misc: fix typos in comments
1537 - [Daniel Gustafsson brought this change]
1539 cookies: fix leak when writing cookies to file
1541 If the formatting fails, we error out on a fatal error and
1542 clean up on the way out. The array was however freed within
1543 the wrong scope and was thus never freed in case the cookies
1544 were written to a file instead of STDOUT.
1548 - [Daniel Gustafsson brought this change]
1550 cookies: Remove redundant expired check
1552 Expired cookies have already been purged at a later expiration time
1553 before this check, so remove the redundant check.
1557 - ntlm_wb: bail out if the response gets overly large
1559 Exit the realloc() loop if the response turns out ridiculously large to
1560 avoid worse problems.
1562 Reported-by: Harry Sintonen
1565 - [Daniel Gustafsson brought this change]
1567 url.c: fix comment typo and indentation
1571 - urlapi: avoid derefencing a possible NULL pointer
1573 Coverity CID 1439134
1575 - RELEASE-NOTES: synced
1577 Marcel Raad (8 Sep 2018)
1578 - test324: fix after 3f3b26d6feb0667714902e836af608094235fca2
1580 The expected error code is now 60. 51 is dead.
1582 Daniel Stenberg (8 Sep 2018)
1583 - curl_url_set.3: correct description
1585 - curl_url-docs: fix AVAILABILITY as Added in curl 7.62.0
1589 See header file and man pages for API. All documented API details work
1590 and are tested in the 1560 test case.
1594 - curl_easy_upkeep: removed 'conn' from the name
1596 ... including the associated option.
1601 - [Max Dymond brought this change]
1603 upkeep: add a connection upkeep API: curl_easy_conn_upkeep()
1605 Add functionality so that protocols can do custom keepalive on their
1606 connections, when an external API function is called.
1608 Add docs for the new options in 7.62.0
1612 - [Philipp Waehnert brought this change]
1614 configure: add option to disable automatic OpenSSL config loading
1616 Sometimes it may be considered a security risk to load an external
1617 OpenSSL configuration automatically inside curl_global_init(). The
1618 configuration option --disable-ssl-auto-load-config disables this
1619 automatism. The Windows build scripts winbuild/Makefile.vs provide a
1620 corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
1623 Setting neither of these options corresponds to the previous behavior
1624 loading the external OpenSSL configuration automatically.
1629 - doh: minor edits to please Coverity
1631 The gcc typecheck macros and coverity combined made it warn on the 2nd
1632 argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it.
1634 Coverity CID 1439115 and CID 1439114.
1636 - schannel: avoid switch-cases that go to default anyway
1638 SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of
1639 mingw and would require an ifdef otherwise.
1641 Reported-by: Thomas Glanzmann
1642 Approved-by: Marc Hörsken
1643 Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html
1646 - [Nicklas Avén brought this change]
1648 imap: change from "FETCH" to "UID FETCH"
1650 ... and add "MAILINDEX".
1652 As described in #2789, this is a suggested solution. Changing UID=xx to
1653 actually get mail with UID xx and add "MAILINDEX" to get a mail with a
1654 special index in the mail box (old behavior). So MAILINDEX=1 gives the
1655 first non deleted mail in the mail box.
1660 - CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size
1662 This is step 3 of #2888.
1667 - travis: add the DOH tests to the torture testing
1669 - DOH: add test case 1650 and 2100
1671 - curl: --doh-url added
1673 - setopt: add CURLOPT_DOH_URL
1677 - [Han Han brought this change]
1679 ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code
1681 Long live CURLE_PEER_FAILED_VERIFICATION
1683 - [Han Han brought this change]
1685 x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse cert
1687 CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509
1688 does not allocate memory internally as its first argument is a pointer
1689 to the certificate structure. The same error code is also returned by
1690 Curl_verifyhost when its call to Curl_parseX509 fails so the change
1691 makes error handling more consistent.
1693 - [Han Han brought this change]
1695 openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuer
1697 Failure to extract the issuer name from the server certificate should
1698 return a more specific error code like on other TLS backends.
1700 - [Han Han brought this change]
1702 schannel: unified error code handling
1706 - [Han Han brought this change]
1708 darwinssl: more specific and unified error codes
1712 - CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated
1714 Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for
1715 deprecation and complete removal in six months.
1717 Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html
1720 - url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled
1724 - multiplex: enable by default
1726 Starting 7.62.0, multiplexing is enabled by default in multi handles.
1728 - [Jim Fuller brought this change]
1730 tests: add unit tests for url.c
1732 Approved-by: Daniel Gustafsson
1735 - test1452: mark as flaky
1737 makes it not run in the CI builds
1741 - pipelining: deprecated
1743 Transparently. The related curl_multi_setopt() options all still returns
1744 OK when pipelining is selected.
1746 To re-enable the support, the single line change in lib/multi.c needs to
1749 See docs/DEPRECATE.md
1753 - RELEASE-NOTES: start working on 7.62.0
1755 Version 7.61.1 (4 Sep 2018)
1757 Daniel Stenberg (4 Sep 2018)
1758 - THANKS: 7.61.1 status
1760 - RELEASE-NOTES: 7.61.1
1762 - Curl_getoff_all_pipelines: ignore unused return values
1764 Since scan-build would warn on the dead "Dead store/Dead increment"
1766 Viktor Szakats (4 Sep 2018)
1767 - sftp: fix indentation
1769 Daniel Stenberg (4 Sep 2018)
1770 - [Przemysław Tomaszewski brought this change]
1772 sftp: don't send post-qoute sequence when retrying a connection
1777 Kamil Dudka (3 Sep 2018)
1778 - url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work
1780 This is a follow-up to PR #2607 and PR #2926.
1784 Daniel Stenberg (3 Sep 2018)
1785 - [Jay Satiro brought this change]
1787 tool_operate: Add http code 408 to transient list for --retry
1789 - Treat 408 request timeout as transient so that curl will retry the
1790 request if --retry was used.
1794 - [Jay Satiro brought this change]
1796 openssl: Fix setting TLS 1.3 cipher suites
1798 The flag indicating TLS 1.3 cipher support in the OpenSSL backend was
1801 Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187
1802 Reported-by: Kamil Dudka
1806 - Curl_ntlm_core_mk_nt_hash: return error on too long password
1808 ... since it would cause an integer overflow if longer than (max size_t
1811 This is CVE-2018-14618
1813 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
1815 Reported-by: Zhaoyang Wu
1817 - [Rikard Falkeborn brought this change]
1819 http2: Use correct format identifier for stream_id
1823 Marcel Raad (2 Sep 2018)
1824 - test1148: fix precheck output
1826 "precheck command error" is not very helpful.
1828 Daniel Stenberg (1 Sep 2018)
1829 - all: s/int/size_t cleanup
1831 Assisted-by: Rikard Falkeborn
1835 - ssh-libssh: use FALLTHROUGH to silence gcc8
1837 Jay Satiro (31 Aug 2018)
1838 - tool_operate: Fix setting proxy TLS 1.3 ciphers
1840 Daniel Stenberg (31 Aug 2018)
1841 - [Daniel Gustafsson brought this change]
1843 cookies: support creation-time attribute for cookies
1845 According to RFC6265 section 5.4, cookies with equal path lengths
1846 SHOULD be sorted by creation-time (earlier first). This adds a
1847 creation-time record to the cookie struct in order to make cookie
1848 sorting more deterministic. The creation-time is defined as the
1849 order of the cookies in the jar, the first cookie read fro the
1850 jar being the oldest. The creation-time is thus not serialized
1851 into the jar. Also remove the strcmp() matching in the sorting as
1852 there is no lexicographic ordering in RFC6265. Existing tests are
1857 Marcel Raad (31 Aug 2018)
1858 - Don't use Windows path %PWD for SSH tests
1860 All these tests failed on Windows because something like
1861 sftp://%HOSTIP:%SSHPORT%PWD/
1863 sftp://127.0.0.1:1234c:/msys64/home/bla/curl
1864 and then curl complained about the port number ending with a letter.
1866 Use the original POSIX path instead of the Windows path created in
1867 checksystem to fix this.
1869 Closes https://github.com/curl/curl/pull/2920
1871 Jay Satiro (29 Aug 2018)
1872 - CURLOPT_SSL_CTX_FUNCTION.3: clarify connection reuse warning
1874 Reported-by: Daniel Stenberg
1876 Closes https://github.com/curl/curl/issues/2916
1878 Daniel Stenberg (28 Aug 2018)
1879 - THANKS-filter: dedup Daniel Jeliński
1881 - RELEASE-NOTES: synced
1883 - CURLOPT_ACCEPT_ENCODING.3: list them comma-separated [ci skip]
1885 - CURLOPT_SSL_CTX_FUNCTION.3: might cause unintended connection reuse [ci skip]
1891 - curl: fix time-of-check, time-of-use race in dir creation
1893 Patch-by: Jay Satiro
1894 Detected by Coverity
1898 - cmdline-opts/page-footer: fix edit mistake
1900 There was a missing newline.
1902 follow-up to a7ba60bb7250
1904 - docs: clarify NO_PROXY env variable functionality
1906 Reported-by: Kirill Marchuk
1910 Marcel Raad (24 Aug 2018)
1911 - lib1522: fix curl_easy_setopt argument type
1913 CURLOPT_POSTFIELDSIZE is a long option.
1915 - curl_threads: silence bad-function-cast warning
1917 As uintptr_t and HANDLE are always the same size, this warning is
1918 harmless. Just silence it using an intermediate uintptr_t variable.
1920 Closes https://github.com/curl/curl/pull/2908
1922 Daniel Stenberg (24 Aug 2018)
1923 - README: add appveyor build badge [ci skip]
1927 - [Ihor Karpenko brought this change]
1929 schannel: client certificate store opening fix
1931 1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG )
1932 while opening certificate store would be sufficient in this scenario and
1933 less-demanding in sense of required user credentials ( for example,
1934 IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore
1935 call without any of flags mentioned above ),
1937 2) as 'cert_store_name' is a DWORD, attempt to format its value like a
1938 string ( in "Failed to open cert store" error message ) will throw null
1941 3) adding GetLastError(), in my opinion, will make error message more
1944 Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html
1948 - [Leonardo Taccari brought this change]
1950 gopher: Do not translate `?' to `%09'
1952 Since GOPHER support was added in curl `?' character was automatically
1953 translated to `%09' (`\t').
1955 However, this behaviour does not seems documented in RFC 4266 and for
1956 search selectors it is documented to directly use `%09' in the URL.
1957 Apart that several gopher servers in the current gopherspace have CGI
1958 support where `?' is used as part of the selector and translating it to
1959 `%09' often leads to surprising results.
1963 Marcel Raad (23 Aug 2018)
1964 - cookie tests: treat files as text
1966 Fixes test failures because of wrong line endings on Windows.
1968 Daniel Stenberg (23 Aug 2018)
1969 - libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation
1971 Multi-threaded applictions basically MUST set CURLOPT_NO_SIGNAL to 1L to
1972 avoid the risk of getting a SIGPIPE.
1974 Either way, a multi-threaded application that uses libcurl/openssl needs
1975 to have a signhandler for or ignore SIGPIPE on its own.
1977 Based on discussions in #2800
1980 - RELEASE-NOTES: synced
1982 Marcel Raad (22 Aug 2018)
1983 - Tests: fixes for Windows
1985 - test 1268 requires unix sockets
1986 - test 2072 must be disabled also for MSYS/MinGW
1988 Daniel Stenberg (22 Aug 2018)
1989 - http2: abort the send_callback if not setup yet
1991 When Curl_http2_done() gets called before the http2 data is setup all
1992 the way, we cannot send anything and this should just return an error.
1994 Detected by OSS-Fuzz
1995 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10012
1997 - http2: remove four unused nghttp2 callbacks
2001 - x509asn1: use FALLTHROUGH
2003 ... as no other comments are accepted since 014ed7c22f51463
2005 Marcel Raad (21 Aug 2018)
2006 - test1148: disable if decimal separator is not point
2008 Modifying the locale with environment variables doesn't work for native
2009 Windows applications. Just disable the test in this case if the decimal
2010 separator is something different than a point. Use a precheck with a
2011 small C program to achieve that.
2013 Closes https://github.com/curl/curl/pull/2786
2015 - Enable more GCC warnings
2017 This enables the following additional warnings:
2018 -Wold-style-definition
2019 -Warray-bounds=2 instead of the default 1
2020 -Wformat=2, but only for GCC 4.8+ as Wno-format-nonliteral is not
2021 respected for older versions
2022 -Wunused-const-variable, which enables level 2 instead of the default 1
2023 -Warray-bounds also in debug mode through -ftree-vrp
2024 -Wnull-dereference also in debug mode through
2025 -fdelete-null-pointer-checks
2027 Closes https://github.com/curl/curl/pull/2747
2029 - curl-compilers: enable -Wimplicit-fallthrough=4 for GCC
2031 This enables level 4 instead of the default level 3, which of the
2032 currently used comments only allows /* FALLTHROUGH */ to silence the
2035 Closes https://github.com/curl/curl/pull/2747
2037 - curl-compilers: enable -Wbad-function-cast on GCC
2039 This warning used to be enabled only for clang as it's a bit stricter
2040 on GCC. Silence the remaining occurrences and enable it on GCC too.
2042 Closes https://github.com/curl/curl/pull/2747
2044 - configure: conditionally enable pedantic-errors
2046 Enable pedantic-errors for GCC >= 5 with --enable-werror. Before GCC 5,
2047 pedantic-errors was synonymous to -Werror=pedantic [0], which is still
2048 the case for clang [1]. With GCC 5, it became complementary [2].
2050 Also fix a resulting error in acinclude.m4 as main's return type was
2051 missing, which is illegal in C99.
2053 [0] https://gcc.gnu.org/onlinedocs/gcc-4.9.0/gcc/Warning-Options.html
2054 [1] https://clang.llvm.org/docs/UsersManual.html#options-to-control-error-and-warning-messages
2055 [2] https://gcc.gnu.org/onlinedocs/gcc-5.1.0/gcc/Warning-Options.html
2057 Closes https://github.com/curl/curl/pull/2747
2059 - Remove unused definitions
2061 Closes https://github.com/curl/curl/pull/2747
2063 Daniel Stenberg (21 Aug 2018)
2064 - x509asn1: make several functions static
2066 and remove the private SIZE_T_MAX define and use the generic one.
2070 - INTERNALS: require GnuTLS >= 2.11.3
2072 Since the public pinning support was brought in e644866caf4. GnuTLS
2073 2.11.3 was released in October 2010.
2075 Figured out in #2890
2077 - http2: avoid set_stream_user_data() before stream is assigned
2079 ... before the stream is started, we have it set to -1.
2084 - SSLCERTS: improve the openssl command line
2086 ... for extracting certs from a live HTTPS server to make a cacerts.pem
2089 - docs/SECURITY-PROCESS: now we name the files after the CVE id
2091 - RELEASE-NOTES: synced
2093 - upload: change default UPLOAD_BUFSIZE to 64KB
2095 To make uploads significantly faster in some circumstances.
2100 - upload: allocate upload buffer on-demand
2102 Saves 16KB on the easy handle for operations that don't need that
2107 - [Laurent Bonnans brought this change]
2109 vtls: reinstantiate engine on duplicated handles
2111 Handles created with curl_easy_duphandle do not use the SSL engine set
2112 up in the original handle. This fixes the issue by storing the engine
2113 name in the internal url state and setting the engine from its name
2114 inside curl_easy_duphandle.
2116 Reported-by: Anton Gerasimov
2117 Signed-of-by: Laurent Bonnans
2121 - http2: make sure to send after RST_STREAM
2123 If this is the last stream on this connection, the RST_STREAM might not
2124 get pushed to the wire otherwise.
2128 Researched-by: Michael Kaufmann
2130 - test1268: check the stderr output as "text"
2132 Follow-up to 099f37e9c57
2134 Pointed-out-by: Marcel Raad
2136 - urldata: remove unused pipe_broke struct field
2138 This struct field is never set TRUE in any existing code path. This
2139 change removes the field completely.
2143 - curl: warn the user if a given file name looks like an option
2145 ... simply because this is usually a sign of the user having omitted the
2146 file name and the next option is instead "eaten" by the parser as a file
2149 Add test1268 to verify
2153 - http2: check nghttp2_session_set_stream_user_data return code
2155 Might help bug #2688 debugging
2159 - travis: revert back to gcc-7 for coverage builds
2161 ... since the gcc-8 ones seem to fail frequently.
2163 Follow-up from b85207199544ca
2167 - RELEASE-NOTES: synced
2169 ... and now listed in alphabetical order!
2171 - [Adrien brought this change]
2173 CMake: CMake config files are defining CURL_STATICLIB for static builds
2175 This change allows to use the CMake config files generated by Curl's
2176 CMake scripts for static builds of the library.
2177 The symbol CURL_STATIC lib must be defined to compile downstream,
2178 thus the config package is the perfect place to do so.
2182 Reported-by: adnn on github
2183 Reviewed-by: Sergei Nikulov
2185 - TODO: host name sections in config files
2187 Kamil Dudka (14 Aug 2018)
2188 - ssh-libssh: fix infinite connect loop on invalid private key
2190 Added test 656 (based on test 604) to verify the fix.
2192 Bug: https://bugzilla.redhat.com/1595135
2196 - ssh-libssh: reduce excessive verbose output about pubkey auth
2198 The verbose message "Authentication using SSH public key file" was
2199 printed each time the ssh_userauth_publickey_auto() was called, which
2200 meant each time a packet was transferred over network because the API
2201 operates in non-blocking mode.
2203 This patch makes sure that the verbose message is printed just once
2204 (when the authentication state is entered by the SSH state machine).
2206 Daniel Stenberg (14 Aug 2018)
2207 - travis: disable h2 torture tests for "coverage"
2209 Since they started to fail almost 100% since a few days.
2213 Marcel Raad (14 Aug 2018)
2214 - travis: update to GCC 8
2216 Closes https://github.com/curl/curl/pull/2869
2218 Daniel Stenberg (13 Aug 2018)
2219 - http: fix for tiny "HTTP/0.9" response
2221 Deal with tiny "HTTP/0.9" (header-less) responses by checking the
2222 status-line early, even before a full "HTTP/" is received to allow
2223 detecting 0.9 properly.
2225 Test 1266 and 1267 added to verify.
2230 Kamil Dudka (13 Aug 2018)
2231 - docs: add disallow-username-in-url.d and haproxy-protocol.d on the list
2233 ... to make make the files appear in distribution tarballs
2237 - .travis.yml: verify that man pages can be regenerated
2239 ... when curl is built from distribution tarball
2243 Marcel Raad (11 Aug 2018)
2244 - Split non-portable part off test 1133
2246 Split off testing file names with double quotes into new test 1158.
2247 Disable it for MSYS using a precheck as it doesn't support file names
2248 with double quotes (but Cygwin does, for example).
2250 Fixes https://github.com/curl/curl/issues/2796
2251 Closes https://github.com/curl/curl/pull/2854
2253 Jay Satiro (11 Aug 2018)
2254 - projects: Improve Windows perl detection in batch scripts
2256 - Determine if perl is in the user's PATH by running perl.exe.
2258 Prior to this change detection was done by checking the PATH for perl/
2259 but that did not work in all cases (eg git install includes perl but
2262 Bug: https://github.com/curl/curl/pull/2865
2263 Reported-by: Daniel Jeliński
2265 - [Michael Kaufmann brought this change]
2267 docs: Improve the manual pages of some callbacks
2269 - CURLOPT_HEADERFUNCTION: add newlines
2270 - CURLOPT_INTERLEAVEFUNCTION: fix the description of 'userdata'
2271 - CURLOPT_READDATA: mention crashes, same as in CURLOPT_WRITEDATA
2272 - CURLOPT_READFUNCTION: rename 'instream' to 'userdata' and explain
2275 Closes https://github.com/curl/curl/pull/2868
2277 Marcel Raad (11 Aug 2018)
2278 - GCC: silence -Wcast-function-type uniformly
2280 Pointed-out-by: Rikard Falkeborn
2281 Closes https://github.com/curl/curl/pull/2860
2283 - Silence GCC 8 cast-function-type warnings
2285 On Windows, casting between unrelated function types is fine and
2286 sometimes even necessary, so just use an intermediate cast to
2287 (void (*) (void)) to silence the warning as described in [0].
2289 [0] https://gcc.gnu.org/onlinedocs/gcc-8.1.0/gcc/Warning-Options.html
2291 Closes https://github.com/curl/curl/pull/2860
2293 Daniel Stenberg (11 Aug 2018)
2294 - CURLINFO_SIZE_UPLOAD: fix missing counter update
2296 Adds test 1522 for verification.
2298 Reported-by: cjmsoregan
2302 - [Daniel Jelinski brought this change]
2304 Documentation: fix CURLOPT_SSH_COMPRESSION copy/paste bug
2308 - RELEASE-NOTES: synced
2310 - openssl: fix potential NULL pointer deref in is_pkcs11_uri
2312 Follow-up to 298d2565e
2313 Coverity CID 1438387
2315 Marcel Raad (10 Aug 2018)
2316 - travis: execute "set -eo pipefail" for coverage build
2318 Follow-up to 2de63ab179eb78630ee039ad94fb2a5423df522d and
2319 0b87c963252d3504552ee0c8cf4402bd65a80af5.
2321 Closes https://github.com/curl/curl/pull/2862
2323 Daniel Stenberg (10 Aug 2018)
2324 - lib1502: fix memory leak in torture test
2326 Reported-by: Marcel Raad
2330 - docs: mention NULL is fine input to several functions
2334 Reported-by: Markus Elfring
2336 - [Bas van Schaik brought this change]
2338 README.md: add LGTM.com code quality grade for C/C++
2342 - [Rikard Falkeborn brought this change]
2344 test1531: Add timeout
2346 Previously, the macro TEST_HANG_TIMEOUT was unused, but since there is
2347 looping going on, we might as well add timing instead of removing it.
2351 - [Rikard Falkeborn brought this change]
2353 test1540: Remove unused macro TEST_HANG_TIMEOUT
2355 The macro has never been used, and it there is not really any place
2356 where it would make sense to add timing checks.
2360 - [Rikard Falkeborn brought this change]
2362 asyn-thread: Remove unused macro
2364 The macro seems to never have been used.
2368 - [Rikard Falkeborn brought this change]
2370 http_proxy: Remove unused macro SELECT_TIMEOUT
2372 Usage was removed in 5113ad0424044458ac497fa1458ebe0101356b22.
2376 - [Rikard Falkeborn brought this change]
2378 formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT
2380 Its usage was removed in
2381 84ad1fd3047815f9c6e78728bb351b828eac10b1.
2385 - [Rikard Falkeborn brought this change]
2387 telnet: Remove unused macros TELOPTS and TELCMDS
2389 Their usage was removed in 3a145180cc754a5959ca971ef3cd243c5c83fc51.
2393 - [Daniel Jelinski brought this change]
2395 openssl: fix debug messages
2400 - configure: fix for -lpthread detection with OpenSSL and pkg-config
2402 ... by making sure it uses the -I provided by pkg-config!
2404 Reported-by: pszemus on github
2408 - RELEASE-NOTES: synced
2410 - windows: follow up to the buffer-tuning 1ba1dba7
2412 Somehow I didn't include the amended version of the previous fix. This
2413 is the missing piece.
2415 Pointed-out-by: Viktor Szakats
2417 - [Daniel Jelinski brought this change]
2419 windows: implement send buffer tuning
2421 Significantly enhances upload performance on modern Windows versions.
2423 Bug: https://curl.haxx.se/mail/lib-2018-07/0080.html
2427 - [Anderson Toshiyuki Sasaki brought this change]
2429 ssl: set engine implicitly when a PKCS#11 URI is provided
2431 This allows the use of PKCS#11 URI for certificates and keys without
2432 setting the corresponding type as "ENG" and the engine as "pkcs11"
2433 explicitly. If a PKCS#11 URI is provided for certificate, key,
2434 proxy_certificate or proxy_key, the corresponding type is set as "ENG"
2435 if not provided and the engine is set to "pkcs11" if not provided.
2437 Acked-by: Nikos Mavrogiannopoulos
2440 - [Ruslan Baratov brought this change]
2442 CMake: Respect BUILD_SHARED_LIBS
2444 Use standard CMake variable BUILD_SHARED_LIBS instead of introducing
2445 custom option CURL_STATICLIB.
2447 Use '-DBUILD_SHARED_LIBS=%SHARED%' in appveyor.yml.
2449 Reviewed-by: Sergei Nikulov
2452 - [John Butterfield brought this change]
2454 cmake: bumped minimum version to 3.4
2458 - [John Butterfield brought this change]
2460 cmake: link curl to the OpenSSL targets instead of lib absolute paths
2462 Reviewed-by: Jakub Zakrzewski
2463 Reviewed-by: Sergei Nikulov
2466 - travis: build darwinssl on macos 10.12
2468 ... as building on 10.13.x before 10.13.4 leads to link errors.
2470 Assisted-by: Nick Zitzmann
2474 - DEPRECATE: remove release date from 7.62.0
2476 Since it will slip and the version is the important part there, not the
2479 - lib/Makefile: only do symbol hiding if told to
2481 This restores the ability to build a static lib with
2482 --disable-symbol-hiding to keep non-curl_ symbols.
2484 Researched-by: Dan Fandrich
2485 Reported-by: Ran Mozes
2489 Marcel Raad (2 Aug 2018)
2490 - hostip: fix unused variable warning
2492 addresses is only used in an infof call, which is a macro expanding to
2493 nothing if CURL_DISABLE_VERBOSE_STRINGS is set.
2495 Daniel Stenberg (2 Aug 2018)
2496 - test1307: disabled
2498 Turns out that since we're using the native fnmatch function now when
2499 available, and they simply disagree on a huge number of test patterns
2500 that make it hard to test this function like this...
2504 - smb: don't mark it done in smb_do
2506 Follow-up to 09e401e01bf9. The SMB protocol handler needs to use its
2507 doing function too, which requires smb_do() to not mark itself as
2512 - [Rikard Falkeborn brought this change]
2514 general: fix printf specifiers
2518 - RELEASE-NOTES: synced
2520 - mailmap: Daniel Jelinski
2522 - [Harry Sintonen brought this change]
2524 HTTP: Don't attempt to needlessly decompress redirect body
2526 This change fixes a regression where redirect body would needlessly be
2527 decompressed even though it was to be ignored anyway. As it happens this
2528 causes secondary issues since there appears to be a bug in apache2 that
2529 it in certain conditions generates a corrupt zlib response. The
2530 regression was created by commit:
2531 dbcced8e32b50c068ac297106f0502ee200a1ebd
2533 Discovered-by: Harry Sintonen
2536 - curl: use Content-Disposition before the "URL end" for -OJ
2538 Regression introduced in 7.61.0
2540 Reported-by: Thomas Klausner
2544 - [Daniel Jelinski brought this change]
2546 retry: return error if rewind was necessary but didn't happen
2551 - http2: clear the drain counter in Curl_http2_done
2553 Reported-by: Andrei Virtosu
2557 - smb: fix memory leak on early failure
2559 ... by making sure connection related data (->share) is stored in the
2560 connection and not in the easy handle.
2562 Detected by OSS-fuzz
2563 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
2567 - travis: run a 'make checksrc' too
2569 ... to make sure the examples are all checked.
2573 Jay Satiro (29 Jul 2018)
2574 - examples/ephiperfifo: checksrc compliance
2576 - [Michael Kaufmann brought this change]
2578 sws: handle EINTR when calling select()
2580 Closes https://github.com/curl/curl/pull/2808
2582 Daniel Stenberg (29 Jul 2018)
2583 - test1157: follow-up to 35ecffb9
2585 Ignore the user-agent line.
2586 Pointed-out-by: Marcel Raad
2588 Michael Kaufmann (29 Jul 2018)
2589 - tests/http_pipe.py: Use /usr/bin/env to find python
2591 Daniel Stenberg (28 Jul 2018)
2592 - TODO: Support Authority Information Access certificate extension (AIA)
2596 - conn_free: updated comment to clarify
2598 Let's call it disassociate instead of disconnect since the latter term
2599 is used so much for (TCP) connections already.
2601 - test1157: test -H from empty file
2603 Verifies bugfix #2797
2605 - [Tobias Blomberg brought this change]
2607 curl: Fix segfault when -H @headerfile is empty
2609 The curl binary would crash if the -H command line option was given a
2610 filename to read using the @filename syntax but that file was empty.
2614 - mime: check Curl_rand_hex's return code
2616 Bug: https://curl.haxx.se/mail/archive-2018-07/0015.html
2617 Reported-by: Jeffrey Walton
2620 - [Josh Bialkowski brought this change]
2622 docs/examples: add hiperfifo example using linux epoll/timerfd
2626 - [Darío Hereñú brought this change]
2628 docs/INSTALL.md: minor formatting fixes
2632 - [Christopher Head brought this change]
2634 docs/CURLOPT_URL: fix indentation
2636 The statement, “The application does not have to keep the string around
2637 after setting this option,” appears to be indented under the RTMP
2638 paragraph. It actually applies to all protocols, not just RTMP.
2639 Eliminate the extra indentation.
2643 - [Christopher Head brought this change]
2645 docs/CURLOPT_WRITEFUNCTION: size is always 1
2647 For compatibility with `fwrite`, the `CURLOPT_WRITEFUNCTION` callback is
2648 passed two `size_t` parameters which, when multiplied, designate the
2649 number of bytes of data passed in. In practice, CURL always sets the
2650 first parameter (`size`) to 1.
2652 This practice is also enshrined in documentation and cannot be changed
2653 in future. The documentation states that the default callback is
2654 `fwrite`, which means `fwrite` must be a suitable function for this
2655 purpose. However, the documentation also states that the callback must
2656 return the number of *bytes* it successfully handled, whereas ISO C
2657 `fwrite` returns the number of items (each of size `size`) which it
2658 wrote. The only way these numbers can be equal is if `size` is 1.
2660 Since `size` is 1 and can never be changed in future anyway, document
2661 that fact explicitly and let users rely on it.
2665 - [Carie Pointer brought this change]
2667 wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random
2669 RNG structure must be freed by call to FreeRng after its use in
2670 Curl_cyassl_random. This call fixes Valgrind failures when running the
2671 test suite with wolfSSL.
2675 - [Even Rouault brought this change]
2677 reuse_conn(): free old_conn->options
2679 This fixes a memory leak when CURLOPT_LOGIN_OPTIONS is used, together with
2682 I found this with oss-fuzz on GDAL and curl master:
2683 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9582
2684 I couldn't reproduce with the oss-fuzz original test case, but looking
2685 at curl source code pointed to this well reproducable leak.
2689 Marcel Raad (25 Jul 2018)
2690 - [Daniel Jelinski brought this change]
2692 system_win32: fix version checking
2694 In the current version, VERSION_GREATER_THAN_EQUAL 6.3 will return false
2695 when run on windows 10.0. This patch addresses that error.
2697 Closes https://github.com/curl/curl/pull/2792
2699 Daniel Stenberg (24 Jul 2018)
2700 - [Johannes Schindelin brought this change]
2702 auth: pick Bearer authentication whenever a token is available
2704 So far, the code tries to pick an authentication method only if
2705 user/password credentials are available, which is not the case for
2706 Bearer authentictation...
2708 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2711 - [Johannes Schindelin brought this change]
2713 auth: only ever pick CURLAUTH_BEARER if we *have* a Bearer token
2715 The Bearer authentication was added to cURL 7.61.0, but there is a
2716 problem: if CURLAUTH_ANY is selected, and the server supports multiple
2717 authentication methods including the Bearer method, we strongly prefer
2718 that latter method (only CURLAUTH_NEGOTIATE beats it), and if the Bearer
2719 authentication fails, we will never even try to attempt any other
2722 This is particularly unfortunate when we already know that we do not
2723 have any Bearer token to work with.
2725 Such a scenario happens e.g. when using Git to push to Visual Studio
2726 Team Services (which supports Basic and Bearer authentication among
2727 other methods) and specifying the Personal Access Token directly in the
2728 URL (this aproach is frequently taken by automated builds).
2730 Let's make sure that we have a Bearer token to work with before we
2731 select the Bearer authentication among the available authentication
2734 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2737 Marcel Raad (22 Jul 2018)
2738 - test320: treat curl320.out file as binary
2740 Otherwise, LF line endings are converted to CRLF on Windows,
2741 but no conversion is done for the reply, so the test case fails.
2743 Closes https://github.com/curl/curl/pull/2776
2745 Daniel Stenberg (22 Jul 2018)
2746 - vtls: set conn->data when closing TLS
2748 Follow-up to 1b76c38904f0. The VTLS backends that close down the TLS
2749 layer for a connection still needs a Curl_easy handle for the session_id
2755 Marcel Raad (21 Jul 2018)
2756 - tests: fixes for Windows line endlings
2758 Set mode="text" when line endings depend on the system representation.
2760 Closes https://github.com/curl/curl/pull/2772
2762 - test214: disable MSYS2's POSIX path conversion for URL
2764 By default, the MSYS2 bash converts all backslashes to forward slashes
2765 in URLs. Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
2767 Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
2769 Daniel Stenberg (20 Jul 2018)
2770 - http2: several cleanups
2772 - separate easy handle from connections better
2773 - added asserts on a number of places
2774 - added sanity check of pipelines for debug builds
2778 - smb_getsock: always wait for write socket too
2780 ... the protocol is doing read/write a lot, so it needs to write often
2781 even when downloading. A more proper fix could check for eactly when it
2782 wants to write and only ask for it then.
2784 Without this fix, an SMB download could easily get stuck when the event-driven
2789 Marcel Raad (20 Jul 2018)
2790 - test1143: disable MSYS2's POSIX path conversion
2792 By default, the MSYS2 bash interprets http:/%HOSTIP:%HTTPPORT/want/1143
2793 as a POSIX file list and converts it to a Windows file list.
2794 Disable this with MSYS2_ARG_CONV_EXCL for the test to pass.
2796 Ref https://github.com/msys2/msys2/wiki/Porting#filesystem-namespaces
2797 Closes https://github.com/curl/curl/pull/2765
2799 Daniel Stenberg (18 Jul 2018)
2800 - RELEASE-NOTES: sync
2802 ... and work toward 7.61.1
2804 - [Ruslan Baratov brought this change]
2806 CMake: Update scripts to use consistent style
2809 Reviewed-by: Sergei Nikulov
2811 - header output: switch off all styles, not just unbold
2813 ... the "unbold" sequence doesn't work on the mac Terminal.
2815 Reported-by: Zero King
2819 Nick Zitzmann (14 Jul 2018)
2820 - [Rodger Combs brought this change]
2822 darwinssl: add support for ALPN negotiation
2824 Marcel Raad (14 Jul 2018)
2825 - test1422: add required file feature
2827 curl configured with --enable-debug --disable-file currently complains
2829 Info: Protocol "file" not supported or disabled in libcurl
2831 Make test1422 dependend on enabled FILE protocol to fix this.
2833 Fixes https://github.com/curl/curl/issues/2741
2834 Closes https://github.com/curl/curl/pull/2742
2836 Patrick Monnerat (12 Jul 2018)
2837 - content_encoding: accept up to 4 unknown trailer bytes after raw deflate data
2839 Some servers issue raw deflate data that may be followed by an undocumented
2840 trailer. This commit makes curl tolerate such a trailer of up to 4 bytes
2841 before considering the data is in error.
2843 Reported-by: clbr on github
2846 Daniel Stenberg (12 Jul 2018)
2847 - smb: fix memory-leak in URL parse error path
2849 Detected by OSS-Fuzz
2850 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9369
2853 Marcel Raad (12 Jul 2018)
2854 - schannel: enable CALG_TLS1PRF for w32api >= 5.1
2856 The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
2857 https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5
2859 Daniel Stenberg (12 Jul 2018)
2860 - docs/SECURITY-PROCESS: mention bounty, drop pre-notify
2862 + The hackerone bounty and its process
2864 - We don't and can't handle pre-notification
2866 - multi: always do the COMPLETED procedure/state
2868 It was previously erroneously skipped in some situations.
2870 libtest/libntlmconnect.c wrongly depended on wrong behavior (that it
2871 would get a zero timeout) when no handles are "running" in a multi
2872 handle. That behavior is no longer present with this fix. Now libcurl
2873 will always return a -1 timeout when all handles are completed.
2877 - Curl_getoff_all_pipelines: improved for multiplexed
2879 On multiplexed connections, transfers can be removed from anywhere not
2880 just at the head as for pipelines.
2882 - ares: check for NULL in completed-callback
2884 - conn: remove the boolean 'inuse' field
2886 ... as the usage needs to be counted.
2888 - [Paul Howarth brought this change]
2890 openssl: assume engine support in 1.0.0 or later
2892 Commit 38203f1585da changed engine detection to be version-based,
2893 with a baseline of openssl 1.0.1. This does in fact break builds
2894 with openssl 1.0.0, which has engine support - the configure script
2895 detects that ENGINE_cleanup() is available - but <openssl/engine.h>
2896 doesn't get included to declare it.
2898 According to upstream documentation, engine support was added to
2899 mainstream openssl builds as of version 0.9.7:
2900 https://github.com/openssl/openssl/blob/master/README.ENGINE
2902 This commit drops the version test down to 1.0.0 as version 1.0.0d
2903 is the oldest version I have to test with.
2907 Marcel Raad (11 Jul 2018)
2908 - schannel: fix MinGW compile break
2910 Original MinGW's w32api has a sytax error in its definition of
2911 CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
2912 until this bug [1] is fixed.
2914 [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h
2915 [1] https://osdn.net/projects/mingw/ticket/38391
2917 Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
2918 Closes https://github.com/curl/curl/pull/2728
2920 Daniel Stenberg (11 Jul 2018)
2921 - examples/crawler.c: move #ifdef to column 0
2923 Apparently the C => HTML converter on the web site doesn't quite like it
2926 Reported-by: Jeroen Ooms
2928 Version 7.61.0 (11 Jul 2018)
2930 Daniel Stenberg (11 Jul 2018)
2933 - TODO: Configurable loading of OpenSSL configuration file
2937 - post303.d: clarify that this is an RFC violation
2939 ... and not the other way around, which this previously said.
2941 Reported-by: Vasiliy Faronov
2945 - [Ruslan Baratov brought this change]
2947 CMake: remove redundant and old end-of-block syntax
2949 Reviewed-by: Jakub Zakrzewski
2952 Jay Satiro (9 Jul 2018)
2953 - lib/curl_setup.h: remove unicode character
2955 Follow-up to 82ce416.
2957 Ref: https://github.com/curl/curl/commit/8272ec5#commitcomment-29646818
2959 Daniel Stenberg (9 Jul 2018)
2960 - lib/curl_setup.h: remove unicode bom from 8272ec50f02
2962 Marcel Raad (9 Jul 2018)
2963 - schannel: fix -Wsign-compare warning
2966 /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
2967 conditional expression [-Wsign-compare]
2969 Fix this by casting the ptrdiff_t to size_t as we know it's positive.
2971 Closes https://github.com/curl/curl/pull/2721
2973 - schannel: workaround for wrong function signature in w32api
2975 Original MinGW's w32api has CryptHashData's second parameter as BYTE *
2976 instead of const BYTE *.
2978 Closes https://github.com/curl/curl/pull/2721
2980 - schannel: make more cipher options conditional
2982 They are not defined in the original MinGW's <wincrypt.h>.
2984 Closes https://github.com/curl/curl/pull/2721
2986 - curl_setup: include <winerror.h> before <windows.h>
2988 Otherwise, only part of it gets pulled in through <windows.h> on
2991 Fixes https://github.com/curl/curl/issues/2361
2992 Closes https://github.com/curl/curl/pull/2721
2994 - examples: fix -Wformat warnings
2996 When size_t is not a typedef for unsigned long (as usually the case on
2997 Windows), GCC emits -Wformat warnings when using lu and lx format
2998 specifiers with size_t. Silence them with explicit casts to
3001 Closes https://github.com/curl/curl/pull/2721
3003 Daniel Stenberg (9 Jul 2018)
3004 - smtp: use the upload buffer size for scratch buffer malloc
3006 ... not the read buffer size, as that can be set smaller and thus cause
3007 a buffer overflow! CVE-2018-0500
3009 Reported-by: Peter Wu
3010 Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
3012 - [Dave Reisner brought this change]
3014 scripts: include _curl as part of CLEANFILES
3018 - [Nick Zitzmann brought this change]
3020 darwinssl: allow High Sierra users to build the code using GCC
3022 ...but GCC users lose out on TLS 1.3 support, since we can't weak-link
3023 enumeration constants.
3028 - [Ruslan Baratov brought this change]
3030 CMake: Remove unused 'output_var' from 'collect_true'
3032 Variable 'output_var' is not used and can be removed.
3033 Function 'collect_true' renamed to 'count_true'.
3035 - [Ruslan Baratov brought this change]
3037 CMake: Remove unused functions
3041 - KNOWN_BUGS: Stick to same family over SOCKS proxy
3043 - libssh: goto DISCONNECT state on error, not SSH_SESSION_FREE
3045 ... because otherwise not everything get closed down correctly.
3050 - libssh: include line number in state change debug messages
3054 - KNOWN_BUGS: Borland support is dropped, AIX problem is too old
3056 - [Jeroen Ooms brought this change]
3058 example/crawler.c: simple crawler based on libxml2
3062 - RELEASE-NOTES: synced
3064 - DEPRECATE: include year when specifying date
3066 - DEPRECATE: linkified
3068 - DEPRECATE: mention the PR that disabled axTLS
3070 - docs/DEPRECATE.md: spelling and minor formatting
3072 - DEPRECATE: new doc describing planned item removals
3076 - [Gisle Vanem brought this change]
3078 telnet: fix clang warnings
3080 telnet.c(1401,28): warning: cast from function call of type 'int' to
3081 non-matching type 'HANDLE' (aka 'void *') [-Wbad-function-cast]
3086 - docs: fix missed option name markups
3088 - [Gaurav Malhotra brought this change]
3090 openssl: Remove some dead code
3094 - openssl: make the requested TLS version the *minimum* wanted
3096 The code treated the set version as the *exact* version to require in
3097 the TLS handshake, which is not what other TLS backends do and probably
3098 not what most people expect either.
3100 Reported-by: Andreas Olsson
3101 Assisted-by: Gaurav Malhotra
3105 - RELEASE-NOTES: synced
3107 - openssl: allow TLS 1.3 by default
3109 Reported-by: Andreas Olsson
3113 - [Adrian Peniak brought this change]
3115 CURLINFO_TLS_SSL_PTR.3: improve the example
3117 The previous example was a little bit confusing, because SSL* structure
3118 (or other "in use" SSL connection pointer) is not accessible after the
3119 transfer is completed, therefore working with the raw TLS library
3120 specific pointer needs to be done during transfer.
3124 - travis: add a build using the synchronous name resolver
3126 ... since default uses the threaded one and we test the c-ares build
3131 - configure: remove CURL_CHECK_NI_WITHSCOPEID too
3133 Since it isn't used either and requires the getnameinfo check
3135 Follow-up to 0aeca41702d2
3137 - getnameinfo: not used
3141 - easy_perform: use *multi_timeout() to get wait times
3143 ... and trim the threaded Curl_resolver_getsock() to return zero
3144 millisecond wait times during the first three milliseconds so that
3145 localhost or names in the OS resolver cache gets detected and used
3150 Max Dymond (27 Jun 2018)
3151 - configure: Add dependent libraries after crypto
3153 The linker is pretty dumb and processes things left to right, keeping a
3154 tally of symbols it hasn't resolved yet. So, we need -ldl to appear
3155 after -lcrypto otherwise the linker won't find the dl functions.
3159 Daniel Stenberg (27 Jun 2018)
3160 - GOVERNANCE: linkify, changed some titles
3162 - GOVERNANCE: add maintainer details/duties
3164 - url: check Curl_conncache_add_conn return code
3166 ... it was previously unchecked in two places and thus errors could
3167 remain undetected and cause trouble.
3171 - include/README: remove "hacking" advice, not the right place
3173 - RELEASE-NOTES: synced
3175 - CURLOPT_SSL_VERIFYPEER.3: fix syntax mistake
3177 Follow-up to b6a16afa0aa5
3179 - netrc: use a larger buffer
3181 ... to work with longer passwords etc. Grow it from a 256 to a 4096
3184 Reported-by: Dario Nieuwenhuis
3188 - [Patrick Schlangen brought this change]
3190 CURLOPT_SSL_VERIFYPEER.3: Add performance note
3194 - [Javier Blazquez brought this change]
3196 multi: fix crash due to dangling entry in connect-pending list
3201 - ConnectionExists: make sure conn->data is set when "taking" a connection
3203 Follow-up to 2c15693.
3208 - [Kevin R. Bulgrien brought this change]
3210 system.h: fix for gcc on 32 bit OpenServer
3212 Bug: https://curl.haxx.se/mail/lib-2018-06/0100.html
3214 - [Raphael Gozzo brought this change]
3216 cmake: allow multiple SSL backends
3218 This will make possible to select the SSL backend (using
3219 curl_global_sslset()) even when the libcurl is built using CMake
3223 - url: fix dangling conn->data pointer
3225 By masking sure to use the *current* easy handle with extracted
3226 connections from the cache, and make sure to NULLify the ->data pointer
3227 when the connection is put into the cache to make this mistake easier to
3228 detect in the future.
3230 Reported-by: Will Dietz
3234 - CURLOPT_INTERFACE.3: interface names not supported on Windows
3236 - travis: run more tests for coverage check
3238 ... run a few more tortured based and run all tests event-based.
3242 - multi: fix memory leak when stopped during name resolve
3244 When the application just started the transfer and then stops it while
3245 the name resolve in the background thread hasn't completed, we need to
3246 wait for the resolve to complete and then cleanup data accordingly.
3248 Enabled test 1553 again and added test 1590 to also check when the host
3249 name resolves successfully.
3251 Detected by OSS-fuzz.
3254 Viktor Szakats (15 Jun 2018)
3255 - maketgz: delete .bak files, fix indentation
3257 Ref: https://github.com/curl/curl/pull/2660
3259 Closes https://github.com/curl/curl/pull/2662
3261 Daniel Stenberg (15 Jun 2018)
3262 - runtests.pl: remove debug leftover from bb9a340c73f3
3264 - curl-confopts.m4: fix typo from ed224f23d5beb
3266 Fixes my local configure to detect a custom installed c-ares without
3269 - docs/RELEASE-PROCEDURE.md: renamed to use .md extension
3273 - RELEASE-PROCEDURE: gpg sign the tags
3275 - RELEASE-NOTES: synced
3277 - CURLOPT_HTTPAUTH.3: CURLAUTH_BEARER was added in 7.61.0
3279 - [Mamta Upadhyay brought this change]
3281 maketgz: fix sed issues on OSX
3283 maketgz creates release tarballs and removes the -DEV string in curl
3284 version (e.g. 7.58.0-DEV), else -DEV shows up on command line when curl
3285 is run. maketgz works fine on linux but fails on OSX. Problem is with
3286 the sed commands that use option -i without an extension. Maketgz
3287 expects GNU sed instead of BSD and this simply won't work on OSX. Adding
3288 a backup extension .bak after -i fixes this issue
3290 Running the script as if on OSX gives this error:
3292 sed: -e: No such file or directory
3294 Adding a .bak extension resolves it
3298 - configure: enhance ability to detect/build with static openssl
3300 Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for
3301 building with static libs without pkg-config.
3303 Reported-by: Marcel Raad
3307 - configure: use pkg-config for c-ares detection
3309 First check if there's c-ares information given as pkg-config info and use
3310 that as first preference.
3312 Reported-by: pszemus on github
3316 - GOVERNANCE.md: explains how this project is run
3320 - KNOWN_BUGS: NTLM doen't support password with § character
3324 - KNOWN_BUGS: slow connect to localhost on Windows
3328 - [Matteo Bignotti brought this change]
3330 mk-ca-bundle.pl: make -u delete certdata.txt if found not changed
3332 certdata.txt should be deleted also when the process is interrupted by
3333 "same certificate downloaded, exiting"
3335 The certdata.txt is currently kept on disk even if you give the -u
3340 - progress: remove a set of unused defines
3342 Reported-by: Peter Wu
3345 - TODO: "Option to refuse usernames in URLs" done
3347 Implemented by Björn in 946ce5b61f
3349 - [Lyman Epp brought this change]
3351 Curl_init_do: handle NULL connection pointer passed in
3355 - runtests: support variables in <strippart>
3357 ... and make use of that to make 1455 work better without using a fixed
3363 - Curl_debug: remove dead printhost code
3365 The struct field is never set (since 5e0d9aea3) so remove the use of it
3366 and remove the connectdata pointer from the prototype.
3369 Bug: https://curl.haxx.se/mail/lib-2018-06/0054.html
3372 Viktor Szakats (12 Jun 2018)
3373 - schannel: avoid incompatible pointer warning
3377 vtls/schannel_verify.c: In function 'add_certs_to_store':
3378 vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types]
3381 In file included from /usr/share/mingw-w64/include/schannel.h:10:0,
3382 from /usr/share/mingw-w64/include/schnlsp.h:9,
3383 from vtls/schannel.h:29,
3384 from vtls/schannel_verify.c:40:
3385 /usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}'
3386 WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags,
3389 Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264
3391 Closes https://github.com/curl/curl/pull/2648
3393 Daniel Stenberg (12 Jun 2018)
3394 - [Robert Prag brought this change]
3396 schannel: support selecting ciphers
3398 Given the contstraints of SChannel, I'm exposing these as the algorithms
3399 themselves instead; while replicating the ciphersuite as specified by
3400 OpenSSL would have been preferable, I found no way in the SChannel API
3403 To use this from the commandline, you need to pass the names of contants
3404 defining the desired algorithms. For example, curl --ciphers
3405 "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM"
3406 https://github.com The specific names come from wincrypt.h
3410 - [Bernhard M. Wiedemann brought this change]
3412 test 46: make test pass after 2025
3414 shifting the expiry date to 2037 for now
3415 to be before the possibly problematic year 2038
3417 similar in spirit to commit e6293cf8764e9eecb
3421 - [Marian Klymov brought this change]
3423 cppcheck: fix warnings
3425 - Get rid of variable that was generating false positive warning
3428 - Fix issues in tests
3430 - Reduce scope of several variables all over
3436 - openssl: assume engine support in 1.0.1 or later
3438 Previously it was checked for in configure/cmake, but that would then
3439 leave other build systems built without engine support.
3441 While engine support probably existed prior to 1.0.1, I decided to play
3442 safe. If someone experience a problem with this, we can widen the
3448 - RELEASE-NOTES: synced
3450 - RELEASE-PROCEDURE: update the release calendar for 2019
3452 - [Gisle Vanem brought this change]
3454 boringssl + schannel: undef X509_NAME in lib/schannel.h
3456 Fixes the build problem when both boringssl and schannel are enabled.
3461 - [Vladimir Kotal brought this change]
3463 mk-ca-bundle.pl: leave certificate name untouched in decode()
3467 - [Rikard Falkeborn brought this change]
3469 tests/libtests/Makefile.am: Add lib1521.c to CLEANFILES
3471 This removes the generated lib1521.c when running make clean.
3475 - [Rikard Falkeborn brought this change]
3477 tests/libtest: Add lib1521 to nodist_SOURCES
3479 Since 467da3af0, lib1521.c is generated instead of checked in. According
3480 to the commit message, the intention was to remove it from the tarball
3481 as well. However, it is still present when running make dist. To remove
3482 it, add it to nodist_lib1521_SOURCES. This also means there is no need
3483 for the manually added dist-rule in the Makefile.
3485 Also update CMakelists.txt to handle the fact that we now may have
3488 - [Stephan Mühlstrasser brought this change]
3490 system.h: add support for IBM xlc C compiler
3492 Added a section to system.h guarded with __xlc__ for the IBM xml C
3493 compiler. Before this change the section titled 'generic "safe guess" on
3494 old 32 bit style' was used, which resulted in a wrong definition of
3495 CURL_TYPEOF_CURL_SOCKLEN_T, and for 64-bit also CURL_TYPEOF_CURL_OFF_T
3498 Compilation warnings fixed with this change:
3500 CC libcurl_la-ftp.lo
3501 "ftp.c", line 290.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3502 "ftp.c", line 293.48: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3503 "ftp.c", line 1070.49: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3504 "ftp.c", line 1154.53: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3505 "ftp.c", line 1187.51: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3506 CC libcurl_la-connect.lo
3507 "connect.c", line 448.56: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3508 "connect.c", line 516.66: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3509 "connect.c", line 687.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3510 "connect.c", line 696.55: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3511 CC libcurl_la-tftp.lo
3512 "tftp.c", line 1115.33: 1506-280 (W) Function argument assignment between types "unsigned long* restrict" and "int*" is not allowed.
3516 - cmdline-opts/cert-type.d: mention "p12" as a recognized type as well
3518 Viktor Szakats (3 Jun 2018)
3521 Detected using the `codespell` tool (version 1.13.0).
3523 Also secure and fix an URL.
3525 Daniel Stenberg (2 Jun 2018)
3526 - axtls: follow-up spell fix of comment
3528 - axTLS: not considered fit for use
3530 URL: https://curl.haxx.se/mail/lib-2018-06/0000.html
3532 This is step one. It adds #error statements that require source edits to
3533 make curl build again if asked to use axTLS. At a later stage we might
3534 remove the axTLS specific code completely.
3538 - build: remove the Borland specific makefiles
3540 According to the user survey 2018, not even one out of 670 users use
3541 them. Nobody on the mailing list spoke up for them either.
3545 - curl_addrinfo: use same #ifdef conditions in source as header
3547 ... for curl_dofreeaddrinfo
3549 - multi: remove a DEBUGF()
3551 ... it might call infof() with a NULL first argument that isn't harmful
3552 but makes it not do anything. The infof() line is not very useful
3553 anymore, it has served it purpose. Good riddance!
3557 - [Alibek.Jorajev brought this change]
3559 CURLOPT_RESOLVE: always purge old entry first
3561 If there's an existing entry using the selected name.
3565 - fnmatch: use the system one if available
3567 If configure detects fnmatch to be available, use that instead of our
3568 custom one for FTP wildcard pattern matching. For standard compliance,
3569 to reduce our footprint and to use already well tested and well
3572 A POSIX fnmatch behaves slightly different than the internal function
3573 for a few test patterns currently and the macOS one yet slightly
3574 different. Test case 1307 is adjusted for these differences.
3578 Patrick Monnerat (31 May 2018)
3579 - os400: add new option in ILE/RPG binding
3581 Follow-up to commit 946ce5b
3583 Daniel Stenberg (31 May 2018)
3584 - tests/libtest/.gitignore: follow-up fix to ignore lib5* too
3586 - KNOWN_BUGS: CURL_GLOBAL_SSL
3590 - [Bernhard Walle brought this change]
3592 configure: check for declaration of getpwuid_r
3594 On our x86 Android toolchain, getpwuid_r is implemented but the header
3597 netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration]
3599 Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved
3600 the prototype to curl_setup.h.
3602 Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
3605 - [Rikard Falkeborn brought this change]
3607 tests: update .gitignore for libtests
3611 - [Rikard Falkeborn brought this change]
3613 strictness: correct {infof, failf} format specifiers
3617 - [Björn Stenberg brought this change]
3619 option: disallow username in URL
3621 Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes
3622 libcurl reject URLs with a username in them.
3626 - libcurl-security.3: improved layout for two rememdy lists
3628 - libcurl-security.3: refer to URL instead of in-source markdown file
3630 Viktor Szakats (30 May 2018)
3631 - curl.rc: embed manifest for correct Windows version detection
3633 * enable it in `src/Makefile.m32`
3634 * enable it in `winbuild/MakefileBuild.vc` if a custom manifest is
3635 _not_ enabled via the existing `EMBED_MANIFEST` option
3636 * enable it for all Windows CMake builds (also disable the built-in
3637 minimal manifest, added by CMake by default.)
3639 For other build systems, add the `-DCURL_EMBED_MANIFEST` option to
3640 the list of RC (Resource Compiler) flags to enable the manifest
3641 included in `src/curl.rc`. This may require to disable whatever
3642 automatic or other means in which way another manifest is added to
3645 Notice that Borland C doesn't support this method due to a
3646 long-pending resource compiler bug. Watcom C may also not handle
3647 it correctly when the `-zm` `wrc` option is used (this option may
3648 be unnecessary though) and regardless of options in certain earlier
3649 revisions of the 2.0 beta version.
3651 Closes https://github.com/curl/curl/pull/1221
3652 Fixes https://github.com/curl/curl/issues/2591
3654 Patrick Monnerat (30 May 2018)
3655 - os400: sync EBCDIC wrappers and ILE/RPG binding with latest options
3657 - os400: implement mime api EBCDIC wrappers
3659 Also sync ILE/RPG binding to define the new functions.
3661 Daniel Stenberg (29 May 2018)
3662 - setopt: add TLS 1.3 ciphersuites
3664 Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS.
3666 curl: added --tls13-ciphers and --proxy-tls13-ciphers
3669 Reported-by: zzq1015 on github
3672 - configure: override AR_FLAGS to silence warning
3674 The automake default ar flags are 'cru', but the 'u' flag in there
3675 causes warnings on many modern Linux distros. Removing 'u' may have a
3676 minor performance impact on older distros but should not cause harm.
3678 Explained on the automake mailing list already back in April 2015:
3680 https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html
3682 Reported-by: elephoenix on github
3686 Sergei Nikulov (29 May 2018)
3687 - cmake: fixed comments in compile checks code
3689 Daniel Stenberg (29 May 2018)
3690 - INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib
3692 ... the older description doesn't work
3694 Reported-by: Peter Varga
3698 - [Will Dietz brought this change]
3700 KNOWN_BUGS: restore text regarding #2101.
3702 This was added earlier but appears to have been removed accidentally.
3704 AFAICT this is very much still an issue.
3708 I say "accidentally" because the text seems to have harmlessly snuck
3709 into [1] (which makes no mention of it). [1] was later reverted for
3710 unspecified reasons in [2], presumably because the mentioned issue was
3713 [1] de9fac00c40db321d44fa6fbab6eb62ec4c83998
3714 [2] 16d1f369403cbb04bd7b085eabbeebf159473fc2
3718 - fnmatch: insist on escaped bracket to match
3720 A non-escaped bracket ([) is for a character group - as documented. It
3721 will *not* match an individual bracket anymore. Test case 1307 updated
3722 accordingly to match.
3724 Problem detected by OSS-Fuzz, although this fix is probably not a final
3725 fix for the notorious timeout issues.
3727 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525
3730 Patrick Monnerat (28 May 2018)
3731 - psl: use latest psl and refresh it periodically
3733 The latest psl is cached in the multi or share handle. It is refreshed
3734 before use after 72 hours.
3735 New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing.
3736 If the latest psl is not available, the builtin psl is used.
3738 Reported-by: Yaakov Selkowitz
3742 Daniel Stenberg (28 May 2018)
3743 - [Fabrice Fontaine brought this change]
3745 configure: fix ssh2 linking when built with a static mbedtls
3747 The ssh2 pkg-config file could contain the following lines when build
3748 with a static version of mbedtls:
3749 Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
3750 Libs.private: /xxx/libmbedcrypto.a
3752 This static mbedtls library must be used to correctly detect ssh2
3753 support and this library must be copied in libcurl.pc otherwise
3754 compilation of any application (such as upmpdcli) with libcurl will fail
3755 when trying to found mbedtls functions included in libssh2. So, replace
3756 pkg-config --libs-only-l by pkg-config --libs.
3759 - http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a
3761 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
3764 - RELEASE-NOTES: synced
3766 - [Bernhard Walle brought this change]
3768 cmake: check for getpwuid_r
3770 The autotools-based build system does it, so we do it also in CMake.
3773 Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
3775 - cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options
3777 - [Frank Gevaerts brought this change]
3779 curl.1: Fix cmdline-opts reference errors.
3781 --data, --form, and --ntlm were declared to be mutually exclusive with
3782 non-existing options. --data and --form referred to --upload (which is
3783 short for --upload-file and therefore did work, so this one was merely
3784 a bit confusing), --ntlm referred to --negotiated instead of --negotiate.
3788 - [Frank Gevaerts brought this change]
3790 docs: fix cmdline-opts metadata headers case consistency.
3792 Almost all headers start with an uppercase letter, but some didn't.
3794 - mailmap: Max Savenkov
3796 Sergei Nikulov (28 May 2018)
3797 - [Max Savenkov brought this change]
3799 Fix the test for fsetxattr and strerror_r tests in CMake to work without compiling
3801 Daniel Stenberg (27 May 2018)
3802 - mailmap: a Richard Alcock fixup
3804 - [Richard Alcock brought this change]
3806 schannel: add failf calls for client certificate failures
3810 - [Richard Alcock brought this change]
3812 winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST
3814 Change requirement from $(DISTDIR) to $(DIRDIST)
3818 - [Richard Alcock brought this change]
3820 winbuild: only delete OUTFILE if it exists
3822 This removes the slightly annoying "Could not file LIBCURL_OBJS.inc" and
3823 "Could not find CURL_OBJS.inc.inc" message when building into a clean
3828 - [Alejandro R. Sedeño brought this change]
3830 content_encoding: handle zlib versions too old for Z_BLOCK
3832 Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available.
3837 - multi: provide a socket to wait for in Curl_protocol_getsock
3839 ... even when there's no protocol specific handler setup.
3841 Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html
3842 Reported-by: Sean Miller
3845 - [Linus Lewandowski brought this change]
3847 httpauth: add support for Bearer tokens
3851 - TODO: CURLINFO_PAUSE_STATE
3855 Sergei Nikulov (24 May 2018)
3856 - cmake: set -d postfix for debug builds if not specified
3857 using -DCMAKE_DEBUG_POSTFIX explicitly
3859 fixes #2121, obsoletes #2384
3861 Daniel Stenberg (23 May 2018)
3862 - configure: add basic test of --with-ssl prefix
3864 When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or
3865 $PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an
3866 error. Helps users detect when giving configure the wrong path.
3868 Reported-by: Oleg Pudeyev
3869 Assisted-by: Per Malmberg
3872 Patrick Monnerat (22 May 2018)
3873 - http resume: skip body if http code 416 (range error) is ignored.
3875 This avoids appending error data to already existing good data.
3877 Test 92 is updated to match this change.
3878 New test 1156 checks all combinations of --range/--resume, --fail,
3879 Content-Range header and http status code 200/416.
3882 Reported-By: Ithubg on github
3885 Daniel Stenberg (22 May 2018)
3886 - tftp: make sure error is zero terminated before printfing it
3888 - configure: add missing m4/ax_compile_check_sizeof.m4
3890 follow-up to mistake in 6876ccf90b4
3892 Jay Satiro (22 May 2018)
3893 - [Johannes Schindelin brought this change]
3895 schannel: make CAinfo parsing resilient to CR/LF
3897 OpenSSL has supported --cacert for ages, always accepting LF-only line
3898 endings ("Unix line endings") as well as CR/LF line endings ("Windows
3901 When we introduced support for --cacert also with Secure Channel (or in
3902 cURL speak: "WinSSL"), we did not take care to support CR/LF line
3903 endings, too, even if we are much more likely to receive input in that
3904 form when using Windows.
3908 Happily, CryptQueryObject(), the function we use to parse the ca-bundle,
3909 accepts CR/LF input already, and the trailing LF before the END
3910 CERTIFICATE marker catches naturally any CR/LF line ending, too. So all
3911 we need to care about is the BEGIN CERTIFICATE marker. We do not
3912 actually need to verify here that the line ending is CR/LF. Just
3913 checking for a CR or an LF is really plenty enough.
3915 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
3917 Closes https://github.com/curl/curl/pull/2592
3919 Daniel Stenberg (22 May 2018)
3920 - CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit
3922 - RELEASE-NOTES: synced
3924 - KNOWN_BUGS: mention the -O with %-encoded file names
3928 - checksrc: make sure sizeof() is used *with* parentheses
3930 ... and unify the source code to adhere.
3934 - curl: added --styled-output
3936 It is enabled by default, so --no-styled-output will switch off the
3937 detection/use of bold headers.
3941 - curl: show headers in bold
3943 The feature is only enabled if the output is believed to be a tty.
3945 -J: There's some minor differences and improvements in -J handling, as
3946 now J should work with -i and it actually creates a file first using the
3947 initial name and then *renames* that to the one found in
3948 Content-Disposition (if any).
3950 -i: only shows headers for HTTP transfers now (as documented).
3951 Previously it would also show for pieces of the transfer that were HTTP
3952 (for example when doing FTP over a HTTP proxy).
3954 -i: now shows trailers as well. Previously they were not shown at all.
3956 --libcurl: the CURLOPT_HEADER is no longer set, as the header output is
3957 now done in the header callback.
3959 - configure: compile-time SIZEOF checks
3961 ... instead of exeucting code to get the size. Removes the use of
3962 LD_LIBRARY_PATH for this.
3966 Reported-by: Bernhard Walle
3968 - configure: replace AC_TRY_RUN with CURL_RUN_IFELSE
3970 ... and export LD_LIBRARY_PATH properly. This is a follow-up from
3974 Reported-by: Bernhard Walle
3976 - docs: clarify CURLOPT_HTTPGET somewhat
3978 Reported-by: bsammon on github
3981 - curl_fnmatch: only allow two asterisks for matching
3983 The previous limit of 5 can still end up in situation that takes a very
3984 long time and consumes a lot of CPU.
3986 If there is still a rare use case for this, a user can provide their own
3987 fnmatch callback for a version that allows a larger set of wildcards.
3989 This commit was triggered by yet another OSS-Fuzz timeout due to this.
3990 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369
3994 - checksrc: fix too long line
3996 follow-up to e05ad5d
3998 - [Aleks brought this change]
4000 docs: mention HAproxy protocol "version 1"
4002 ...as there's also a version 2.
4006 - examples/progressfunc: make it build on older libcurls
4008 This example was changed in ce2140a8c1 to use the new microsecond based
4009 getinfo option. This change makes it conditionally keep using the older
4010 option so that the example still builds with older libcurl versions.
4014 - stub_gssapi: fix numerous 'unused parameter' warnings
4016 follow-up to d9e92fd9fd1d
4018 - [Philip Prindeville brought this change]
4020 getinfo: add microsecond precise timers for various intervals
4022 Provide a set of new timers that return the time intervals using integer
4023 number of microseconds instead of floats.
4025 The new info names are as following:
4027 CURLINFO_APPCONNECT_TIME_T
4028 CURLINFO_CONNECT_TIME_T
4029 CURLINFO_NAMELOOKUP_TIME_T
4030 CURLINFO_PRETRANSFER_TIME_T
4031 CURLINFO_REDIRECT_TIME_T
4032 CURLINFO_STARTTRANSFER_TIME_T
4033 CURLINFO_TOTAL_TIME_T
4037 - openssl: acknowledge --tls-max for default version too
4039 ... previously it only used the max setting if a TLS version was also
4040 explicitly asked for.
4042 Reported-by: byte_bucket
4046 - bump: start working on the pending 7.61.0
4048 - [Dagobert Michelsen brought this change]
4050 tests/libtest/Makefile: Do not unconditionally add gcc-specific flags
4052 The warning flag leads e.g. Sun Studio compiler to bail out.
4056 - schannel_verify: fix build for non-schannel
4058 Jay Satiro (16 May 2018)
4061 - schannel: disable manual verify if APIs not available
4063 .. because original MinGW and old compilers do not have the Windows API
4064 definitions needed to support manual verification.
4066 - [Archangel_SDY brought this change]
4068 schannel: disable client cert option if APIs not available
4070 Original MinGW targets Windows 2000 by default, which lacks some APIs and
4071 definitions for this feature. Disable it if these APIs are not available.
4073 Closes https://github.com/curl/curl/pull/2522
4075 Version 7.60.0 (15 May 2018)
4077 Daniel Stenberg (15 May 2018)
4078 - RELEASE-NOTES: 7.60.0 release
4080 - THANKS: added people from the curl 7.60.0 release
4082 - docs/libcurl/index.html: removed
4084 The HTML files are long gone from the dist, now remove the last HTML
4085 file pointing to those missing files.
4089 - [steini2000 brought this change]
4091 http2: remove unused variable
4095 - [steini2000 brought this change]
4097 http2: use easy handle of stream for logging
4099 - gcc: disable picky gcc-8 function pointer warnings in two places
4101 Reported-by: Rikard Falkeborn
4105 - http2: use the correct function pointer typedef
4107 Fixes gcc-8 picky compiler warnings
4108 Reported-by: Rikard Falkeborn
4112 - CODE_STYLE: mention return w/o parens, but sizeof with
4114 ... and remove the github markdown syntax so that it renders better on
4115 the web site. Also, don't use back-ticks inlined to allow the CSS to
4116 highlight source code better.
4118 - [Rikard Falkeborn brought this change]
4120 examples: Fix format specifiers
4124 - [Rikard Falkeborn brought this change]
4126 tool: Fix format specifiers
4128 - [Rikard Falkeborn brought this change]
4130 ntlm: Fix format specifiers
4132 - [Rikard Falkeborn brought this change]
4134 tests: Fix format specifiers
4136 - [Rikard Falkeborn brought this change]
4138 lib: Fix format specifiers
4140 - contributors.sh: use "on github", not at
4142 - http2: getsock fix for uploads
4144 When there's an upload in progress, make sure to wait for the socket to
4147 Detected-by: steini2000 on github
4151 - pingpong: fix response cache memcpy overflow
4153 Response data for a handle with a large buffer might be cached and then
4154 used with the "closure" handle when it has a smaller buffer and then the
4155 larger cache will be copied and overflow the new smaller heap based
4158 Reported-by: Dario Weisser
4159 CVE: CVE-2018-1000300
4160 Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
4162 - http: restore buffer pointer when bad response-line is parsed
4164 ... leaving the k->str could lead to buffer over-reads later on.
4166 CVE: CVE-2018-1000301
4167 Assisted-by: Max Dymond
4169 Detected by OSS-Fuzz.
4170 Bug: https://curl.haxx.se/docs/adv_2018-b138.html
4171 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
4173 Patrick Monnerat (13 May 2018)
4174 - cookies: do not take cookie name as a parameter
4176 RFC 6265 section 4.2.1 does not set restrictions on cookie names.
4177 This is a follow-up to commit 7f7fcd0.
4178 Also explicitly check proper syntax of cookie name/value pair.
4180 New test 1155 checks that cookie names are not reserved words.
4182 Reported-By: anshnd at github
4186 Daniel Stenberg (12 May 2018)
4187 - smb: reject negative file sizes
4189 Assisted-by: Max Dymond
4191 Detected by OSS-Fuzz
4192 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
4194 - setup_transfer: deal with both sockets being -1
4196 Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would
4197 index the array with -1 if neither index was a socket.
4199 - travis: add build using NSS
4203 - [Sunny Purushe brought this change]
4205 openssl: change FILE ops to BIO ops
4207 To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
4208 handling is causing problems. This fix changes the OpenSSL backend code
4209 to use BIO functions instead of FILE I/O functions to circumvent those
4214 - travis: add a build using WolfSSL
4216 Assisted-by: Dan Fandrich
4220 - RELEASE-NOTES: typo
4222 - RELEASE-NOTES: synced
4224 - [Daniel Gustafsson brought this change]
4226 URLs: fix one more http url
4228 This file wasn't included in commit 4af40b3646d3b09 which updated all
4229 haxx.se http urls to https. The file was committed prior to that update,
4230 but may have been merged after it and hence didn't get updated.
4234 - github/lock: auto-lock closed issues after 90 days of inactivity
4236 - vtls: fix missing commas
4238 follow-up to e66cca046cef
4240 - vtls: use unified "supports" bitfield member in backends
4242 ... instead of previous separate struct fields, to make it easier to
4243 extend and change individual backends without having to modify them all.
4247 - transfer: don't unset writesockfd on setup of multiplexed conns
4249 Curl_setup_transfer() can be called to setup a new individual transfer
4250 over a multiplexed connection so it shouldn't unset writesockfd.
4255 - [Frank Gevaerts brought this change]
4257 configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
4259 They are removed from the compiler flags.
4261 This ensures that make dependency tracking will force a rebuild whenever
4262 configure --enable-debug or --enable-curldebug changes.
4266 - http: don't set the "rewind" flag when not uploading anything
4268 It triggers an assert.
4270 Detected by OSS-Fuzz
4271 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
4274 - travis: add an mbedtls build
4278 - configure: only check for CA bundle for file-using SSL backends
4280 When only building with SSL backends that don't use the CA bundle file
4281 (by default), skip the check.
4287 - ssh-libssh.c: fix left shift compiler warning
4289 ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
4290 represent, but 'int' only has 32 bits [-Wshift-overflow=]
4292 'len' will never be that big anyway so I converted the run-time check to
4295 - [Stephan Mühlstrasser brought this change]
4297 URL: fix ASCII dependency in strcpy_url and strlen_url
4299 Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the
4300 changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of
4301 the problem that strcpy_url() was modified unilaterally without also
4302 modifying strlen_url(). As a consequence strcpy_url() was again
4303 depending on ASCII encoding.
4305 This change fixes strlen_url() and strcpy_url() in parallel to use a
4306 common host-encoding independent criterion for deciding whether an URL
4307 character must be %-escaped.
4311 - [Denis Ollier brought this change]
4313 docs: remove extraneous commas in man pages
4317 - RELEASE-NOTES: synced
4319 - Revert "TODO: remove configure --disable-pthreads"
4321 This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3.
4323 --disable-pthreads can be used to disable pthreads and get the threaded
4324 resolver to use the windows threading when building with mingw.
4326 - vtls: don't define MD5_DIGEST_LENGTH for wolfssl
4328 ... as it defines it (too)
4330 - TODO: remove configure --disable-pthreads
4332 Jay Satiro (2 May 2018)
4333 - [David Garske brought this change]
4335 wolfssl: Fix non-blocking connect
4337 Closes https://github.com/curl/curl/pull/2542
4339 Daniel Stenberg (30 Apr 2018)
4340 - CURLOPT_URL.3: add ENCODING section [ci skip]
4342 Feedback-by: Michael Kilburn
4344 - KNOWN_BUGS: Client cert with Issuer DN differs between backends
4348 - KNOWN_BUGS: Passive transfer tries only one IP address
4352 - KNOWN_BUGS: --upload-file . hang if delay in STDIN
4356 - KNOWN_BUGS: Connection information when using TCP Fast Open
4360 - travis: enable libssh2 on both macos and Linux
4362 It seems to not be detected by default anymore (which is a bug I
4367 - TODO: Support the clienthello extension
4375 - tests: provide 'manual' as a feature to optionally require
4377 ... and make test 1026 rely on that feature so that --disable-manual
4378 builds don't cause test failures.
4380 Reported-by: Max Dymond and Anders Roxell
4384 - CURLINFO_PROTOCOL.3: mention the existing defined names
4386 Jay Satiro (27 Apr 2018)
4387 - [Daniel Gustafsson brought this change]
4389 cookies: remove unused macro
4391 Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
4392 so remove as it's not part of the published API.
4394 Closes https://github.com/curl/curl/pull/2537
4396 Daniel Stenberg (27 Apr 2018)
4397 - [Daniel Gustafsson brought this change]
4399 checksrc: force indentation of lines after an else
4401 This extends the INDENTATION case to also handle 'else' statements
4402 and require proper indentation on the following line. Also fixes the
4403 offending cases found in the codebase.
4407 - http2: fix null pointer dereference in http2_connisdead
4409 This function can get called on a connection that isn't setup enough to
4410 have the 'recv_underlying' function pointer initialized so it would try
4411 to call the NULL pointer.
4413 Reported-by: Dario Weisser
4415 Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
4418 - http2: get rid of another strstr()
4420 Follow-up to 1514c44655e12e: replace another strstr() call done on a
4421 buffer that might not be zero terminated - with a memchr() call, even if
4422 we know the substring will be found.
4424 Assisted-by: Max Dymond
4426 Detected by OSS-Fuzz
4427 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021
4431 - cyassl: adapt to libraries without TLS 1.0 support built-in
4433 WolfSSL doesn't enable it by default anymore
4435 - configure: provide --with-wolfssl as an alias for --with-cyassl
4437 - RELEASE-NOTES: synced
4439 - [Daniel Gustafsson brought this change]
4441 os400.c: fix ASSIGNWITHINCONDITION checksrc warnings
4443 All occurrences of assignment within conditional expression in
4444 os400sys.c rewritten into two steps: first assignment and then the check
4445 on the success of the assignment. Also adjust related incorrect brace
4446 positions to match project indentation style.
4448 This was spurred by seeing "if((inp = input_token))", but while in there
4449 all warnings were fixed.
4451 There should be no functional change from these changes.
4455 - [Daniel Gustafsson brought this change]
4457 cookies: ensure that we have cookies before writing jar
4459 The jar should be written iff there are cookies, so ensure that we still
4460 have cookies after expiration to avoid creating an empty file.
4464 - strcpy_url: only %-encode values >= 0x80
4468 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000
4470 Broke in dd7521bcc1b7
4472 - mime: avoid NULL pointer dereference risk
4474 Coverity detected, CID 1435120
4478 - [Stephan Mühlstrasser brought this change]
4480 ctype: restore character classification for non-ASCII platforms
4482 With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic
4483 character classification macros and functions were introduced in
4484 curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
4485 non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
4486 of character classification macros when CURL_DOES_CONVERSIONS is
4491 - ftplistparser: keep state between invokes
4493 Fixes FTP wildcard parsing when done over a number of read buffers.
4495 Regression from f786d1f14
4497 Reported-by: wncboy on github
4501 - examples/http2-upload: expand buffer to avoid silly warning
4503 http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated
4504 writing between 2 and 11 bytes into a region of size between 8 and 17
4506 - examples/sftpuploadresume: typecast fseek argument to long
4508 /docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long
4509 int' from 'curl_off_t {aka long long int}' may alter its value
4511 - Revert "ftplistparser: keep state between invokes"
4513 This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934.
4515 Caused fuzzer problems on travis not seen when this was a PR!
4517 - Curl_memchr: zero length input can't match
4519 Avoids undefined behavior.
4521 Reported-by: Geeknik Labs
4523 - ftplistparser: keep state between invokes
4525 Fixes FTP wildcard parsing when doing over a number of read buffers.
4527 Regression from f786d1f14
4529 Reported-by: wncboy on github
4533 - ftplistparser: renamed some members and variables
4535 ... to make them better spell out what they're for.
4537 - RELEASE-NOTES: synced
4539 - [Christian Schmitz brought this change]
4541 curl_global_sslset: always provide available backends
4545 - http2: convert an assert to run-time check
4547 Fuzzing has proven we can reach code in on_frame_recv with status_code
4548 not having been set, so let's detect that in run-time (instead of with
4549 assert) and error error accordingly.
4551 (This should no longer happen with the latest nghttp2)
4553 Detected by OSS-Fuzz
4554 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
4557 - curl.1: clarify that options and URLs can be mixed
4562 Jay Satiro (23 Apr 2018)
4563 - [Archangel_SDY brought this change]
4565 CURLOPT_SSLCERT.3: improve WinSSL-specific usage info
4567 Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780
4569 Closes https://github.com/curl/curl/pull/2504
4571 - [Archangel_SDY brought this change]
4573 schannel: fix build error on targets <= XP
4575 - Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
4578 Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668
4580 Closes https://github.com/curl/curl/pull/2504
4582 Daniel Stenberg (23 Apr 2018)
4583 - Revert "ftplistparser: keep state between invokes"
4585 This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9.
4587 Unfortunately this fix introduces memory leaks I've not been able to fix
4588 in several days. Reverting this for now to get the leaks fixed.
4590 Jay Satiro (21 Apr 2018)
4591 - tool_help: clarify --max-time unit of time is seconds
4594 -m, --max-time <time> Maximum time allowed for the transfer
4597 -m, --max-time <seconds> Maximum time allowed for the transfer
4599 Daniel Stenberg (20 Apr 2018)
4600 - http2: handle GOAWAY properly
4602 When receiving REFUSED_STREAM, mark the connection for close and retry
4603 streams accordingly on another/fresh connection.
4605 Reported-by: Terry Wu
4610 - http2: clear the "drain counter" when a stream is closed
4612 This fixes the notorious "httpc->drain_total >= data->state.drain"
4615 Reported-by: Anders Bakken
4620 - http2: avoid strstr() on data not zero terminated
4622 It's not strictly clear if the API contract allows us to call strstr()
4623 on a string that isn't zero terminated even when we know it will find
4624 the substring, and clang's ASAN check dislikes us for it.
4626 Also added a check of the return code in case it fails, even if I can't
4627 think of a situation how that can trigger.
4629 Detected by OSS-Fuzz
4631 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760
4633 - [Stephan Mühlstrasser brought this change]
4635 openssl: fix subjectAltName check on non-ASCII platforms
4637 Curl_cert_hostcheck operates with the host character set, therefore the
4638 ASCII subjectAltName string retrieved with OpenSSL must be converted to
4639 the host encoding before comparison.
4643 Jay Satiro (20 Apr 2018)
4644 - openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
4646 - Support handling verbose-mode trace messages of type
4647 SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
4648 SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
4649 SSL3_MT_MESSAGE_HASH
4651 Reported-by: iz8mbw@users.noreply.github.com
4653 Fixes https://github.com/curl/curl/issues/2403
4655 Daniel Stenberg (19 Apr 2018)
4656 - ftplistparser: keep state between invokes
4658 Regression from f786d1f14
4660 Reported-by: wncboy on github
4664 - detect_proxy: only show proxy use if it had contents
4666 - http2: handle on_begin_headers() called more than once
4668 This triggered an assert if called more than once in debug mode (and a
4669 memory leak if not debug build). With the right sequence of HTTP/2
4670 headers incoming it can happen.
4672 Detected by OSS-Fuzz
4675 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
4677 Jay Satiro (18 Apr 2018)
4678 - [Dan McNulty brought this change]
4680 schannel: add support for CURLOPT_CAINFO
4682 - Move verify_certificate functionality in schannel.c into a new
4683 file called schannel_verify.c. Additionally, some structure defintions
4684 from schannel.c have been moved to schannel.h to allow them to be
4685 used in schannel_verify.c.
4687 - Make verify_certificate functionality for Schannel available on
4688 all versions of Windows instead of just Windows CE. verify_certificate
4689 will be invoked on Windows CE or when the user specifies
4690 CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
4692 - In verify_certificate, create a custom certificate chain engine that
4693 exclusively trusts the certificate store backed by the CURLOPT_CAINFO
4696 - doc updates of --cacert/CAINFO support for schannel
4698 - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
4699 when available. This implements a TODO in schannel.c to improve
4700 handling of multiple SANs in a certificate. In particular, all SANs
4701 will now be searched instead of just the first name.
4703 - Update tool_operate.c to not search for the curl-ca-bundle.crt file
4704 when using Schannel to maintain backward compatibility. Previously,
4705 any curl-ca-bundle.crt file found in that search would have been
4706 ignored by Schannel. But, with CAINFO support, the file found by
4707 that search would have been used as the certificate store and
4708 could cause issues for any users that have curl-ca-bundle.crt in
4711 - Update url.c to not set the build time CURL_CA_BUNDLE if the selected
4712 SSL backend is Schannel. We allow setting CA location for schannel
4713 only when explicitly specified by the user via CURLOPT_CAINFO /
4716 - Add new test cases 3000 and 3001. These test cases check that the first
4717 and last SAN, respectively, matches the connection hostname. New test
4718 certificates have been added for these cases. For 3000, the certificate
4719 prefix is Server-localhost-firstSAN and for 3001, the certificate
4720 prefix is Server-localhost-secondSAN.
4722 - Remove TODO 15.2 (Add support for custom server certificate
4723 validation), this commit addresses it.
4725 Closes https://github.com/curl/curl/pull/1325
4727 - schannel: fix warning
4729 - Fix warning 'integer from pointer without a cast' on 3rd arg in
4730 CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
4731 type of the same size.
4733 Follow-up to e35b025.
4735 Caught by Marc's CI builds.
4737 - [Jakub Wilk brought this change]
4741 Closes https://github.com/curl/curl/pull/2503
4743 Daniel Stenberg (17 Apr 2018)
4744 - RELEASE-NOTES: synced
4746 Jay Satiro (17 Apr 2018)
4747 - [Kees Dekker brought this change]
4749 winbuild: Support custom devel paths for each dependency
4751 - Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
4752 OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
4753 NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
4755 - Use lib.exe for making the static library instead of link.exe /lib.
4756 The latter is undocumented and could cause problems as noted in the
4759 - Remove a dangling URL that no longer worked. (I was not able to find
4760 the IDN download at MSDN/microsoft.com, so it seems to be removed.)
4762 - Remove custom override for release-ssh2-ssl-dll-zlib configuration.
4763 Nobody knows why it was there and as far as we can see is unnecessary.
4765 Closes https://github.com/curl/curl/pull/2474
4767 Daniel Stenberg (17 Apr 2018)
4768 - [Jess brought this change]
4770 README.md: add backers and sponsors
4774 - [Archangel_SDY brought this change]
4776 schannel: add client certificate authentication
4778 Users can now specify a client certificate in system certificates store
4779 explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
4783 Marcel Raad (16 Apr 2018)
4784 - [toughengineer brought this change]
4786 ntlm_sspi: fix authentication using Credential Manager
4788 If you pass empty user/pass asking curl to use Windows Credential
4789 Storage (as stated in the docs) and it has valid credentials for the
4791 curl -v -u : --ntlm example.com
4792 currently authentication fails.
4793 This change fixes it by providing proper SPN string to the SSPI API
4796 Fixes https://github.com/curl/curl/issues/1622
4797 Closes https://github.com/curl/curl/pull/1660
4799 Daniel Stenberg (16 Apr 2018)
4800 - configure: keep LD_LIBRARY_PATH changes local
4802 ... only set it when we actually have to run tests to reduce its impact
4803 on for example build commands etc.
4808 Reported-by: Dmitry Mikhirev
4810 Marcel Raad (16 Apr 2018)
4811 - urldata: make service names unconditional
4813 The ifdefs have become quite long. Also, the condition for the
4814 definition of CURLOPT_SERVICE_NAME and for setting it from
4815 CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
4816 options for NTLM, at least when using SSPI, for
4817 https://github.com/curl/curl/pull/1660.
4818 Just make the definitions unconditional to make that easier.
4820 Closes https://github.com/curl/curl/pull/2479
4822 Daniel Stenberg (16 Apr 2018)
4823 - test1148: tolerate progress updates better
4828 - [Christian Schmitz brought this change]
4830 ssh: show libSSH2 error code when closing fails
4834 Jay Satiro (15 Apr 2018)
4835 - [Daniel Gustafsson brought this change]
4839 Address various spellings of "credentials".
4841 Closes https://github.com/curl/curl/pull/2496
4843 - [Dagobert Michelsen brought this change]
4845 system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
4847 With specific compiler options selecting the arch like -xarch=sparc on
4848 newer compilers like Oracle Studio 12.4 there is no definition of
4849 __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
4850 32ÎíÎñbit subset defined by the V8plus ISA specification, without the
4851 Visual Instruction Set (VIS), and without other implementation-specific
4852 ISA extensions. So it should be the same as __sparcv8.
4854 Closes https://github.com/curl/curl/pull/2491
4856 - [Daniel Gustafsson brought this change]
4860 Fix typo in "semicolon" spelling and remove stray tab character.
4862 Closes https://github.com/curl/curl/pull/2498
4864 - [Daniel Gustafsson brought this change]
4866 all: Refactor malloc+memset to use calloc
4868 When a zeroed out allocation is required, use calloc() rather than
4869 malloc() followed by an explicit memset(). The result will be the
4870 same, but using calloc() everywhere increases consistency in the
4871 codebase and avoids the risk of subtle bugs when code is injected
4872 between malloc and memset by accident.
4874 Closes https://github.com/curl/curl/pull/2497
4876 Daniel Stenberg (12 Apr 2018)
4877 - duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
4879 Verified in test 1502 now
4883 Reported-by: Ernst Sjöstrand
4885 - mailmap: add a monnerat fixup [ci skip]
4887 - proxy: show getenv proxy use in verbose output
4889 ... to aid debugging etc as it sometimes isn't immediately obvious why
4890 curl uses or doesn't use a proxy.
4896 - travis: build libpsl and make builds use it
4900 - travis: bump to clang 6 and gcc 7
4902 Extra-eye-on-this-by: Marcel Raad
4906 Marcel Raad (10 Apr 2018)
4907 - travis: use trusty for coverage build
4909 This works now and precise is in the process of being decommissioned.
4911 Closes https://github.com/curl/curl/pull/2476
4913 - lib: silence null-dereference warnings
4915 In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
4916 when dereferencing pointers after DEBUGASSERT-ing that they are not
4918 Fix this by removing the DEBUGASSERTs.
4920 Suggested-by: Daniel Stenberg
4921 Ref: https://github.com/curl/curl/pull/2463
4923 - [Kees Dekker brought this change]
4927 Follow up on https://github.com/curl/curl/pull/2472.
4928 Now using en-us instead of nl-nl as language code in the URL.
4930 Closes https://github.com/curl/curl/pull/2475
4932 Daniel Stenberg (9 Apr 2018)
4933 - [Kees Dekker brought this change]
4935 winbuild: updated the documentation
4937 The setenv command no longer exists and visual studio build prompts got
4938 changed. Used Visual Studio 2015/2017 as reference.
4942 - test1136: fix cookie order after commit c990eadd1277
4944 - build: cleanup to fix clang warnings/errors
4946 unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
4947 cast from integer to pointer is a GNU extension
4949 Reported-by: Rikard Falkeborn
4954 Jay Satiro (7 Apr 2018)
4955 - examples/sftpuploadresmue: Fix Windows large file seek
4957 - Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
4959 - Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
4962 Caught by Marc's CI builds.
4964 Daniel Stenberg (7 Apr 2018)
4965 - curl_setup: provide a CURL_SA_FAMILY_T type if none exists
4967 ... and use this type instead of 'sa_family_t' in the code since several
4968 platforms don't have it.
4972 - [Eric Gallager brought this change]
4974 build: add picky compiler warning flags for gcc 6 and 7
4976 - configure: detect sa_family_t
4978 Jay Satiro (7 Apr 2018)
4979 - [Stefan Agner brought this change]
4981 tool_operate: Fix retry on FTP 4xx to ignore other protocols
4983 Only treat response code as FTP response codes in case the
4984 protocol type is FTP.
4986 This fixes an issue where an HTTP download was treated as FTP
4987 in case libcurl returned with 33. This happens when the
4988 download has already finished and the server responses 416:
4989 HTTP/1.1 416 Requested Range Not Satisfiable
4991 This should not be treated as an FTP error.
4996 Daniel Stenberg (6 Apr 2018)
4997 - hash: calculate sizes with size_t instead of longs
4999 ... since they return size_t anyway!
5003 - RELEASE-NOTES: synced
5005 - [Jay Satiro brought this change]
5007 build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
5009 .. and do the same for build-wolfssl.bat.
5011 Because MS calls it VC14.1.
5013 Closes https://github.com/curl/curl/pull/2189
5015 - [Kees Dekker brought this change]
5017 winbuild: make the clean target work without build-type
5019 Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
5020 be invoked unless a build-type was specified. However, a clean target
5021 only existed when a build type was specified. As a result, the clean
5022 target was unreachable. Made clean target unconditional.
5026 - [patelvivekv1993 brought this change]
5028 build-openssl.bat: allow custom paths for VS and perl
5033 - [Laurie Clark-Michalek brought this change]
5035 FTP: allow PASV on IPv6 connections when a proxy is being used
5037 In the situation of a client connecting to an FTP server using an IPv6
5038 tunnel proxy, the connection info will indicate that the connection is
5039 IPv6. However, because the server behing the proxy is IPv4, it is
5040 permissable to attempt PSV mode. In the case of the FTP server being
5041 IPv4 only, EPSV will always fail, and with the current logic curl will
5042 be unable to connect to the server, as the IPv6 fwdproxy causes curl to
5043 think that EPSV is impossible.
5047 - [Jon DeVree brought this change]
5049 file: restore old behavior for file:////foo/bar URLs
5051 curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
5052 8089 but then returns an error saying this is unimplemented. This is
5053 actually a regression in behavior on both Windows and Unix.
5055 Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
5056 then passed to the relevant OS API. This means that the behavior of this
5057 case is actually OS dependent.
5059 The Unix path resolution rules say that the OS must handle swallowing
5060 the extra "/" and so this path is the same as "/foo/bar"
5062 The Windows path resolution rules say that this is a UNC path and
5063 automatically handles the SMB access for the program. So curl on Windows
5064 was already doing Appendix E.3.2 without any special code in curl.
5070 - [Gaurav Malhotra brought this change]
5072 Revert "openssl: Don't add verify locations when verifypeer==0"
5074 This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
5076 libcurl (with the OpenSSL backend) performs server certificate verification
5077 even if verifypeer == 0 and the verification result is available using
5078 CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
5079 CURLINFO_SSL_VERIFYRESULT to not have useful information for the
5080 verifypeer == 0 use case (it would always have
5081 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
5085 - [Wyatt O'Day brought this change]
5087 tls: fix mbedTLS 2.7.0 build + handle sha256 failures
5089 (mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)
5093 - [Lauri Kasanen brought this change]
5095 cookie: case-insensitive hashing for the domains
5099 Patrick Monnerat (4 Apr 2018)
5100 - cookie: fix and optimize 2nd top level domain name extraction
5102 This fixes a segfault occurring when a name of the (invalid) form "domain..tld"
5105 test46 updated to cover this case.
5107 Follow-up to commit c990ead.
5109 Ref: https://github.com/curl/curl/pull/2440
5111 Daniel Stenberg (4 Apr 2018)
5112 - openssl: provide defines for argument typecasts to build warning-free
5114 ... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
5116 - [Bernard Spil brought this change]
5118 openssl: fix build with LibreSSL 2.7
5120 - LibreSSL 2.7 implements (most of) OpenSSL 1.1 API
5126 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
5128 - [Lauri Kasanen brought this change]
5130 cookie: store cookies per top-level-domain-specific hash table
5132 This makes libcurl handle thousands of cookies much better and speedier.
5136 - [Lauri Kasanen brought this change]
5138 cookies: when reading from a file, only remove_expired once
5140 This drops the cookie load time for 8k cookies from 178ms to 15ms.
5144 - test1148: set a fixed locale for the test
5146 ...as otherwise it might use a different decimal sign.
5149 Reported-by: Oumph on github
5151 Jay Satiro (31 Mar 2018)
5152 - docs: fix CURLINFO_*_T examples use of CURL_FORMAT_CURL_OFF_T
5154 - Put a percent sign before each CURL_FORMAT_CURL_OFF_T in printf.
5156 For example "%" CURL_FORMAT_CURL_OFF_T becomes %lld or similar.
5158 Bug: https://curl.haxx.se/mail/lib-2018-03/0140.html
5159 Reported-by: David L.
5161 Sergei Nikulov (27 Mar 2018)
5162 - [Michał Janiszewski brought this change]
5164 cmake: Add advapi32 as explicit link library for win32
5166 ARM targets need advapi32 explicitly.
5170 Daniel Stenberg (27 Mar 2018)
5171 - TODO: connection cache sharing is now supporte
5173 Jay Satiro (26 Mar 2018)
5174 - travis: enable apt retry on fail
5176 This is a workaround for an unsolved travis issue that is causing CI
5177 instances to sporadically fail due to 'unable to connect' issues during
5180 Ref: https://github.com/travis-ci/travis-ci/issues/8507
5181 Ref: https://github.com/travis-ci/travis-ci/issues/9112#issuecomment-376305909
5183 Michael Kaufmann (26 Mar 2018)
5184 - runtests.pl: fix warning 'use of uninitialized value'
5186 follow-up to a9a7b60
5190 Daniel Stenberg (24 Mar 2018)
5191 - gitignore: ignore more generated files
5193 - threaded resolver: track resolver time and set suitable timeout values
5195 In order to make curl_multi_timeout() return suitable "sleep" times even
5196 when there's no socket to wait for while the name is being resolved in a
5199 It will increases the timeouts as time passes.
5203 - [Howard Chu brought this change]
5205 openldap: fix for NULL return from ldap_get_attribute_ber()
5209 GitHub (22 Mar 2018)
5210 - [Sergei Nikulov brought this change]
5212 travis-ci: enable -Werror for CMake builds (#2418)
5214 - [Sergei Nikulov brought this change]
5216 cmake: avoid warn-as-error during config checks (#2411)
5218 - Move the CURL_WERROR option processing after the configuration checks
5219 to avoid failures in case of warnings during the configuration checks.
5221 This is a partial fix for #2358
5223 - [Sergei Nikulov brought this change]
5225 timeval: remove compilation warning by casting (#2417)
5229 Daniel Stenberg (22 Mar 2018)
5230 - http2: read pending frames (including GOAWAY) in connection-check
5232 If a connection has received a GOAWAY frame while not being used, the
5233 function now reads frames off the connection before trying to reuse it
5234 to avoid reusing connections the server has told us not to use.
5236 Reported-by: Alex Baines
5240 - [Bas van Schaik brought this change]
5242 CI: add lgtm.yml for tweaking lgtm.com analysis
5246 - CURLINFO_SSL_VERIFYRESULT.3: fix the example, add some text
5248 Reported-by: Michal Trybus
5252 - TODO: expand ~/ in config files
5256 - cookie.d: mention that "-" as filename means stdin
5258 Reported-by: Dongliang Mu
5261 - CURLINFO_COOKIELIST.3: made the example not leak memory
5263 Reported-by: Muz Dima
5265 - vauth/cleartext: fix integer overflow check
5267 Make the integer overflow check not rely on the undefined behavior that
5268 a size_t wraps around on overflow.
5270 Detected by lgtm.com
5273 - lib/curl_path.h: add #ifdef header guard
5275 Detected by lgtm.com
5277 - vauth/ntlm.h: fix the #ifdef header guard
5279 Detected by lgtm.com
5281 Jay Satiro (20 Mar 2018)
5282 - examples/hiperfifo: checksrc compliance
5284 Daniel Stenberg (19 Mar 2018)
5285 - [Nikos Tsipinakis brought this change]
5287 parsedate: support UT timezone
5289 RFC822 section 5.2 mentions Universal Time, 'UT', to be synonymous with
5294 - RELEASE-NOTES: synced
5296 - [Don brought this change]
5298 cmake: add support for brotli
5300 Currently CMake cannot detect Brotli support. This adds detection of the
5301 libraries and associated header files. It also adds this to the
5306 - [Chris Araman brought this change]
5308 darwinssl: fix iOS build
5310 Patrick Monnerat (18 Mar 2018)
5311 - ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES
5313 Daniel Stenberg (17 Mar 2018)
5314 - [Rick Deist brought this change]
5316 resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES
5318 This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request
5319 shuffling of IP addresses returned for a hostname when there is more
5320 than one. This is useful when the application knows that a round robin
5321 approach is appropriate and is willing to accept the consequences of
5322 potentially discarding some preference order returned by the system's
5327 - add_handle/easy_perform: clear errorbuffer on start if set
5329 To offer applications a more defined behavior, we clear the buffer as
5332 Assisted-by: Jay Satiro
5337 - [Lawrence Matthews brought this change]
5339 CURLOPT_HAPROXYPROTOCOL: support the HAProxy PROXY protocol
5341 Add --haproxy-protocol for the command line tool
5345 - curl_version_info.3: fix ssl_version description
5347 Reported-by: Vincas Razma
5350 - multi: improved pending transfers handling => improved performance
5352 When a transfer is requested to get done and it is put in the pending
5353 queue when limited by number of connections, total or per-host, libcurl
5354 would previously very aggressively retry *ALL* pending transfers to get
5355 them transferring. That was very time consuming.
5357 By reducing the aggressiveness in how pending are being retried, we
5358 waste MUCH less time on putting transfers back into pending again.
5360 Some test cases got a factor 30(!) speed improvement with this change.
5362 Reported-by: Cyril B
5366 - pause: when changing pause state, update socket state
5368 Especially unpausing a transfer might have to move the socket back to the
5369 "currently used sockets" hash to get monitored. Otherwise it would never get
5370 any more data and get stuck. Easily triggered with pausing using the
5373 Reported-by: Philip Prindeville
5374 Bug: https://curl.haxx.se/mail/lib-2018-03/0048.html
5378 - [Philip Prindeville brought this change]
5380 examples/hiperfifo.c: improved
5382 * use member struct event’s instead of pointers to alloc’d struct
5385 * simplify the cases for the mcode_or_die() function via macros;
5387 * make multi_timer_cb() actually do what the block comment says it
5390 * accept a “stop” command on the FIFO to shut down the service;
5392 * use cleaner notation for unused variables than the (void) hack;
5394 * allow following redirections (304’s);
5396 - rate-limit: use three second window to better handle high speeds
5398 Due to very frequent updates of the rate limit "window", it could
5399 attempt to rate limit within the same milliseconds and that then made
5400 the calculations wrong, leading to it not behaving correctly on very
5403 This new logic updates the rate limit "window" to be no shorter than the
5404 last three seconds and only updating the timestamps for this when
5405 switching between the states TOOFAST/PERFORM.
5411 - [luz.paz brought this change]
5413 cleanup: misc typos in strings and comments
5415 Found via `codespell`
5419 - RELEASE-NOTES: toward 7.60.0
5421 - [Kobi Gurkan brought this change]
5427 - user-agent.d:: mention --proxy-header as well
5429 Bug: https://github.com/curl/curl/issues/2381
5431 - transfer: make HTTP without headers count correct body size
5433 This is what "HTTP/0.9" basically looks like.
5439 - test1208: marked flaky
5441 It fails somewhere between every 3rd to 10th travis-CI run
5443 - SECURITY-PROCESS: mention how we write/add advisories
5445 - [dasimx brought this change]
5447 FTP: fix typo in recursive callback detection for seeking
5451 Version 7.59.0 (13 Mar 2018)
5453 Daniel Stenberg (13 Mar 2018)
5456 Kamil Dudka (13 Mar 2018)
5457 - tests/.../spnego.py: fix identifier typo
5459 Detected by Coverity Analysis:
5461 Error: IDENTIFIER_TYPO:
5462 curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: identifier_typo: Using "SuportedMech" appears to be a typo:
5463 * Identifier "SuportedMech" is only known to be referenced here, or in copies of this code.
5464 * Identifier "SupportedMech" is referenced elsewhere at least 4 times.
5465 curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2651: identifier_use: Example 1: Using identifier "SupportedMech".
5466 curl-7.58.0/tests/python_dependencies/impacket/smbserver.py:2308: identifier_use: Example 2: Using identifier "SupportedMech".
5467 curl-7.58.0/tests/python_dependencies/impacket/spnego.py:252: identifier_use: Example 3: Using identifier "SupportedMech" (2 total uses in this function).
5468 curl-7.58.0/tests/python_dependencies/impacket/spnego.py:229: remediation: Should identifier "SuportedMech" be replaced by "SupportedMech"?
5472 Daniel Stenberg (13 Mar 2018)
5473 - CURLOPT_COOKIEFILE.3: "-" as file name means stdin
5475 Reported-by: Aron Bergman
5476 Bug: https://curl.haxx.se/mail/lib-2018-03/0049.html
5480 - Revert "hostip: fix compiler warning: 'variable set but not used'"
5482 This reverts commit a577059f92fc65bd6b81717f0737f897a5b34248.
5484 The assignment really needs to be there or we risk working with an
5485 uninitialized pointer.
5487 Michael Kaufmann (12 Mar 2018)
5488 - limit-rate: fix compiler warning
5490 follow-up to 72a0f62
5492 Viktor Szakats (12 Mar 2018)
5493 - checksrc.pl: add -i and -m options
5495 To sync it with changes made for the libssh2 project.
5496 Also cleanup some whitespace.
5498 - curl-openssl.m4: fix spelling [ci skip]
5500 - FAQ: fix a broken URL [ci skip]
5502 Daniel Stenberg (12 Mar 2018)
5503 - http2: mark the connection for close on GOAWAY
5505 ... don't consider it an error!
5507 Assisted-by: Jay Satiro
5508 Reported-by: Łukasz Domeradzki
5512 - credits: Viktor prefers without accent
5514 - openldap: white space changes, fixed up the copyright years
5516 - openldap: check ldap_get_attribute_ber() results for NULL before using
5519 Reported-by: Dario Weisser
5520 Bug: https://curl.haxx.se/docs/adv_2018-97a2.html
5522 - FTP: reject path components with control codes
5524 Refuse to operate when given path components featuring byte values lower
5527 Previously, inserting a %00 sequence early in the directory part when
5528 using the 'singlecwd' ftp method could make curl write a zero byte
5529 outside of the allocated buffer.
5531 Test case 340 verifies.
5534 Reported-by: Duy Phan Thanh
5535 Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
5537 - readwrite: make sure excess reads don't go beyond buffer end
5540 Bug: https://curl.haxx.se/docs/adv_2018-b047.html
5542 Detected by OSS-fuzz
5544 - BUGS: updated link to security process
5546 - limit-rate: kick in even before "limit" data has been received
5548 ... and make sure to avoid integer overflows with really large values.
5554 - docs/SECURITY.md -> docs/SECURITY-PROCESS.md
5556 - SECURITY.md: call it the security process
5558 Michael Kaufmann (11 Mar 2018)
5559 - Curl_range: fix FTP-only and FILE-only builds
5561 follow-up to e04417d
5563 - hostip: fix compiler warning: 'variable set but not used'
5565 Daniel Stenberg (11 Mar 2018)
5566 - HTTP: allow "header;" to replace an internal header with a blank one
5568 Reported-by: Michael Kaufmann
5572 - http2: verbose output new MAX_CONCURRENT_STREAMS values
5574 ... as it is interesting for many users.
5576 - SECURITY: distros' max embargo time is 14 days now
5578 Patrick Monnerat (8 Mar 2018)
5579 - curl tool: accept --compressed also if Brotli is enabled and zlib is not.
5581 Daniel Stenberg (5 Mar 2018)
5582 - THANKS + mailmap: remove duplicates, fixup full names
5584 - [sergii.kavunenko brought this change]
5586 WolfSSL: adding TLSv1.3
5590 - RELEASE-NOTES/THANKS: synced with cc1d4c505
5592 - [Richard Alcock brought this change]
5594 winbuild: prefer documented zlib library names
5596 Check for existence of import and static libraries with documented names
5597 and use them if they do. Fallback to previous names.
5600 https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
5601 Windows, the names of the import library is "zdll.lib" and static
5602 library is "zlib.lib".
5606 Marcel Raad (4 Mar 2018)
5607 - krb5: use nondeprecated functions
5609 gss_seal/gss_unseal have been deprecated in favor of
5610 gss_wrap/gss_unwrap with GSS-API v2 from January 1997 [1]. The first
5611 version of "The Kerberos Version 5 GSS-API Mechanism" [2] from June
5612 1996 already says "GSS_Wrap() (formerly GSS_Seal())" and
5613 "GSS_Unwrap() (formerly GSS_Unseal())".
5615 Use the nondeprecated functions to avoid deprecation warnings.
5617 [1] https://tools.ietf.org/html/rfc2078
5618 [2] https://tools.ietf.org/html/rfc1964
5620 Closes https://github.com/curl/curl/pull/2356
5622 Daniel Stenberg (4 Mar 2018)
5623 - curl.1: mention how to add numerical IP addresses in NO_PROXY
5625 - CURLOPT_NOPROXY.3: mention how to list numerical IPv6 addresses
5627 - NO_PROXY: fix for IPv6 numericals in the URL
5629 Added test 1265 that verifies.
5631 Reported-by: steelman on github
5635 - build: get CFLAGS (including -werror) used for examples and tests
5637 ... so that the CI and more detects compiler warnings/errors properly!
5641 Marcel Raad (3 Mar 2018)
5642 - curl_ctype: fix macro redefinition warnings
5644 On MinGW and Cygwin, GCC and clang have been complaining about macro
5645 redefinitions since 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2. Fix this
5646 by undefining the macros before redefining them as suggested in
5647 https://github.com/curl/curl/pull/2269.
5649 Suggested-by: Daniel Stenberg
5651 Dan Fandrich (2 Mar 2018)
5652 - unit1307: proper cleanup on OOM to fix torture tests
5654 Marcel Raad (28 Feb 2018)
5655 - unit1309: fix warning on Windows x64
5657 When targeting x64, MinGW-w64 complains about conversions between
5658 32-bit long and 64-bit pointers. Fix this by reusing the
5659 GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
5660 from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
5661 CURLX_INTEGER_TO_POINTER_CAST.
5663 Closes https://github.com/curl/curl/pull/2341
5665 - travis: update compiler versions
5667 Update clang to version 3.9 and GCC to version 6.
5669 Closes https://github.com/curl/curl/pull/2345
5671 Daniel Stenberg (26 Feb 2018)
5672 - docs/MANUAL: formfind.pl is not accessible on the site anymore
5676 Jay Satiro (24 Feb 2018)
5677 - curl-openssl.m4: Fix version check for OpenSSL 1.1.1
5679 - Add OpenSSL 1.1.1 to the header/library version lists.
5681 - Detect OpenSSL 1.1.1 library using its function ERR_clear_last_mark,
5682 which was added in that version.
5684 Prior to this change an erroneous header/library mismatch was caused by
5685 lack of OpenSSL 1.1.1 detection. I tested using openssl-1.1.1-pre1.
5687 Viktor Szakats (23 Feb 2018)
5688 - lib655: silence compiler warning
5690 Closes https://github.com/curl/curl/pull/2335
5694 Detected using the `codespell` tool.
5696 Also contains one URL protocol upgrade.
5698 Closes https://github.com/curl/curl/pull/2334
5700 Daniel Stenberg (24 Feb 2018)
5701 - projects/README: remove reference to dead IDN link/package
5703 Reported-by: Stefan Kanthak and Rod Widdowson
5707 Jay Satiro (23 Feb 2018)
5708 - [Rod Widdowson brought this change]
5710 winbuild: Use macros for the names of some build utilities
5712 - Add macros to the top of the makefile for rc and mt utilities so that
5713 it is easier to change their locations.
5715 Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
5716 Reported-by: Stefan Kanthak
5718 Closes https://github.com/curl/curl/issues/2329
5720 Daniel Stenberg (23 Feb 2018)
5721 - TODO: remove "sha-256 digest", added in 2b5b37cb9109e7c2
5723 - curl_share_setopt.3: connection cache is shared within multi handles
5725 Jay Satiro (22 Feb 2018)
5726 - [Rod Widdowson brought this change]
5728 winbuild: Use CALL to run batch scripts
5730 Co-authored-by: Stefan Kanthak
5732 Closes https://github.com/curl/curl/issues/2330
5733 Closes https://github.com/curl/curl/pull/2331
5735 Patrick Monnerat (22 Feb 2018)
5736 - os400: add curl_resolver_start_callback type to ILE/RPG binding
5738 Daniel Stenberg (22 Feb 2018)
5739 - form.d: rephrased somewhat, added two example command lines
5741 Jay Satiro (21 Feb 2018)
5742 - [Francisco Sedano brought this change]
5744 url: Add option CURLOPT_RESOLVER_START_FUNCTION
5746 - Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
5747 will be called every time before a new resolve request is started
5748 (ie before a host is resolved) with a pointer to backend-specific
5749 resolver data. Currently this is only useful for ares.
5751 - Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
5752 pass to the resolver start callback.
5754 Closes https://github.com/curl/curl/pull/2311
5756 - lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
5758 - In keeping with the naming of our other connect timeout options rename
5759 CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.
5761 This change adds the _MS suffix since the option expects milliseconds.
5762 This is more intuitive for our users since other connect timeout options
5763 that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
5764 CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.
5766 The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.
5768 Follow-up to 2427d94 which added the lib and tool option yesterday.
5770 Ref: https://github.com/curl/curl/pull/2260
5772 Patrick Monnerat (21 Feb 2018)
5773 - sasl: prefer PLAIN mechanism over LOGIN
5775 SASL PLAIN is a standard, LOGIN only a draft. The LOGIN draft says
5776 PLAIN should be used instead if available.
5778 Daniel Stenberg (21 Feb 2018)
5779 - RELEASE-NOTES: synced with 2427d94c6
5781 Jay Satiro (20 Feb 2018)
5782 - [Anders Bakken brought this change]
5784 url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
5786 - Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
5787 eyeball timeout value.
5789 - Add new optval macro CURL_HET_DEFAULT to represent the default happy
5790 eyeballs timeout value (currently 200 ms).
5792 - Add new tool option --happy-eyeballs-timeout-ms to expose
5793 CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
5794 other -timeout options in the tool expect seconds not milliseconds.
5796 Closes https://github.com/curl/curl/pull/2260
5798 - hostip: fix 'potentially uninitialized variable' warning
5800 Follow-up to 50d1b33.
5804 Daniel Stenberg (20 Feb 2018)
5805 - TODO: warning if curl version is not in sync with libcurl version
5807 Jay Satiro (20 Feb 2018)
5808 - [Anders Bakken brought this change]
5810 CURLOPT_RESOLVE: Add support for multiple IP addresses per entry
5812 This enables users to preresolve but still take advantage of happy
5813 eyeballs and trying multiple addresses if some are not connecting.
5815 Ref: https://github.com/curl/curl/pull/2260
5817 Daniel Stenberg (20 Feb 2018)
5818 - [Sergio Borghese brought this change]
5820 examples/sftpuploadresume: resume upload via CURLOPT_APPEND
5822 URL: https://curl.haxx.se/mail/lib-2018-02/0072.html
5824 - curl --version: show PSL if the run-time lib has it enabled
5826 ... not of the #define was set at build-time!
5828 - TODO: "Support in-memory certs/ca certs/keys"
5830 removed SSLKEYLOGFILE support (fixed)
5832 removed "consider SSL patches" (outdated)
5836 - CURLOPT_HEADER.3: clarify problems with different data sizes
5838 - test1556: verify >16KB headers to the header callback
5840 - header callback: don't chop headers into smaller pieces
5842 Reported-by: Guido Berhoerster
5846 - test1154: verify that long HTTP headers get rejected
5848 - http: fix the max header length detection logic
5850 Previously, it would only check for max length if the existing alloc
5851 buffer was to small to fit it, which often would make the header still
5854 Reported-by: Guido Berhoerster
5855 Bug: https://curl.haxx.se/mail/lib-2018-02/0056.html
5859 - CURLOPT_HEADERFUNCTION.3: fix typo from d939226813
5861 Reported-by: Erik Johansson
5862 Bug: https://github.com/curl/curl/commit/d9392268131c1b8d18dec3fa30e0bded833a5db7#commitcomment-27607495
5864 - CURLOPT_HEADERFUNCTION.3: mention folded headers
5866 - TODO: 1.1 Option to refuse usernames in URLs
5868 Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
5870 - TODO: 1.7 Support HTTP/2 for HTTP(S) proxies
5872 - ssh: add two missing state names
5874 The list of state names (used in debug builds) was out of sync in
5875 relation to the list of states (used in all builds).
5877 I now added an assert to make sure the sizes of the two lists match, to
5878 aid in detecting this mistake better in the future.
5880 Regression since c92d2e14cf, shipped in 7.58.0.
5882 Reported-by: Somnath Kundu
5887 - Revert "KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy"
5889 This reverts commit de9fac00c40db321d44fa6fbab6eb62ec4c83998.
5891 Reported-by: Jay Satiro
5893 Jay Satiro (15 Feb 2018)
5894 - non-ascii: fix implicit declaration warning
5896 Follow-up to b46cfbc.
5898 Caught by Travis CI.
5900 Daniel Stenberg (15 Feb 2018)
5901 - travis: add build with iconv enabled
5903 ... to verify it builds and works fine.
5905 Ref: https://curl.haxx.se/mail/lib-2017-09/0031.html
5909 - TODO: 18.18 retry on network is unreachable
5913 - KNOWN_BUGS: 2.5 curl should not offer "ALPN: h2" when using https-proxy
5917 Kamil Dudka (15 Feb 2018)
5918 - nss: use PK11_CreateManagedGenericObject() if available
5920 ... so that the memory allocated by applications using libcurl does not
5921 grow per each TLS connection.
5923 Bug: https://bugzilla.redhat.com/1510247
5927 Daniel Stenberg (15 Feb 2018)
5928 - [Björn Stenberg brought this change]
5930 TODO fixed: Detect when called from within callbacks
5934 - BINDINGS: fix curb link (and remove ruby-curl-multi)
5936 Reported-by: Klaus Stein
5938 - curl_gssapi: make sure this file too uses our *printf()
5940 - libcurl-security.3: separate file:// section
5942 ... just to make it more apparent. Even if it repeats
5943 some pieces of information.
5945 - libcurl-security.3: the http://192.168.0.1/my_router_config case
5947 Mentioned-By: Rich Moore
5949 - libcurl-security.3: mention the URL standards problems too
5951 - libcurl-security.3: split out from libcurl-tutorial.3
5953 To make more accessible.
5955 Merged in some new language from "URLs are dangerous things" as discussed on
5956 the mailing list a few days ago:
5958 Bug: https://curl.haxx.se/mail/lib-2018-02/0013.html
5960 - RELEASE-NOTES: synced with e551910f8
5962 Patrick Monnerat (13 Feb 2018)
5963 - tests: new tests for http raw mode
5965 Test 319 checks proper raw mode data with non-chunked gzip
5966 transfer-encoded server data.
5967 Test 326 checks raw mode with chunked server data.
5972 Kamil Dudka (12 Feb 2018)
5973 - tlsauthtype.d: works only if libcurl is built with TLS-SRP support
5975 Bug: https://bugzilla.redhat.com/1542256
5979 Patrick Monnerat (12 Feb 2018)
5980 - smtp: fix processing of initial dot in data
5982 RFC 5321 4.1.1.4 specifies the CRLF terminating the DATA command
5983 should be taken into account when chasing the <CRLF>.<CRLF> end marker.
5984 Thus a leading dot character in data is also subject to escaping.
5986 Tests 911 and test server are adapted to this situation.
5987 New tests 951 and 952 check proper handling of initial dot in data.
5991 Daniel Stenberg (12 Feb 2018)
5992 - sha256: avoid redefine
5994 - [Douglas Mencken brought this change]
5996 sha256: build with OpenSSL < 0.9.8 too
5998 support for SHA-2 was introduced in OpenSSL 0.9.8
6002 - [Bruno Grasselli brought this change]
6004 README: language fix
6010 Patrick Monnerat (12 Feb 2018)
6011 - http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on
6014 Reported-By: Henry Roeland
6016 Daniel Stenberg (9 Feb 2018)
6017 - get_posix_time: only check for overflows if they can happen!
6019 Michael Kaufmann (9 Feb 2018)
6020 - schannel: fix "no previous prototype" compiler warning
6022 Jay Satiro (9 Feb 2018)
6023 - [Mohammad AlSaleh brought this change]
6025 content_encoding: Add "none" alias to "identity"
6027 Some servers return a "content-encoding" header with a non-standard
6030 Add "none" as an alias to "identity" as a work-around, to avoid
6031 unrecognised content encoding type errors.
6033 Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
6035 Closes https://github.com/curl/curl/pull/2298
6037 Steve Holme (8 Feb 2018)
6038 - build-openssl.bat: Follow up to 648679ab8e to suppress copy/move output
6040 - build-openssl.bat: Fixed incorrect move if destination build folder exists
6042 Michael Kaufmann (8 Feb 2018)
6043 - schannel: fix compiler warnings
6047 Steve Holme (7 Feb 2018)
6048 - curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows
6050 Windows 10.0.17061 SDK introduces support for Unix Domain Sockets.
6051 Added the necessary include file to curl_addrinfo.c.
6053 Note: The SDK (which is considered beta) has to be installed, VS 2017
6054 project file has to be re-targeted for Windows 10.0.17061 and #define
6055 enabled in config-win32.h.
6057 Patrick Monnerat (7 Feb 2018)
6058 - fnmatch: optimize processing of consecutive *s and ?s pattern characters
6060 Reported-By: Daniel Stenberg
6064 Steve Holme (6 Feb 2018)
6065 - build-openssl.bat/build-wolfssl.bat: Build platform is optional
6067 Whilst the compiler parameter is mandatory, platform is optional as it
6068 is automatically calculated by the :configure section.
6070 This partially reverts commit 6d62d2c55d.
6072 Daniel Stenberg (6 Feb 2018)
6073 - [Patrick Schlangen brought this change]
6075 openssl: Don't add verify locations when verifypeer==0
6077 When peer verification is disabled, calling
6078 SSL_CTX_load_verify_locations is not necessary. Only call it when
6079 verification is enabled to save resources and increase performance.
6083 Steve Holme (5 Feb 2018)
6084 - build-wolfssl.bat: Extend VC15 support to include Enterprise and Professional
6086 ...and not just the Community Edition.
6088 - build-openssl.bat: Extend VC15 support to include Enterprise and Professional
6090 ...and not just the Community Edition.
6092 Michael Kaufmann (5 Feb 2018)
6093 - time-cond: fix reading the file modification time on Windows
6095 On Windows, stat() may adjust the unix file time by a daylight saving time
6096 offset. Avoid this by calling GetFileTime() instead.
6101 Daniel Stenberg (5 Feb 2018)
6102 - formdata: use the mime-content type function
6104 Reduce code duplication by making Curl_mime_contenttype available and
6105 used by the formdata function. This also makes the formdata function
6106 recognize a set of more file extensions by default.
6108 PR #2280 brought this to my attention.
6112 - getdate: return -1 for out of range
6114 ...as that's how the function is documented to work.
6116 Reported-by: Michael Kaufmann
6117 Bug found in an autobuild with 32 bit time_t
6121 - [Ben Greear brought this change]
6123 build: fix termios issue on android cross-compile
6125 Bug: https://curl.haxx.se/mail/lib-2018-01/0122.html
6126 Signed-off-by: Ben Greear <greearb@candelatech.com>
6128 - time_t-fixes: remove typecasts to 'long' for info.filetime
6132 Reported-by: Michael Kaufmann
6136 - curl_setup: move the precautionary define of SIZEOF_TIME_T
6138 ... up to before it may be used for the TIME_T_MAX/MIN logic.
6140 Reported-by: Michael Kaufmann
6142 - parsedate: s/#if/#ifdef
6144 Reported-by: Michael Kaufmann
6145 Bug: https://github.com/curl/curl/commit/1c39128d974666107fc6d9ea15f294036851f224#commitcomment-27246479
6147 Patrick Monnerat (31 Jan 2018)
6148 - fnmatch: pattern syntax can no longer fail
6150 Whenever an expected pattern syntax rule cannot be matched, the
6151 character starting the rule loses its special meaning and the parsing
6153 - backslash at the end of pattern string matches itself.
6154 - Error in [:keyword:] results in set containing :\[dekorwy.
6156 Unit test 1307 updated for this new situation.
6160 - fnmatch: accept an alphanum to be followed by a non-alphanum in char set
6162 Also be more tolerant about set pattern syntax.
6163 Update unit test 1307 accordingly.
6165 Bug: https://curl.haxx.se/mail/lib-2018-01/0114.html
6167 - fnmatch: do not match the empty string with a character set
6169 Jay Satiro (30 Jan 2018)
6170 - build: fix windows build methods for curl_ctype.c
6172 - Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
6173 curlx files since they are required by both src and lib.
6175 Follow-up to 4272a0b which added curl_ctype.
6177 Daniel Stenberg (30 Jan 2018)
6178 - progress-bar.d: update to match implementation
6180 ... since commit 993dd5651a6
6182 Reported-by: Martin Dreher
6183 Bug: https://github.com/curl/curl/pull/2242#issuecomment-361059228
6187 - http2: set DEBUG_HTTP2 to enable more HTTP/2 logging
6189 ... instead of doing it unconditionally in debug builds. It cluttered up
6190 the output a little too much.
6192 - [Max Dymond brought this change]
6194 file: Check the return code from Curl_range and bail out on error
6196 - [Max Dymond brought this change]
6198 Curl_range: add check to ensure "from <= to"
6200 - [Max Dymond brought this change]
6202 Curl_range: commonize FTP and FILE range handling
6206 - RELEASE-NOTES: synced with 811beab9f
6208 - curlver: next release will be 7.59.0
6210 - [Michał Janiszewski brought this change]
6212 curl/curl.h: fix comment typo for CURLOPT_DNS_LOCAL_IP6
6216 - time: support > year 2038 time stamps for system with 32bit long
6218 ... with the introduction of CURLOPT_TIMEVALUE_LARGE and
6219 CURLINFO_FILETIME_T.
6224 - curl_easy_reset: clear digest auth state
6226 Bug: https://curl.haxx.se/mail/lib-2018-01/0074.html
6227 Reported-by: Ruurd Beerstra
6231 - [Adam Marcionek brought this change]
6233 winbuild: make linker generate proper PDB
6235 Link.exe requires /DEBUG to properly generate a full pdb file on release
6240 - curl: add --proxy-pinnedpubkey
6242 To verify a proxy's public key. For when using HTTPS proxies.
6247 - configure: set PATH_SEPARATOR to colon for PATH w/o separator
6249 The logic tries to figure out what the path separator in the $PATH
6250 variable is, but if there's only one directory in the $PATH it
6251 fails. This change make configure *guess* on colon instead of erroring
6252 out, simply because that is probably the more common character.
6254 PATH_SEPARATOR can always be set by the user to override the guessing.
6256 (tricky bug to reproduce, as in my case for example the configure script
6257 requires binaries in more than one directory so passing in a PATH with a
6260 Reported-by: Earnestly on github
6264 - curl_ctype: private is*() type macros and functions
6266 ... since the libc provided one are locale dependent in a way we don't
6267 want. Also, the "native" isalnum() (for example) works differently on
6268 different platforms which caused test 1307 failures on macos only.
6272 Marcel Raad (29 Jan 2018)
6273 - build: open VC15 projects with VS 2017
6275 Previously, they were opened with Visual Studio 2015 by default, which
6278 Daniel Stenberg (29 Jan 2018)
6279 - RELEASE-NOTES: synced with 094647fca
6281 - TODO: UTF-8 filenames in Content-Disposition
6285 - KNOWN_BUGS: DICT responses show the underlying protocol
6289 Jay Satiro (27 Jan 2018)
6290 - [Alessandro Ghedini brought this change]
6292 docs: fix typos in man pages
6294 Closes https://github.com/curl/curl/pull/2266
6296 Patrick Monnerat (26 Jan 2018)
6297 - lib555: drop text conversion and encode data as ascii codes
6299 If CURL_DOES_CONVERSION is enabled, uploaded LFs are mapped to CRLFs,
6300 giving a result that is different from what is expected.
6301 This commit avoids using CURLOPT_TRANSFERTEXT and directly encodes data
6304 Bug: https://github.com/curl/curl/pull/1872
6306 Daniel Stenberg (26 Jan 2018)
6307 - lib517: make variable static to avoid compiler warning
6309 ... with clang on macos
6311 Patrick Monnerat (26 Jan 2018)
6312 - lib544: sync ascii code data with textual data
6314 Data mismatch caused test 545 to fail when character encoding
6315 conversion is enabled.
6317 Bug: https://github.com/curl/curl/pull/1872
6319 Daniel Stenberg (25 Jan 2018)
6320 - [Travis Burtrum brought this change]
6322 GSKit: restore pinnedpubkey functionality
6324 inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37
6328 - [Dair Grant brought this change]
6330 darwinssl: Don't import client certificates into Keychain on macOS
6334 - configure: fix the check for unsigned time_t
6336 Assign the time_t variable negative value and then check if it is
6337 greater than zero, which will evaluate true for unsigned time_t but
6338 false for signed time_t.
6340 - parsedate: fix date parsing for systems with 32 bit long
6342 Make curl_getdate() handle dates before 1970 as well (returning negative
6345 Make test 517 test dates for 64 bit time_t.
6347 This fixes bug (3) mentioned in #2238
6351 - [McDonough, Tim brought this change]
6353 openssl: fix pinned public key build error in FIPS mode
6355 Here is a version that should work with all versions of openssl 0.9.7
6359 https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
6360 https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html
6362 At the very bottom of the 1.1.0 documentation there is a history section
6363 that states, " stack allocated EVP_MD_CTXs are no longer supported."
6365 If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
6366 simple mapping can be used as described here:
6367 https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes
6371 - [Travis Burtrum brought this change]
6373 SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum
6375 - [Travis Burtrum brought this change]
6377 SChannel/WinSSL: Implement public key pinning
6381 - bump: towards 7.58.1
6383 - cookies: remove verbose "cookie size:" output
6385 It was once used for some debugging/verifying logic but should never have
6388 - TODO: hardcode the "localhost" addresses
6390 - TODO: CURL_REFUSE_CLEARTEXT
6392 An idea that popped up in discussions on twitter.
6394 - progress-bar: don't use stderr explicitly, use bar->out
6396 Reported-By: Gisle Vanem
6397 Bug: https://github.com/curl/curl/commit/993dd5651a6c853bfe3870f6a69c7b329fa4e8ce#commitcomment-27070080
6399 GitHub (24 Jan 2018)
6400 - [Gisle Vanem brought this change]
6402 Fixes for MSDOS etc.
6404 djgpp do have 'mkdir(dir, mode)'. Other DOS-compilers does not
6405 But djgpp seems the only choice for MSDOS anyway.
6407 PellesC do have a 'F_OK' defined in it's <unistd.h>.
6409 Update year in Copyright.
6411 - [Gisle Vanem brought this change]
6415 Version 7.58.0 (23 Jan 2018)
6417 Daniel Stenberg (23 Jan 2018)
6420 - [Gisle Vanem brought this change]
6422 progress-bar: get screen width on windows
6424 - test1454: --connect-to with IPv6 address w/o IPv6 support!
6426 - CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support
6428 Bug: https://curl.haxx.se/mail/lib-2018-01/0087.html
6429 Reported-by: John Hascall
6433 - docs: fix man page syntax to make test 1140 OK again
6435 - http: prevent custom Authorization headers in redirects
6437 ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
6438 curl already handles Authorization headers created internally.
6440 Note: this changes behavior slightly, for the sake of reducing mistakes.
6442 Added test 317 and 318 to verify.
6444 Reported-by: Craig de Stigter
6445 Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
6447 - curl: progress bar refresh, get width using ioctl()
6449 Get screen width from the environment variable COLUMNS first, if set. If
6450 not, use ioctl(). If nether works, assume 79.
6454 The "refresh" is for the -# output when no total transfer size is
6455 known. It will now only use a single updated line even for this case:
6457 The "-=O=-" ship moves when data is transferred. The four flying
6458 "hashes" move (on a sine wave) on each refresh, independent of data.
6460 - RELEASE-NOTES: synced with bb0ffcc36
6462 - libcurl-env.3: first take
6464 - TODO: two possible name resolver improvements
6466 - [Kartik Mahajan brought this change]
6468 http2: don't close connection when single transfer is stopped
6473 - test558: fix for multissl builds
6475 vtls.c:multissl_init() might do a curl_free() call so strip that out to
6476 make this work with more builds. We just want to verify that
6477 memorytracking works so skipping one line is no harm.
6479 - examples/url2file.c: add missing curl_global_cleanup() call
6481 Reported-by: XhstormR on github
6484 - [Michael Gmelin brought this change]
6486 SSH: Fix state machine for ssh-agent authentication
6488 In case an identity didn't match[0], the state machine would fail in
6489 state SSH_AUTH_AGENT instead of progressing to the next identity in
6490 ssh-agent. As a result, ssh-agent authentication only worked if the
6491 identity required happened to be the first added to ssh-agent.
6493 This was introduced as part of commit c4eb10e2f06fbd6cc904f1d78e4, which
6494 stated that the "else" statement was required to prevent getting stuck
6495 in state SSH_AUTH_AGENT. Given the state machine's logic and libssh2's
6496 interface I couldn't see how this could happen or reproduce it and I
6497 also couldn't find a more detailed description of the problem which
6498 would explain a test case to reproduce the problem this was supposed to
6501 [0] libssh2_agent_userauth returning LIBSSH2_ERROR_AUTHENTICATION_FAILED
6505 - openssl: fix potential memory leak in SSLKEYLOGFILE logic
6507 Coverity CID 1427646.
6509 - openssl: fix the libressl build again
6511 Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
6512 late OpenSSL version...
6517 Reported-by: jungle-boogie on github
6519 - unit1307: test many wildcards too
6521 - curl_fnmatch: only allow 5 '*' sections in a single pattern
6523 ... to avoid excessive recursive calls. The number 5 is totally
6524 arbitrary and could be modified if someone has a good motivation.
6526 - ftp-wildcard: fix matching an empty string with "*[^a]"
6528 .... and avoid advancing the pointer to trigger an out of buffer read.
6530 Detected by OSS-fuzz
6531 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5251
6532 Assisted-by: Max Dymond
6534 - SMB: fix numeric constant suffix and variable types
6536 1. don't use "ULL" suffix since unsupported in older MSVC
6537 2. use curl_off_t instead of custom long long ifdefs
6538 3. make get_posix_time() not do unaligned data access
6542 Reported-by: Chester Liu
6544 - [rouzier brought this change]
6546 CURLOPT_TCP_NODELAY.3: fix typo
6550 - smtp/pop3/imap_get_message: decrease the data length too...
6552 Follow-up commit to 615edc1f73 which was incomplete.
6554 Assisted-by: Max Dymond
6555 Detected by OSS-fuzz
6556 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5206
6558 - openssl: enable SSLKEYLOGFILE support by default
6563 Patrick Monnerat (14 Jan 2018)
6564 - mime: clone mime tree upon easy handle duplication.
6566 A mime tree attached to an easy handle using CURLOPT_MIMEPOST is
6567 strongly bound to the handle: there is a pointer to the easy handle in
6568 each item of the mime tree and following the parent pointer list
6569 of mime items ends in a dummy part stored within the handle.
6571 Because of this binding, a mime tree cannot be shared between different
6572 easy handles, thus it needs to be cloned upon easy handle duplication.
6574 There is no way for the caller to get the duplicated mime tree
6575 handle: it is then set to be automatically destroyed upon freeing the
6578 New test 654 checks proper mime structure duplication/release.
6580 Add a warning note in curl_mime_data_cb() documentation about sharing
6581 user data between duplicated handles.
6585 - docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata
6587 Daniel Stenberg (13 Jan 2018)
6588 - test395: HTTP with overflow Content-Length value
6590 - test394: verify abort of rubbish in Content-Length: value
6592 - test393: verify --max-filesize with excessive Content-Length
6594 - HTTP: bail out on negative Content-Length: values
6596 ... and make the max filesize check trigger if the value is too big.
6600 Reported-by: Brad Spencer
6604 Marcel Raad (13 Jan 2018)
6605 - [Dan Johnson brought this change]
6607 configure.ac: append extra linker flags instead of prepending them.
6609 Link order should list libraries after the libraries that use them,
6610 so when we're guessing that we might also need to add -ldl in order
6611 to use -lssl, we should add -ldl after -lssl.
6613 Closes https://github.com/curl/curl/pull/2234
6615 Daniel Stenberg (13 Jan 2018)
6616 - RELEASE-NOTES: synced with 6fa10c8fa
6618 Jay Satiro (13 Jan 2018)
6619 - setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values
6621 Broken since f121575 (precedes 7.56.1).
6623 Bug: https://github.com/curl/curl/issues/2225
6624 Reported-by: cmfrolick@users.noreply.github.com
6626 Closes https://github.com/curl/curl/pull/2227
6628 Patrick Monnerat (13 Jan 2018)
6629 - setopt: reintroduce non-static Curl_vsetopt() for OS400 support
6631 This also upgrades ILE/RPG bindings with latest setopt options.
6633 Reported-By: jonrumsey on github
6637 Jay Satiro (11 Jan 2018)
6638 - [Zhouyihai Ding brought this change]
6640 http2: fix incorrect trailer buffer size
6642 Prior to this change the stored byte count of each trailer was
6643 miscalculated and 1 less than required. It appears any trailer
6644 after the first that was passed to Curl_client_write would be truncated
6645 or corrupted as well as the size. Potentially the size of some
6646 subsequent trailer could be erroneously extracted from the contents of
6647 that trailer, and since that size is used by client write an
6648 out-of-bounds read could occur and cause a crash or be otherwise
6649 processed by client write.
6651 The bug appears to have been born in 0761a51 (precedes 7.49.0).
6653 Closes https://github.com/curl/curl/pull/2231
6655 - [Basuke Suzuki brought this change]
6657 easy: fix connection ownership in curl_easy_pause
6659 Before calling Curl_client_chop_write(), change the owner of connection
6660 to the current Curl_easy handle. This will fix the issue #2217.
6662 Fixes https://github.com/curl/curl/issues/2217
6663 Closes https://github.com/curl/curl/pull/2221
6665 Daniel Stenberg (9 Jan 2018)
6666 - [Dimitrios Apostolou brought this change]
6668 system.h: Additionally check __LONG_MAX__ for defining curl_off_t
6670 __SIZEOF_LONG__ was introduced in GCC 4.4, __LONG_MAX__ was introduced
6675 - COPYING: it's 2018!
6677 - progress: calculate transfer speed on milliseconds if possible
6679 to increase accuracy for quick transfers
6684 Jay Satiro (7 Jan 2018)
6685 - scripts: allow all perl scripts to be run directly
6687 - Enable execute permission (chmod +x)
6689 - Change interpreter to /usr/bin/env perl
6691 Closes https://github.com/curl/curl/pull/2222
6693 - mail-rcpt.d: fix short-text description
6695 - build: remove HAVE_LIMITS_H check
6697 .. because limits.h presence isn't optional, it's required by C89.
6699 Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2
6701 Closes https://github.com/curl/curl/pull/2215
6703 - openssl: fix memory leak of SSLKEYLOGFILE filename
6705 - Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
6710 - Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX"
6712 This reverts commit c97648b55080343bb371522bf4233e94a2a13a99.
6714 SIZEOF_LONG should not be checked in system.h since that macro is only
6715 defined when building libcurl.
6717 Ref: https://github.com/curl/curl/pull/2186#issuecomment-354767080
6718 Ref: https://gcc.gnu.org/onlinedocs/cpp/Common-Predefined-Macros.html
6720 Michael Kaufmann (30 Dec 2017)
6721 - test1554: improve the error handling
6723 - test1554: add global initialization and cleanup
6725 Daniel Stenberg (29 Dec 2017)
6726 - curl_version_info.3: call the argument 'age'
6728 Reported-by: Pete Lomax
6729 Bug: https://curl.haxx.se/mail/lib-2017-12/0074.html
6731 Patrick Monnerat (27 Dec 2017)
6732 - [Mikalai Ananenka brought this change]
6734 brotli: data at the end of content can be lost
6736 Decoding loop implementation did not concern the case when all
6737 received data is consumed by Brotli decoder and the size of decoded
6738 data internally hold by Brotli decoder is greater than CURL_MAX_WRITE_SIZE.
6739 For content with unencoded length greater than CURL_MAX_WRITE_SIZE this
6740 can result in the loss of data at the end of content.
6744 Jay Satiro (26 Dec 2017)
6745 - examples/cacertinmem: ignore cert-already-exists error
6747 - Ignore X509_R_CERT_ALREADY_IN_HASH_TABLE errors in the CTX callback
6748 since it's possible the cert may have already been loaded by libcurl.
6750 - Remove the EXAMPLE code in the CURLOPT_SSL_CTX_FUNCTION.3 doc.
6751 Instead have it direct the reader to this cacertinmem.c example.
6753 - Fix the CA certificate to use the right CA for example.com, Digicert.
6755 Bug: https://curl.haxx.se/mail/lib-2017-12/0057.html
6756 Reported-by: Thomas van Hesteren
6758 Closes https://github.com/curl/curl/pull/2182
6760 - [Gisle Vanem brought this change]
6762 tool_getparam: Support size modifiers for --max-filesize
6764 - Move the size modifier detection code from limit-rate to its own
6765 function so that it can also be used with max-filesize.
6767 Size modifiers are the suffixes such as G (gigabyte), M (megabyte) etc.
6769 For example --max-filesize 1G
6771 Ref: https://curl.haxx.se/mail/archive-2017-12/0000.html
6773 Closes https://github.com/curl/curl/pull/2179
6775 Steve Holme (22 Dec 2017)
6776 - build: Fixed incorrect script termination from commit ad1dc10e61
6778 - Makefile.vc: Added our standard copyright header
6780 - winbuild: Added support for VC15
6782 - build: Added Visual Studio 2017 project files
6784 - build-wolfssl.bat: Added support for VC15
6786 - build-openssl.bat: Added support for VC15
6788 Jay Satiro (22 Dec 2017)
6789 - [Dimitrios Apostolou brought this change]
6791 curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX
6793 Closes https://github.com/curl/curl/pull/2186
6795 - [Mattias Fornander brought this change]
6797 examples/rtsp: fix error handling macros
6799 Closes https://github.com/curl/curl/pull/2185
6801 Patrick Monnerat (20 Dec 2017)
6802 - curl_easy_reset: release mime-related data.
6804 Move curl_mime_initpart() and curl_mime_cleanpart() calls to lower-level
6805 functions dealing with UserDefined structure contents.
6806 This avoids memory leakages on curl-generated part mime headers.
6807 New test 2073 checks this using the cli tool --next option: it
6808 triggers a valgrind error if bug is present.
6810 Bug: https://curl.haxx.se/mail/lib-2017-12/0060.html
6811 Reported-by: Martin Galvan
6813 - content_encoding: rework zlib_inflate
6815 - When zlib version is < 1.2.0.4, process gzip trailer before considering
6816 extra data as an error.
6817 - Inflate with Z_BLOCK instead of Z_SYNC_FLUSH to maximize correct data
6818 and minimize corrupt data output.
6819 - Do not try to restart deflate decompression in raw mode if output has
6820 started or if the leading data is not available anymore.
6821 - New test 232 checks inflating raw-deflated content.
6825 - brotli: allow compiling with version 0.6.0.
6827 Some error codes were not yet defined in brotli 0.6.0: do not issue code
6828 for them in this case.
6830 Daniel Stenberg (13 Dec 2017)
6831 - CURLOPT_READFUNCTION.3: refer to argument with correct name
6837 - rand: add a clang-analyzer work-around
6839 scan-build would warn on a potential access of an uninitialized
6840 buffer. I deem it a false positive and had to add this somewhat ugly
6841 work-around to silence it.
6843 - krb5: fix a potential access of uninitialized memory
6845 A scan-build warning.
6847 - conncache: fix a return code [regression]
6849 This broke in 07cb27c98e. Make sure to return 'result' properly. Pointed
6852 - curl: support >256 bytes warning messsages
6856 Michael Kaufmann (12 Dec 2017)
6857 - libssh: fix a syntax error in configure.ac
6859 Follow-up to c92d2e1
6863 Daniel Stenberg (12 Dec 2017)
6864 - examples/smtp-mail.c: use separate defines for options and mail
6866 ... to make it clearer that the options want address-only, while the
6867 headers in an email can also have the real name.
6869 Assisted-by: Sean MacLennan
6871 - THANKS: added missing names
6873 ... as I reran the contrithanks script after the mailmap name fixups.
6875 - mailmap: added/clarified several names
6877 - setopt: less *or equal* than INT_MAX/1000 should be fine
6879 ... for the CURLOPT_TIMEOUT, CURLOPT_CONNECTTIMEOUT and
6880 CURLOPT_SERVER_RESPONSE_TIMEOUT range checks.
6882 Reported-by: Dominik Hölzl
6883 Bug: https://curl.haxx.se/mail/lib-2017-12/0037.html
6887 - [Dmitry Kostjuchenko brought this change]
6889 vtls: replaced getenv() with curl_getenv()
6891 Fixed undefined symbol of getenv() which does not exist when compiling
6892 for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
6893 curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
6898 - RELEASE-NOTES: synced with 3b9ea70ee
6900 - TODO: Expose tried IP addresses that failed
6902 Suggested-by: Rainer Canavan
6906 - curl.1: mention http:// and https:// as valid proxy prefixes
6908 - curl.1: documented two missing valid exit codes
6910 - CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference
6912 - Revert "curl: don't set CURLOPT_INTERLEAVEDATA"
6914 This reverts commit 9ffad8eb1329bb35c8988115ac7ed85cf91ef955.
6916 It was actually added rather recently in 8e8afa82cbb629 due to a crash
6917 that would otherwise happen in the RTSP code. As I don't think we've
6918 fixed that behavior yet, we better keep this work-around until we have
6921 Michael Kaufmann (10 Dec 2017)
6922 - tests: mark data files as non-executable in git
6924 - tests: update .gitignore for libtests
6926 Daniel Stenberg (10 Dec 2017)
6927 - multi_done: prune DNS cache
6929 Prune the DNS cache immediately after the dns entry is unlocked in
6930 multi_done. Timed out entries will then get discarded in a more orderly
6935 Reported-by: Oleg Pudeyev
6940 - mailmap: fixup two old git Author "aliases"
6942 Jay Satiro (10 Dec 2017)
6943 - openssl: Disable file buffering for Win32 SSLKEYLOGFILE
6945 Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
6946 like it does for other platforms. However, the Windows CRT does not
6947 actually support line buffering (_IOLBF) and will use full buffering
6948 (_IOFBF) instead. We can't use full buffering because multiple processes
6949 may be writing to the file and that could lead to corruption, and since
6950 full buffering is the only buffering available this commit disables
6951 buffering for Windows SSLKEYLOGFILE entirely (_IONBF).
6953 Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
6955 Daniel Stenberg (10 Dec 2017)
6956 - RESOLVE: output verbose text when trying to set a duplicate name
6958 ... to help users understand what is or isn't done!
6960 - CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE
6962 - [John DeHelian brought this change]
6964 sftp: allow quoted commands to use relative paths
6968 Jay Satiro (8 Dec 2017)
6969 - [Richard Alcock brought this change]
6971 CURLOPT_PRIVATE.3: fix grammar
6973 - Change "never does nothing" double-negative to "never does anything".
6975 Closes https://github.com/curl/curl/pull/2168
6977 Daniel Stenberg (8 Dec 2017)
6978 - curl: remove __EMX__ #ifdefs
6980 These are OS/2-specific things added to the code in the year 2000. They
6981 were always ugly. If there's any user left, they still don't need it
6986 Jay Satiro (8 Dec 2017)
6987 - openssl: improve data-pending check for https proxy
6989 - Allow proxy_ssl to be checked for pending data even when connssl does
6990 not yet have an SSL handle.
6992 This change is for posterity. Currently there doesn't seem to be a code
6993 path that will cause a pending data check when proxyssl could have
6994 pending data and the connssl handle doesn't yet exist [1].
6996 [1]: Recall that an https proxy connection starts out in connssl but if
6997 the destination is also https then the proxy SSL backend data is moved
6998 from connssl to proxyssl, which means connssl handle is temporarily
6999 empty until an SSL handle for the destination can be created.
7001 Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542
7003 Closes https://github.com/curl/curl/pull/1916
7005 Daniel Stenberg (8 Dec 2017)
7006 - curl: don't set CURLOPT_INTERLEAVEDATA
7008 That data is only ever used by the CURLOPT_INTERLEAVEFUNCTION callback
7009 and that option isn't set or used by the curl tool!
7011 Updates the 9 tests that verify --libcurl
7015 - curl.h: remove incorrect comment about ERRORBUFFER
7017 ... error messages are _not_ sent to stderr if this is not set.
7019 - [Michael Felt brought this change]
7021 configure: add AX_CODE_COVERAGE only if using gcc
7026 - curl: limit -# update frequency for unknown total size
7028 Make it use a max 10Hz update frequency for this case as well. Return
7029 early if the "point" hasn't moved since last invoke.
7031 Reported-by: Elliot Saba
7036 - BINDINGS: another PostgreSQL client
7038 ...the former link is dead.
7040 Reported-by: Frank Gevaerts
7042 - [Zachary Seguin brought this change]
7044 CONNECT: keep close connection flag in http_connect_state struct
7049 - [Per Malmberg brought this change]
7051 include: get netinet/in.h before linux/tcp.h
7053 ... to allow build on older Linux dists (specifically CentOS 4.8 on gcc
7058 - openldap: fix checksrc nits
7060 - [Stepan Broz brought this change]
7062 openldap: add commented out debug possibilities
7064 ... to aid debugging openldap library using its built-in debug messages.
7068 - examples: move threaded-shared-conn.c to the "complicated" ones
7070 ... due it relying on pthreads to link.
7072 - RELEASE-NOTES: synced with b261c44e8
7074 ... and bump next release version to 7.58.0
7076 - [Jan Ehrhardt brought this change]
7078 URL: tolerate backslash after drive letter for FILE:
7080 ... as in "file://c:\some\path\curl.out"
7082 Reviewed-by: Matthew Kerwin
7085 - [Randall S. Becker brought this change]
7087 tests: added netinet/in6.h includes in test servers
7089 - [Randall S. Becker brought this change]
7091 configure: check for netinet/in6.h
7093 Needed by HPE NonStop NSE and NSX systems
7098 - curl-config: add --ssl-backends
7100 Lists all SSL backends that were enabled at build-time.
7102 Suggested-by: Oleg Pudeyev
7105 - conncache: only allow multiplexing within same multi handle
7107 Connections that are used for HTTP/1.1 Pipelining or HTTP/2 multiplexing
7108 only get additional transfers added to them if the existing connection
7109 is held by the same multi or easy handle. libcurl does not support doing
7110 HTTP/2 streams in different threads using a shared connection.
7114 - threaded-shared-conn.c: fixed typo in commenta
7116 - threaded-shared-conn.c: new example
7118 - conncache: fix several lock issues
7120 If the lock is released before the dealings with the bundle is over, it may
7121 have changed by another thread in the mean time.
7127 - libssh: remove dead code in sftp_qoute
7129 ... by removing a superfluous NULL pointer check that also confuses
7135 - sasl_getmesssage: make sure we have a long enough string to pass
7137 For pop3/imap/smtp, added test 891 to somewhat verify the pop3
7140 For this, I enhanced the pingpong test server to be able to send back
7141 responses with LF-only instead of always using CRLF.
7145 - libssh2: remove dead code from SSH_SFTP_QUOTE
7147 Figured out while reviewing code in the libssh backend. The pointer was
7148 checked for NULL after having been dereferenced, so we know it would
7149 always equal true or it would've crashed.
7151 Pointed-out-by: Nikos Mavrogiannopoulos
7156 - ssh-libssh.c: please checksrc
7158 Nikos Mavrogiannopoulos (4 Dec 2017)
7159 - libssh: fixed dereference in statvfs access
7161 The behavior is now equivalent to ssh.c when SSH_SFTP_QUOTE_STATVFS
7166 Daniel Stenberg (4 Dec 2017)
7167 - [Guitared brought this change]
7169 RESOURCES: update spec names
7173 Nikos Mavrogiannopoulos (3 Dec 2017)
7174 - libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS
7176 The previous code was incorrectly following the libssh2 error detection
7177 for libssh2_sftp_statvfs, which is not correct for libssh's sftp_statvfs.
7181 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7183 - libssh: no need to call sftp_get_error as ssh_get_error is sufficient
7187 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7189 Daniel Stenberg (2 Dec 2017)
7190 - libssh: fix minor static code analyzer nits
7192 - remove superfluous NULL check which otherwise tricks the static code
7193 analyzers to assume NULL pointer dereferences.
7195 - fix fallthrough in switch()
7199 - openssl: pkcs12 is supported by boringssl
7201 Removes another #ifdef for BoringSSL
7203 Pointed-out-by: David Benjamin
7207 - [Jay Satiro brought this change]
7209 travis: use pip2 instead of pip
7211 .. since now mac osx image expects pip2 or pip3, and doesn't know pip:
7213 0.01s$ pip install --user cpp-coveralls
7214 /Users/travis/.travis/job_stages: line 57: pip: command not found
7216 Ref: https://github.com/travis-ci/travis-ci/issues/8829
7218 Closes https://github.com/curl/curl/pull/2133
7220 - [Nikos Mavrogiannopoulos brought this change]
7222 lib582: do not verify host for SFTP
7224 This SFTP test fails with libssh back-end due to failure to verify
7225 the peer. Disable peer verification in the test as there seems to
7226 be the intention of the test.
7228 Note that the libssh back-end automatically verifies the peer's
7229 host using the default known_hosts file.
7231 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7233 - [Nikos Mavrogiannopoulos brought this change]
7235 libssh: added SFTP support
7237 The SFTP back-end supports asynchronous reading only, limited
7238 to 32-bit file length. Writing is synchronous with no other
7241 This also brings keyboard-interactive authentication.
7243 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7245 - [Nikos Mavrogiannopoulos brought this change]
7247 symbols-in-versions: added new symbols with 7.56.3 version
7249 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7251 - [Nikos Mavrogiannopoulos brought this change]
7253 .travis.yml: added build --with-libssh
7255 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
7257 - [Nikos Mavrogiannopoulos brought this change]
7259 libssh2: return CURLE_UPLOAD_FAILED on failure to upload
7261 This brings its in sync with the error code returned by the
7264 Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
7266 - [Nikos Mavrogiannopoulos brought this change]
7268 libssh2: send the correct CURLE error code on scp file not found
7270 That also updates tests to expect the right error code
7272 libssh2 back-end returns CURLE_SSH error if the remote file
7273 is not found. Expect instead CURLE_REMOTE_FILE_NOT_FOUND
7274 which is sent by the libssh backend.
7276 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
7278 - [Nikos Mavrogiannopoulos brought this change]
7280 Added support for libssh SSH SCP back-end
7282 libssh is an alternative library to libssh2.
7283 https://www.libssh.org/
7285 That patch set also introduces support for ECDSA
7286 ed25519 keys, as well as gssapi authentication.
7288 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
7290 - RELEASE-NOTES: synced with af8cc7a69
7292 - curlver: towards 7.57.1